
Page 1: Yu-Li Lin and Chien-Lung Hsu Department of Information Management, Chang-Gung University Information Science(SCI) Reporter: Tzer-Long Chen

Novel Efficient Key Assignment Scheme for Dynamic Access Control

Yu-Li Lin and Chien-Lung Hsu
Department of Information Management, Chang-Gung University
Information Science (SCI)

Reporter: Tzer-Long Chen

Page 2

Outline

Abstract
Introduction
The Proposed Key Assignment Scheme
◦ Key generation phase
◦ Key derivation phase
◦ A small example
Dynamic Key Management
◦ Adding a security class, Deleting a security class, Creating a new relationship, Revoking an existing relationship, Changing a secret key.
Security Analysis
Performance Analysis
Conclusions

Page 3

Abstract

The security of the proposed scheme against some potential attacks is based only on the intractability of reversing a one-way hash function.

The proposed scheme can efficiently deal with dynamic access control problems.

The storage required for public and private parameters is significantly reduced.

Page 4

Introduction

This will reduce the key management costs. The proposed scheme is more efficient than the Chung et al. scheme in terms of computational complexity and storage of public and private parameters.

[4] Y.F. Chung, H.H. Lee, F. Lai, “Access Control in User Hierarchy Based on Elliptic Curve Cryptosystem,” Information Sciences, Vol. 178, pp. 230-243, 2008.

Page 5

The Proposed Key Assignment Scheme

Let SC = {SC1, SC2, …, SCn} be a user hierarchy with n disjoint sets of security classes which are partially ordered by the binary relation “≦”.

Let IDi be the identity for the security class SCi.

The proposed scheme requires a central authority (CA) to maintain all public system parameters and functions.

CA selects and publishes a large prime p and a one-way hash function h(⋅).

Page 6

Key Generation Phase

CA randomly chooses a distinct secret key ski and a random number Ri for each security class SCi in the hierarchy, i = 1, 2, …, n.

To let any higher security class SCl derive the encryption key h(ski ∥ Ri), for each security class SCi CA computes the polynomial fi(x) over GF(p) by

$$f_i(x) = \prod_{SC_l \geq SC_i} \bigl(x - h(sk_l \,\|\, R_i \,\|\, ID_l \,\|\, ID_i)\bigr) + h(sk_i \,\|\, R_i) \bmod p$$

Finally, CA sends the secret key ski to the security class SCi via a secure channel and publishes (fi(x), Ri).

Page 7

Key Derivation Phase

Step 1. Use its secret key ski, identity IDi, SCj’s identity IDj, and SCj’s public random number Rj to compute

$$h(sk_i \,\|\, R_j \,\|\, ID_i \,\|\, ID_j)$$

Step 2. Use this value and the public polynomial fj(x) to derive SCj’s encryption key h(skj ∥ Rj) as

$$h(sk_j \,\|\, R_j) = f_j\bigl(h(sk_i \,\|\, R_j \,\|\, ID_i \,\|\, ID_j)\bigr)$$

Page 8

Example

Suppose there is a set of six disjoint security classes in a hierarchy, as in Fig. 1.

CA chooses a distinct secret key ski and a random number Ri for each security class SCi in the hierarchy, where i = 1, 2, …, n.

When the security class SC2 wants to derive the encryption key h(sk4 ∥ R4) of the class SC4, it can use the secret key sk2 and public information to calculate it.

CA then computes the polynomial fj(x) for each security class by the following equations:

Page 9

Example

$$\begin{aligned}
SC_2:\ f_2(x) &= \bigl(x - h(sk_1 \| R_2 \| ID_1 \| ID_2)\bigr) + h(sk_2 \| R_2) \bmod p \\
SC_3:\ f_3(x) &= \bigl(x - h(sk_1 \| R_3 \| ID_1 \| ID_3)\bigr) + h(sk_3 \| R_3) \bmod p \\
SC_4:\ f_4(x) &= \bigl(x - h(sk_1 \| R_4 \| ID_1 \| ID_4)\bigr)\bigl(x - h(sk_2 \| R_4 \| ID_2 \| ID_4)\bigr) + h(sk_4 \| R_4) \bmod p \\
SC_5:\ f_5(x) &= \bigl(x - h(sk_1 \| R_5 \| ID_1 \| ID_5)\bigr)\bigl(x - h(sk_2 \| R_5 \| ID_2 \| ID_5)\bigr)\bigl(x - h(sk_3 \| R_5 \| ID_3 \| ID_5)\bigr) + h(sk_5 \| R_5) \bmod p \\
SC_6:\ f_6(x) &= \bigl(x - h(sk_1 \| R_6 \| ID_1 \| ID_6)\bigr)\bigl(x - h(sk_3 \| R_6 \| ID_3 \| ID_6)\bigr) + h(sk_6 \| R_6) \bmod p
\end{aligned}$$

Page 10

Example

When the security class SC2 wants to derive the encryption key h(sk4 || R4) of the class SC4, it can use the secret key sk2 and the public information to calculate

$$h(sk_2 \,\|\, R_4 \,\|\, ID_2 \,\|\, ID_4)$$

and then compute

$$h(sk_4 \,\|\, R_4) = f_4\bigl(h(sk_2 \,\|\, R_4 \,\|\, ID_2 \,\|\, ID_4)\bigr)$$

Page 11

Dynamic Key Management

Adding
Deleting
Creating a new relationship
Revoking an existing relationship
Changing a secret key

Page 12

Adding a Security Class

Step 1. Assign a secret key skk and random number Rk for the security class SCk.

Step 2. For each SCj (where SCj ≦ SCk ≦ SCi), replace the public function fj(x) with f’j(x) where

$$f'_j(x) = \prod_{SC_l \geq SC_j} \bigl(x - h(sk_l \,\|\, R_j \,\|\, ID_l \,\|\, ID_j)\bigr) + h(sk_j \,\|\, R_j) \bmod p$$

Step 3. Construct the public polynomial fk(x) using h(ski ∥ Rk ∥ IDi ∥ IDj) by

$$f_k(x) = \prod_{SC_i \geq SC_k} \bigl(x - h(sk_i \,\|\, R_k \,\|\, ID_i \,\|\, ID_k)\bigr) + h(sk_k \,\|\, R_k) \bmod p$$

where ∥ is a bit concatenation operator.

Step 4. Finally, CA sends the secret key skk to SCk via a secure channel and publishes the public information (Rk, fk(x), f’j(x)).

Page 13

Adding a Security Class

[Figure: hierarchy diagram; labels: Update, New]

Page 14

Adding a Security Class

Step 1. Assign a secret key sk7 and a random number R7 for the security class SC7.

Step 2. Replace the public polynomial f6(x) with f6′(x) as

f6′(x) = (x − h(sk1 || R6 || ID1 || ID6))(x − h(sk3 || R6 || ID3 || ID6))(x − h(sk7 || R6 || ID7 || ID6)) + h(sk6 || R6) mod p

Note that before SC7 is added into the hierarchy, the public polynomial f6(x) is formed as

f6(x) = (x − h(sk1 || R6 || ID1 || ID6))(x − h(sk3 || R6 || ID3 || ID6)) + h(sk6 || R6) mod p

Step 3. Construct the public polynomial f7(x) using h(sk1 || R7 || ID1 || ID7) by

f7(x) = (x − h(sk1 || R7 || ID1 || ID7)) + h(sk7 || R7) mod p

Step 4. Replace f6(x) with f6′(x).

Step 5. Publish (f7(x), R7) and send sk7 to the security class SC7 via a secure channel.

Page 15

Deleting a Security Class

Step 1. Renew a random number Rj as R’j of SCi for all the successors SCj of SCk (SCk ≧ SCj).

Step 2. Compute the public polynomial f’j(x) as

$$f'_j(x) = \prod_{SC_i \geq SC_j} \bigl(x - h(sk_i \,\|\, R'_j \,\|\, ID_i \,\|\, ID_j)\bigr) + h(sk_j \,\|\, R'_j) \bmod p$$

and replace fj(x) with f’j(x).

Step 3. Delete the security class SCk from the hierarchy and discard the secret key and public parameters of SCk.

Page 16

Deleting a Security Class

[Figure: hierarchy diagram; labels: Update, New]

Page 17

Deleting a Security Class

Step 1. Renew two random numbers R5′ and R6′ for the security classes SC5 and SC6, respectively.

Step 2. Replace the public function f5(x) with f5′(x) as

f5′(x) = (x − h(sk1 || R5′ || ID1 || ID5))(x − h(sk2 || R5′ || ID2 || ID5)) + h(sk5 || R5′) mod p

Step 3. Replace the public function f6(x) with f6′(x) as

f6′(x) = (x − h(sk1 || R6′ || ID1 || ID6)) + h(sk6 || R6′) mod p

Step 4. Publish (f5′(x), f6′(x), R5′, R6′).

Page 18

Creating a New Relationship

Step 1. Randomly choose a public number Rl and a secret key skl for SCl.

Step 2. For all SCi ≥ SCl
    if {SCi | (SCi, SCl)} ∈ Ri,l does not hold until SCk ≥ SCl is created such that SCi ≥ SCk ≥ SCl ≥ SCj
        compute h(ski || Rl || IDi || IDj) and h(skk || Rl || IDk || IDl)
    end if
end for

Step 3. Construct the public polynomial fl(x) as

$$f_l(x) = \prod_{SC_i \geq SC_l} \Bigl(\bigl(x - h(sk_i \,\|\, R_l \,\|\, ID_i \,\|\, ID_l)\bigr)\bigl(x - h(sk_k \,\|\, R_l \,\|\, ID_k \,\|\, ID_l)\bigr)\Bigr) + h(sk_l \,\|\, R_l) \bmod p$$

Page 19

Creating a New Relationship

Step 4. For all SCi ≥ SCl
    if {SCi | (SCi, SCl)} ∈ Ri,l does not hold until SCk ≥ SCl is created such that SCi ≥ SCk ≥ SCl ≥ SCj
        for all {SCi | (SCi, SCj)} ∈ Ri,j
            compute h(ski || Rj || IDi || IDj), h(skk || Rj || IDk || IDj) and h(skl || Rj || IDl || ID)
        end for
    end if
end for

Page 20

Creating a New Relationship

Step 5. Construct the public polynomial fj′(x) as

$$f'_j(x) = \prod_{SC_i \geq SC_l} \Bigl(\bigl(x - h(sk_i \,\|\, R_j \,\|\, ID_i \,\|\, ID_j)\bigr)\bigl(x - h(sk_k \,\|\, R_j \,\|\, ID_k \,\|\, ID_j)\bigr)\bigl(x - h(sk_l \,\|\, R_j \,\|\, ID_l \,\|\, ID_j)\bigr)\Bigr) + h(sk_j \,\|\, R_j) \bmod p$$

where || is a bit concatenation operator and h(⋅) is a one-way hash function.

Step 6. Replace fj(x) with fj′(x).

Step 7. Publish fj′(x) and fl(x).

Page 21

Creating a New Relationship

[Figure: hierarchy diagram; labels: Update, New]

Page 22

Creating a New Relationship

Step 1. Renew a random number R6′ for the security class SC6.

Step 2. Replace f6(x) with f6′(x) as

f6′(x) = (x − h(sk1 || R6′ || ID1 || ID6))(x − h(sk2 || R6′ || ID2 || ID6))(x − h(sk3 || R6′ || ID3 || ID6))(x − h(sk5 || R6′ || ID5 || ID6)) + h(sk6 || R6′) mod p

Step 3. Publish (f6′(x), R6′).

Page 23

Revoking an Existing Relationship

Step 1. For all SCi ≥ SCl
    Renew a random number Rl as Rl′
    Construct the public polynomial fl′(x) as

$$f'_l(x) = \prod_{SC_i \geq SC_l} \bigl[x - h(sk_i \,\|\, R'_l \,\|\, ID_i \,\|\, ID_l)\bigr] + h(sk_l \,\|\, R'_l) \bmod p$$

end for

Step 2. For all SCk ≥ SCj
    Renew a random number Rj as Rj′
    Construct the public polynomial fj′(x) as

$$f'_j(x) = \prod_{SC_i \geq SC_j} \Bigl(\bigl(x - h(sk_i \,\|\, R'_j \,\|\, ID_i \,\|\, ID_j)\bigr)\bigl(x - h(sk_l \,\|\, R'_j \,\|\, ID_l \,\|\, ID_j)\bigr)\Bigr) + h(sk_j \,\|\, R'_j) \bmod p$$

end for

Step 3. Revoke the relationship SCk ≥ SCl and publish (Rl′, Rj′, fl′(x), fj′(x)).

Page 24

Revoking an Existing Relationship

[Figure: hierarchy diagram; labels: Update, New]

Page 25

Revoking an Existing Relationship

Step 1. Renew the random number R5 with R5′.

Step 2. Renew the public polynomial f5(x) with f5′(x) as

f5′(x) = (x − h(sk1 || R5′ || ID1 || ID5))(x − h(sk3 || R5′ || ID3 || ID5)) + h(sk5 || R5′) mod p

Step 3. Revoke the relationship SC2 ≥ SC5 and publish (f5′(x), R5′).
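The key generation and derivation phases, together with the SC2 ≥ SC5 revocation above, as an added Python sketch (not code from the paper or the slides). Assumptions: SHA-256 reduced mod p stands in for h(⋅), p = 2^127 − 1, the integer i stands for IDi, "|"-joined decimal strings stand for ∥, and the Fig. 1 hierarchy is the one read off the f2..f6 example polynomials.

```python
import hashlib
import secrets

P = 2**127 - 1  # assumed stand-in for the CA's public large prime p

# Predecessors of each class, read off the f2..f6 example polynomials (Fig. 1).
PREDS = {1: [], 2: [1], 3: [1], 4: [1, 2], 5: [1, 2, 3], 6: [1, 3]}

def h(*parts):
    """h(a || b || ...) as an element of GF(p); SHA-256 and '|' encoding are assumptions."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % P

def publish(i, sk, R, preds):
    """CA side: coefficients (lowest degree first) of
    f_i(x) = prod_l (x - h(sk_l||R_i||ID_l||ID_i)) + h(sk_i||R_i) mod p."""
    coeffs = [1]
    for l in preds[i]:
        root = h(sk[l], R[i], l, i)
        nxt = [0] * (len(coeffs) + 1)
        for d, c in enumerate(coeffs):      # multiply the running product by (x - root)
            nxt[d + 1] = (nxt[d + 1] + c) % P
            nxt[d] = (nxt[d] - c * root) % P
        coeffs = nxt
    coeffs[0] = (coeffs[0] + h(sk[i], R[i])) % P
    return coeffs

def derive(i, sk_i, j, R_j, f_j):
    """SC_i side: evaluate SC_j's public polynomial at h(sk_i||R_j||ID_i||ID_j) (Horner)."""
    x = h(sk_i, R_j, i, j)
    acc = 0
    for c in reversed(f_j):
        acc = (acc * x + c) % P
    return acc

def demo():
    sk = {i: secrets.randbits(128) for i in PREDS}   # secret keys sk_i (constructed)
    R = {i: secrets.randbits(64) for i in PREDS}     # public random numbers R_i
    f = {i: publish(i, sk, R, PREDS) for i in PREDS if PREDS[i]}
    out = {
        "sc2_derives_k4": derive(2, sk[2], 4, R[4], f[4]) == h(sk[4], R[4]),
        "sc3_derives_k4": derive(3, sk[3], 4, R[4], f[4]) == h(sk[4], R[4]),
        "sc2_derives_k5": derive(2, sk[2], 5, R[5], f[5]) == h(sk[5], R[5]),
    }
    # Revoke SC2 >= SC5: renew R5 as R5', rebuild f5' over SC1 and SC3 only.
    preds = {**PREDS, 5: [1, 3]}
    R[5] = secrets.randbits(64)
    f[5] = publish(5, sk, R, preds)
    out["sc2_after_revoke"] = derive(2, sk[2], 5, R[5], f[5]) == h(sk[5], R[5])
    out["sc3_after_revoke"] = derive(3, sk[3], 5, R[5], f[5]) == h(sk[5], R[5])
    return out

if __name__ == "__main__":
    print(demo())
```

SC3 is not a predecessor of SC4, so its evaluation point is not a root of the product and f4 returns the key offset by a nonzero value; after the revocation SC2 is in the same position with respect to f5′, while sk2 itself is unchanged.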

Page 26

Changing a Secret Key

It is necessary to change the derivation key for some security consideration. When a security class SCi wants to change its secret key ski to ski′, CA needs to update the public functions of SCj (SCj ≤ SCi), and all other keys or information items do not need to be changed.

Page 27

Security Analysis

Compromising Attack
Equation Attack
Collaborative Attack
Interior Collecting Attack
Exterior Collecting Attack

Page 28

Compromising Attack

Consider the scenario that a successor SCj (SCj ≤ SCi) who knows the public parameters (IDi, Rj, fj(x)) attempts to derive SCi’s secret key ski.

Even if h(ski || Rj || IDi || IDj) is known to the adversary, it is still difficult to compute the secret key ski of the security class SCi, because it is computationally infeasible to invert the one-way hash function.

Page 29

Equation Attack

If two security classes have common successor(s), one of them might attempt to use the public polynomial(s) of the common successor(s) to derive unauthorized secret keys.

Page 30

Equation Attack

We use the example depicted in Fig. 1, in which the relationships SC2 ≥ SC5 and SC3 ≥ SC5 hold, to demonstrate this. SC2 might attempt to obtain SC3’s secret key sk3 through SC5’s public information f5(x). Reading f_{i5} as the root h(ski || R5 || IDi || ID5) of f5(x):

$$(x - f_{35}) = \bigl(f_5(x) - h(sk_5 \,\|\, R_5)\bigr)\bigl((x - f_{15})(x - f_{25})\bigr)^{-1} \pmod{p}$$

Let x = 0, then

$$f_{35} = \bigl(h(sk_5 \,\|\, R_5) - f_5(0)\bigr)\bigl(f_{15}\, f_{25}\bigr)^{-1} \pmod{p}$$

It can be seen that the derivation of SC3’s secret key sk3 is based on the difficulty of solving the one-way hash function.

Page 31

Collaborative Attack

Consider the scenario that two or more security classes at a lower level in the user hierarchy want to derive a secret key at a higher level.

Let SCj, SCk, and SCl be the successors of SCi.

$$\begin{aligned}
h(sk_j \,\|\, R_j) &= f_j\bigl(h(sk_i \,\|\, R_j \,\|\, ID_i \,\|\, ID_j)\bigr) \\
h(sk_k \,\|\, R_k) &= f_k\bigl(h(sk_i \,\|\, R_k \,\|\, ID_i \,\|\, ID_k)\bigr) \\
h(sk_l \,\|\, R_l) &= f_l\bigl(h(sk_i \,\|\, R_l \,\|\, ID_i \,\|\, ID_l)\bigr)
\end{aligned}$$

For the equations above, deriving ski is based on the difficulty of solving the one-way hash function.

Page 32

Interior Collecting Attack

Consider the scenario that there is a lower-level security class SCj with m predecessors, which are SCi, SCi+1, …, and SCi+m−1.

$$\begin{aligned}
h(sk_j \,\|\, R_j) &= f_j\bigl(h(sk_i \,\|\, R_j \,\|\, ID_i \,\|\, ID_j)\bigr) \\
h(sk_j \,\|\, R_j) &= f_j\bigl(h(sk_{i+1} \,\|\, R_j \,\|\, ID_{i+1} \,\|\, ID_j)\bigr) \\
&\ \ \vdots \\
h(sk_j \,\|\, R_j) &= f_j\bigl(h(sk_{i+m-1} \,\|\, R_j \,\|\, ID_{i+m-1} \,\|\, ID_j)\bigr)
\end{aligned}$$

Solving for ski is based on the difficulty of solving the one-way hash function.

Page 33

Exterior Collecting Attack

Assume that an intruder comes from outside the system; he may try to compute the secret key ski of a security class by using only the public parameters.

Solving for ski is based on the difficulty of solving the one-way hash function.

Page 34

Performance Analysis

Page 35

Conclusions

The secret key for each security class is reusable for dynamic access control problems. Key management costs of the proposed scheme are smaller than those of Chung et al.’s scheme.

The proposed scheme can efficiently deal with dynamic access control problems.

The storage required for public and private parameters is significantly reduced.

The proposed scheme is more efficient than Chung et al.’s scheme in terms of computational complexity and storage.