yu-li lin and chien-lung hsu department of information management, chang-gung university information...

Novel Efficient Key Assignment Scheme for Dynamic Access Control

Yu-Li Lin and Chien-Lung HsuDepartment of Information Management, Chang-Gung University Information Science(SCI)

Reporter: Tzer-Long Chen

Abstract Introduction The Proposed Key Assignment Scheme

◦ Key generation phase◦ Key derivation phase◦ A small example

Dynamic Key Management ◦ Adding a security class, Deleting a security class, Creating a new

relationship, Revoking an existing relationship, Changing a secret key.

Security Analysis Performance Analysis Conclusions

Outline

The proposed scheme is secure against some potential attacks only based on the intractability of reversing one-way hash function.

The proposed scheme can efficiently deal with dynamic access control problems.

The storage required for public and private parameters is significantly reduced.

Abstract

[4] Y.F. Chung, H.H. Lee, F. Lai, “Access Control in User Hierarchy Based on Elliptic Curve Cryptosystem,” Information Sciences, Vol. 178, pp. 230-243, 2008.

This will reduce the key management costs. Performance of the proposed scheme is more efficient than that of the Chung et al. scheme in terms of the computational complexities and storage of public and private parameters.

Introduction

Let SC={SC1, SC2, …, SCn} be a user hierarchy with n disjoint sets of security classes which are partially ordered by binary relation “ ”.≦

Let IDi be the identity for the security class SCi.

The proposed scheme requires a central anthority (CA) to maintain all public system parameters and functions.

CA selects and publishes a large prime p and a one-way hash function h( ).

The Proposed Key Assignment Scheme

CA randomly chooses a distinct secret key ski and a random number Ri for each security class SCi in the hierarchy, i=1, 2, …, n.

Any higher security class SCl to derive the encryption key h(ski R∥ i). For each security class SCi.

CA computes the polynomial fi(x) over GF(p) by

Finally CA sends the secret key ski to the security class SCi via a secure channel and publishes (fi(x), Ri).

Key Generation Phase

( ) ( ( ( || || || ))) ( || ) modl i

i l i l i i iSC SC

f x x h sk R ID ID h sk R p

Step 1. Use its secret key ski, identity IDi, SCj’s identity

IDj, and SCj’s public random number Rj to

compute

Step 2. Use and the public polynomial fj(x) to derive

SCj’s encryption key h(skj R∥ j) as h(skj R∥ j)

=fj( )

Key Derivation Phase

( || || || )i j i j i jh sk R ID ID

i j

i j

Suppose there are a set of six disjoint security classes in a hierarchy as Fig.1

CA chooses a distinct secret key ski and a random number Ri for each security class SCi in the hierarchy, where i=1, 2, …, n.

When the security SC2 wants to derive the encryption key h(sk4 R∥ 4) of the class SC4, it can use the secret key sk2 and public information to calculate and then compute the polynomial fj(x) for each security class by the following equations:

Example

Example 2 2 1 2 1 2 2 2

3 3 1 3 1 3 3 3

4 4 1 4 1 4

2 4 2 4 4 4

5 5

( ) ( ( || || || )) ( || ) mod

( ) ( ( || || || )) ( || ) mod

( ) ( ( || || || ))

( ( || || || )) ( || ) mod

SC f x x h sk R ID ID h sk R p

SC f x x h sk R ID ID h sk R p

SC f x x h sk R ID ID

x h sk R ID ID h sk R p

SC f

1 5 1 5 2 5 2 5

3 5 3 5 5 5

6 6 1 6 1 6

3 6 3 6 6

( ) ( ( || || || ))( ( || || || ))

( ( || || || )) ( || ) mod

( ) ( ( || || || ))

( ( || || || )) (

x x h sk R ID ID x h sk R ID ID

x h sk R ID ID h sk R p

SC f x x h sk R ID ID

x h sk R ID ID h sk

6|| ) modR p

When the security class SC2 wants to derive the encryption key h(sk4 || R4 ) of the class SC4 , it can use the secret key sk2 and the public information to calculate

and then compute h(sk4 || R4 ) = f4 ( )

Example

2 4 2 4 2 4( || || || )h sk R ID ID

2 4

Adding Deleting Creating a new relationship Revoking an existing relationship Changing a secret key

Dynamic Key Management

Step 1.Assign a secret key skk and random number Rk for

the security class SCk.

Step 2.For each SCj (where SCj SC≦ k SC≦ i), replace the

public function fj(x) with f’j(x) where

Step 3.Construct the public polynomial fk(x) using h(ski R∥ k ID∥ i ID∥ j) by

where is a bit concatenation operator∥ Step 4.finally, CA sends the secret key skk to SCk via a

secure channel and publishes the public information

(Rk, fk(x), f’j(x))

Adding a Security Class

' ( ) ( ( ( || || || ))) ( || ) modl j

j l j l j j jSC SC

f x x h sk R ID ID h sk R p

( ) ( ( ( || || || ))) ( || ) modi k

k i k i k k kSC SC

f x x h sk R ID ID h sk R p

Adding a Security Class UpdateNew

Adding a Security ClassStep 1. Assign a secret key sk7 and a random number R7 for the security class SC7 .Step 2. Replace the public polynomial f6 (x) with f6

′ (x) as f6

′ (x) = (((x − h(sk1 || R6 || ID1 || ID6 ))(x − h(sk3 || R6 || ID3 || ID6 )) ((x − h(sk7 || R6 || ID7 || ID6 ))) + h(sk6 || R6 ) mod p Note that before SC7 is added into in the hierarchy, the public polynomial f6 (x) is formed as f6 (x) = (((x − h(sk1 || R6 || ID1 || ID6 )) (x − h(sk3 || R6 || ID3 || ID6 )))+ h(sk6 || R6 )mod pStep 3. Construct the public polynomial f7 (x) using h(sk1 || R7 || ID1 || ID7 ) by f7 (x) = ((x − h(sk1 || R7 || ID1 || ID7 )) + h(sk7 || R7 )mod pStep 4. Replace f6 (x) with f6

′ (x) .Step 5. Publish ( f7 (x), R7 ) and send sk7 to the security class SC7

via a secure channel.

Step 1.Renew a random number Rj as R’j of SCi for all the

successors SCj of SCk (SCk SC≧ j) Step 2.compute the public polynomial f’j(x) as

and replace fj(x) with f’j(x). Step 3.delete the security class SCk from the hierarchy and

discard the secret key and public parameters of SCk.

Deleting a Security Class

' ' '( ) ( ( ( || || || ))) ( || ) modi j

j i j i j j jSC SC

f x x h sk R ID ID h sk R p

Deleting a Security Class UpdateNew

Step 1. Renew two random numbers R5′ and R6

′ for the

security class SC5 and SC6 , respectively. Step 2. Replace the public function f5 (x) with f5

′(x) as

f5′(x) = (((x − h(sk1 || R5

′ || ID1 || ID5))

(x − h(sk2 || R5′ || ID2 || ID5 ))+ h(sk5 || R5

′ )mod p Step 3. Replace the public function f6 (x) with f6

′ (x) as

f6′ (x) = ((x − h(sk1 || R6

′ || ID1 || ID6 )) + h(sk6 || R6′ )mod p

Step 4. Publish ( f5′(x), f6

′ (x),R5′ ,R6

′ ) .

Deleting a Security Class

Step 1. Randomly choose a public number Rl and a secret

key skl for SCl

Step 2. For all SCi ≥ SCl if {SCi | (SCi ,SCl )} R∈ i,l does not hold

until SCk ≥ SCl is created such that SCi ≥ SCk ≥ SCl ≥ SC j

compute h(ski ||Rl ||IDi ||IDj ) and h(skk ||Rl ||IDk ||IDl )

end if end for Step 3. Construct the public polynomial fl (x) as

Creating a New Relationship

( ) ( ( ( || || || ))( ( || || || )))

( || ) modi l

l i l i l k l k lSC SC

l l

f x x h sk R ID ID x h sk R ID ID

h sk R p

Step 4. For all SCi ≥ SCl if {SCi | (SCi ,SCl )} R∈ i,l does

not hold until SCk ≥ SCl is created such that SCi ≥

SCk ≥ SCl ≥ SC j for all {SCi | (SCi ,SCj )} R∈ i,j

compute h(ski ||Rj ||IDi ||IDj ), h(skk ||Rj ||IDk ||IDj )

and h(skl ||Rj ||IDl ||ID)

end for end if end for

Creating a New Relationship

Step 5. Construct the public polynomial f j′ (x) as

where || is a bit concatenation operator and h( ) be a ⋅one-way hash function.

Step 6. Replace f j (x) with f j′ (x)

Step 7. Publish f j′ (x) and fl (x)

Creating a New Relationship

' ( ) ( ( ( || || || ))( ( || || || ))

( ( || || || ))) ( || ) modi l

j i j i j k j k jSC SC

l j l j j j

f x x h sk R ID ID x h sk R ID ID

x h sk R ID ID h sk R p

Creating a New Relationship UpdateNew

Step 1. Renew a random number R6′ for the security class

SC6 . Step 2. Replace f6 (x) with f6′ (x) as

f6′ (x) = ((x − h(sk1 || R6

′ || ID1 || ID6 ))(x − h(sk2 || R6′ || ID2

|| ID6 ))((x − h(sk3 || R6′ || ID3 || ID6 ))((x − h(sk5 ||

R6′ || ID5 || ID6 )))+ h(sk6 || R6

′ )mod p Step 3. Publish ( f6

′ (x),R6′ ) .

Creating a New Relationship

Step 1. For all SCi ≥ SCl Renew a random number Rl as

Rl′ Construct the public polynomial fl

′(x) as

end for Step 2. For all SCk ≥ SC j Renew a random number Rj as

R′j Construct the public polynomial fj

′(x) as

end for Step 3. Revoke the relationship SCk ≥ SCl and publish

(Rl′,Rj

′ , fl′(x), f j

′ (x)) .

Revoking an Existing Relationship

' ' '( ) [( ( || || || )] ( || ) modi l

l i l i l l lSC SC

f x x h sk R ID ID h sk R p

' ' '

'

( ) ( ( ( || || || )( ( || || || )))

( || ) mod

i j

j i j i j l j l jSC SC

j j

f x x h sk R ID ID x h sk R ID ID

h sk R p

Revoking an Existing RelationshipUpdateNew

Step 1. Renew the random number R5 with R5′ .

Step 2. Renew the public polynomial f5(x) with f5′(x) as

f5′(x) = ((x − h(sk1 || R5

′ || ID1 || ID5 ))(x − h(sk3 ||

R5′ || ID3 || ID5)))+ h(sk5 || R5′ )mod p

Step 3. Revoke the relationship SC2 ≥ SC5 and publish

( f5′(x),R5

′ ) .

Revoking an Existing Relationship

It is necessary to change the derivation key for some security consideration. When a security class SCi wants to change its secret key ski to ski′ ,

CA needs to update the public functions of SC j ( SC j ≤ SCi ) and all other keys or information items do not need to be changed.

Changing a Secret Key

Compromising Attack Equation Attack Collaborative Attack Interior Collecting Attack Exterior Collecting Attack

Security Analysis

Consider the scenario that a successor SCj (SCj ≤ SCi ) who knows the public parameters (IDi , Rj , fj(x)) attempts to derive SCi ’s secret key ski .

even if h(ski || Rj || IDi || IDj )is known to the adversary, it is also difficult to compute the secret key ski of the security class SCi because of the fact that it is computationally infeasible to invert the one-way hash function.

Compromising Attack

If two security classes have the common successor(s), one of them might attempt to use the public polynomial(s) of the common successor(s) for deriving unauthorized secret keys.

Equation Attack

Equation Attack

we use the example depicted in Fig. 1 to demonstrate that the relationships SC2 ≥ SC5 and SC3 ≥ SC5 . SC2 might attempt to obtain SC3’s secret key sk3 through SC5’s public information f5 (x) .

Let x = 0 , then

It can be seen that the derivation of SC3 ’s secret key sk3 is based on the difficulty of solving one-way hash function.

)(mod)))())((||()(()( 1525155553 pfxfxRskhxffx

)(mod)))(0()||(( 1525155553 pfffRskhf

Consider the scenario that two or more security classes at lower level in the user hierarchy want to derive a secret key at higher level.

Let SCj , SCk , and SCl be the successors of SCi.

For these above equations, deriving ski is based on the difficulty of solving one-way hash function.

Collaborative Attack

))||||||(()||( jijijjj IDIDRskhfRskh

))||||||(()||( kikikkk IDIDRskhfRskh

))||||||(()||( lililll IDIDRskhfRskh

Consider the scenario that there is a lower-level security class SCj with m predecessors, which are SCi, SCi+1, …, and SCi+m−1 .

solving ski is based on the difficulty of solving one-way hash function.

Interior Collecting Attack

))||||||(()||( jijijjj IDIDRskhfRskh

))||||||(()||( 11 jijijjj IDIDRskhfRskh

.

.

…

))||||||(()||( 11 jmijmijjj IDIDRskhfRskh

Assume that an intruder comes from outside the system, he may try to compute the secret key ski of a security class by using only the public parameters.

solving ski is based on the difficulty of solving one-way hash function.

Exterior Collecting Attack

Performance Analysis

The secret key for each security class is reusable for dynamic access control problems. Key management costs of the proposed scheme are smaller than that of Chung et al.’s scheme.

The proposed scheme can efficiently deal with dynamic access control problems.

The storage required for public and private parameters is significantly reduced.

Performance of the proposed scheme is more efficient than that of Chung et al.’s schemes in terms of the computational complexities and the storage.

Conclusions