
An RSA-Based Time-Bound Hierarchical Key Assignment Scheme for Electronic Article Subscription

    Jyh-haw Yeh

Department of Computer Science, Boise State University, 1910 University Drive, Boise, ID 83642, USA

    [email protected]

    ABSTRACT

The time-bound hierarchical key assignment problem is to assign time-sensitive keys to security classes in a partially ordered hierarchy so that legal data accesses among classes can be enforced. Two time-bound hierarchical key assignment schemes have been proposed in the literature, but both of them were proved insecure against collusive attacks. In this paper, we propose an RSA-based time-bound hierarchical key assignment scheme and describe a possible application. The security analysis shows that the new scheme is safe against the collusive attacks.

Categories and Subject Descriptors: E.3 [Data]: Data Encryption

    General Terms: Security

    Keywords: Access Control, Key Assignment

    1. INTRODUCTION

Depending on the security clearance, users in an organization can be divided into a set of disjoint user classes $C = \{C_1, C_2, \ldots, C_m\}$. The set of classes can usually be organized as a hierarchy if they are partially ordered by a binary relation $\preceq$. $C_j \preceq C_i$ denotes that the class $C_i$ has a higher or equal security clearance than the class $C_j$. Thus, users in $C_i$ are allowed to access the data items owned by users in $C_j$, but access in the opposite direction is prohibited. Many key assignment schemes have been proposed in the literature to enforce hierarchical access control [1, 3, 4, 5, 8].

In 2002, Tzeng [7] proposed a time-bound hierarchical key assignment scheme. He claimed that his scheme not only provides a solution for the hierarchical access control problem, but also has the additional feature that each class has different data encryption keys for different time periods. More specifically, time is divided into a sequence of $z$ periods, from period 1 to period $z$. In each time period $t$, each class $C_j$ is assigned a data encryption key $K_{j,t}$ to encrypt its data and prevent illegal accesses.

Copyright is held by the author/owner. CIKM'05, October 31 to November 5, 2005, Bremen, Germany. ACM 1-59593-140-6/05/0010.

Also, each user in the system has an assigned valid time interval $[t_1, t_2]$, where $1 \le t_1 \le t_2 \le z$. If the user is in a class $C_i$, he is able to derive the encryption key $K_{j,t}$ and decrypt the encrypted data of class $C_j$ if, and only if, $C_j \preceq C_i$ and $t_1 \le t \le t_2$. This feature enhances the applicability of the key assignment approach for online applications such as digital TV broadcasting and electronic news broadcasting [7]. However, Yi and Ye [9] pointed out that Tzeng's scheme is not secure against collusive attacks. After Tzeng's scheme was proved insecure, Chien proposed another time-bound hierarchical key assignment scheme [2] in 2004, based on tamper-resistant devices. Unfortunately, Santis, Ferrara, and Masucci [6] showed that three malicious users can collusively misuse the tamper-resistant devices to compute secret keys that they should not know.

In this paper, we propose a new scheme based on the RSA algorithm. The remainder of this paper is organized as follows. Section 2 presents the new time-bound cryptographic key assignment scheme, followed by a security analysis in Section 3. Section 4 describes a possible application, an online electronic article subscription system.

    2. NEW KEY ASSIGNMENT SCHEME

The new scheme is based on the RSA algorithm. Suppose the hierarchy has $m$ classes $\{C_1, C_2, \ldots, C_m\}$ and time is divided into $z$ periods, starting at period 1. As in Tzeng's and Chien's schemes, there is a trusted Central Authority (CA) responsible for generating and distributing keys. The CA performs the following:

1. The CA chooses two distinct large primes $p$ and $q$, and computes $n = pq$ and $\phi(n) = (p-1)(q-1)$.

2. For each $C_i$, the CA chooses a distinct integer $e_i$ relatively prime to $\phi(n)$, and then determines $d_i$ for each $e_i$ such that $e_i d_i \equiv 1 \pmod{\phi(n)}$.

3. For each period $y$, the CA chooses a distinct integer $g_y$ relatively prime to $\phi(n)$, and then determines $h_y$ for each $g_y$ such that $g_y h_y \equiv 1 \pmod{\phi(n)}$.

4. The CA chooses a number $a$, $1 < a < n$, and computes a class key $K_i = a^{\prod_{C_k \preceq C_i} d_k} \bmod n$ for each $C_i$ (the product runs over $C_i$ itself and every class below it).

5. The CA publishes the parameters $e_1, e_2, \ldots, e_m, g_1, g_2, \ldots, g_z, n$ and keeps the other parameters ($p$, $q$, $\phi(n)$, $a$, the $d_i$'s, and the $h_y$'s) secret.

User Registration: When a user is assigned to $C_i$ for a time interval $[t_1, t_2]$, the CA gives the user a user key $K_{i,(t_1,t_2)}$, where

$$K_{i,(t_1,t_2)} = (K_i)^{\prod_{t_1 \le y \le t_2} h_y} \bmod n.$$

Encryption Key Generation: The CA assigns a data encryption key $K_{i,t}$ to each $C_i$ in each time period $t$, $1 \le t \le z$, where

$$K_{i,t} = (K_i)^{h_t} \bmod n.$$


Decryption Key Derivation: A user who is in $C_i$ for the time interval $[t_1, t_2]$ can use the user key $K_{i,(t_1,t_2)}$ along with public parameters to derive the data encryption key $K_{j,t}$ of $C_j$ for time period $t$ if, and only if, $C_j \preceq C_i$ and $t_1 \le t \le t_2$. The key derivation is as follows:

$$(K_{i,(t_1,t_2)})^{\prod_{C_k \preceq C_i,\; C_k \not\preceq C_j} e_k \cdot \prod_{t_1 \le y \le t_2,\; y \ne t} g_y} = \left(a^{\prod_{C_k \preceq C_j} d_k}\right)^{h_t} = (K_j)^{h_t} \bmod n = K_{j,t}$$

Each public $e_k$ in the exponent cancels the secret $d_k$ that $K_i$ contains but $K_j$ does not, and each public $g_y$ cancels the secret $h_y$ of a period other than $t$, because $e_k d_k \equiv g_y h_y \equiv 1 \pmod{\phi(n)}$.

An Example: Figure 1 shows a six-class hierarchy. Assume that time is divided into five periods 1, 2, ..., 5.

[Fig. 1. An example of a hierarchical policy with six classes $C_1, \ldots, C_6$ (drawing not reproduced; the worked examples below use that $C_4 \preceq C_2$, $C_5 \preceq C_2$ and $C_6 \not\preceq C_2$).]

A user in $C_2$ from time period 2 to 4 has the user key $K_{2,(2,4)}$. This user can derive the following data encryption keys: $\{K_{2,2}, K_{2,3}, K_{2,4}, K_{4,2}, K_{4,3}, K_{4,4}, K_{5,2}, K_{5,3}, K_{5,4}\}$.

For example, to derive $K_{5,3}$, the user computes

$$(K_{2,(2,4)})^{\prod_{C_k \preceq C_2,\; C_k \not\preceq C_5} e_k \cdot \prod_{2 \le y \le 4,\; y \ne 3} g_y} = \left(a^{d_2 d_4 d_5 h_2 h_3 h_4}\right)^{e_2 e_4 g_2 g_4} = a^{d_5 h_3} \bmod n = K_{5,3}$$

Performance: Given $K_{i,(t_1,t_2)}$ and the public parameters, to derive $K_{j,t}$ the user computes

$$(K_{i,(t_1,t_2)})^{\prod_{C_k \preceq C_i,\; C_k \not\preceq C_j} e_k \cdot \prod_{t_1 \le y \le t_2,\; y \ne t} g_y} \bmod n$$

The above computation requires $r + t_2 - t_1$ modular exponentiations, where $r$ is the number of classes $C_k$ that satisfy $C_k \preceq C_i$ and $C_k \not\preceq C_j$ (one exponentiation per $e_k$ and one per $g_y$ with $y \ne t$). The key derivation complexity is the same as that of Tzeng's scheme.

    3. SECURITY ANALYSIS

Attack by an Outsider: An outsider, with knowledge of only the public parameters (the $e_i$'s and $g_y$'s), may try to derive a key in the system such as $K_i$, $K_{i,(t_1,t_2)}$, or $K_{i,t}$. Since all keys are generated from the secret parameters $a$, the $d_i$'s, and the $h_y$'s, the outsider has no way to obtain any of them.

Attack by an Insider: Using the same example shown in Figure 1, a user in $C_2$ with the key $K_{2,(2,4)}$ is unable to derive data encryption keys outside the set $\{K_{2,2}, K_{2,3}, K_{2,4}, K_{4,2}, K_{4,3}, K_{4,4}, K_{5,2}, K_{5,3}, K_{5,4}\}$. For example, the user is unable to derive the key $K_{6,3}$:

$$(K_{2,(2,4)})^{\prod_{C_k \preceq C_2,\; C_k \not\preceq C_6} e_k \cdot \prod_{2 \le y \le 4,\; y \ne 3} g_y} = \left(a^{d_2 d_4 d_5 h_2 h_3 h_4}\right)^{e_2 e_4 e_5 g_2 g_4} = a^{h_3} \bmod n \ne K_{6,3}$$

By adding one more step (raising $a^{h_3}$ to the public $g_3$), the number $a$ can be derived. Knowing $a$ provides no help in deriving data encryption keys, since that requires modular exponentiation with unknown exponents. Again, the security of the scheme relies on the same computational difficulty that the RSA algorithm is based upon: given a message $a$, it is not feasible to forge someone's signature $a^d \bmod n$ on $a$ without knowing the private key $d$.

Attack by a group of insiders: Given a data encryption key $K_{i,t} = a^{d h_t} \bmod n$, where $d = \prod_{C_k \preceq C_i} d_k$, even if both $a^d$ and $a^{h_t} \pmod n$ are separately derived by a group of malicious users, they are still unable to compute $a^{d h_t} \bmod n$. Using the example in Figure 1 once more, suppose that a user A in $C_2$, with the key $K_{2,(1,3)}$, conspires with another user B in $C_5$, with the key $K_{5,(1,5)}$. They try to collusively derive the data encryption key $K_{2,5} = a^{d_2 d_4 d_5 h_5} \bmod n$, which neither A nor B is eligible to access. A can compute

$$(K_{2,(1,3)})^{g_1 g_2 g_3} = a^{d_2 d_4 d_5} \bmod n$$

and B can compute

$$(K_{5,(1,5)})^{e_5 g_1 g_2 g_3 g_4} = a^{h_5} \bmod n.$$

Based on the RSA algorithm, with knowledge of $a$, $a^{d_2 d_4 d_5} \bmod n$ and $a^{h_5} \bmod n$, the value $a^{d_2 d_4 d_5 h_5} \bmod n$ cannot be computed within a reasonable amount of time. Note that this last step is a Diffie-Hellman-type assumption in $\mathbb{Z}_n^*$ (given $a$, $a^x$ and $a^y$, compute $a^{xy}$); the paper asserts it rather than reducing it to the RSA problem.
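The scheme of Section 2 and the three checks of Section 3 (the $K_{5,3}$ derivation, the failed $K_{6,3}$ derivation followed by recovery of $a$, and the partial values A and B obtain in the collusion) run end to end below. This is an added example, not code from the paper. It assumes toy-sized Mersenne primes (insecure, for illustration only), an arbitrary base $a$, public exponents taken as the first odd integers coprime to $\phi(n)$ from 65537 upward, and a concrete set of edges for Fig. 1 (C1 above C2 and C3, C2 above C4 and C5, C3 above C6), of which the paper states only that C4 and C5 lie below C2 and C6 does not. `data_key` is an added practitioner step for Section 4: $K_{j,t}$ is an element of $\mathbb{Z}_n$, not a uniform bit string, so it is hashed before use as a symmetric key.

```python
"""Toy end-to-end run of the RSA-based time-bound hierarchical key
assignment scheme.  Added example, not the paper's code.  Primes, base a,
exponent choice and the Fig. 1 edges are assumptions (see lead-in).
Requires Python 3.8+ for pow(x, -1, m)."""
import hashlib
from math import gcd

P, Q = 2**89 - 1, 2**107 - 1        # distinct primes, toy sizes (insecure)
N = P * Q
PHI = (P - 1) * (Q - 1)              # phi(n) = (p-1)(q-1), CA secret
A = 19088743                         # CA's secret base a, 1 < a < n (assumed)

# Assumed Fig. 1 edges, parent -> children.  The paper states only that
# C4 and C5 lie below C2 and that C6 does not.
EDGES = {1: [2, 3], 2: [4, 5], 3: [6]}
CLASSES = [1, 2, 3, 4, 5, 6]
Z = 5                                # time periods 1..5


def below(i):
    """Set of k with C_k <= C_i; C_i itself is included."""
    out, stack = set(), [i]
    while stack:
        k = stack.pop()
        if k not in out:
            out.add(k)
            stack.extend(EDGES.get(k, []))
    return out


def _coprime_exponents(count, start):
    """Distinct odd integers coprime to phi(n): the CA's e_i and g_y."""
    exps, cand = [], start
    while len(exps) < count:
        if gcd(cand, PHI) == 1:
            exps.append(cand)
        cand += 2
    return exps


_exps = _coprime_exponents(len(CLASSES) + Z, 65537)     # assumed start value
E = dict(zip(CLASSES, _exps[:len(CLASSES)]))            # public e_i
G = dict(zip(range(1, Z + 1), _exps[len(CLASSES):]))    # public g_y
D = {i: pow(E[i], -1, PHI) for i in CLASSES}            # secret d_i, e_i d_i = 1 mod phi(n)
H = {y: pow(G[y], -1, PHI) for y in G}                  # secret h_y, g_y h_y = 1 mod phi(n)


def class_key(i):
    """CA secret K_i = a^{prod_{C_k <= C_i} d_k} mod n."""
    k = A
    for c in sorted(below(i)):
        k = pow(k, D[c], N)
    return k


def user_key(i, t1, t2):
    """K_{i,(t1,t2)} = K_i^{prod_{t1<=y<=t2} h_y} mod n, issued at registration."""
    k = class_key(i)
    for y in range(t1, t2 + 1):
        k = pow(k, H[y], N)
    return k


def enc_key(j, t):
    """CA's data-encryption key K_{j,t} = K_j^{h_t} mod n."""
    return pow(class_key(j), H[t], N)


def derive(ukey, i, t1, t2, j, t):
    """Section 2 derivation from the user key and public parameters only:
    r + (t2 - t1) modular exponentiations, r = |{k: C_k <= C_i, C_k !<= C_j}|.
    No eligibility test on purpose: if C_j !<= C_i or t is outside [t1, t2],
    the result is some other power of a, not K_{j,t} (the K_{6,3} case)."""
    k = ukey
    for c in sorted(below(i) - below(j)):
        k = pow(k, E[c], N)              # cancels d_c
    for y in range(t1, t2 + 1):
        if y != t:
            k = pow(k, G[y], N)          # cancels h_y
    return k


def data_key(j, t):
    """Added step for Section 4: hash K_{j,t} into a 32-byte symmetric key."""
    nbytes = (N.bit_length() + 7) // 8
    return hashlib.sha256(enc_key(j, t).to_bytes(nbytes, "big")).digest()


def collusion_view():
    """Section 3, group of insiders: what A (C2, [1,3]) and B (C5, [1,5])
    each compute on their own, beside the target K_{2,5} = a^{d2 d4 d5 h5}."""
    a_part = pow(user_key(2, 1, 3), G[1] * G[2] * G[3], N)              # a^{d2 d4 d5}
    b_part = pow(user_key(5, 1, 5), E[5] * G[1] * G[2] * G[3] * G[4], N)  # a^{h5}
    return {"a_d2d4d5": a_part, "a_h5": b_part, "target": enc_key(2, 5)}


if __name__ == "__main__":
    uk = user_key(2, 2, 4)
    print("K_{5,3} derived correctly:", derive(uk, 2, 2, 4, 5, 3) == enc_key(5, 3))
    wrong = derive(uk, 2, 2, 4, 6, 3)
    print("K_{6,3} attempt equals K_{6,3}:", wrong == enc_key(6, 3))
    print("one more step (g_3) recovers a:", pow(wrong, G[3], N) == A)
    v = collusion_view()
    print("collusion partials hit target:", v["target"] in (v["a_d2d4d5"], v["a_h5"]))
```

Running the file prints the four checks. The successive `pow` calls mirror the paper's count of $r + t_2 - t_1$ exponentiations; multiplying the public exponents into a single integer first gives the same value in one `pow`. `derive` deliberately has no eligibility test so that the $K_{6,3}$ case produces the off-target value $a^{h_3}$ described in Section 3.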

    4. APPLICATION

This section uses ACM as an example to describe a possible application, an electronic article subscription system. ACM periodically publishes different journals. In order to offer more subscription options to subscribers, ACM may provide different subscription packages. These packages form a hierarchical structure as follows. The hierarchy has as many leaf nodes as ACM has journals. A leaf node in the hierarchy corresponds to one, and only one, journal, whereas an internal node in the hierarchy represents a package containing multiple journals. All journals listed in a package $C_j$ are also listed in its predecessors $C_i$ in the hierarchy, where $C_j \preceq C_i$. Assume that each fiscal year is a unit time period for subscription. Subscribers normally subscribe to a package for multiple years, from time period $t_1$ to $t_2$.

The proposed scheme can provide an access control solution for such an electronic article subscription system. Each leaf node $C_j$ in the hierarchy is assigned a data encryption key $K_{j,t}$ for each time period $t$. Each journal (corresponding to a leaf node) published in time period $t$ is encrypted under the leaf node's data encryption key to prevent unauthorized accesses. When a subscriber subscribes to a package $C_i$ from time period $t_1$ to $t_2$, he/she is assigned a user key $K_{i,(t_1,t_2)}$. Suppose that a journal is listed in the subscribed package $C_i$ and its corresponding leaf node is $C_j$. With the user key $K_{i,(t_1,t_2)}$, the subscriber is able to access the journal published in time period $t$, where $t_1 \le t \le t_2$, by first deriving the data encryption key $K_{j,t}$.

5. REFERENCES

[1] S. Akl and P. Taylor. Cryptographic solution to a problem of access control in a hierarchy. ACM Trans. on Computer Systems, 1:239-248, 1983.

[2] H. Chien. Efficient time-bound hierarchical key assignment scheme. IEEE Trans. on Knowledge & Data Engineering, 16(10):1301-1304, 2004.

[3] H. Chien and J. Jan. New hierarchical assignment without public key cryptography. Computers & Security, 22:523-526, 2003.

[4] L. Harn and H. Lin. A cryptographic key generation scheme for multilevel data security. Computers & Security, 9:539-546, 1990.

[5] R. Sandhu. Cryptographic implementation of a tree hierarchy for access control. Info. Processing Letters, 27:95-98, 1988.

[6] A. Santis, A. Ferrara, and B. Masucci. On the insecurity of a time-bound hierarchical key assignment scheme. Tech. Report, Dept. of Math., University of Waterloo, cacr2005-07.ps, 2005.

[7] W. Tzeng. A time-bound cryptographic key assignment scheme for access control in a hierarchy. IEEE Trans. on Knowledge & Data Engineering, 14:182-188, 2002.

[8] J. Yeh, R. Chow, and R. Newman. A key assignment for enforcing access control policy exceptions. In International Sympo. on Internet Technology, pages 54-59, 1998.

[9] X. Yi and Y. Ye. Security of Tzeng's time-bound cryptographic key assignment scheme for access control in a hierarchy. IEEE Trans. on Knowledge & Data Engineering, 15:1054-1055, 2003.
