
Novel Efficient Key Assignment Scheme for Dynamic Access Control

Novel Efficient Key Assignment Scheme for Dynamic Access Control. Yu-Li Lin and Chien-Lung Hsu, Department of Information Management, Chang-Gung University. Information Science (SCI). Reporter: Tzer-Long Chen.



  1. Novel Efficient Key Assignment Scheme for Dynamic Access Control Yu-Li Lin and Chien-Lung Hsu Department of Information Management, Chang-Gung University Information Science(SCI) Reporter: Tzer-Long Chen

  2. Outline • Abstract • Introduction • The Proposed Key Assignment Scheme • Key generation phase • Key derivation phase • A small example • Dynamic Key Management • Adding a security class, Deleting a security class, Creating a new relationship, Revoking an existing relationship, Changing a secret key. • Security Analysis • Performance Analysis • Conclusions

  3. Abstract • The proposed scheme is secure against some potential attacks only based on the intractability of reversing one-way hash function. • The proposed scheme can efficiently deal with dynamic access control problems. • The storage required for public and private parameters is significantly reduced.

  4. Introduction • [4] Y.F. Chung, H.H. Lee, F. Lai, “Access Control in User Hierarchy Based on Elliptic Curve Cryptosystem,” Information Sciences, Vol. 178, pp. 230-243, 2008. • This will reduce the key management costs. Performance of the proposed scheme is more efficient than that of the Chung et al. scheme in terms of the computational complexities and storage of public and private parameters.

  5. The Proposed Key Assignment Scheme • Let SC={SC1, SC2, …, SCn} be a user hierarchy with n disjoint sets of security classes which are partially ordered by binary relation “≦”. • Let IDi be the identity for the security class SCi. • The proposed scheme requires a central authority (CA) to maintain all public system parameters and functions. • CA selects and publishes a large prime p and a one-way hash function h( ).

  6. Key Generation Phase • CA randomly chooses a distinct secret key ski and a random number Ri for each security class SCi in the hierarchy, i=1, 2, …, n. • For any higher security class SCl to derive the encryption key h(ski∥Ri) of each security class SCi, CA computes the polynomial fi(x) over GF(p) by • Finally, CA sends the secret key ski to the security class SCi via a secure channel and publishes (fi(x), Ri).

  7. Key Derivation Phase • Step 1. Use its secret key ski, identity IDi, SCj’s identity IDj, and SCj’s public random number Rj to compute • Step 2. Use and the public polynomial fj(x) to derive SCj’s encryption key h(skj∥Rj) as h(skj ∥Rj) =fj( )

  8. Example • Suppose there is a set of six disjoint security classes in a hierarchy as in Fig. 1 • CA chooses a distinct secret key ski and a random number Ri for each security class SCi in the hierarchy, where i=1, 2, …, n. • When the security class SC2 wants to derive the encryption key h(sk4∥R4) of the class SC4, it can use the secret key sk2 and public information to calculate and then compute the polynomial fj(x) for each security class by the following equations:

  9. Example

  10. Example • When the security class SC2 wants to derive the encryption key h(sk4 || R4 ) of the class SC4 , it can use the secret key sk2 and the public information to calculate and then compute h(sk4 || R4 ) = f4 ( )

  11. Dynamic Key Management • Adding • Deleting • Creating a new relationship • Revoking an existing relationship • Changing a secret key

  12. Adding a Security Class • Step 1. Assign a secret key skk and random number Rk for the security class SCk. • Step 2. For each SCj (where SCj≦SCk≦SCi), replace the public function fj(x) with f’j(x) where • Step 3. Construct the public polynomial fk(x) using h(ski∥Rk∥IDi∥IDj) by where ∥ is a bit concatenation operator • Step 4. Finally, CA sends the secret key skk to SCk via a secure channel and publishes the public information (Rk, fk(x), f’j(x))

  13. Adding a Security Class Update New

  14. Adding a Security Class • Step 1. Assign a secret key sk7 and a random number R7 for the security class SC7. • Step 2. Replace the public polynomial f6(x) with f6′(x) as f6′(x) = (x − h(sk1 || R6 || ID1 || ID6))(x − h(sk3 || R6 || ID3 || ID6))(x − h(sk7 || R6 || ID7 || ID6)) + h(sk6 || R6) mod p. Note that before SC7 is added into the hierarchy, the public polynomial f6(x) is formed as f6(x) = (x − h(sk1 || R6 || ID1 || ID6))(x − h(sk3 || R6 || ID3 || ID6)) + h(sk6 || R6) mod p • Step 3. Construct the public polynomial f7(x) using h(sk1 || R7 || ID1 || ID7) by f7(x) = (x − h(sk1 || R7 || ID1 || ID7)) + h(sk7 || R7) mod p • Step 4. Replace f6(x) with f6′(x). • Step 5. Publish (f7(x), R7) and send sk7 to the security class SC7 via a secure channel.
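The key generation, key derivation and add-a-class steps of slides 6, 7 and 14, as an added Python example that is not code from the presentation or the paper. Assumptions: SHA-256 reduced mod p stands in for h( ), p = 2^127 − 1, a length-prefixed encoding stands in for ∥, the IDs are small integers, and the six-class hierarchy is constructed to match the worked formulas because Fig. 1 is not reproduced in this transcript.

```python
import hashlib, secrets

P = 2**127 - 1  # assumed public prime p (a Mersenne prime)

def h(*parts):
    """One-way hash into GF(P): SHA-256 over length-prefixed parts (assumed encoding of ||)."""
    d = hashlib.sha256()
    for part in parts:
        b = str(part).encode()
        d.update(len(b).to_bytes(4, "big") + b)
    return int.from_bytes(d.digest(), "big") % P

def build_poly(j, preds, sk, R):
    """Expanded coefficients (low order first) of
    f_j(x) = prod_i (x - h(sk_i||R_j||ID_i||ID_j)) + h(sk_j||R_j) mod P."""
    coeffs = [1]
    for i in preds:
        root = h(sk[i], R[j], i, j)
        nxt = [0] * (len(coeffs) + 1)
        for k, c in enumerate(coeffs):      # multiply by (x - root)
            nxt[k] = (nxt[k] - root * c) % P
            nxt[k + 1] = (nxt[k + 1] + c) % P
        coeffs = nxt
    coeffs[0] = (coeffs[0] + h(sk[j], R[j])) % P
    return coeffs

def derive(sk_i, i, j, R_j, f_j):
    """SC_i evaluates the public f_j at h(sk_i||R_j||ID_i||ID_j) (Horner's rule)."""
    x, acc = h(sk_i, R_j, i, j), 0
    for c in reversed(f_j):
        acc = (acc * x + c) % P
    return acc

def demo():
    # Constructed six-class hierarchy (class -> predecessors), assumed for illustration.
    preds = {1: [], 2: [1], 3: [1], 4: [1, 2], 5: [1, 2, 3], 6: [1, 3]}
    sk = {i: secrets.randbits(128) for i in preds}
    R = {i: secrets.randbits(128) for i in preds}
    f = {j: build_poly(j, preds[j], sk, R) for j in preds}
    out = {"sc2_gets_k4": derive(sk[2], 2, 4, R[4], f[4]) == h(sk[4], R[4]),
           "sc3_gets_k4": derive(sk[3], 3, 4, R[4], f[4]) == h(sk[4], R[4])}
    # Add SC7 between SC1 and SC6: only f6 is rebuilt and f7 created; R6 and sk6 stay.
    sk[7], R[7] = secrets.randbits(128), secrets.randbits(128)
    preds[7], preds[6] = [1], [1, 3, 7]
    f[6], f[7] = build_poly(6, preds[6], sk, R), build_poly(7, preds[7], sk, R)
    out["sc7_gets_k6"] = derive(sk[7], 7, 6, R[6], f[6]) == h(sk[6], R[6])
    out["sc1_gets_k7"] = derive(sk[1], 1, 7, R[7], f[7]) == h(sk[7], R[7])
    return out

if __name__ == "__main__":
    print(demo())
```

The polynomial is stored as expanded coefficients because the factored form would expose its roots, and evaluating f_j at any root yields the class key.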

  15. Deleting a Security Class • Step 1. Renew a random number Rj as R’j of SCi for all the successors SCj of SCk (SCk ≧SCj) • Step 2. Compute the public polynomial f’j(x) as and replace fj(x) with f’j(x). • Step 3. Delete the security class SCk from the hierarchy and discard the secret key and public parameters of SCk.

  16. Deleting a Security Class Update New

  17. Deleting a Security Class • Step 1. Renew two random numbers R5′ and R6′ for the security class SC5 and SC6, respectively. • Step 2. Replace the public function f5(x) with f5′(x) as f5′(x) = (x − h(sk1 || R5′ || ID1 || ID5))(x − h(sk2 || R5′ || ID2 || ID5)) + h(sk5 || R5′) mod p • Step 3. Replace the public function f6(x) with f6′(x) as f6′(x) = (x − h(sk1 || R6′ || ID1 || ID6)) + h(sk6 || R6′) mod p • Step 4. Publish (f5′(x), f6′(x), R5′, R6′).

  18. Creating a New Relationship • Step 1. Randomly choose a public number Rl and a secret key skl for SCl • Step 2. For all SCi ≥ SCl if {SCi | (SCi ,SCl )}∈Ri,l does not hold until SCk ≥ SCl is created such that SCi ≥ SCk ≥ SCl ≥ SCj compute h(ski ||Rl ||IDi ||IDj ) and h(skk ||Rl ||IDk ||IDl ) end if end for • Step 3. Construct the public polynomial fl (x) as

  19. Creating a New Relationship • Step 4. For all SCi≥ SCl if {SCi | (SCi ,SCl )}∈Ri,l does not hold until SCk ≥ SCl is created such that SCi ≥ SCk ≥ SCl ≥ SC j for all {SCi | (SCi ,SCj )}∈Ri,j compute h(ski ||Rj ||IDi ||IDj ), h(skk ||Rj ||IDk ||IDj ) and h(skl ||Rj ||IDl ||ID) end for end if end for

  20. Creating a New Relationship • Step 5. Construct the public polynomial fj′(x) as where || is a bit concatenation operator and h(⋅) is a one-way hash function. • Step 6. Replace fj(x) with fj′(x) • Step 7. Publish fj′(x) and fl(x)

  21. Creating a New Relationship Update New

  22. Creating a New Relationship • Step 1. Renew a random number R6′ for the security class SC6. • Step 2. Replace f6(x) with f6′(x) as f6′(x) = (x − h(sk1 || R6′ || ID1 || ID6))(x − h(sk2 || R6′ || ID2 || ID6))(x − h(sk3 || R6′ || ID3 || ID6))(x − h(sk5 || R6′ || ID5 || ID6)) + h(sk6 || R6′) mod p • Step 3. Publish (f6′(x), R6′).

  23. Revoking an Existing Relationship • Step 1. For all SCi ≥ SCl: renew a random number Rl as Rl′; construct the public polynomial fl′(x) as end for • Step 2. For all SCk ≥ SCj: renew a random number Rj as Rj′; construct the public polynomial fj′(x) as end for • Step 3. Revoke the relationship SCk ≥ SCl and publish (Rl′, Rj′, fl′(x), fj′(x)).

  24. Revoking an Existing Relationship Update New

  25. Revoking an Existing Relationship • Step 1. Renew the random number R5 with R5′. • Step 2. Renew the public polynomial f5(x) with f5′(x) as f5′(x) = (x − h(sk1 || R5′ || ID1 || ID5))(x − h(sk3 || R5′ || ID3 || ID5)) + h(sk5 || R5′) mod p • Step 3. Revoke the relationship SC2 ≥ SC5 and publish (f5′(x), R5′).

  26. Changing a Secret Key • It is necessary to change the derivation key for some security consideration. When a security class SCi wants to change its secret key ski to ski′, • CA needs to update the public functions of SC j ( SC j ≤ SCi ) and all other keys or information items do not need to be changed.

  27. Security Analysis • Compromising Attack • Equation Attack • Collaborative Attack • Interior Collecting Attack • Exterior Collecting Attack

  28. Compromising Attack • Consider the scenario that a successor SCj (SCj ≤ SCi) who knows the public parameters (IDi, Rj, fj(x)) attempts to derive SCi’s secret key ski. • Even if h(ski || Rj || IDi || IDj) is known to the adversary, it is still difficult to compute the secret key ski of the security class SCi, because it is computationally infeasible to invert the one-way hash function.

  29. Equation Attack • If two security classes have the common successor(s), one of them might attempt to use the public polynomial(s) of the common successor(s) for deriving unauthorized secret keys.

  30. Equation Attack • We use the example depicted in Fig. 1 to demonstrate that the relationships SC2 ≥ SC5 and SC3 ≥ SC5 . SC2 might attempt to obtain SC3’s secret key sk3 through SC5’s public information f5(x). Let x = 0 , then It can be seen that the derivation of SC3’s secret key sk3 is based on the difficulty of solving one-way hash function.

  31. Collaborative Attack • Consider the scenario that two or more security classes at lower level in the user hierarchy want to derive a secret key at higher level. • Let SCj , SCk , and SCl be the successors of SCi. • For these above equations, deriving ski is based on the difficulty of solving one-way hash function.

  32. Interior Collecting Attack • Consider the scenario that there is a lower-level security class SCj with m predecessors, which are SCi, SCi+1, …, and SCi+m−1 . • Solving ski is based on the difficulty of solving one-way hash function. …

  33. Exterior Collecting Attack • Assume that an intruder comes from outside the system; he may try to compute the secret key ski of a security class by using only the public parameters. • Solving ski is based on the difficulty of solving one-way hash function.

  34. Performance Analysis

  35. Conclusions • The secret key for each security class is reusable for dynamic access control problems. Key management costs of the proposed scheme are smaller than those of Chung et al.’s scheme. • The proposed scheme can efficiently deal with dynamic access control problems. • The storage required for public and private parameters is significantly reduced. • Performance of the proposed scheme is more efficient than that of Chung et al.’s schemes in terms of the computational complexities and the storage.
