On Key Assignment for Hierarchical Access Control

Transcription

1 On Key Assignment for Hierarchical Access Control Information Security Group, Royal Holloway, University of London

2 On Key Assignment for Hierarchical Access Control/Introduction What is hierarchical access control? Assume the existence of a set of users U and a set of objects O Assume the existence of a partially ordered set (X, ) and a function λ : U O X X associates each entity e with a security label λ(e) u U may access o O if λ(u) λ(o) Sometimes known as the simple security property Cornerstone of many military security policies

3 On Key Assignment for Hierarchical Access Control/Introduction Example X = {unclassified, classified, secret, top secret} unclassified < classified < secret < top secret λ(george) = top secret, λ(jason) = classified george can access any object jason can access any unclassified or classified object

4 On Key Assignment for Hierarchical Access Control/Introduction What is a key assignment scheme? The simple security property can be enforced by encrypting objects and supplying users with appropriate keys Give george k u, k c, k s and k t Give jason k u and k c george has to maintain a number of different keys can we do better?

5 On Key Assignment for Hierarchical Access Control/Introduction Key encrypting scheme Choose keys k u, k c, k s and k t as before Publish E kt (k s ), E ks (k c ), and E kc (k u ) Give george k t and jason k c george can decrypt any key using his key jason can decrypt k u using his key, but cannot (feasibly) compute k s or k t

6 On Key Assignment for Hierarchical Access Control/Introduction Key encrypting scheme for trees Partially ordered set (X, ) is defined by reflexive, anti-symmetric, transitive, binary relation on X Hasse diagram is graph of reflexive, transitive reduction of If (Hasse diagram of) X is a tree then Publish {E κ(x) (κ(y)) : y x} For any x, y X such that y x, there exists a unique path y = z 0 z 1 z n = x If user has security label x she can derive κ(y) by obtaining the keys κ(z n 1 ),...,κ(z 0 )

7 On Key Assignment for Hierarchical Access Control/Introduction Motivation How do we handle arbitrary posets? There is not a unique path from x 1 to x 5 x 4 x 2 x 1 x 5 x 3 x 6

8 On Key Assignment for Hierarchical Access Control/Introduction Motivation There are many schemes in the literature Rely on specific cryptographic primitives Do not consider basic requirements and features of key assignment schemes We want to develop an abstract approach to key assignment schemes Classify existing schemes Evaluate the respective merits of different types of scheme

9 On Key Assignment for Hierarchical Access Control/Introduction Structure of talk Key assignment schemes for arbitrary posets The Akl-Taylor scheme Simplifying the Akl-Taylor scheme A hybrid key assignment scheme

10 On Key Assignment for Hierarchical Access Control/Key assignment schemes Key assignment schemes

11 On Key Assignment for Hierarchical Access Control/Key assignment schemes Basic concepts We assume the existence of a scheme administrator (trusted centre) A key assignment scheme comprises four algorithms makekeys returns a labelled set of encryption keys (κ(x) : x X) makesecrets returns a labelled set of secret values (σ(x) : x X) makepublicdata returns a set of data Pub that is made public by the trusted centre getkey takes x, y X, σ(x) and Pub and returns κ(y) whenever y x A scheme has independent keys if the keys can be chosen independently of each other and Pub

12 On Key Assignment for Hierarchical Access Control/Key assignment schemes Benchmarks Amount of secret data that needs to be distributed to and stored by end users Amount of data that needs to be made public Complexity of key derivation Complexity of key update (if user leaves or key is compromised) Key independency

13 On Key Assignment for Hierarchical Access Control/Key assignment schemes Trivial key assignment scheme Independent keys κ(x) σ(x) = (κ(y) : y x) Pub = κ(y) σ(x) so key derivation is trivial σ 2 = {κ 2, κ 4, κ 5 } x 4 x 1 x 3 x 2 x 5 x 6

14 On Key Assignment for Hierarchical Access Control/Key assignment schemes Trivial key assignment scheme Independent keys κ(x) σ(x) = (κ(y) : y x) Pub = κ(y) σ(x) so key derivation is trivial High private storage costs No public storage High update costs for private data

15 On Key Assignment for Hierarchical Access Control/Key assignment schemes Trivial key encrypting key assignment scheme Independent keys κ(x) and set of key encrypting keys K(X) σ(x) = (K(y) : y x) Pub = (E K(x) (κ(x)) : x X) κ(y) is obtained by decrypting E K(y) (κ(y)) Pub using K(y) σ(x) σ 2 = {K 2, K 4, K 5 } Pub = {E K1 (κ 1 ), E K2 (κ 2 ),...} x 4 x 1 x 3 x 2 x 5 x 6

16 On Key Assignment for Hierarchical Access Control/Key assignment schemes Trivial key encrypting key assignment scheme Independent keys κ(x) and set of key encrypting keys K(X) σ(x) = (K(y) : y x) Pub = (E K(x) (κ(x)) : x X) κ(y) is obtained by decrypting E K(y) (κ(y)) Pub using K(y) σ(x) High private storage costs High public storage costs Very low costs for update of κ(y) High costs for update of K(y)

17 On Key Assignment for Hierarchical Access Control/Key assignment schemes Direct key encrypting key assignment scheme Independent keys κ(x) σ(x) = κ(x) Pub = (E κ(x) (κ(y)) : y < x) κ(y) is obtained by decrypting E κ(x) (κ(y)) Pub using κ(x) Pub = {E κ1 (κ 2 ), E κ1 (κ 4 ),...} x 4 x 1 x 3 x 2 x 5 x 6

18 On Key Assignment for Hierarchical Access Control/Key assignment schemes Direct key encrypting key assignment scheme Independent keys κ(x) σ(x) = κ(x) Pub = (E κ(x) (κ(y)) : y x) κ(y) is obtained by decrypting E κ(x) (κ(y)) Pub using κ(x) Minimizes private storage costs High public storage costs Moderate costs for update of private and public data

19 On Key Assignment for Hierarchical Access Control/Key assignment schemes Iterative key encrypting key assignment scheme Independent keys κ(x) σ(x) = κ(x) Pub = (E κ(x) (κ(y)) : y x) κ(y) is obtained by decrypting κ(z) for all z on a path from x to y Pub = {E κ1 (κ 2 ), E κ2 (κ 4 ),...} x 4 x 1 x 3 x 2 x 5 x 6

20 On Key Assignment for Hierarchical Access Control/Key assignment schemes Iterative key encrypting key assignment scheme Independent keys κ(x) σ(x) = κ(x) Pub = (E κ(x) (κ(y)) : y x) κ(y) is obtained by decrypting κ(z) for all z on a path from x to y Minimizes private storage costs Minimizes public storage costs Moderate costs for update of private and public data Key derivation is iterative

21 On Key Assignment for Hierarchical Access Control/Key assignment schemes IKEKAS example Atallah, Frikken and Bykova (CCS 2005) Pub = {κ(y) h(κ(x), y) : y x}, h is a hash function User with security label x can recover κ(y) by computing h(κ(x), y) All the schemes we have considered thus far make use of the order relation or the covering relation Collectively, we call these schemes edge-based

22 On Key Assignment for Hierarchical Access Control/Key assignment schemes Node-based key assignment scheme Pub (e(x) : x X) κ(x) = f(e(x)) f is a secret function There exists a public algorithm g such that for all y x g(f(e(x)), e(x), e(y)) = g(κ(x), e(x), e(y)) = κ(y) By construction κ(y) can be derived (directly) from κ(x) (using g) Dependent keys (κ(x) = f(e(x)))

23 On Key Assignment for Hierarchical Access Control/Key assignment schemes Summary Scheme Storage Update κ(x) Private Public Private Public TKAS x 0 ( x) 0 TKEKAS x m ( x) ( x) DKEKAS 1 e x x + x IKEKAS 1 c x x NBKAS 1 m?? x = {y X : y x} x = {y X : y x} m = X e = {(y, x) : y x} c = {(y, x) : y x}

24 On Key Assignment for Hierarchical Access Control/Key assignment schemes Summary We surveyed about 30 papers in the literature 2 are TKAS 3 are TKEKAS 2 are DKEKAS 7 are IKEKAS 12 are NBKAS A couple of weird hybrids Often clumsy and almost always over-complicated Wide variety of cryptographic and mathematical techniques RSA Rabin cryptosystem Polynomial interpolation Chinese remainder theorem Discrete logs Sibling intractable function families Hash functions with collisions

25 On Key Assignment for Hierarchical Access Control/Key assignment schemes An example from the literature

26 On Key Assignment for Hierarchical Access Control/The Akl-Taylor scheme The Akl-Taylor scheme

27 On Key Assignment for Hierarchical Access Control/The Akl-Taylor scheme Introduction Akl and Taylor (ACM Trans. Comp. Sys., 1983) Pub = {n} (e(x) : x X) n = pq, p and q are large primes e(x) e(y) if and only if y x κ(x) = s e(x) mod n, s Z n Note that (s e(x) ) e(y) e(x) = s e(y) Hence κ(y) = (κ(x)) e(y) e(x) It is only feasible to compute κ(y) if y x Policy enforcement relies on the assumption that it is difficult to compute integral roots modulo n (where n is composite) and the choice of e

28 On Key Assignment for Hierarchical Access Control/The Akl-Taylor scheme Choosing public parameters It can be shown that particular choices of e(x) are good It is not possible for any set of users to obtain a key that one of them couldn t already obtain See paper for details about resistance to collusion attacks Proposition 1 (Akl and Taylor) κ(y) can be feasibly computed from a set of keys κ(y ), Y X, if and only if gcd{e(x) : x Y } e(y) Corollary 2 (Akl and Taylor) A collusion secure scheme has the following property for all y X gcd{e(x) : x y} e(y)

29 On Key Assignment for Hierarchical Access Control/The Akl-Taylor scheme Choosing public parameters Associate a prime p(x) with each x X and define e(x) = z x p(z) To derive κ(x 5 ) from κ(x 2 ) compute = 3.7 compute (κ(x 2 )) 3.7 mod n It is this instantiation of the scheme that has inspired much of the subsequent research on key assignment schemes

30 On Key Assignment for Hierarchical Access Control/The Akl-Taylor scheme Characteristics claimed of Akl-Taylor scheme Low private storage High public storage (product of primes is O(m log m)) Direct key derivation (but does require division of two products of primes and exponentiation) High cost for update of public data High costs for update of private data

31 On Key Assignment for Hierarchical Access Control/Simplifying the Akl-Taylor scheme Simplifying the Akl-Taylor scheme

32 On Key Assignment for Hierarchical Access Control/Simplifying the Akl-Taylor scheme Some observations The Akl-Taylor scheme has the following characteristics the enforcement of the simple security property relies on the fact this it is difficult to computer integral roots y x implies e(x) e(y) In other words, e : X D(k), where k = x X p(x) and e(x) = p(x) x X y x p(x) Essentially e is an encoding of the structure of X using order filters

33 On Key Assignment for Hierarchical Access Control/Simplifying the Akl-Taylor scheme A simpler embedding Define p : X P, where P is the set of primes, and e : X 2 X, where e (x) = X \ x Proposition 3 e = p e Instead of using products of primes as the public information, we encode subsets of X as binary strings and publish them along with p e (x) can be represented as a string of m bits e(y)/e(x) can be computed by evaluating e (y) e (x) and then multiplying the appropriate primes

34 On Key Assignment for Hierarchical Access Control/Simplifying the Akl-Taylor scheme Example x 4 x 1 x 3 x 2 x 5 x e (x 2 ) = , e (x 5 ) = e (x 2 ) e (x 5 ) = e(x) = p(x 2 )p(x 5 ) = 3.7 (which corresponds to the quotient of and )

35 On Key Assignment for Hierarchical Access Control/Simplifying the Akl-Taylor scheme Updates in the Akl-Taylor scheme and IKEKAS Proposition 4 In changing κ(x) it is necessary to change min{ L \ z : z x} keys One prime p(z), where z x Proposition 5 In changing κ(x) in IKEKAS it is necessary to change x keys O( x ) items of public information

36 On Key Assignment for Hierarchical Access Control/Simplifying the Akl-Taylor scheme Characteristics of simplified Akl-Taylor scheme Time complexity of computing the quotient of e(x) and e(y) reduces from O(m 2 log 2 m) to O(1) Update of public information is trivial because only one prime needs to be changed Updating all keys requires no change to public information (since we simply choose new secret parameter s ) Public storage reduces from O(m 2 log m) to O(m 2 ) Update of secret information remains the same

37 On Key Assignment for Hierarchical Access Control/Conclusions Conclusions

38 On Key Assignment for Hierarchical Access Control/Conclusions Contributions Classification of key assignment schemes Comparison of characteristics of such schemes Evaluation of many schemes in the literature Improvement to implementation of Akl-Taylor Significant reduction in key derivation complexity Reduction in storage requirements Improved insight into key udpates Development of hybrid key assignment scheme Poset partitioned into domains Each domain has a NBKAS Components of domain linked using IKEKAS

39 On Key Assignment for Hierarchical Access Control/Conclusions Future work