Trade-Offs in Cryptographic Schemes for

Transcription

1 in Cryptographic Jason Crampton Information Security Group Royal Holloway, University of London NordSec 2009

2 Cryptographic

3 Cryptography for Suppose we have a poset of security labels (L, ) Each x L is associated with a cryptographic key κ(x) Each user u is associated with a security label λ(u) L Each protected object o is associated with a label λ(o) L and encrypted using κ(λ(o)) top secret secret classified unclassified

4 Cryptography for Suppose we have a poset of security labels (L, ) Each x L is associated with a cryptographic key κ(x) Each user u is associated with a security label λ(u) L Each protected object o is associated with a label λ(o) L and encrypted using κ(λ(o)) top secret secret classified unclassified u should be able to derive κ(y) for all y λ(u) We ignore the trivial solution in which u is given {κ(y) : y λ(u)} We focus on solutions in which the user is given a single key

5 A Generic Solution Given an acyclic directed graph G = (V,E) For each edge (x,y), publish information that enables the computation of κ(y) given κ(x) Typical instantiation is to publish G and Enc κ(x) (κ(y)) for all (x,y) E u can only (feasibly) compute κ(y) with knowledge of κ(x) The computation can be repeated to derive keys along any path in G

6 The enforcement model proposed requires iterative key derivation In the worst case a user will need to derive d keys, where d is the diameter of G (the length of the longest path in the graph G) Alternatively, we could compute E and then publish information for the policy defined by G = (V,E ) Key derivation always requires a single step The amount of public information increases

7 Example 12 edges d = 3 25 edges d = 1 [All edges are directed downwards]

8 Cryptographic

9 Authorization Information is released periodically Each period has an associated encryption key Users are authorized to access information for a certain (continuous) interval of time One possible application is subscription-based services

10 and Hierarchical Model the set of time intervals as a poset ordered by subset inclusion Denote the time periods by t1,..., t m Let L = {[i, j] : 1 i j m} Suggested in CSFW 2006, first schemes appeared in CCS 2006 and ESORICS 2007 User authorized for time period [t i,t j ] is assigned [i,j] L Resource published at time point t i is assigned [i,i] L [1,5] [2,3] [2,2] [3,3]

11 The Naïve Approach Use iterative key encrypting scheme There are m(m 1) edges User has a single key Key derivation requires no more than m 1 hops [1,5] [2,3] [2,2] [3,3]

12 The Naïve Approach Use iterative key encrypting scheme There are m(m 1) edges User has a single key Key derivation requires no more than m 1 hops [1,5] [2,3] [2,2] [3,3] What trade-offs are possible for this particular poset and this particular application?

13 A Crucial Observation Protected objects are keys used to encrypt data for a particular period The key for period i is assigned label [i,i] No labels need be assigned to any other object Users only need to derive keys for labels of the form [i,i] This statement is not true in general (compare L = {top secret, secret, classified, unclassified}) Hence, we can focus on re-engineering the directed graph so that we can get from node [i,j] to node [k,k], i k j, as quickly as possible

14 A Direct Scheme Note that we can simply connect every non- leaf node to the appropriate leaf nodes We require 1 6m(m 1)(m + 4) edges Key derivation requires a single hop

15 Problem Summary Given L = {[i,j] : 1 i j m} find an edge set E such that there exists a path from [i,j] to [k,k] for all k [i,j] the edge set is small the maximum number of hops is small?

16 Cryptographic

17 Reducing the Derivation Time Triangle T 2n contains two copies of T n and one copy of D n The edges connecting nodes in D n are redundant Replace two edges from each node in D n with two edges that enter T n Number of edges remains the same Derivation requires no more than h n + 1 hops, where h n is number of hops for T n

18 Reducing the Derivation Time Triangle T 2n contains two copies of T n and one copy of D n The edges connecting nodes in D n are redundant Replace two edges from each node in D n with two edges that enter T n Number of edges remains the same Derivation requires no more than h n + 1 hops, where h n is number of hops for T n Since h 2n = h n + 1 and h 2 = 1, derivation for T n requires no more than log 2 n hops

19 Skipping a Level Triangle T 4n contains two copies of T 2n, one copy of D 2n and four copies of T n Split D 2n into four copies of D n Replace two edges from each node in D n with edges connecting it to copies of T n

20 Skipping a Level Triangle T 4n contains two copies of T 2n, one copy of D 2n and four copies of T n Split D 2n into four copies of D n Replace two edges from each node in D n with edges connecting it to copies of T n Derivation requires no more than h 2n hops (if h n < h 2n ) If h2n = h n + 1, then h 4n = h n + 1 = h 2n

21 Applications and Generalizations Lemma For n = 2 m, we can construct a scheme where e n 3 2 n(n 1) and h n = 1 2 log 2 n Lemma For n = 2 2k, we can construct a scheme for T n, where e n ne n = 1 6 n n( n 1)( n + 4) and h n = log 2 log 2 n

22 Nodes and Supernodes If n = ab, then T n can be regarded as a b-triangle in which the supernodes are a-triangles and a-diamonds n = 12, a = 4 and b = 3

23 A 2-Hop Scheme We create a 2 copies of a direct scheme for T b (one for each node in the supernode) We create b copies of a direct scheme for T a (one for each triangle supernode)

24 A 2-Hop Scheme We create a 2 copies of a direct scheme for T b (one for each node in the supernode) We create b copies of a direct scheme for T a (one for each triangle supernode) Then we can get from any node in a diamond supernode to a node in a triangle supernode in one hop We can also get from any node in a diamond supernode to a leaf node in one hop The number of edges required is given by 1 n(a(b 1)(b + 4) + (a 1)(a + 4)) 6

25 Minimizing the Number of Edges Clearly, the number of edges will vary with a and b Some high school calculus shows that the number of edges is minimized when a = 1 2 (b2 + 1) a b Edges 2a b

26 Minimizing the Number of Edges Clearly, the number of edges will vary with a and b Some high school calculus shows that the number of edges is minimized when a = 1 2 (b2 + 1) a b Edges 2a b Note that a = b = n is not optimal The number of edges is 1 6 n(n 1)( n + 4) For n = 256, choosing a = 32 and b = 8 yields a scheme with edges, whereas the scheme in which a = b = 16 requires

27 Cryptographic

28 Atallah et al (ESORICS 2007) Insert additional edges in Tn so that key derivation requires small number of steps for each straight path in T n These constructions are based on known schemes for total orders Then for Tn, recursively construct schemes for T n De Santis et al (CCS 2006) Use techniques due to Thorup and to Dushnik and Miller for reducing the diameter of an acyclic DAG Neither approach makes use of the crucial observation Both approaches apply generic techniques to full Hasse diagram

29 Comparison Edges Derivation Crampton n(n 1) log 2 n 3 2 n(n 1) 1 2 log 2 n 1 6 n(n 1)( n + 4) 1 2 Atallah et al O ( n 2) O (log 2 n) O ( n 2 log 2 n ) 4 De Santis et al O ( n 2) O (log 2 n log 2 n) O ( n 2 log 2 n ) O (log 2 n) O ( n 2 log 2 n log 2 (log 2 n) ) 3 1 [Not optimal]

30 Advantages of my approach Attacks the problem directly and makes use of specific characteristics of problem Existing approaches apply known shortcutting techniques to graph May be possible to apply shortcutting techniques to my constructions to obtain further improvements Explicit formulae (rather than asymptotic behaviour) for storage and number of hops Makes it simpler to decide which scheme is most appropriate for a given value of n For values of n that are likely to be used in practice my schemes are likely to be a good choice My schemes can be implemented directly using existing iterative key encrypting schemes

31 References M.J. Atallah, M. Blanton, and K.B. Frikken. Incorporating temporal capabilities in existing key management schemes. ESORICS 2007 G. Ateniese, A. De Santis, A.L. Ferrara, and B. Masucci. Provably-secure time-bound hierarchical key assignment schemes. ACM CCS 2006 J. Crampton, K. Martin, and P. Wild. On key assignment for hierarchical access control. CSFW 2006 A. De Santis, A.L. Ferrara, and B. Masucci. New constructions for provaby-secure time-bound hierarchical key assignment schemes. SACMAT 2007