Malaysian Journal of Computer Siene, Vol 10 No 1, June 1997, pp 36-41 A DYNAMIC ACCESS CONTROL WITH BINARY KEY-PAIR Md Rafiqul Islam, Harihodin Selamat and Mohd Noor Md Sap Faulty of Computer Siene and Information Systems Universiti Teknologi Malaysia Jalan Semarak 54100 Kuala Lumpur Malaysia Tel: 603-2904957 Fax: 603-2930933 email: mm0004@utmklutmmy ABSTRACT Based on the onept of an aess ontrol matrix, a new dynami aess ontrol sheme with binary key-pair is proposed, whih is different from those based on onept of key-lok pairs In the proposed sheme, eah user is assigned a pair of binary keys, whih are derived from the aess rights with respet to the files The derivation of the aess rights is simple The method has a speial feature, a file or user an be added to or removed from the system without muh effort Keywords: Dynami aess ontrol, Key-pair 10 INTRODUCTION Aess ontrol is very important in information seurity systems, beause of the inreasing omplexity of various sorts of information, the large number of users, and the widely used ommuniation networks The issue of information protetion inludes serey, authentiity and availability The so-alled information privay is defined as a deision-making of a subet s privilege to aess ertain information However, information seurity is a method or a tehnique by whih the deision of information privay is exeuted to protet the legitimate aess and to reet the illegitimate one In 1972 Graham and Denning [2] developed the abstrat protetion model for omputer systems The model is based upon protetion system defined by a triple (S, O, A, Where: 1 S is a set of subets (or aessors, the ative entities of the model 2 O is a set of obets (or resoures, the proteted entities of the models 3 A is an aess matrix, with rows and olumns orresponding to subets and obets respetively An entry a i lists the aess rights (privileges of subets S i and obet O The aess ontrol for a omputer system is ahieved by employing an aess ontrol matrix, as depited in Fig 1 Here the user U 1 an Exeute file F 3 and Exeute/Read file F 4 and U 3 an Exeute/Read/Write file F 2 In 1984 Wu and Hwang [3] proposed an alternative Sheme storing ust one key for eah user and one lok for eah file To figure out aess rights a i s of users to files, a funtion f of Key K i and Lok L is used Mathematially, a i = f (K i, L (1 Files F 1 F 2 F 3 F 4 F 5 F 6 Users U 1 0 0 0 0 U 2 4 0 1 0 0 0 U 3 0 3 0 0 2 0 U 4 0 2 0 2 0 3 U 5 4 0 3 0 0 0 0: No aess 1: Exeute 2: Exeute/Read 3: Exeute/Read/Write 4: Exeute/Read/Write/Delete Fig 1: Aess ontrol matrix 36
A Dynami Aess Control With Binary Key-Pair Several relevant methods appeared in the literature after Wu and Hwang s work [4-9] Hwang et al in 1992 proposed a protetion method using prime fatorization [9] In 1994 Chang et al [10] introdued a method with binary keys We are inspired by these two methods and proposed an aess ontrol sheme using binary pair-keys for eah user From Hwang et al s method we exploit only the idea of using non-zero entries The next setion reviews Chang et al s method whih is our main inspiration 20 THE BINARY KEY METHOD This method is proposed by Chang et al [10] for implementation of aess ontrol matrix in distributed systems In this sheme, eah user is assigned a binary key, whih is derived from the aess rights with respet to the files The binary key is possessed by the user, and an be used to derive the aess right to the files Here eah a i in aess ontrol matrix is rewritten in its 1 binary form b i as ( bi b 2 i bi where = 1 + log w and w is the maximal value of a i s The binary form of an aess ontrol matrix with m users and n files is depited in Fig 2 The key vetors for eah user are defined as follows: = (, = ( 2 2, K b b b 1 1 1 i1 i1 i in K b b b i2 i 2 1 i 2 in (2 Ki = ( bi 1 bi 2 bin If K is the th bit in the binary Key K ir ir, then = ( ai Ki 1 Ki 2 Ki (3 By onsidering the aess ontrol matrix in Fig 1, a binary aess ontrol matrix an be found as shown in Fig 3 Aording to equation (2, the key vetors for users U 1, U 2, U 3, U 4 and U 5 are assigned as [Fig 3]: User U 1 : K 11 = 000000 K 12 = 000100 K 13 = 000000, User U 2 : K 21 = 100000 K 22 = 000000 K 23 = 001000, User U 3 : K 31 = 000010 K 32 = 000000 K 33 = 010000, User U 4 : K 41 = 000000 K 42 = 010101 K 43 = 000001, User U 5 : K 51 = 100000 K 52 = 001000 K 53 = 001000 In this method there are Key vetors for eah user It has been easily notied that the sheme need to reonstrut the whole system in the ase of file deletion and file insertion This is an important point On the other hand sine the aess ontrol matrix is usually a sparse [3, 9], this method has wastage of storage for zero entries In order to overome the above weak points, a new dynami aess ontrol method with pair-keys is proposed Our proposed method is dynami in the sense that a new file/user an be deleted from, updated on or oined to the system The strategy of delete/update hanges only pair of keys for dediated users The details are desribed in the next setion Files Users U 1 ( 1 11 11 11 U 2 ( 1 21 F 1 F 2 F n b b b ( b12 1 b12 2 b12 ( b1nb1n b1n b b b ( b 1 22b 2 22 b 22 ( b2nb2n b2n U m ( b 2 m1 bm 1 bm 1 ( b b b mn mn mn Fig 2: Binary aess ontrol matrix with m users and n files 37
Islam, Selamat and Md Sap Files F 1 F 2 F 3 F 4 F 5 F 6 Users U 1 000 000 001 010 000 000 U 2 100 000 001 000 000 000 U 3 000 011 000 000 100 000 U 4 000 010 000 010 000 011 U 5 100 000 011 000 000 000 Fig 3: The binary aess ontrol matrix for Fig 1 30 THE BINARY KEY-PAIR METHOD Here we desribe the binary key-pair method with respet to binary aess ontrol matrix as in Fig 2 as well as in Fig 3 In the proposed method eah user is assigned a pair of keys The first key is a logial one and the seond key for opening aess right These keys are derived from aess rights with respet to the files The keys are possessed by the user and an be used to derive aess right to the files From the first key we an know whether a speifi user has aess right to a speifi file Using the bit of logial key we an find out the aess right for users to files Eah user U i is assigned the following two vetors: = (4 K K K K s il il il il for i = 1, 2,, n and s n, where the xth bit of K il an be defined as follows: x K = il 0 if b { i is zero-bit string (5 1 otherwise If the bit string b i ontains all zero bits, then we will say b i as zero bit string, otherwise non-zero bit string The key for aess right is defined as follows: ir = ir ir ir 2 ir + 1 2 ir ir r + 1 ir K K K K K K K K where r is the number of 1s in logial key vetor K il, and is defined as in setion 2 That means K ir is built from nonzero b i s For instane to hek any aess right a i ie, the aess right of user U i to the file F, at first we will examine logial key vetor K il and find whether the user has aess right to the file If the th bit of K il is 1, then there is an aess right of user U i to the file F, otherwise ie, if K bit il is zero then there is no aess of user U i to the file F Here we will hek the aess right using algorithm 1 that is enoded later (7 Example 1: Initialization of key vetors From binary aess ontrol matrix in Fig 3, we an define the following key vetors Sine b 11 = 000 (zero bit string, K 1 1 0 L = and b 13 = 001 (non-zero bit string, K 1 3 L = 1 K 1L = 0011, K 1R = 001010, K 2L = 101, K 2R = 100001, K 3L = 01001, K 3R = 011100, K 4L = 010101, K 4R = 010010011, K 5L = 101, K 5R = 100011, Algorithm 1 Verifiation of aess right Input: i,, K il, K ir Output: a i Steps: 1 Input i,, K il, K ir ; K = 1 then 2 If il If > 1 then p = number of 1s up to th bit of K il ; p = 1; i ir p + 1 a K KiR p = + 2 KiR p ; a i = Zeros; 3 Output a i Example 2: Verifiation of aess right Case I: For instane we want to verify the aess right, a 46 Here i = 4, = 6, K 4 6 L = 1, p = 3; so we an write a 46 = 7 4 4 8 4 9 = 011, R R R orret K K K whih is Case II: Chek aess right, a 44 Here i = 4, = 4, 4 4 1 L p = 2; a 44 = 4 4 R 4 5 R 4 6 R = 010 whih is orret K K K, K =, 38
A Dynami Aess Control With Binary Key-Pair Case III: Chek aess right, a 21 Here i = 2, 1 1 K = 1,p=1; 2 4 a 21 = K 2R K 2R K 2R = 100, =1, 2L whih is orret 40 IMPLEMENTATION OF DYNAMIC ACCESS CONTROL In this setion, we devise algorithms to implement the dynami aess ontrol, suh as aess right hanging and file updating (deletion and addition of a file We will disuss the ase of user updating by example, beause it an be performed simply by reonstruting or deleting the relevant pair of keys Algorithm 2: Aess right hanging /* Let aess right a i be hanged by bit string l i = li 1 l i 2 l i */ Input:, K il, K ir, l i Output: K il, K ir Steps: 1 Input, K il, K ir, l i 2 Compute p = number of 1s up to th bit of Key vetor K il ; r = number of 1s in K il ; 3 If l i is a non-zero bit string then If K = 0 then il p = p + 1; r = r + 1; Reset bit K il of K il ; ir ir ir ir ( ir p 1 = i i i ( KiR p + 1 + 1 KiR r K K K K K l l l ; ir ir ir ir ( ir p 1 ( = ir p + 1 + 1 ( ir r 1 K K K K K K K Reset bit K il of 4 Output K il, K ir ; K il ; Example 3: Changing aess right Case I: Suppose a 43 = 000 will be hanged into l i = 100 In this ase = 3, K 4L = 10101, K =, p = p + 1 = 2, K 4R = 010010011, 4L r = r +1 = 4; then K 4R = 010100010011 (updated, and K 4L = 011101 (by resetting 3 0 Case II: Assume a 35 = 100 will be hanged into l i = 010 K =, l i is a Here = 5, K 3L = 01001, K 3R = 011100, 3L non-zero bit string, p = 2, r = 2; K 3R = 011010 (updated 5 1 Case III: If a 23 = 001 by l i = 000, = 3, K 2L = 101, K 2R = 100001, p = 2; then K 2R = 100, and K 2L = 100 ( by resetting Algorithm 3 File Updating Setion 1: File Addition /* Let file F q is added and the aess right of user U i is denoted as liq = liq 1 liq 2 liq */ Input: q, l iq, K il, K ir Output: K il, K ir Steps: 1 Input q, l iq, K il, K ir 2 If l iq is zero bit string then K il and K ir remain unhanged; Update K il by putting 1 in 3 Output K il, K ir q K position; il ir = ir 1 ir 2 ir r iq 1 iq 2 iq ; K K K K l l l Setion 2: File Deletion /* Let file F is deleted */ Input:, K il, K ir Output: K il, K ir 1 Input, K il, K ir; 2 If K il = 0 then K il and K ir remain unhanged; Compute p = number of 1s up to th bit of K il ; ir ir ir ir p 1 ir p + 1 K = K K K K + 1 KiR r 1 Reset bit K il of K il ; 3 Output K il, K ir ( ( ( ; Example 4: Addition and deletion of files Here we onsider the system in Fig 3 and let F 7 added to the system that U 2 an write, U 5 an delete So there will be a 27 = 011 and a 57 = 100 Here it is required to update first K il, then K ir that is enough K 2L = 1010001 (putting 1 in K il position, K 2R = 100001011 (putting bit string; K 5L = 101001, K 5R = 100011100 If file F 2 is deleted that U 3 an write, a 32 = 011 and U 4 an read, a 42 = 010 Now we have to update first K ir, then K il Therefore we get, K 3R = 100 (Shift left, 39
Islam, Selamat and Md Sap K 3L = 000001 (by resetting bit 000101 K 3L ; K 4R = 0111, K 4L = 6 Compated spae is used for storing key-pair for eah user and the required storage is less than that of binary key method Example 5: Addition and deletion of users Let us reonsider the system in Fig 3 If U 6 is added to the system, who will read file F 3 and write in file F 5, then we ust onstrut two key vetors K 6L and K 6R for user U 6 Suppose U 4 is deleted who an read F 2, F 4 and write in F 6 Here we shall ust delete the two key vetors for U 4 50 STORAGE REQUIREMENT We know that the aess ontrol matrix is usually sparse So here we shall onsider non-zero-rate r, whih is defined as the ratio of non-zero entries in the aess ontrol matrix The storage: For K il s = mn bits (n bits for eah user, whih is maximum For K ir s = mnr bits Then the required storage = (mnr + mn bits Example 6: Storage alulation Let there are m = 2000 users and n = 1000 files, = 3, r = 01, then the storage requirement for the system, mnr + mn = 2000 1000 3 01 + 2000 1000 = 26,00000 bits But in ase of Chang et al s method [10], mn = 2000 1000 3 = 60,00000 bits Suppose r = 05, so mnr + mn = 2000 1000 3 05 + 2000 1000 = 30,00000 bits But in Chang et al s method same as above, mn = 60,00000 bits That means if the non-zero rate is 50%, the system in our method takes less storage If = 5, then mnr + mn = 2000 1000 5 01 + 2000 1000 = 30,00000 bits But in Chang et al s method, mn = 20000 1000 5 = 100,00000 bits From the above example it is leared that our method takes less storage than that of Chang et al s method 60 THE ADVANTAGES OF THE METHOD The proposed method has the following advantages: 1 Initialization of key vetors for eah user is simple 2 We propose a simpler proedure of aess right heking 3 Aess right hanging is easy 4 Updating users is very simple 5 Updating files is also easy and dynami While the binary key method needs to reonstrut the whole system 70 CONCLUSION In this method we devise algorithms for aess right heking and implementation of dynami aess ontrol, suh as aess right hanging and updating files One good feature of our system is that insertion or deletion of any file an be suessfully implemented without reonstruting all key-vetors The storage requirement is also less than that of Chang et al s method REFERENCES [1] D E R Denning, Cryptography and Data Seurity Addison-Wesley, Reading, MA, 1983 [2] G S Graham and P J Denning, Protetion-Priniple and Pratie, Pro Spring Joint Computer Conf, Vol 40, AFIPS Press, Montvale, NJ, 1972, pp 417-429 [3] M L Wu and T Y Hwang, Aess Control with Single-Key-Lok IEEE Transation on Software Engg, Vol SE-10, No 2, 1984, pp 185-191 [4] C C Chang, On the design of a key-lok-pair mehanism in information protetion systems BIT, Vol 26, 1986, pp 410-417 [5] C C Chang, An Information Protetion Sheme Based upon Number Theory The Computer Journal, Vol 30, No 3, 1987, pp 249-253 [6] C K Chang and T M Jiang, A Binary Single-Key- Lok System for Aess Control IEE Transation on Computers, Vol 38, No 10, 1989, pp 1462-1466 [7] C S Laih, L Harn and J Y Lee, On the design of a single-key-lok mehanism based on Newton s interpolating polynomial IEEE Transation on Software Engineering, Vol 15, No 9, 1989, pp 1135-1137 [8] J K Jan, C C Chang and S J Wang, A dynami Key-Lok-Pair Aess Control Sheme Computers & Seurity, Vol 10, 1991, pp 129-139 [9] J J Hwang, B M Shao and P C Wang, A New Aess Control Method Using Prime Fatorization Computer Journal, Vol 35, No 1, 1992, pp 16-20 40
A Dynami Aess Control With Binary Key-Pair [10] C C Chang, J J Shen and T C Wu, Aess ontrol with binary keys Computers & Seurity, Vol 13, 1994, pp 681-686 BIOGRAPHY Md Rafiqul Islam obtained his Master of Siene in Engineering (Computers from Azerbaian Polytehni Institute in 1987 He is an Assistant Professor of Computer Siene and Engineering Disipline of Khulna University, Khulna of Bangladesh Currently, he is on study leave and doing PhD at the Faulty of Computer Siene and Information Systems of the Universiti Teknologi Malaysia His researh areas inlude design and analysis of algorithms, Database seurity and Cryptography He has published a number of papers related to these areas He is an assoiate member of Bangladesh Computer Soiety Harihodin Selamat holds an MS from Cranfield University, UK and a PhD from the University of Bradford, UK both in omputer siene Currently he is an Assoiate Professor in the Faulty of Computer Siene and Information Systems at the Universiti Teknologi Malaysia His researh area inludes Database seurity, Database design and Software engineering Mohd Noor Md Sap is an Assoiate Professor in the Faulty of Computer Siene and Information Systems at Universiti Teknologi Malaysia He holds degrees in omputer siene: a BS(Hon from the National University of Malaysia, an MS from Cranfield University, UK, and a PhD from the University of Strathlyde, UK He is urrently arrying out researh in Database seurity, Case-based reasoning and Information retrieval 41