Information Processing Letters 92 (2004) 199–205 www.elsevier.com/locate/ipl
Cryptographic key assignment schemes for any access control policy Alfredo De Santis, Anna Lisa Ferrara, Barbara Masucci ∗ Dipartimento di Informatica ed Applicazioni, Università di Salerno, 84081 Baronissi (SA), Italy Received 31 January 2003; received in revised form 16 February 2004 Available online 11 September 2004 Communicated by Y. Desmedt
Abstract The access control problem deals with the management of sensitive information among a number of users who are classified according to their suitability in accessing the information in a computer system. The set of rules that specify the information flow between different user classes in the system defines an access control policy. Akl and Taylor first considered the access control problem in a system organized as a partially ordered hierarchy. They proposed a cryptographic key assignment scheme, where each class is assigned an encryption key that can be used, along with some public parameters generated by a central authority, to compute the key assigned to any class lower down in the hierarchy. Subsequently, many researchers have proposed schemes that either have better performances or allow insertion and deletion of classes in the hierarchy. In this paper we show how to construct a cryptographic key assignment scheme for any arbitrary access control policy. Our construction uses as a building block a cryptographic key assignment scheme for partially ordered hierarchies. The security of our scheme holds with respect to adversaries of limited computing power and directly derives from the security of the underlying scheme for partially ordered hierarchies. Moreover, the size of the keys assigned to classes in our scheme is exactly the same as in the underlying scheme. 2004 Elsevier B.V. All rights reserved. Keywords: Cryptography; Distributed systems; Safety/security in digital systems; Access control; Partial ordering
* Corresponding author. 0020-0190/$ – see front matter © 2004 Elsevier B.V. All rights reserved. doi:10.1016/j.ipl.2004.03.019
1. Introduction
The access control problem deals with the specification of users’ access permission and is a fundamental issue in any system that manages distributed resources. There are several situations where supervisors have all the privileges to control the tasks of their subordinates, while the subordinates have no privileges at all to access the supervisors’ tasks. Applications exist in business and in other areas of the private sector, for example, in the management of databases containing sensitive information or in the protection of industrial
secrets. Similar situations abound in other areas, particularly in the government and military. We consider a scenario where the users of a computer system are divided into a certain number of disjoint classes, called security classes. A security class can represent a person, a department, or a user group in an organization. The set of rules that specify the information flow between different user classes in the system defines an access control policy. In particular, for any class in the system, the access control policy specifies the set of classes whose data can be accessed by that class. This set is called the accessible set of the class. Within the scope of cryptography, an access control policy can be implemented by using a cryptographic key assignment scheme, that is, a method to assign an encryption key to each class. This key will be used by each class to protect its data by means of a symmetric cryptosystem. The basic and straightforward cryptographic key assignment scheme requires each class to memorize the encryption keys assigned to all classes in its accessible set. The disadvantage of this solution is that it penalizes users in high level classes, requiring them to handle more information than users in low level classes. The problem of reducing the inherent complexity of the basic straightforward cryptographic key assignment scheme was first considered by Akl and Taylor [1], who proposed an elegant solution to implement an access control policy defining a partially ordered hierarchy on the set of the classes. In the Akl–Taylor scheme, each class is assigned a key that can be used, along with some public parameters generated by a central authority, to compute the key assigned to any class lower down in the hierarchy. Subsequently, many researchers have proposed schemes that either have better performances or allow insertion and deletion of classes in the hierarchy (e.g., [7,9–13,16]).
There are several examples of distributed systems requiring more general access control policies. For example, these access control policies may violate the anti-symmetric and transitive properties of a partially ordered hierarchy. The problem of designing cryptographic key assignment schemes for access control policies with transitive and anti-symmetrical exceptions was first considered by Yeh et al. [18]. Subsequently, Hwang [8] showed that the scheme proposed in [18] was insecure against collusion attacks
carried out by non-authorized classes. The most used approach to key assignment schemes is based on unproven specific assumptions. A different approach, based on information theory and not depending on any specific unproven assumption, has been proposed in [3–5] to design and analyze key assignment schemes. In this paper we propose a general method to construct a cryptographic key assignment scheme for any arbitrary access control policy. Our method uses as a building block a cryptographic key assignment scheme for partially ordered hierarchies. The security of our scheme holds with respect to adversaries of limited computing power and directly derives from the security of the underlying scheme for partially ordered hierarchies. In our scheme each class is assigned some private information and an encryption key. The private information enables each class to compute the encryption keys assigned to all classes in its accessible set. The size of the keys assigned by our scheme is exactly the same as the size of the keys assigned by the underlying scheme. The paper is organized as follows: in Section 2 we define cryptographic key assignment schemes for arbitrary access control policies. In Section 2.1 we show how to construct a cryptographic key assignment scheme for any arbitrary access control policy. In Section 3 we first give a brief description of the Akl–Taylor scheme for partially ordered hierarchies. Afterwards, we show an Akl–Taylor based scheme for arbitrary access control policies. Finally, we show how to improve the efficiency of the Akl–Taylor based scheme.
2. Cryptographic key assignment schemes
We consider a scenario where the users of a computer system are divided into a certain number of disjoint classes, called security classes. The set of rules that specify the information flow between different user classes in the system defines an access control policy. In particular, for any class in the system, the access control policy specifies the set of classes whose data can be accessed by that class. An access control policy can be represented by a directed graph $G = (V, E)$, where the vertex set $V$ corresponds to the set of security classes and there is an edge $(u, v) \in E$ if and only if class $u$ has access to the private data of class $v$. Clearly, since each class $u \in V$ has access to its private data, $(u, u) \in E$ for any $u \in V$. For any class $u \in V$, the set $A_u = \{v \in V : (u, v) \in E\}$ of classes whose private data can be accessed by $u$ is called the accessible set of $u$. If the directed graph $G = (V, E)$ representing the access control policy is acyclic and satisfies the transitive property (i.e., if $u$, $v$ and $z$ are three distinct vertices such that $(u, v) \in E$ and $(v, z) \in E$, then $(u, z) \in E$), the access control policy represented by $G$ is called a partially ordered hierarchy.
An access control policy represented by a directed graph $G$ can be implemented by using a cryptographic key assignment scheme, that is, a method to assign an encryption key $k_u$ to each class $u \in V$. This key can be used by each class to protect its data by means of a symmetric cryptosystem. The generation and distribution of the keys is carried out by a trusted third party, the CA, in such a way that each class $u \in V$ can efficiently compute the encryption key $k_v$ assigned to a class $v \in V$ if and only if $v \in A_u$. The CA generates a triple of values $(s_u, k_u, t_u)$ for each class $u \in V$. The value $k_u$ corresponds to the encryption key assigned to $u$. The pair $(s_u, k_u)$ is sent to class $u$ over a private channel and is kept secret by $u$, while the value $t_u$ is made public. Each class $u \in V$ can compute the key $k_v$ of any class $v \in A_u$, starting from its private information $s_u$ and from public values $t_u$ and $t_v$.
A cryptographic key assignment scheme should forbid all illegal key computations by a non-authorized class, even in collusion with other classes. More precisely, for any class $v \in V$, the encryption key $k_v$ should be protected against a coalition of classes $H \subseteq V \setminus \{v\}$, where $v \notin A_u$ for any $u \in H$, trying to compute it. The scheme is said to be secure if such a computation is infeasible.
Several researchers have proposed cryptographic key assignment schemes based on specific unproven computational assumptions, such as the infeasibility of factoring the product of two large primes, the existence of one-way functions, etc. Akl and Taylor [1] first showed how to construct a cryptographic key assignment scheme for a partially ordered hierarchy. The security of their scheme is based on the (assumed) infeasibility of computing $r$th roots modulo a product of two large primes, where $r > 1$ is an integer. Subsequently, many researchers have proposed schemes that either have better performances or allow insertion and deletion of classes in the hierarchy (e.g., [7,9–13,16]). In the following we propose a general method to construct a cryptographic key assignment scheme for any arbitrary access control policy. Our method uses as a building block a cryptographic key assignment scheme for partially ordered hierarchies. The security of our scheme holds with respect to an adversary of limited computing power, that is, an adversary not capable of efficiently solving the computationally hard problem on which the security of the underlying scheme for partially ordered hierarchies is based.
2.1. A general construction
Let $G = (V, E)$ be a directed graph representing any arbitrary access control policy. Starting from $G$, the CA constructs a directed bipartite graph $G' = (V', E')$, where $V' = V_\ell \cup V_r$ and $V_\ell \cap V_r = \emptyset$, as follows:
• for any $u \in V$, the CA places two vertices $u_\ell, u_r$ in $V'$, where $u_\ell \in V_\ell$ and $u_r \in V_r$, and places the edges $(u_\ell, u_\ell)$ and $(u_r, u_r)$ in $E'$;
• for any $(u, v) \in E$, the CA places the edge $(u_\ell, v_r)$ in $E'$.
It is easy to see that the graph $G'$ represents a partially ordered hierarchy. Fig. 1 shows an example of the graph transformation described above, where self-loops are omitted.
Fig. 1. The graph transformation used in our construction.
Let $\Sigma'$ be a secure cryptographic key assignment scheme for $G'$. The CA constructs a secure cryptographic key assignment scheme $\Sigma$ for $G$ as follows. First, it uses the scheme $\Sigma'$ to generate the triple of values $(s_v, k_v, t_v)$ for each class $v \in V'$. Afterwards, for each class $u \in V$, the CA computes the triple of values $(s_u, k_u, t_u)$ as follows:
• $s_u = s_{u_\ell}$;
• $k_u = k_{u_r}$;
• $t_u = (t_{u_\ell}, t_{u_r})$.
It is easy to see that the resulting scheme is a cryptographic key assignment scheme for $G$. Indeed, since for any class $u \in V$ and any $v \in A_u$ it holds that $v_r \in A_{u_\ell}$, it follows that $u$ can easily compute the encryption key $k_v$, by using its private information $s_u$ and public values $t_u$ and $t_v$. Assume by contradiction that the scheme $\Sigma$ is not secure. Then, there exists a class $v \in V$, a coalition of classes $H \subseteq V \setminus \{v\}$, where $v \notin A_u$ for any $u \in H$, such that the encryption key $k_v$ can be feasibly computed by $H$. It follows that there exists a class $v_r \in V_r$ and a coalition of classes $H' = \{u_\ell, u_r \mid u \in H\}$, where $v_r \notin A_w$ for any $w \in H'$, such that the encryption key $k_{v_r}$ can be feasibly computed by $H'$. Hence, the scheme $\Sigma'$ is not secure. Contradiction. Hence, starting from any secure cryptographic key assignment scheme $\Sigma'$ for $G'$, we obtain a secure cryptographic key assignment scheme $\Sigma$ for $G$. Moreover, the sizes of the keys assigned to each class by $\Sigma$ and $\Sigma'$ are exactly the same.
3. An Akl–Taylor based scheme and its optimization
In this section we first give a brief description of the cryptographic key assignment scheme for partially ordered hierarchies proposed by Akl and Taylor [1]. Afterwards, we show an Akl–Taylor based scheme for arbitrary access control policies, obtained from the construction of Section 2.1, when the Akl–Taylor scheme is used on the corresponding partially ordered hierarchy. Finally, we show how to improve the efficiency of the Akl–Taylor based scheme. Let $G' = (V', E')$ be a partially ordered hierarchy. In the Akl–Taylor scheme the private information assigned to a class $u \in V'$ by the CA is constituted only by the secret key $k_u$, i.e., $s_u = k_u$. This key can also be used to compute the keys assigned to all classes in its accessible set. In the following we show the steps performed by the CA in the Akl–Taylor scheme:
Step 1. The CA assigns a distinct prime number $p_u$ to each class $u \in V'$. Afterwards, for each class $u \in V'$, the CA computes an integer $t_u$, such that $t_u$ divides $t_v$ if and only if $v \in A_u$, as follows:
$$t_u = \begin{cases} 1 & \text{if } A_u = V'; \\ \prod_{v \notin A_u} p_v & \text{otherwise.} \end{cases}$$
These integers are made public.
Step 2. The CA randomly chooses two large prime numbers $p$ and $q$, whose product $n = p \cdot q$ is made public. Afterwards, he chooses a secret key $k_0$, where $1 < k_0 < n$.
Step 3. For each class $u \in V'$, the CA computes the encryption key $k_u$ as follows:
$$k_u = k_0^{t_u} \bmod n.$$
This key is sent to class $u$ through a private channel.
Each class $u \in V'$ can derive the key assigned to a class $v \in A_u$, performing the following computation:
$$f(k_u, t_u, t_v) = k_u^{t_v/t_u} \bmod n.$$
Indeed, since $v \in A_u$, it follows that $t_v/t_u$ is an integer and $k_u^{t_v/t_u} \bmod n = k_0^{t_v} \bmod n = k_v$. The security of the Akl–Taylor scheme follows from the next result, which relies on the assumption that extracting $r$th roots modulo $n$, where $r > 1$ is an integer and $n$ is the product of two large unknown primes, is a computationally hard problem. In particular, when $\gcd(r, \varphi(n)) = 1$, where $\varphi(n)$ is Euler’s totient function, this is the assumption behind the RSA cryptosystem [15]; whereas, if $r = 2$, this assumption is used in the Rabin cryptosystem [14].
Lemma 3.1 [1]. Let $t$ and $t_1, \ldots, t_m$ be integers, and let $k \in Z_n$, where $n = p \cdot q$ is the product of two large primes. The power $k^t \bmod n$ can be feasibly computed from the set of powers $\{k^{t_1} \bmod n, \ldots, k^{t_m} \bmod n\}$ if and only if $\gcd\{t_1, \ldots, t_m\}$ divides $t$.
Let $G = (V, E)$ be a directed graph representing an arbitrary access control policy. Applying the construction of Section 2.1 and using the Akl–Taylor scheme on the directed bipartite graph $G' = (V', E')$ corresponding to $G$, we obtain a cryptographic key assignment scheme for $G$, called the Akl–Taylor based scheme. In such a scheme, for each class $u \in V$, the CA computes the private values $s_u$ and $k_u$, where $s_u = k_0^{t_{u_\ell}} \bmod n$ and $k_u = k_0^{t_{u_r}} \bmod n$. On the other hand, each class $u$ can use its private value $s_u$ to compute the encryption key $k_v$ assigned to any class $v \in A_u$, by computing $s_u^{t_{v_r}/t_{u_\ell}} \bmod n = k_v$. The left-hand side of Table 1 shows the values $s_u$ and $k_u$ assigned by the CA to each class $u$ in the directed graph represented on the left-hand side of Fig. 1, when the primes assigned by Step 1 of the Akl–Taylor scheme to the classes $u_\ell$ and $u_r$ in the corresponding directed bipartite graph are the following:
| Class | $a_\ell$ | $b_\ell$ | $c_\ell$ | $d_\ell$ | $e_\ell$ | $f_\ell$ | $a_r$ | $b_r$ | $c_r$ | $d_r$ | $e_r$ | $f_r$ |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Prime | 2 | 3 | 5 | 7 | 11 | 13 | 17 | 19 | 23 | 29 | 31 | 37 |
In the Akl–Taylor based scheme, both CA and users are required to perform a modular exponentiation of the form $x^c \bmod n$. Such an operation can be done in a number of steps which is proportional to the length of the binary representation of the exponent $c$ (for example, by using the well known square-and-multiply algorithm). Assume that the primes assigned by Step 1 of the Akl–Taylor scheme to the $2|V|$ classes in the bipartite graph $G'$ are the first $2|V|$ ones. For any $i \ge 1$, let $p_i$ be the $i$th prime number and denote by $p_i\#$ the primorial or prime factorial of $p_i$, that is, $p_i\# = \prod_{j=1}^{i} p_j$ (see [17, seq. A002110]). For each class $u \in V$, it follows that $\max\{t_{u_\ell}, t_{u_r}\} = p_{2|V|}\#/p_{u_r}$. Indeed, the value $t_{u_r}$ contains exactly $2|V| - 1$ prime factors, i.e., all the primes in the system, with the exception of $p_{u_r}$, since from the construction of Section 2.1, $u_r$ is the only class that can be accessed by $u_r$. On the other hand, $t_{u_\ell} \le t_{u_r}$, because $u_r \in A_{u_\ell}$. Therefore, each public exponent in the Akl–Taylor based scheme is almost equal to $p_{2|V|}\#$.
In order to estimate the number of bits in the binary representation of $p_{2|V|}\#$, we use some classical results from Number Theory, which can be found in [6,2]. Let $x$ be a positive integer and let $\pi(x)$ be the prime counting function, i.e., the number of prime numbers less than or equal to $x$. The Prime Number Theorem states that $\pi(x)$ has asymptotic behavior $\pi(x) \sim x/\ln x$, where $\ln x$ denotes the natural logarithm of $x$. A consequence of such a theorem is that the $i$th prime number $p_i$ has asymptotic behavior $p_i \sim i \ln i$. The prime counting function $\pi(x)$ is closely related to the Chebyshev function $\theta(x)$, defined by $\theta(x) = \sum_{j=1}^{\pi(x)} \ln p_j$. The Chebyshev function $\theta(x)$ has asymptotic behavior $\theta(x) \sim x$. By the above discussion, it is easy to see that $\ln(p_i\#) \sim i \ln i$. Indeed, $\ln(p_i\#) = \theta(p_i)$, $\theta(p_i) \sim p_i$ and $p_i \sim i \ln i$. Hence, it follows that the number of bits in the binary representation of $p_{2|V|}\#$ is $\log(p_{2|V|}\#) \sim 2|V| \log(2|V|)$.
In the following we show that it is possible to have public exponents of smaller size, improving the efficiency of the Akl–Taylor based scheme. The resulting scheme will be called the optimized Akl–Taylor based scheme. Since the aim of the prime number associated to each class is to protect it against not enabled accesses, and since $u_\ell$ and $u_r$ correspond to the same class $u$ in the original graph $G$, there is no need to associate two distinct prime numbers $p_{u_\ell}$ and $p_{u_r}$ to class $u$. Hence, for the directed bipartite graph
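Table 1. Akl–Taylor based schemes for the arbitrary access control policy of Fig. 1
| Class $u$ | $s_u$ (Akl–Taylor based scheme) | $k_u$ (Akl–Taylor based scheme) | $s_u$ (optimized Akl–Taylor based scheme) | $k_u$ (optimized Akl–Taylor based scheme) |
|---|---|---|---|---|
| a | $k_0^{3\cdot5\cdot7\cdot11\cdot13\cdot23\cdot29\cdot31\cdot37}$ | $k_0^{2\cdot3\cdot5\cdot7\cdot11\cdot13\cdot19\cdot23\cdot29\cdot31\cdot37}$ | $k_0^{5\cdot7\cdot11\cdot13}$ | $k_0^{3\cdot5\cdot7\cdot11\cdot13}$ |
| b | $k_0^{2\cdot5\cdot7\cdot11\cdot13\cdot31}$ | $k_0^{2\cdot3\cdot5\cdot7\cdot11\cdot13\cdot17\cdot23\cdot29\cdot31\cdot37}$ | $k_0^{11}$ | $k_0^{5\cdot7\cdot11\cdot13}$ |
| c | $k_0^{2\cdot3\cdot7\cdot11\cdot13\cdot19\cdot29\cdot31\cdot37}$ | $k_0^{2\cdot3\cdot5\cdot7\cdot11\cdot13\cdot17\cdot19\cdot29\cdot31\cdot37}$ | $k_0^{3\cdot7\cdot11\cdot13}$ | $k_0^{2\cdot3\cdot7\cdot11\cdot13}$ |
| d | $k_0^{2\cdot3\cdot5\cdot11\cdot13\cdot19\cdot23\cdot31}$ | $k_0^{2\cdot3\cdot5\cdot7\cdot11\cdot13\cdot17\cdot19\cdot23\cdot31\cdot37}$ | $k_0^{3\cdot5\cdot11}$ | $k_0^{2\cdot3\cdot5\cdot11\cdot13}$ |
| e | $k_0^{2\cdot3\cdot5\cdot7\cdot13\cdot17\cdot19\cdot37}$ | $k_0^{2\cdot3\cdot5\cdot7\cdot11\cdot13\cdot17\cdot19\cdot23\cdot29\cdot37}$ | $k_0^{2\cdot3\cdot13}$ | $k_0^{2\cdot3\cdot13}$ |
| f | $k_0^{2\cdot3\cdot5\cdot7\cdot11\cdot17\cdot19\cdot23\cdot29\cdot31}$ | $k_0^{2\cdot3\cdot5\cdot7\cdot11\cdot13\cdot17\cdot19\cdot23\cdot29\cdot31}$ | $k_0^{2\cdot3\cdot5\cdot7\cdot11}$ | $k_0^{2\cdot3\cdot5\cdot7\cdot11}$ |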
$G' = (V', E')$, we replace Step 1 of the Akl–Taylor scheme with Step 1′ as follows:
Step 1′. The CA assigns a distinct prime number $p_{u_r}$ to each class $u_r \in V_r$, while all classes in $V_\ell$ are associated to the value 1. Afterwards, for each class $u_\ell \in V_\ell$, the CA computes the value
$$t_{u_\ell} = \begin{cases} 1 & \text{if } A_{u_\ell} = V'; \\ \prod_{v_r \notin A_{u_\ell}} p_{v_r} & \text{otherwise.} \end{cases}$$
Finally, for each class $u_r \in V_r$, the CA computes the value $t_{u_r} = \operatorname{lcm}_{v_\ell : u_r \in A_{v_\ell}} t_{v_\ell}$.
Assume that the primes assigned by the CA in Step 1′ are the first $|V|$ ones. Therefore, each public exponent in the optimized Akl–Taylor based scheme is almost equal to $p_{|V|}\#$. From the above discussion, it follows that the number of bits in the binary representation of $p_{|V|}\#$ is $\log(p_{|V|}\#) \sim |V| \log |V|$. Therefore, the time required by the CA to compute the private values associated to each class is proportional to $|V| \log |V|$. The next lemma is an immediate consequence of the new assignment.
Lemma 3.2. Let $G = (V, E)$ be a directed graph representing any arbitrary access control policy and let $G' = (V', E')$, where $V' = V_\ell \cup V_r$, be the corresponding directed bipartite graph. Under the new assignment of Step 1′, for any two classes $u_\ell \in V_\ell$ and $v_r \in V_r$, it holds that
(1) If $v_r \in A_{u_\ell}$, then $t_{u_\ell}$ divides $t_{v_r}$;
(2) If $v_r \notin A_{u_\ell}$, then $p_{v_r}$ divides $t_{u_\ell}$;
(3) $p_{v_r}$ does not divide $t_{v_r}$.
Proof. Since $v_r \in A_{u_\ell}$ and $t_{v_r} = \operatorname{lcm}_{u_\ell : v_r \in A_{u_\ell}} t_{u_\ell}$, it follows that $t_{u_\ell}$ divides $t_{v_r}$. Hence, part (1) of Lemma 3.2 holds. Since $v_r \notin A_{u_\ell}$ and $t_{u_\ell} = \prod_{v_r \notin A_{u_\ell}} p_{v_r}$, it follows that $p_{v_r}$ divides $t_{u_\ell}$. Hence, part (2) of Lemma 3.2 holds. Since $v_r \in A_{u_\ell}$, from part (2) of Lemma 3.2 it holds that $p_{v_r}$ does not divide $t_{u_\ell}$. Therefore, $p_{v_r}$ does not divide $t_{v_r} = \operatorname{lcm}_{u_\ell : v_r \in A_{u_\ell}} t_{u_\ell}$. Hence, part (3) of Lemma 3.2 holds. □
From Lemma 3.1, given a class $v_r \in V_r$ and a coalition of classes $H \subseteq V_\ell \setminus \{v_\ell\}$, the coalition $H$ can feasibly compute the key $k_{v_r}$ if and only if $g$ divides $t_{v_r}$, where $g = \gcd\{t_{u_\ell} : u_\ell \in H\}$. Hence, in order to show that the new assignment of Step 1′ gives rise to a secure cryptographic key assignment scheme for $G'$, we only need to prove the next lemma.
Lemma 3.3. Let $G = (V, E)$ be a directed graph representing any arbitrary access control policy and let $G' = (V', E')$, where $V' = V_\ell \cup V_r$, be the corresponding directed bipartite graph. Under the new assignment of Step 1′, for any class $v_r \in V_r$ and any coalition of classes $H \subseteq V_\ell \setminus \{v_\ell\}$, such that $v_r \notin A_{u_\ell}$, for any $u_\ell \in H$, it holds that $g = \gcd\{t_{u_\ell} : u_\ell \in H\}$ does not divide $t_{v_r}$.
Proof. Since $v_r \notin A_{u_\ell}$ for any $u_\ell \in H$, from (2) of Lemma 3.2 it follows that $p_{v_r}$ divides $t_{u_\ell}$. Hence $p_{v_r}$ divides $g = \gcd\{t_{u_\ell} : u_\ell \in H\}$. From (3) of Lemma 3.2, we have that $p_{v_r}$ does not divide $t_{v_r}$. Hence, it follows that $g$ does not divide $t_{v_r}$. □
Therefore, the new assignment of Step 1′ gives rise to a secure and efficient cryptographic key assignment scheme for the partially ordered hierarchy represented by the directed bipartite graph $G'$. Consequently, by using the method described in Section 2.1, we obtain a secure and efficient cryptographic key assignment scheme for the corresponding arbitrary access control policy $G$, called the optimized Akl–Taylor based scheme. The right-hand side of Table 1 shows the values $s_u$ and $k_u$ assigned by the optimized Akl–Taylor based scheme to each class $u$ in the directed graph represented on the left-hand side of Fig. 1, when the primes assigned by Step 1′ of the Akl–Taylor scheme to the classes $u_\ell$ and $u_r$ in the corresponding directed bipartite graph are the following:
| Class | $a_\ell$ | $b_\ell$ | $c_\ell$ | $d_\ell$ | $e_\ell$ | $f_\ell$ | $a_r$ | $b_r$ | $c_r$ | $d_r$ | $e_r$ | $f_r$ |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Prime | 1 | 1 | 1 | 1 | 1 | 1 | 2 | 3 | 5 | 7 | 11 | 13 |
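The two prime assignments of Section 3, run on the six-class policy behind Table 1, as an added example that is not code from the paper. The accessible sets are inferred from the Table 1 exponents; the toy modulus, `K0` and all function names are assumptions of this sketch. It builds the left and right copy of every class, computes the public exponents under the original Step 1 and under the optimized assignment, then checks key derivation and the gcd condition of Lemma 3.1 for the largest unauthorized coalition.

```python
from functools import reduce
from math import gcd, lcm, prod

# Accessible sets A_u inferred from the exponents in Table 1 (assumption: the
# figure is not reproduced on this page). Self-loops are included.
POLICY = {
    "a": {"a", "b"}, "b": {"a", "b", "c", "d", "f"}, "c": {"a", "c"},
    "d": {"a", "d", "f"}, "e": {"c", "d", "e"}, "f": {"f"},
}
PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]
# Toy parameters for arithmetic only: two Mersenne primes and a fixed k0.
# A real CA picks large random secret primes and a random k0.
N = (2**31 - 1) * (2**61 - 1)
K0 = 0xC0FFEE


def exponents_plain(policy):
    """Section 2.1 transform plus the original Step 1 (2|V| distinct primes)."""
    nodes = [(u, "l") for u in policy] + [(u, "r") for u in policy]
    p = dict(zip(nodes, PRIMES))
    acc = {(u, "r"): {(u, "r")} for u in policy}
    for u, a_u in policy.items():
        acc[(u, "l")] = {(u, "l")} | {(v, "r") for v in a_u}
    return {x: prod(p[y] for y in nodes if y not in acc[x]) for x in nodes}


def exponents_optimized(policy):
    """Optimized assignment: primes on right copies only, lcm for right exponents."""
    p = dict(zip(policy, PRIMES))
    t = {(u, "l"): prod(p[v] for v in policy if v not in a_u)
         for u, a_u in policy.items()}
    for u in policy:
        t[(u, "r")] = lcm(*[t[(v, "l")] for v, a_v in policy.items() if u in a_v])
    return t


def assign(policy, t, n=N, k0=K0):
    """CA output per class u: (s_u, k_u) = (k0^t[u_l], k0^t[u_r]) mod n."""
    return {u: (pow(k0, t[(u, "l")], n), pow(k0, t[(u, "r")], n)) for u in policy}


def derive(s_u, t, u, v, n=N):
    """Class u computes k_v from s_u and the public exponents, or is refused."""
    q, r = divmod(t[(v, "r")], t[(u, "l")])
    if r:
        raise PermissionError(f"{v} is not in the accessible set of {u}")
    return pow(s_u, q, n)


def policy_enforced(policy, t):
    """True iff derivation succeeds exactly for the pairs (u, v) with v in A_u."""
    keys = assign(policy, t)
    for u, a_u in policy.items():
        for v in policy:
            try:
                ok = derive(keys[u][0], t, u, v) == keys[v][1]
            except PermissionError:
                ok = False
            if ok != (v in a_u):
                return False
    return True


def coalition_blocked(policy, t, v):
    """Lemma 3.1 test for the largest coalition with no access to v:
    the gcd of every exponent its members hold must not divide t[v_r]."""
    held = [t[(u, s)] for u, a_u in policy.items() if v not in a_u for s in "lr"]
    return not held or t[(v, "r")] % reduce(gcd, held) != 0


if __name__ == "__main__":
    for name, t in (("plain", exponents_plain(POLICY)),
                    ("optimized", exponents_optimized(POLICY))):
        print(name, "max exponent bits:", max(t.values()).bit_length(),
              "enforced:", policy_enforced(POLICY, t),
              "collusion-safe:", all(coalition_blocked(POLICY, t, v) for v in POLICY))
```

The coalition check also feeds in each member's own key exponent, which goes slightly beyond the statement of Lemma 3.3; it still passes because every right-copy exponent held by a member contains the prime of the class under attack.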
Acknowledgements We would like to thank the anonymous referees for their careful reading and useful comments.
This research has been partially supported by the European Network of Excellence in Cryptology under project IST-2002-507932-Ecrypt and by the University of Salerno under project Sicurezza Dati, Computazione Distribuita e Compressione Dati.
References
[1] S.G. Akl, P.D. Taylor, Cryptographic solution to a problem of access control in a hierarchy, ACM Trans. Comput. Syst. 1 (3) (1983) 239–248.
[2] E. Bach, J. Shallit, Algorithmic Number Theory, Efficient Algorithms, vol. 1, MIT Press, Cambridge, MA, 1996.
[3] A. De Santis, A.L. Ferrara, B. Masucci, Unconditionally secure hierarchical key assignment schemes, in: Proc. of the International Workshop on Coding and Cryptography—WCC 2003, Versailles, France, March 24–28, 2003.
[4] A. De Santis, A.L. Ferrara, B. Masucci, Unconditionally secure key assignment schemes, Discrete Appl. Math., in press.
[5] A.L. Ferrara, B. Masucci, An information-theoretic approach to the access control problem, in: Proc. of the Eighth Italian Conference on Theoretical Computer Science—ICTCS 2003, in: Lecture Notes in Comput. Sci., vol. 2841, Springer-Verlag, Berlin, 2003, pp. 342–354.
[6] G.H. Hardy, E.M. Wright, An Introduction to the Theory of Numbers, fifth ed., Clarendon Press, Oxford, England, 1979.
[7] L. Harn, H.Y. Lin, A cryptographic key generation scheme for multilevel data security, Computers and Security 9 (6) (1990) 539–546.
[8] M.S. Hwang, Cryptanalysis of YCN key assignment scheme in a hierarchy, Inform. Process. Lett. 73 (3–4) (2000) 97–101.
[9] M.S. Hwang, A cryptographic key assignment scheme in a hierarchy for access control, Math. Comput. Modeling 26 (1) (1997) 27–31.
[10] M.S. Hwang, W.P. Yang, Controlling access in large partially ordered hierarchies using cryptographic keys, J. Systems and Software 67 (2003) 99–107.
[11] H.T. Liaw, S.J. Wang, C.L. Lei, A dynamic cryptographic key assignment scheme in a tree structure, Comput. Math. Appl. 25 (6) (1993) 109–114.
[12] C.H. Lin, Dynamic key management schemes for access control in a hierarchy, Comput. Commun. 20 (1997) 1381–1385.
[13] S.J. MacKinnon, P.D. Taylor, H. Meijer, S.G. Akl, An optimal algorithm for assigning cryptographic keys to control access in a hierarchy, IEEE Trans. Comput. C-34 (9) (1985) 797–802.
[14] M.O. Rabin, Digitalized signatures and public key functions as intractable as factorization, Tech. Rep. MIT/LCS/TR-212, MIT Lab. for Computer Science, 1979.
[15] R.L. Rivest, A. Shamir, L. Adleman, A method for obtaining digital signatures and public key cryptosystems, Commun. ACM 21 (1978) 120–126.
[16] R.S. Sandhu, Cryptographic implementation of a tree hierarchy for access control, Inform. Process. Lett. 27 (1988) 95–98.
[17] N.J. Sloane, S. Plouffe, The Encyclopaedia of Integer Sequences, Academic Press, San Diego, CA, 1995.
[18] J.H. Yeh, R. Chow, R. Newman, A key assignment for enforcing access control policy exceptions, in: Proc. Internat. Symp. on Internet Technology, 1998, pp. 54–59.