Property Based Broadcast Encryption in the Face of Broadcasts

Transcription

1 Property-Based Broadcast Encryption for Multi-level Security Policies André Adelsbach, Ulrich Huber, and Ahmad-Reza Sadeghi Horst Görtz Institute for IT Security, Ruhr Universität Bochum, Germany Eighth International Conference on Information Security and Cryptology (ICISC 2005) Seoul, December 1, 2005

2 Multi-level security allows the system designer to limit the adversary s success to the amount of resources deployed in the attack AN EXAMPLE: MULTI-LEVEL SECURITY IN THE FACE OF VARYING PROTECTION LEVELS ILLUSTRATIVE One level of security Multi-level security Same asset, but two locks with different protection levels Adversary s strategy: break weaker lock Less valuable asset behind weaker lock Adversary s effort grows with desired value to be acquired 1

3 In a flexible content distribution model, the content providers should be able to base their access decision on the devices properties ACCESS DECISION FOR A BROADCAST EMISSION BASED ON ARBITRARY PROPERTIES OF DEVICES EXAMPLE Property 1: Region Property 2: Interface Allowed devices A Analog interface (no software patch*) Disallowed devices Content provider s access decision: only devices In region A With analog interface Digital interface (or software patch possible) l * Or at least no malicious patch, prevented by, e.g., proprietary software. 2

4 We can represent properties in a tree structure, whose leaves are the property configurations REPRESENTATION OF PROPERTIES AND PROPERTY CONFIGURATIONS IN A TREE STRUCTURE EXAMPLE Property Value Region North South Interface Analog Digital Analog Digital Data format MPEG CD MPEG CD MPEG CD MPEG CD Configuration Property configuration 4 := (North, Digital, CD) 3

5 If we choose a straightforward approach for mapping devices with a specific property configuration to devices in a tree-based broadcast encryption scheme, we cannot find an efficient cover A STRAIGHTFORWARD APPROACH FOR MAPPING CONFIGURATIONS TO BROADCAST TREES: ASSIGNMENT TO LEAVES IN ASCENDING ORDER Example: Configuration # of devices EXAMPLE No exclusive common ancestor Several nodes required to cover a configuration Devices Configuration

6 By mapping property configurations to the nodes of a special tree level, we find an efficient cover, but have to distribute unnecessarily many keys to devices AN IMPROVED APPROACH: ASSIGNMENT OF CONFIGURATIONS TO THE NODES OF A SPECIAL TREE LEVEL Assigned leaf Unassigned leaf Configuration level Device Configuration

7 We propose to cut the tree at the special level and generate a configuration tree at the top as well as a forest of device trees at the bottom, where we allow individual tree heights PROPOSED SOLUTION: SEPARATION OF THE SUBTREES BELOW CONFIGURATION NODES AND VARYING HEIGHT OF SUBTREES Assigned leaf Unassigned leaf Configuration tree Device trees Reduced height 6

8 The implantation of pseudo-random chains into the lowest level of the configuration tree induces a hierarchy, allowing superior configurations to descend (go to the left) to inferior configurations INTRODUCTION OF A HIERARCHICAL PROPERTY INTO THE CONFIGURATION TREE BY IMPLANTING PSEUDO-RANDOM CHAINS Increasing hierarchy Pseudo-random chain Regular property Hierarchical property Configuration Configuration 7 has access to content of configurations 5 and 6 7

9 We can interpret the pseudo-random chains as one-way doors, leading to rooms with lower protection INTERPRETATION OF THE PSEUDO-RANDOM CHAINS AS ONE-WAY DOORS Multi-level security with implanted hierarchies One-way door Very weak lock Weak lock Strong lock Very strong lock Implications Value of assets grows with lock strength Single key allows access to all lowerlevel rooms Applications: pay TV, CD/DVD distribution, file encryption, online subscriptions 8

10 Although we can easily embed the pseudo-random chain, its semantics need to be thoroughly enforced during revocation, encryption and decryption SOME TECHNICAL DETAILS OF THE SCHEME 1. Implantation of pseudo-random chains using labels: sk C inf PRCG non-intact C K δ ( PRCG ( label ) 2. Declaration of configuration c k as non-intact: C covered non-intact MostInferior L sup { } Inferior( ) c k c k 3. Encryption with properties and revocation information: disallowed ( C ( C C non-intact ) Provider Center 4. Decryption in three possible ways: c k C covered c k Superior covered allowed non-intact ( C ) ( c ( C C ) k 1 PRCG: pseudo-random chain generator, sk: secret key, inf/sup: inferior/superior configuration, 9

11 By embedding properties including one hierarchical property into a broadcast encryption tree, the proposed solution is more efficient than existing schemes in the hierarchical setting, but still as secure SUMMARY AND RESULT OF THE PROPOSED SOLUTION Summary Encoding of properties into the top of an existing broadcast tree Separation of property-related tree levels from device-related tree levels Configuration tree Device trees Implantation of pseudo-random chains and modification of revocation, encryption and decryption algorithms Result Reduction of message header length in hierarchical setting*: c log 2 ( l) Same security (IND-CCA1) as existing tree-based schemes, e.g., Subset Difference scheme proposed by Naor, Naor and Lotspiech Assumption: availability of cryptographically secure pseudo-random generators * l: number of hierarchy levels, c: small constant, e.g., c = 1 compared to Complete Subtree scheme and c = 2 compared to Subset Difference scheme proposed by Naor, Naor and Lotspiech 10

12 You can reach the authors at the Horst Görtz Institute for IT Security CONTACT TO THE AUTHORS André Adelsbach Ulrich Huber Ahmad-Reza Sadeghi Horst Görtz Institute for IT Security Ruhr Universität Bochum Universitätsstraße Bochum GERMANY Website: 11