A Cryptographic Key Assignment Scheme for Access Control in Poset Ordered Hierarchies with Enhanced Security

Transcription

1 Internatonal Journal of Network Securty, Vol.7, No., PP.3 34, Sept. 8 3 A ryptographc Key Assgnment Scheme for Access ontrol n Poset Ordered Herarches wth Enhanced Securty Debass Gr and P. D. Srvastava (orrespondng author: Debass Gr) Department of Mathematcs, Indan Insttute of Technology, Kharagpur-73, Inda (Emal: {dgr,pds}@maths.tkgp.ernet.n) (Receved Agu., 6; revsed Nov. 8, 6; and accepted June, 7) Abstract In a herarchcal structure, a user n a securty class has access to nformaton tems of securty classes of lower levels, but not of upper levels. Based upon cryptographc technques, several schemes have been proposed for solvng the problem of access control n herarchal structures, whch are based on only one cryptographc assumpton. In ths paper, we propose a scheme for access control n herarchcal structures that acheves better securty, effcency, flexblty and generalty compared to the schemes prevously publshed. Keywords: Access control, cryptography, data securty, key generaton Introducton The concept of herarchcal access control s that an user of a hgher securty level class has the ablty to access the nformaton tems (e.g., a message, data) n users of lower securty level classes. Herarchcal structures are used n many applcatons ncludng mltary, government, schools and colleges, prvate corporatons, computer network systems [6, 9], operatng systems [6] and database management systems [5]. In many stuatons, the herarchcal systems can be represented by a partally ordered set. We consder an organzatonal structure n whch users and ther own nformaton tems are dvded nto a number of dsjont set of securty classes, say,,,..., n, where represents the dentty of the class. For a set = {,,..., n }, we call the relaton s partally ordered f t satsfes the followng three propertes: ) Reflexvty property: For all, ; ) Ant-symmetrc property: If, j, j and j mples = j ; 3) Transtvty property: If, j, k, j and j k mples k. A set s partal ordered on s called partally ordered set (poset, for short). We assume that the set = {,,..., n } s partally ordered wth respect to the relaton, where j means that has securty clearance lower than or equal to j. In other words, users n j can access the encrypted nformaton held by users n. But the opposte s not allowed. Fgure shows an example of four level herarchal structure. The top level classes posses the hghest securty, and securty decreases wth ncrease n the level. Users n bottom level classes have the least securty. If j, s called a successor of j, and j s called a predecessor of. If there s no k such that k j, the class s called an mmedate successor of j and j s called an mmedate predecessor of. If there s no k such that j k, the class j s called leaf securty class; otherwse, the class j s called a non-leaf securty class. It s obvous that a predecessor class of any class s a non-leaf securty class n a herarchy. Assume that a user n the securty class 6 n Fgure encrypts a message wth hs/her own encrypton key. Because of access control n a herarchcal structure, only the users n the securty class 6 and hs/her predecessors classes (.e., 3,, ) can decrypt ths message. Nobody else can decrypt ths message. A straghtforward access control scheme for poset ordered herarchy s to assgn each securty class wth a key, and each class has the keys of all ts successors. The nformaton tems belongng to a class s encrypted wth the key assgned to that class. As a result, f a class encrypts the nformaton tems, ts predecessors can only decrypt the encrypted nformaton tems. The drawback of such scheme s to store the keys n hgher herarchcal classes. Many authors have proposed dfferent methods for solvng such type of problem usng the concept of master key. In 983, Akl-Taylor [] proposed a scheme based on cryptography to access of nformaton n a her-

2 Internatonal Journal of Network Securty, Vol.7, No., PP.3 34, Sept Level Level Level Level 3 Fgure : An example of a herarchcal structure archy. Ther soluton was based on the RSA cryptosystem [6]. The advantage of ths scheme s that the key generaton/dervaton algorthms are qute smple. In 985, Macknnon et al. [7] proposed an mproved algorthm for the Akl-Taylor scheme based on top-down approach of poset ordered herarchy for reducng the value of publc parameters. In 988, Sandhu [7] ntroduced a cryptographc mplementaton of a tree structural herarchy for access control based on one-way functon. In 99, Harn- Ln [7] proposed a scheme whch s smlar to the scheme of Akl-Taylor, but, t s based on bottom-up approach for key generaton. These above mentoned schemes have some drawbacks. Frstly, f the securty classes n the herarchy s large, a large storage space s requred for storng the publc parameters. Secondly, on the solutons of dynamc access control problems, the key assgnment scheme encounters great dffcultes n re-updatng key. Fnally, t s dffcult to provde the user wth a convenent way to change hs/her secret key for the securty consderatons. To overcome these problems, a number of schemes [3, 3, 4, 5, 3, 3] related to access control have been proposed. In 99 and 993, both hang et al. [3] and Law et al. [3, 4] proposed a scheme based on Newton s nterpolatons method and one-way functon. In, Hwang [9] proposed an access control scheme for a totally ordered herarchy based on asymmetrc cryptosystem. In, Wu-hang [3] proposed a cryptographc key assgnment scheme to solve the access control polcy usng polynomal nterpolatons. But, ths scheme has securty flaws as descrbed n [8, 3]. In 3, Ln-Hwang-hang [5] proposed a scheme for access control, where each securty class contans a secret key SK and dervaton key DK whch are kept secret by the class. If j, the class j can derve the secret key of the class usng the dervaton key DK j and publc parameters. In ths scheme requres only small amount of storage space to store publc parameters compared to the Akl-Taylor s scheme []. In, Shen-hen [3] proposed a scheme whch s based on dscrete logarthm problems and the Newton s nterpolatng polynomals. The drawback of ths scheme s that a large number of secret parameters becomes nconvenent to admnster and hazardous to keep them secure. To overcome ths problem, we propose a scheme for access control n poset ordered herarches based on one-way secure hash functons [], the dscrete logarthm problems [, 8, ], the factorng problems [, 3, 4] and the Newton s nterpolatng polynomals [8]. Our scheme requres less amount of storage space to store secret parameters compared to the Shen and hen s [3] scheme. Further, our scheme s applcable to a large-scale herarchcal model. Ths scheme also supports dynamc access control polcy. Moreover, our scheme possesses the enhanced securty compared to the exstng schemes. The remander of ths paper s organzed as follows. Secton gves a bref revew of the Shen and hen scheme. In Secton 3, we descrbe our proposed scheme for access control n poset ordered structural herarches. Secton 4 shows the dynamc key management. In Secton 5, we dscuss the securty analyss. Secton 6 shows the space and tme complexty of our scheme. In Secton 7, our scheme s compared wth prevously publshed schemes. Fnally, Secton 8 concludes the paper. Revew of the Shen and hen Scheme In ths secton, we brefly revew the Shen and hen scheme [3]. There s a central authorty (A, for short) n the system. ID, ID,..., ID n denote the dentfers of,,..., n respectvely. A selects two large prmes P and P, such that P = P +. Next, A selects a prmtve root g over Galos feld GF(P). Then, A publshes g and P as publc parameters. Then, A assgns the secret parameters b and SK to the class, for =,,..., n, where n s the number of classes n the herarchcal system, and gcd(b, P ) = and gcd(sk, P ) =. A computes a publc parameter Q = SK b mod P, for =,,..., n. Then, A computes a Newton s nterpolatng polynomal f (x) over GF(P) by nterpolatng at all the ponts (ID j (g SK mod P), b j ), where the ndex j corresponds to every successor j of, ID j s the dentty of j and s a bt concatenaton operator. Then, A publshes the publc parameter Q of and transmts (SK, f (x), b ) to each class n the herarchy, where SK and b are transmtted securely to. In the key dervaton procedure, suppose j. Then, can derve j s prvate key SK j by computng b j = f (ID j (g SK mod P)) and SK j = Q bj j mod P.

3 Internatonal Journal of Network Securty, Vol.7, No., PP.3 34, Sept The Proposed Scheme In ths secton, we propose a new key assgnment scheme for access control n a poset ordered structure herarchy. We assume that there s a trusted central authorty n the system. The man purpose of A s to generate keys and dstrbute those keys to all classes n the herarchy. Our scheme conssts of fve followng procedures, namely, system setup procedure, relatonshp buldng procedure, key generaton procedure, publc polynomal generaton procedure and key dervaton procedure. 3. System Setup Procedure A chooses a large prme P so that P = P P +, where P and P are two dstnct large prmes. P and P are to be chosen at least 5 bts long prmes for securty consderatons. A computes R = P. A then chooses a prmtve root g over Galos feld GF(P). A selects a prme Q such that log Q log P + log n, where n s the number of securty classes n the system. A selects a symmetrc cryptosystem (for example AES-56 []) n whch E k ( ) and D k ( ) are the encrypton and decrypton algorthms wth the key k respectvely and a cryptographc one-way hash functon h( ) (for example SHA-56 []). A keeps g, P, Q, h( ), and encrypton and decrypton algorthms as publc. In our scheme, we use AES-56 as symmetrc cryptosystem and SHA-56 as cryptographc one-way hash functon. It s noted that the AES-56 has block length, cpher length and key length each of L = 56-bt. Further, n case of SHA-56, the message dgest length of h( ) s L, whch s same as the key length of AES-56. As a result, one can use symmetrc secret key as the hashed value h(r) of a long message, say, r. However, f r or h(r) s not dsclosed to an unauthorzed thrd party or an adversary, t s computatonally hard to recover m from c, where c = E h(r) (m). 3. Relatonshp Buldng Procedure In ths subsecton, we construct a relatonshp lst among all classes n a herarchy n order to store the nformaton regardng those relatonshps. It s noted that a herarchy s represented as a drected acyclc graph, say, G = (, E), where = {,,..., n } and E = {e j, e j, s an edge from j to (.e., there s a drected path from j to ) wth a relaton j for dfferent and j, where, j }. and E represent the vertex set and edge set of the graph G respectvely and each s consdered as a vertex n the graph G. Then, A publshes the graph G correspondng to the herarchy. A has only access to update the publshed graph G,.e., the relatonshp among the classes,,..., n n that herarchy. It s noted that f there exsts a relaton between two dfferent classes and j wth j n a herarchy, a path from j to exsts n graph G correspondng to that herarchy. 3.3 Key Generaton Procedure In ths subsecton, we descrbe the key generaton procedure to generate keys for all classes n a herarchy by A. A randomly chooses a secret key SK {, } L for each class n the herarchy, where L = 56. Then, A transmts securely the secret key SK to each securty class n the herarchy. keeps SK as secret. 3.4 Publc Polynomal Generaton Procedure In ths subsecton, we descrbe the publc polynomal generaton procedure to generate the Newton s nterpolatng polynomal [8] for each non-leaf securty class n the herarchy by A. The descrpton of the publc polynomal generaton procedure over GF(Q) s as follows: ) A chooses a class from the graph G correspondng to the herarchy, where s the dentty of the class. ) To construct the publc dervaton Newton s nterpolatng polynomals for the class, A frst constructs the ponts contanng the denttes and secret keys of the mmedate successors of, and the dentty and the secret key SK of. onsder that has k number of mmedate successors, say,,,, k, where u s the dentty of the class u, u {,,..., k}. A constructs the ponts ( u DK, E h( u SK ) (SK u )) for all u such that u {,,..., k}, where s a bt concatenaton operator and DK = g SK3 mod R mod P s the dervaton key of the class. Then, contanng these ponts, A derves the Newton s nterpolatng polynomal for the class, whch s denoted by NIP, (x) over GF(Q). Next, A computes the Newton s nterpolatng polynomal for the class after constructng the ponts contanng the denttes and secret keys of the mmedate successors of each u, u {,,..., k}, and the dentty and the secret key SK of. Now, consder the case for the mmedate successor of. For example, let have only four mmedate successors, say, a, b, c and d. Then, A constructs four ponts (a DK, E h( a SK ) (SK a )), (b DK, E h( b SK ) (SK b )), (c DK, E h( c SK ) (SK c )) and (d DK, E h( d SK ) (SK d )). Then, contanng these ponts, A derves another Newton s nterpolatng polynomal for the class, whch s denoted by NIP, (x) over GF(Q). Smlarly, A derves NIP, u (x) for all u {, 3,..., k} and then A computes NIP,a (x), NIP,b (x), NIP,c (x) and

4 Internatonal Journal of Network Securty, Vol.7, No., PP.3 34, Sept. 8 6 NIP,d (x) for the class and so on for all successors of, whch are non-leaf securty classes n the herarchy. NIP,j (x) stands for the Newton s nterpolatng polynomal for the class at the ponts contanng the denttes and secret keys of all mmedate successors of j, and the dentty j of j, and the secret key SK and the dervaton key DK of. To construct the publc dervaton Newton s nterpolatng polynomals for the class, A frst constructs the ponts contanng the denttes and secret keys of the mmedate successors of, and the dentty and the secret key SK of. onsder that has k number of mmedate successors, say,,,, k, where u s the dentty of the class u, u {,,..., k}. A constructs the ponts ( u DK, E h( u SK ) (SK u )) for all u such that u {,,..., k}, where s a bt concatenaton operator and DK = g SK3 mod R mod P s the dervaton key of the class. Then, contanng these ponts, A derves the Newton s nterpolatng polynomal for the class, whch s denoted by NIP, (x) over GF(Q). Next, A computes the Newton s nterpolatng polynomal for the class after constructng the ponts contanng the denttes and secret keys of the mmedate successors of each u, u {,,..., k}, and the dentty and the secret key SK of. Now, consder the case for the mmedate successor of. For example, let have only four mmedate successors, say, a, b, c and d. Then, A constructs four ponts (a DK, E h( a SK ) (SK a )), (b DK, E h( b SK ) (SK b )), (c DK, E h( c SK ) (SK c )) and (d DK, E h( d SK ) (SK d )). Then, contanng these ponts, A derves another Newton s nterpolatng polynomal for the class, whch s denoted by NIP, (x) over GF(Q). Smlarly, A derves NIP, u (x) for all u {, 3,..., k} and then A computes NIP,a (x), NIP,b (x), NIP,c (x) and NIP,d (x) for the class and so on for all successors of, whch are non-leaf securty classes n the herarchy. NIP,j (x) stands for the Newton s nterpolatng polynomal for the class at the ponts contanng the denttes and secret keys of all mmedate successors of j, and the dentty j of j, and the secret key SK and the dervaton key DK of. Note that f a successor of s a leaf securty class, A does not derve the Newton s nterpolatng polynomal for that successor. 3) A repeats Step untl each non-leaf securty class s taken n the herarchy. The above procedure s summarzed by the followng algorthm. Algorthm. nput: ) G = (, E), a drected acyclc graph (as descrbed n Subsecton 3.). ) SK, an array n the range from to n, where SK contans the secret key of for =,,..., n. 3) n, the number of vertces of G,.e., number of classes n the herarchy. output: The Newton s nterpolatng polynomals for every, where s a non-leaf securty class n G. Polynomal Generaton (G, SK, n) {. Integer: l, T, DK, X [:n ], Y [:n ] ; [comment: l, T and DK are three nteger varables, and X and Y are two arrays of nteger varables]. whle( φ) do [comment: φ represents null set] {.. hoose an element ;.. Set IS contans all mmedate successors of ;.3. If IS = φ then goto step-.9 ;.4. T = SK ;.5. DK = g T SK mod R mod P; [comment: DK = g SK3 mod R mod P].6. Set S contans all successors of ;.7. Set A = S { };.8. whle (A = φ) do {.8.. Select an element j A;.8.. Set IS contans all mmedate successors of j ;.8.3. If IS = φ then goto step-.8.8;.8.4. l = ;.8.5. whle (IS φ) do { hoose an element k IS; X l = k DK; Y l = E h(j k T) (SK k ); [comment: Y l = E h(j k SK )(SK k )] l = l + ; IS = IS \ { k }; [comment: \ represents set mnus] }.8.6. l = l ;.8.7. omputes NIP,j contanng the ponts (X r, Y r ) for r l;.8.8. A = A \ { j }; }.9. = \ { }; } } A publshes all the Newton s nterpolatng polynomals (.e., the coeffcents of all the polynomals) correspondng to each non-leaf securty class n the herarchy. But, only A owns the authorty to update publc Newton s nterpolatng polynomals. Example. Let us revst the herarchcal structure presented n Fgure. Suppose A runs the algorthm- to compute all the Newton s nterpolatng polynomals for all

5 Internatonal Journal of Network Securty, Vol.7, No., PP.3 34, Sept. 8 7 non-leaf securty classes n the herarchy, whch are shown below. The Newton s nterpolatng polynomals for the class : NIP, (x) s computed contanng the followng two ponts ( DK, E h( SK )(SK )) and ( DK, E h( SK )(SK )). NIP, (x) s computed contanng the followng two ponts (3 DK, E h( 3 SK )(SK 3 )) and (4 DK, E h( 4 SK )(SK 4 )). NIP, (x) s computed contanng the followng two ponts (4 DK, E h( 4 SK )(SK 4 )) and (5 DK, E h( 5 SK )(SK 5 )). NIP,3 (x) s computed contanng the pont (6 DK, E h(3 6 SK )(SK 6 )). NIP,4 (x) s computed contanng the pont (7 DK, E h(4 7 SK NIP,5 (x) s computed contanng the pont (7 DK, E h(5 7 SK The Newton s nterpolatng polynomals for the class : 3.5 Key Dervaton Procedure When a class, say, j, needs to compute the secret key of an another class, say,, where s a successor of j (.e., j ), j frst fnds a path from tself to the class from the graph G. Fgure shows an example of a chan, where j wants to derve the secret key SK of the class and there exsts a path from j to wth some ntermedate classes, say, k, k,..., kl. Here k k... kl j, where kr s the mmedate successor of kr+ for r =,,..., l, and and kl are the mmedate successors of k and j respectvely. j k k NIP, (x) s computed contanng the followng two ponts (3 DK, E h( 3 SK )(SK 3 )) and (4 DK, E h( 4 SK )(SK 4 )). NIP,3 (x) s computed contanng the pont (6 DK, E h(3 6 SK )(SK 6 )). NIP,4 (x) s computed contanng the pont (7 DK, E h(4 7 SK The Newton s nterpolatng polynomals for the class : NIP, (x) s computed contanng the followng two ponts (4 DK, E h( 4 SK )(SK 4 )) and (5 DK, E h( 5 SK )(SK 5 )). NIP,4 (x) s computed contanng the pont (7 DK, E h(4 7 SK NIP,5 (x) s computed contanng the pont (7 DK, E h(5 7 SK The Newton s nterpolatng polynomal for the class 3 : NIP 3,3 (x) s computed contanng the pont (6 DK 3, E h(3 6 SK 3 )(SK 6 )). The Newton s nterpolatng polynomal for the class 4 : NIP 4,4 (x) s computed contanng the pont (7 DK 4, E h(4 7 SK 4 The Newton s nterpolatng polynomal for the class 5 : NIP 5,5 (x) s computed contanng the pont (7 DK 5, E h(5 7 SK 5 k l Fgure : An example of a chan n a herarchcal structure j computes the dervaton key DK j as DK j = g SK3 j mod R mod P. () Usng ts secret key SK j. j then computes SK as follows: NIP j, kl ( DK j ) = E h(kl SK j ) (SK ) () SK = D h(kl SK j ) (NIP j, kl ( DK j )), where k l s the dentty of kl, kl the mmedate predecessor of and NIP j,kl (x) stands for a Newton s nterpolatng polynomal for the class j at the ponts contanng the denttes and secret keys of all the mmedate successors (ncludng the class ) of kl, and the dentty k l of kl, and the secret key SK j and the dervaton key DK j of j. NIP j, kl ( DK j ) s the value of the Newton s nterpolatng polynomal NIP j, kl (x) at the x- coordnate ( DK j ). If the x-coordnate to the Newton s nterpolatng polynomal NIP j, kl (x) s known, one gets the y-coordnate correspondng to the x-coordnate. For

6 Internatonal Journal of Network Securty, Vol.7, No., PP.3 34, Sept. 8 8 an example, f we supply x-coordnate as DK j, one gets y-coordnate as E h(kl SKj ) (SK ) from Equaton (). It s noted that even f the dervaton key DK j of a class j s known to an adversary, t s computatonally nfeasble to compute the secret key SK j of that class j. In order to derve SKj 3, the adversary needs to solve the dscrete logarthm problem over a large prme feld GF(P). The secret key SK j of the class j s to be known by the adversary from SKj 3 P mod R, where R =. Snce R s product of two large prme factors, t s computatonally dffcult for the adversary to derve SK j due to the nteger factorzaton problem. Hence, we note that gven DK j, g and P to compute SK from the Equaton () s based on both dscrete logarthm as well as nteger factorzaton problems. Example. Suppose the class wants to compute the secret key SK 7 of the class 7 n Fgure. At frst supples the x-coordnate as 7 DK to the Newton s nterpolatng polynomal NIP,4 (x) (or NIP,5 (x)). Then derves E h(4 7 SK )(SK 7 ) (or E h(5 7 SK )(SK 7 )) and decrypts that value wth the key h(4 7 SK ) (or h(5 7 SK )) to compute the secret key SK 7 correspondng to the class 7. 4 Dynamc Key Management In ths secton, we present the dynamc key management problems lke addng/deletng a class, addng/deletng a relatonshp and changng a secret key. 4. Addng a New lass Let a be a new class to be added as an mmedate successor of nto the exstng system. Then, all the predecessors of wll also be the predecessors of a. A does the followng steps: ) A randomly chooses a secret key SK a {, } L. ) A computes dervaton key DK a = g SK3 a mod R mod P. 3) If a s a leaf securty class, A constructs NIP k, a (x) for all k such that k ncludng the pont (a DK k, E h( a SK k )(SK a )). Then, A publshes the coeffcents of every NIP k, a (x) correspondng to the class k. 4) Otherwse, f a s not a leaf securty class, we proceed as follows. Let j a, where a s an mmedate successor and mmedate predecessor of and j respectvely. A constructs NIP a, k (x) for all k such that k a and publshes the coeffcents of every NIP a, k (x) correspondng to the class a. A reconstructs NIP l, (x) for all l such that l ncludng one more pont (a DK l, E h( a SK l )(SK a )) and publshes the coeffcents of every NIP l, (x) after deletng the old ones correspondng to the class l. 5) A transmts securely SK a to the class a. 4. Deletng a lass Let d be a class to be deleted from the exstng system. Then the followng steps are requred: ) Let be an mmedate predecessor of d. A reconstructs NIP k, (x) for all k such that k excludng the pont (d DK k, E h( d SK k )(SK d )). Then, A publshes the coeffcents of every NIP k, (x) after deletng the coeffcents of old ones correspondng to the class k. ) A deletes all nformaton correspondng to the class d. 4.3 Addng a Relatonshp Suppose that a new relatonshp to be added between two dfferent and j such that j holds, where s an mmedate successor of j. A reconstructs NIP k, (x) for all k such that j k ncludng the pont ( DK k, E h(j SK k )(SK )) and then A publshes the coeffcents of every NIP k, (x) correspondng to the class k. 4.4 Deletng a Relatonshp Suppose that a relatonshp to be deleted between two dfferent and j wth a relaton j, where j s the mmedate predecessor of. A reconstructs NIP k, j (x) for all k such that j k excludng the pont ( DK k, E h(j SK k )(SK )) and then publshes the coeffcents of every NIP k, j (x) after deletng the coeffcents of old ones correspondng to the class k. 4.5 hangng a Secret Key Sometmes for securty t s needed to change the secret key of a class. Suppose old secret key SK of the class wll be changed by a new secret key SK {, }L. A then performs the followng steps: ) A recomputes dervaton key: DK = g (SK )3 mod R mod P. ) Usng new secret key SK and dervaton key DK of, A reconstructs NIP,j (x) for all j such that j and publshes the coeffcents of every NIP,j (x) after deletng the old ones correspondng to the class. Then, usng the new secret key SK of, A also reconstructs NIP k, (x) for all k dfferent from such that k and publshes the coeffcents of every NIP k, (x) after deletng the old ones correspondng to the class k. 3) A securely transmts the secret key SK to the class.

7 Internatonal Journal of Network Securty, Vol.7, No., PP.3 34, Sept Securty Analyss In ths secton, we present the securty analyss of our scheme aganst dfferent knds of attacks from nsde and outsde of the system. ontrary attack: Let us consder j. Let us verfy whether SK j can be calculated by a user beng an adversary at level through the secret key SK of ts own and all publc parameters. If k s the mmedate predecessor of and k j, SK can be computed by j as SK = D h(k SK j )(NIP j, k ( DK j )). Snce DK j = g SK3 j mod R mod P, SK j can be computed from the equaton E h(k SK j )(SK ) = NIP j, k ( DK j ), whch s based on the dffculty of computng the dscrete logarthm problem over GF(P) and the factorng problem to R even f DK j s known to the adversary. Also, t s known that the problem of computng n-th root of x n mod R for any nteger n s as dffcult as factorng R, where R s product of two large prmes and t has proved n [5] for the case of n =. As a result, even f DK j s known to the adversary at level, t s also dffcult to compute the secret key SK j of the class j because of the fact that t s computatonally nfeasble to compute SK j due to the dscrete logarthms and factorzaton problems. Further, fndng roots of a polynomal over a large prme feld by the adversary at level may feasble due to results based on [, 4, ]. In our scheme, SK s encrypted usng the encrypton key h(k SKj ), where the computaton of DK j s computatonally hard to the adversary at level because of the fact that SK j s not known to the adversary. As a result, even f DK j s known to the adversary at level, t s computatonally hard to compute SK j of the class j usng root fndng algorthms by the adversary at level, whch s already dscussed prevously n Subsecton 3.5. The adversary can also try to compute the secret encrypton key h(k SKj ). Therefore, the adversary has to compute DK j and then the adversary has to solve the plantext-cphertext par attacks aganst the symmetrc cryptosystem, whch s agan dffcult problem for nsuffcent number of plantextcphertext pars because n practcal stuatons, the number of securty classes s not more n order to derve the encrypton key from plantext-cphertext pars. Even f the encrypton key s known to the adversary, t s also dffcult to compute the secret key SK j from h(k SKj ) because of the fact that t s computatonally nfeasble to nvert the secure oneway hash functon [9]. Snce there are no effcent algorthms avalable so far for solvng dscrete logarthm problems, nteger factorzaton problems and nverson of one-way hash functons, we conclude that our scheme s secure aganst such type of attack. ollaboratve attack: Let us check whether the decrypton key of the upper level class can be derved by two or more lower securty level classes. Let us consder j, k and l be the successors of. Assume that j, k and l compromse ther secret keys SK j, SK k and SK l. We assume that x, y and z are the mmedate predecessors of j, k and l respectvely, where x, y and z. We nvestgate whether SK can be calculated by j, k and l usng ther secret keys and publc parameters. The equatons known to them are as follows: SK j = D h(x j SK )(NIP, x (j DK )), SK k = D h(y k SK )(NIP, y (k DK )), SK l = D h(z l SK )(NIP, z (l DK )), where DK = g SK3 mod R mod P. From these above equatons, the dervaton of SK s based on the dffculty of computng the dscrete logarthms over GF(P) and the factorng a large composte nteger R as n contrary attack. Hence, t s computatonally hard to compute secret key of a class for the collaboraton of two or more lower securty level classes. As a result, our scheme s secure aganst ths knd of attack. Interor collectng attack: Let us consder the subordnate class j whch be accessble by m predecessors, say,, +,..., and +m. Agan, assume that the mmedate predecessors of j be { k, k+,..., k+m }, where k+s +s for all s {,,..., m }. Let us verfy whether a user of j beng an adversary can derve the secret key of one of ts predecessors, +,..., and +m. Assume that the followng equatons are known to the attacker. SK j = D h(k j SK )(NIP, k (j DK )), SK j = D h(k+ j SK + )(NIP +, k+ (j DK + )),. SK j = D h(k+m j SK +m ) (NIP +m, k+m (j DK +m )). It s also computatonally hard as n contrary attack to compute the secret key of one of the classes {, +,..., +m } by the adversary. Hence, our scheme s secure aganst ths attack. Exteror attack: Assume that an ntruder enters from outsde the system,.e., he/she s not an user of any class of the herarchy. He/she beng an adversary may try to compute the secret key SK of a class usng only the publc parameters. The securty of our scheme ressts the unauthorzed ntruder. Because, even f DK and h(j k SK ) are known to the adversary, t computatonally hard to compute SK, where k and j are the denttes of the classes k and j respectvely, and k s the mmedate successor of j wth k j.

8 Internatonal Journal of Network Securty, Vol.7, No., PP.3 34, Sept. 8 3 Sblng attack: Let us consder j and k be the sblngs wth same mmedate predecessor. Let us nvestgate whether j can compute SK k of the class k or vce versa. Let a user of j beng an adversary want to compute SK k. j already knows the followng equaton: SK j = D h( j SK )(NIP, (j DK )). If j wants to compute SK k (= D h( k SK )( NIP, (j DK ))) usng ts secret key SK j and all publc parameters, j needs to compute SK frst, whch s computatonally hard as n contrary attack. As a result, t s computatonally hard to compute SK k by the adversary wthout dervng SK. Hence, our scheme s secure aganst ths attack. Interor root fndng attack: In ths attack, a securty class beng an adversary has to compute the roots of a polynomal over a prme feld GF(Q), whch s feasble due to [, 4, ]. Then, the adversary can try to compute the secret key of a class whch s not a successor of the class. For an example, n Fgure, can compute the secret keys SK 4, SK 5 and SK 7 of the classes 4, 5 and 7 respectvely. Then, can try to compute the secret key of any one of the classes {,, 3, 6 }. However, Hus et al. [8] show that can compute the secret key SK 3 of the class 3 n the Shen and hen s scheme [3] for the same herarchcal structure as n Fgure after computng the secret key SK 4 of the class 4 and then applyng the root fndng algorthm supplyng SK 4 and the dentty 3 of the class 3 (more detals can be found n [8]). Further, usng the secret key SK 3, can also compute the secret key SK 6 of the class 6. Now, let us consder our scheme. onsder that and j have a common successor k. Besde that common successor, let and j have other successors. Let us check whether can compute the secret key of any other successor of j whch s not a successor of, or whether j can compute the secret key of any successor of whch s not a successor of j. If t s true, these volate the herarchy requrement. However, such type of attack s not possble n our scheme because of the fact that successors secret keys are encrypted by the secret key of ts predecessor to construct the Newton s nterpolatng polynomals correspondng to that predecessor. Followng example shows that our scheme s secure aganst the attack n [8]. In Fgure, and have a common successor 4. has also another successor 3, and has another successor 5 and so on. Let us nvestgate whether beng an adversary can compute the secret key SK 3 of 3. As 4 s a successor of, can compute the secret key SK 4 of the class 4. But, t s computatonally hard for the adversary to compute the secret key SK 3 of the class 3 from the publc parameters and the secret key SK 4 of the class 4 wthout knowng the secret key SK of the class from the followng equatons SK 3 = D h( 3 SK )(NIP, (3 DK )), SK 4 = D h( 4 SK )(NIP, (4 DK )). As a result, t s computatonally hard for beng an adversary to compute the secret key SK 3 of 3. Thus, our scheme s secure aganst ths attack, whereas such attack can be mounted on Shen and hen s scheme (see n [8]). Exteror root fndng attack: In ths attack, an adversary who s not a user n any class n a herarchy can derve secret key of a class by root fndng algorthm over a large prme feld. Such type of attacks s shown n more detals n [3]. All successors secret keys of a class are embedded n ts publc polynomal, say, f (x), where can compute the secret keys of ts all successors. When A adds or deletes some mmedate successors from, A updates the publc polynomal as f (x). But, for those successors, whch reman as successors of, ther secrets are stll computed by usng f (x). As a result, the adversary can try to compute x-coordnates of ponts whch are used to construct the publc polynomals by solvng the equaton f (x) f (x) =. Then, the adversary can try to compute the secret key of the successors of (more detals can be found n [3]). But, n our scheme, the adversary can compute the x-coordnates from the equaton NIP,j (x) NIP,j (x) = correspondng to the class, where j s the dentty of j wth j. That s adversary can get k g SK3 mod R mod P, where k s the dentty of an mmedate successor of j. From ths value, t s computatonally nfeasble to compute SK. As a result, t s computatonally hard to derve the secret key SK k of the class k, whch s an mmedate successor of the class j, and k j. Snce SK k s encrypted by the encrypton key h(j k SK ), whch s composed by the secret key SK of the class, our scheme s secure aganst such type of attack. But, such type of attack can be possble for the Shen and hen s scheme (see n [3]). 6 Effcency of our Scheme Storage space requrement: In our scheme, the secret parameter s SK for each class, where SK {, } L. Therefore, the storage requrement for storng the secret parameter s L bts. Let us consder has k number of relatons among all successors of and the class tself. Then, from the key generaton procedure, A publshes k number of publc parameters (.e., all coeffcents of the Newton s nterpolatng polynomals) correspondng to the class, where each publc parameter les between and Q. Therefore, the storage requrement for storng

9 Internatonal Journal of Network Securty, Vol.7, No., PP.3 34, Sept. 8 3 Table : Functonal comparsons Items Publc storage for a Secret storage for a key dervaton Schemes class wth n successors, class wth n successors complexty and n relatons among these n successors and the class tself Akl-Taylor Ω(n 3 log n) bts log N bts Exponentaton Harn-Ln Ω(n 3 log n) bts log N bts Exponentaton Exponentaton Shen-hen O(n log P ) bts Ω(n log P ) bts + Interpolatons 3 Multplcatons + Our scheme O(n log Q ) bts L bts Exponentaton + Hash + Decrypton + Interpolatons the publc parameters s k log Q bts correspondng to the class. In the Shen and hen s scheme, 3 log P + r log P bts are requred to store the secret parameters for each class, where r s the number of successors of, P s a prme slghtly larger than P. Snce L < 3 log P +k log P and L < log P because L = 56 and log P 5 as P can be at least 5-bt for securty on dscrete logarthm problems, our scheme requres less amount of space to store secret parameters compared to the Shen and hen s scheme. Tme requrement for dervng a key: Let n + be the number of successors of a class j, and be a successor of j. In worst case, there s n + number of successors whch may be the mmedate successors of j, and as a result, the degree of the Newton s nterpolatng polynomal s n for the class j. Moreover, the evaluaton of a n degree polynomal needs n number of modular multplcatons and n modular addtons. Thus, the tme requred to evaluate a polynomal of degree n at a pont s O(n log Q) n terms of bt operatons, where the notaton O (bg oh) denotes upper bound. Further, the tme requred to compute the dervaton key s O(log 3 P) bt operatons because t s exponentaton operaton on large modulus P. As a result, n our scheme, t takes O(n log Q + log3 P) computatonal tme n terms of bt operatons to derve a secret key of lower securty level class by an upper securty level class after neglectng the computatonal tme taken for multplcaton, hashng and decryptng operatons because of the fact that these operatons take less computatonal tme compared to the exponentaton operatons on large modulus. 7 omparson In ths secton, we compare our scheme wth the prevously publshed schemes. Ω represents the lower bound. Table shows that the space requrement to store publc parameters and secret parameters, and tme taken to derve a key for dfferent schemes. Let us assume that P (a large prme) and N (product of two large prmes) be n the range between 4-48 bts for decent securty and are of the same sze, and L = 56. However, n the Shen and hen s scheme, when herarchy becomes qute large, the users n a hgher securty level classes need to store a large number of secret parameters. As a result, a large numfer of secret parameters becomes nconvenent to admnster and hazardous to keep them secure. But, n our scheme, the sze of secret parameter s always L bts, whch does not depend on the sze of the herarchy. As a result, n our scheme, the sze of secret parameter s much less than the Shen and hen s scheme even f the herarchy becomes large. Further, we observe from ths table that our scheme requres three modular multplcaton, one hashng, one modular exponentaton, computaton of one nterpolatng polynomal, and one symmetrc decrypton operatons. We know that cryptographc hashng and symmetrc encrypton/decrypton are much more effcent than modular exponentaton for a large exponent compared to the computatonal pont of vew, whereas two modular exponentaton and computaton of one nterpolatng polynomal are needed n the Shen and hen s scheme. Snce there s one more modulo exponentaton s needed n the Shen and hen s scheme compared to our scheme to derve a secret key of a class, our scheme s more effcent than the Shen and hen s scheme. Furthermore, sometmes the computaton of nterpolatng polynomal n our scheme s less than that of the Shen and hen s scheme. In the Shen and hen s scheme, the Newton s nterpolatng polynomal for a class conssts of ponts correspondng all successors of. There s only one nterpolatng polynomal correspondng to the class and the degree of the polynomal depends on the number of suc-

10 Internatonal Journal of Network Securty, Vol.7, No., PP.3 34, Sept. 8 3 k k +k + k + Fgure 3: An example of poset ordered herarchcal structure cessors of that class. If a class has n number of successors, the degree of polynomal s n correspondng to that class. On the other hand, n our scheme, the number of the Newton s nterpolatng polynomal may be more than one correspondng to a class, whch depends upon the number of non-leaf successors of that class plus one. For an example, n Fgure, the number of the Newton s nterpolaton polynomals for the class s 6, because the number of non-leaf successors of s 5 plus. Further, the degree of the Newton s nterpolatng polynomal n our scheme s less then or equal to the degree that of the Shen and hen s scheme correspondng to a class for computng the secret key of a successor of that class, whch can be shown by the followng example. Example 3. In Fgure 3, has two mmedate successors and. has k number of mmedate successors, say, 3, 4,..., k+. Furthermore, 3 has k number of mmedate successors, say, k+3, k+4,..., k+k +, and 4 has an mmedate successor k+k +. Now, let want to compute the secret key of the class k+3. In the Shen and hen s scheme, the total number of successors of s k + k. Therefore, the degree of the Newton s nterpolaton polynomal correspondng to the class s k +k. As a result, (k +k ) modular multplcatons and (k +k ) modular addtons are requred to compute the secret key of k+3 by. But, n our scheme, to derve the secret key of the class k+3, needs the Newton s nterpolaton polynomal NIP,3 (x) whch s of degree k. Thus, k modular multplcatons and k modular addtons are requred for our scheme. Hence, for dervng the secret key of the class k+3, the degree of NIP,3 (x) n our scheme s less than the degree of the Newton s nterpolatng polynomal n Shen and hen s scheme correspondng to the class. Due to less number of modular multplcatons and addtons, our scheme requres less computatonal tme for nterpolaton than that of the Shen and hen s scheme. If we consder the class 3 n Fgure 3, the degree of the Newton s nterpolatng polynomal s k, whch s same both n our scheme, and Shen and hen s scheme. Hence, the degree of the Newton s nterpolatng polynomal n our scheme s less then or equal to the degree that of the Shen and hen s scheme correspondng to a class for computng the secret key of a successor of that class. Further, when a user n a class wants to compute the secret key of ts successor, he/she frst chooses the approprate Newton s nterpolatng polynomal so that degree of the polynomal s less. Hence, our scheme s more effcent than the Shen and hen s scheme. Further, when herarchy becomes qute large, Akl-Taylor s, and Harn-Ln s schemes are not applcable because of the fact that the sze of publc parameters wll ncrease dramatcally. Moreover, n Akl-Taylor s, and Harn-Ln s schemes, the key assgnment technque encounters great dffcultes n re-updatng key. Fnally, t s dffcult to provde the user wth a convenent way to change hs/her secret key for the securty consderatons for these schemes. However, our scheme elmnates these dffcultes. 8 oncluson In ths paper, we have proposed a scheme for solvng the multlevel key generaton technque n poset ordered herarches. The securty of our proposed scheme s based on the dffcultes of smultaneously solvng the strong collson resstant of secure one way hash functons, the dscrete logarthms and the factorng a composte number,. e. a mxture of multple cryptographc dffculty problems, to enhance the securty of herarchcal access control. Furthermore, our scheme s applcable to a largescale herarchcal model. By comparng wth the Shen and hen s scheme, our proposed scheme needs less computatonal tme to derve a key and provdes better securty. Ths scheme also supports the dynamc key management technques. Hence, the proposed scheme s more effcent, flexble and secure. References [] S. G. Akl and P. D. Taylor, ryptographc soluton to a problem of access control n a herarchy, AM Transactons on omputer Systems, vol., no., pp , 983. [] M. Ben-Or, Probablstc algorthms n fnte felds, nd IEEE Anual Symposam on Foundatons of omputer Scence (FOS 8), pp , 98. [3].. hang, R. J. Hwang, and T.. Wu, ryptographc key assgnment scheme for access control n a herarchy, Informaton Systems, vol. 7, no. 3, pp , 99.

11 Internatonal Journal of Network Securty, Vol.7, No., PP.3 34, Sept [4] H. ohen, A ourse In computatonal Algebrac Number Theory, Sprnger-Verleg, 99. [5] D. E. Dennng, S. G. Akl, M. Morgenstern, P. G. Neumann, R. R. Schell, and M. Heckman, Vews for multlevel database securty, Proceedng of the IEEE Symposum on Securty and Prvacy, pp. 56-7, Oakland, 986. [6] L. J. Fram, SOMP: A soluton to the multlevel securty problem, IEEE omputer, vol. 6, no.7, pp. 6-34, 983. [7] L. Harn, and H. Y. Ln, A cryptographc key generaton scheme for multlevel data securty, omputers and Securty, vol. 9, no. 6, pp , 99. [8]. L. Hus and T. S. Wu, rypanalyss and nprovements of two cryptographc key assgnment schemes for dynamc access control n a user herarchy, omputers and Securty, vol., no. 5, pp , 3. [9] M. S. Hwang, An asymmetrc cryptographc key assgnment scheme for access control n totally-ordered herarches, Internatonal Journal omputer Mathematcs, vol. 73, pp ,. [] E. Keltofen and V. Shoup, Subquadratc-tme factorng of polynomals over fnte felds, Mathematcs of omputatons, vol. 67, no. 3, pp , 998. [] B. LaMaccha, and A. M. Odlyzko, omputaton of dscrete logarthms n fnte felds, advanced n ryptology (RYPTO 9), pp , 99. [] A. K. Lenstra and M. S. Manasse, Factorng by electronc mal, advanced n ryptology (EURO- RYPT 89), pp , 99. [3] H. T. Law and. L. Le, An Optmal algorthm to assgn cryptographc keys n a tree structure for access control, BIT, vol. 33, pp , 993. [4] H. T. Law, S. J. Wang, and. L. Le, An dynamc cryptographc key assgnment scheme n a tree structure, omputers and Mathematcs wth Applcatons, vol. 5, no. 6, pp. 9-4, 993. [5] I.. Ln, M. S. Hwang, and.. hang, A new key assgnment scheme for enforcng complcated access control polces n herarchy, Future Generaton omputer Systems, vol. 9, no. 4, pp , 3. [6] W. P. Lu and M. K. Sundareshan, Enhanced protocols for herarchcal encrypton key management for secure communcaton n nternet envronments, IEEE Transactons on ommuncatons, vol. 4, no. 4, pp , 99. [7] S. J. Macknnon, P. D. Taylor, H. Mejer, and S. G. Akl, An optmal algorthm for assgnng cryptographc keys to control access n a herarchy, IEEE Transactons on omputers, vol. 34, no. 9, pp , 985. [8] K. S. Mcurley, The dscrete logarthm problem, Proceedngs of Symposa n Appled Mathematcal Socety, vol. 4, pp , 99. [9] J. McHugh, and A. P. Moore, A securty polcy and formal top level specfcaton for a mult-level secure local area network, Proceedng of the IEEE Symposum on Securty and Prvacy, pp , 986. [] Natonal Insttute of Standards and Technology, Advanced Encrypton Standard, Federal Informaton Processng Standard (FIPS) 97, Nov. 6,. [] Natonal Insttute of Standards and Technology, Secure Hash Standard, Federal Informaton Processng Standard (FIPS) 8-, Aug.. [] A. M. Odlyzko, Dscrete logarthms n fnte felds and ther cryptographcs sgnfcance, ryptology (EURORYPT 89), pp. 4-34, 99. [3]. Pomerance, Analyss and comparson of some nteger factorng algorthms, omputatonal Methods n Number Theory, vol. 54, pp , 98. [4]. Pomerance, Factorng, n Proceedngs of Symposa n Appled Mathematcs, vol. 4, pp. 7-48, 99. [5] M. O. Rabn, Dgtalzed Sgnatures And Publc-Key Functons As Intractable As Factorzaton, Techncal Report MIT/LS/TR-, Laboratory for omputer Scence, Massaachusetts Insttute of Technology, ambrdge, Mass, 979. [6] R. L. Rvest, A. Shamr, and L. Adleman, A method for obtanng dgtal sgnatures and publc-key cryptosystems, ommuncatons of the AM, vol., no., pp , 978. [7] R. S. Sandhu, ryptographc mplmentaton of a tree herarchy for access control, Informaton Processng Letters, vol. 7, pp , 988. [8] J. B. Scarborough, Numercal Mathematcal Analyss, Oxford and IBH publshng o. Pvt. Ltd., 966. [9] B. Schneer, Appled ryptography, Second edton, John Wley and Sons, New York, 996. [3] V. R. L. Shen and T. S. hen, A novel key management scheme based on dscrete logarthms and polynomal nterpolatons, omputers and Securty, vol., no., pp. 67-7,. [3] S-Y. Wang and. S. Lah, rypanalyss of two key assgnment schemes based on polynomal nterpolatons, omputers and Securty, vol. 4, pp , 5. [3] T.. Wu and.. hang, ryptographc key assgnment scheme for herarchcal access control, Internatonal Journal of omputer Systems Scence and Engneerng, vol. 6, no., pp. 5-8,.

12 Internatonal Journal of Network Securty, Vol.7, No., PP.3 34, Sept Debass Gr receved hs M. Sc. degree n Mathematcs from the Indan Insttute of Technology, Kharagpur 7 3, Inda n 998. He also receved the M. Tech. degree n omputer Scence and Data Processng from the Indan Insttute of Technology, Kharagpur 7 3, Inda, n. He s currently pursung hs Ph. D. degree n the Department of Mathematcs from the Indan Insttute of Technology, Kharagpur 7 3, Inda. Before jonng the Ph. D. program, he worked as a lecturer n the Department of omputer Scence and Engneerng of Halda Insttute of Technology, West Bengal, Inda from March, to January, 4. Hs current research nterests nclude cryptography, network securty, nformaton securty and e-commerce securty. Parmeshwary Dayal Srvastava receved hs M. Sc. degree n Mathematcs from Kanpur Unversty, Kanpur (U. P.), Inda n 975 and Ph.D. n Mathematcs from Indan nsttute of Technology, Kanpur (U. P.), Inda n 98. Dr. Srvastava joned as Faculty n the department of Mathematcs, I. I. T. Kharagpur (Inda) n May, 98. Durng hs 6 years of teachng, he taught varous courses of pure & Appled Mathematcs such as Real Analyss, omplex Analyss, Algebra, Measure theory, Numercal Analyss etc. to UG & PG students at IIT, Kharagpur. He has publshed more than 37 papers n a journal of Internatonal repute. He s referee of Indan Journal of Pure & Appl. Maths. (Inda); Demonstrato Mathematca (Warsa, Poland); Soochow J. Mathematcs (hna); Tamkang J. Mathematcs (hna); Bull. Natonal Metallurgcal Lab. (SIR) Jamshedpur (Inda); ISTAM, IIT Kharagpur (Inda); J. Natural Scences & Mathematcs (Pakstan); Journal of Orssa Mathematcal Socety (Inda) and revewer for Mathematcal Revew. Professor Srvastava s the lfe member of Indan Mathematcal Socety, Allahabad (Inda) & Indan Academy of Socal Scence, Allahabad (Inda). Presently, Dr. Srvastava s Professor of Mathematcs at I. I. T. Kharagpur (Inda). Hs current research nterests are Functonal Analyss and ryptography & Network Securty.