Hierarchical Key Management Scheme Using Polynomial Interpolation
Manik Lal Das 1,2, Ashutosh Saxena 1, Ved P. Gulati 1, Deepak B. Phatak 2
1 Institute for Development and Research in Banking Technology
Castle Hills, Road No. 1, Masab Tank
Hyderabad-500057, India.
Email: {mldas, asaxena, vpgulati}@idrbt.ac.in
2 K. R. School of Information Technology
Indian Institute of Technology - Bombay
Mumbai-400076, India.
Email: {mdas, dbp}@it.iitb.ac.in
Abstract
We present a hierarchical key management scheme using a cryptographic hash function and Newton's polynomial interpolation for users' key and system resources management. A similar technique was proposed in 2002 by Shen and Chen, but
their scheme suffers from large computational overhead and a security weakness. We show
that our scheme is secure and efficient in comparison to Shen and Chen's scheme.
Keywords: Key Management, Controlling Authority, Partially Ordered Set.
I Introduction
In a hierarchical system the users are authorized and classified into different privileges
for accessing the system resources. The users and their own information are divided into
a number of distinct classes, namely, C1, C2, ..., Cn. A class consists of many users with
the same privilege, and the users' data is protected by the class's key. A user
belonging to a higher-privileged class has access rights to the data owned by a user in
a lower-privileged class. In the hierarchy, the users and their data can be distributed in
either a totally ordered relation or a partially ordered relation. Our paper is limited to the
latter, and we discuss the properties of the partially ordered relation.
Let '≤' be a binary, partially ordered relation on the set C = (C1, C2, ..., Cn). In a
partially ordered set (POSet), Cj ≤ Ci means that the users in the class Ci have access
rights to those in the class Cj. For a set of classes C = (C1, C2, ..., Cn), the POSet satisfies
the following three properties:
(i) Ci ≤ Ci (Reflexive property)
(ii) Cj ≤ Ci and Ci ≤ Cj implies Ci = Cj (Anti-symmetric property)
(iii) Cj ≤ Ck and Ck ≤ Ci implies Cj ≤ Ci (Transitive property)
The POSet in a user hierarchy is shown in Figure-1. The higher-privileged (or predecessor) class can access the lower-privileged (or successor) class's data. For instance,
Cj ≤ Ci implies that Cj is the successor of Ci. If Cj ≤ Ck ≤ Ci, then Ck is an immediate
successor of Ci and Cj is an immediate successor of Ck.
Figure 1: The POSet in a user hierarchy
As per the security properties of the Bell and Padula model [1], the users in Ci can read
the information belonging to Cj for the relation Cj ≤ Ci, but Cj cannot read the data owned
by Ci. On the other hand, Cj can write (or update) information to Ci, but Ci cannot do so
in Cj. The primary problem in accessing/updating system resources is deriving the key(s)
of the class(es). In 2002, Shen and Chen (Shen-Chen for short) [2] proposed a hierarchical
key management scheme based on discrete logarithm problems [3]. It is observed in the
Shen-Chen scheme that each class has to maintain two keys (public and secret) for
accessing/updating the system resources. Afterwards, Hsu and Wu [4] pointed out the
security weakness of the Shen-Chen scheme; that is, users in a class can have access to the
data held by classes which are not its successors. In this paper, we propose an improved
version of the Shen-Chen scheme and we show that the proposed scheme is secure and more
efficient than the former one. In the next section, we discuss the related work and the
Shen-Chen scheme. In section 3, we propose the improved scheme. In section 4, we analyze
the security and efficiency of the scheme. Finally, we conclude the paper with section 5.
II Related Work
In 1983, Akl and Taylor [5] proposed the first well-known hierarchical key management
scheme. Their scheme is simple with respect to the key generation and key derivation procedures, but suffers from high memory overhead to store the computed parameters
and does not support dynamic key insertion or deletion. MacKinnon et al. [6] proposed an improved scheme to reduce the values of the public information by using a
canonical assignment method. Later, Harn et al. [7] presented another method which
used a bottom-up key generation scheme. It is observed that whenever a new class is
added/inserted into or deleted from the system, the above schemes cannot satisfy the
security requirements. Unless the issued keys are changed, it is impossible to add a class
to the system. Since then, several key management schemes and improvements
have been proposed in [8] - [12] to solve the problem of dynamically inserting or deleting a class,
and to reduce the size of public information. Shen and Chen [2] proposed a scheme
in 2002 to solve the dynamic key management problems using discrete logarithms [3]
and Newton's polynomial interpolations [13]. In [2], each class has to retain the public key and private key for accessing/updating the system resources. As our scheme is
an improved version of the Shen-Chen scheme, we briefly discuss the Shen-Chen scheme as
follows.
Shen-Chen Scheme: In this scheme, a Controlling Authority (CA) builds the setup
for the hierarchy. The CA assigns the secret parameters bi and SKi to the class
SCi, for i = 1, 2, ..., n, where n is the number of classes in the hierarchy. Then, the CA
computes Newton's polynomial interpolation Hi(x) for SCi by interpolating at points
(j || (g^SKi mod P), bj) for the relation SCj ≤ SCi, where g is a primitive root over the Galois
field GF(P), P is a large prime and '||' is a bit concatenation operator. The CA publishes
the public parameter Qi of SCi, where Qi = SKi^(1/bi) mod P. The key derivation phase
of this scheme is a two-step procedure. Firstly, each user in SCi obtains the secret
parameter bj of his successor class SCj on computing bj = H(j || SKi). Secondly, the
user of SCj generates the secret key SKi as SKi = Qi^bi mod P. As each class has to
maintain a public key and secret key for the class's functionality, a large storage space
is required for storing the keys of the classes. Moreover, Hsu and Wu [4] showed the
security flaws of this scheme; that is, if two classes in the
hierarchy have the same immediate successor, then the data owned by the successor is
accessible to a class which is not authorized to access it. Thus, the scheme is insecure
as well as inefficient.
III The Proposed Scheme
There is a Controlling Authority (CA), who is responsible for managing and monitoring the set
of classes C = (C1, C2, ..., Cn) in the hierarchy. The CA maintains a secret key s for checking
the genuineness of a class's secret key as and when required. It is noted that the security weakness of the Shen-Chen scheme arises due to the availability of (Class_identity || g^SKi
mod P) in plain form. We overcome this weak construction by protecting the value
(Class_identity || g^SKi mod P) with a cryptographic hash function. The different phases of
our scheme work as follows.
3.1 Key and Interpolation Generations Phase
This is a two-step process. In the first step, the CA assigns the secret keys to the classes
in the hierarchy. In the second step the interpolation function for the classes will be
created.
3.1a Key Generation
1. Generates a random number Ri for the class Ci.
2. Encrypts Ri by the secret key s as Ki = Es(Ri), where E is a symmetric key encryption technique (e.g. 3DES) [14]. Then, CA assigns Ki to Ci.
3.1b Interpolation Function Generation
1. Computes Newton's interpolation function [13] Hi(x) at points (h(IDj || Ki), Kj)
for Cj ≤ Ci, where IDj is the identity of Cj and h(.) is a cryptographic hash
function [14].
2. The secret parameters of Ci are Ki and Hi(x).
3.2 Key Derivation Phase
The predecessor class Ci can easily derive its successor class Cj's key Kj as Kj = Hi(h(IDj || Ki)).
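The key generation, interpolation and derivation steps of 3.1 and 3.2, as an added example that is not code from the paper. It assumes arithmetic in GF(P) with P = 2^127 - 1, SHA-256 for h, and HMAC-SHA256 as a stand-in for the symmetric encryption Es (so a CA check here would be recomputation, not decryption); the class names, CA secret and hierarchy are constructed.

```python
import hashlib
import hmac

P = 2**127 - 1  # assumed prime field GF(P); the paper does not fix one

def h(class_id, key):
    """h(IDj || Ki), reduced into GF(P)."""
    data = class_id.encode() + b"||" + key.to_bytes(16, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % P

def gen_key(s, r):
    """Stand-in for Ki = Es(Ri): HMAC-SHA256 keyed with s, not 3DES."""
    return int.from_bytes(hmac.new(s, r, hashlib.sha256).digest(), "big") % P

def newton_coeffs(points):
    """Divided-difference coefficients of the Newton form over GF(P)."""
    xs = [x for x, _ in points]
    c = [y for _, y in points]
    for k in range(1, len(points)):
        for i in range(len(points) - 1, k - 1, -1):
            c[i] = (c[i] - c[i - 1]) * pow(xs[i] - xs[i - k], -1, P) % P
    return xs, c

def evaluate(poly, x):
    """Nested (Horner-style) evaluation of the Newton form at x."""
    xs, c = poly
    acc = c[-1]
    for i in range(len(c) - 2, -1, -1):
        acc = (acc * (x - xs[i]) + c[i]) % P
    return acc

def build_H(ki, successors):
    """Hi(x) through the points (h(IDj || Ki), Kj) for every Cj <= Ci."""
    return newton_coeffs([(h(idj, ki), kj) for idj, kj in successors.items()])

def derive(poly, ki, idj):
    """Key derivation: Kj = Hi(h(IDj || Ki))."""
    return evaluate(poly, h(idj, ki))

def demo():
    s = b"constructed CA secret"  # constructed sample values throughout
    K = {c: gen_key(s, b"R-" + c.encode()) for c in ("C1", "C2", "C3", "C4")}
    # Constructed hierarchy: C4 <= C2 <= C1 and C4 <= C3 <= C1
    H1 = build_H(K["C1"], {c: K[c] for c in ("C2", "C3", "C4")})
    H2 = build_H(K["C2"], {"C4": K["C4"]})
    return K, H1, H2

if __name__ == "__main__":
    K, H1, H2 = demo()
    print(derive(H1, K["C1"], "C4") == K["C4"], derive(H2, K["C2"], "C4") == K["C4"])
```

With a single successor the interpolation has one point, so H2(x) is the constant K4 for every x; in that case the secrecy of K4 rests entirely on H2 staying private to C2.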
3.3 Key Insertion Phase
To insert a new class, Ca, in the existing setup satisfying the relation Cj ≤ Ca ≤ Ci, the
following are the steps.
1. The CA generates Ra and computes Ka = Es(Ra).
2. For the predecessor Ci of Ca, the CA updates the interpolation Hi(x) at points
(h(IDj || Ki), Kj), where Cj ≤ Ci.
3. For the successor Cj of Ca, the CA interpolates Ha(x) at points (h(IDj || Ka), Kj),
where Cj ≤ Ca.
4. The secret parameters of Ca are Ka and Ha(x).
3.4 Key Deletion Phase
Let the class Cd be deleted from the hierarchy, where Cj ≤ Cd ≤ Ci. Then, the CA does
the following:
1. For the predecessor Ci of Cd, the CA updates the interpolation Hi(x) at points
(h(IDj || Ki), Kj), where Cj ≤ Ci and Cj ≤ Cd.
2. The CA revokes the parameter Kd.
3.5 Accessibility of the System Resources
Typically, access to the system resources needs three basic entities: Subject, Object, and
Privilege. A Subject can be a user, a process, a class etc. The Object is the resource to
be protected. The Privilege is the access mode, such as Read, Write and Append. As
per the security properties in [1], access to the system resources follows these
two rules:
Simple Security Property (No Read-up): A Subject in Ci has Read access to an Object
of Cj for the relation Cj ≤ Ci.
*-Property (No Write-down): A Subject in Cj has the Write (or Append) access to
an Object of Ci for the relation Cj ≤ Ci.
Read Access: The class Ci has read access to an Object of Cj for the relation
Cj ≤ Ci. The following are the steps to be taken into account when Ci needs to read data
owned by Cj.
1. Ci executes a read operation on an Object of Cj.
2. Cj sends back the Object encrypted with the key Kj.
3. Ci derives Kj by computing Kj = Hi(h(IDj || Ki)).
4. Ci decrypts the received Object with Kj and reads the data.
Write or Append Access: The class Cj has write (or append) access to an Object
of Ci for the relation Cj ≤ Ci. The following are the steps to be taken into account when
Cj wants to write (or append) data in Ci.
1. Cj executes a write (or append) operation to Ci. Then, Cj sends the data encrypted
with the key Kj.
2. Ci derives Cj's key Kj as Kj = Hi(h(IDj || Ki)).
3. Ci decrypts the received data with Kj and performs the write (or append) operation.
IV Security Analysis and Efficiency
In this section, we analyze the security and efficiency of our scheme.
4.1 Security
The security of the scheme is based on a cryptographic hash function and the computation
of Newton's interpolations. As the secret key Ki of Ci is encrypted by the CA's secret
key, it is practically infeasible for any dishonest party to duplicate the secret key Ki
unless he/she gets s. In the following, we show that the proposed scheme can successfully
withstand some possible attacks.
Collaborative Attacks: A collaborative attack is the case when two or more classes
at the lower level in the hierarchy cooperatively wish to derive the key of their superior
class. Let the classes Ci and Cj have a common parent Cp. Their keys are Ki, Kj, and
Kp respectively. Then it is hard to derive Kp without the knowledge of Hp(x), which is
a secret parameter of Cp.
Common Subordinate Attacks: This is the case when the subordinate class Cj
is accessible by two or more superior classes Ci and Ck. In that case, the class Ci may
gain access to the secret key of Ck through the common subordinate Cj. In our proposed
scheme, using the hash function for the polynomial construction for each class prevents
this attack. For instance, the interpolation is constructed at points (h(IDj || Ki), Kj) for
the accessible classes. So, the adversary may get the value of h(IDj || Ki), but cannot
get Ki, which is what occurs in the Shen-Chen scheme.
Furthermore, the CA can verify the legitimacy of Ci's key by checking whether
Ri = Ds(Ki) at any point of time, where D is the corresponding symmetric key decryption technique (e.g. 3DES) [14].
4.2 Efficiency
In the following, we show that the improved scheme saves both storage and computation
cost significantly in comparison to the Shen-Chen scheme.
Space Complexity: Let n be the number of classes in the hierarchy, k be the number of bits to represent the large prime P in the discrete logarithm. Table-1 shows the space
complexity for the initial setup of n classes and key generation phase of the schemes.
The public and private space complexity refers to the storage of the key for the initial
setup and when a class is inserted into the hierarchy. It is important to note that our
scheme does not require any public space. The notation Ω denotes lower bound and Θ
denotes exact bound.
Schemes   Public Space   Private Space   Public Space   Private Space
Ours      Nil            Ω(n.k)          Nil            Ω(k)
Table 1: Space Complexity
Time Complexity: The computation cost of the scheme primarily includes Newton's polynomial interpolation and the symmetric encryption/decryption process for the various phases. The process of Newton's polynomial interpolation at (t + 1) points requires
O(t^2) computation [15]. Let the running time for each class's key derivation/insertion
by discrete logarithm be Ω(P). For the sake of clarity, the scheme uses any standard
encryption/decryption algorithm for accessing/updating data of the class, and the running time of the encryption/decryption algorithm is Ω(M), where M is dependent on
the key size and other parameters of the algorithm. It is noted that the key addition
phase of the Shen-Chen scheme requires a greatest common divisor (gcd) computation.
The complexity of gcd(A, B) is roughly Ω(ln B), where A>B. Table-2 gives the time
complexity of the Shen-Chen scheme and our scheme for the various phases.
From Table-2, it is clear that our scheme saves computation time of at least Ω(P) for
the key derivation, key insertion and Read/Write operations in comparison to the Shen-Chen scheme.
Schemes: Shen-Chen, Ours
Phases: Key Derivation, Key Insertion, Read/Write Access
O(t^2)+Ω(P)+Ω(ln B)
O(t^2)+Ω(M)
O(t^2)+Ω(M)
O(t^2)
O(t^2)+Ω(P)+Ω(M)
Table 2: Time Complexity
V Conclusion
We have proposed an efficient key management scheme to enforce access control policies
in a hierarchical system. The proposed scheme does not require any public key to manage the system resources, which in turn saves storage cost and computational time
significantly compared to the Shen-Chen scheme. The scheme allows the CA to verify
the correctness of the key Ki for the class Ci at any stage using the CA's secret key. The
CA decrypts Ci's key Ki by the CA's secret key s and checks whether Ri = Ds(Ki) as
and when required. If the decrypted value is not equal to Ri, then the CA immediately
suspends the class Ci. It is the CA's responsibility to assign a unique key to each class in
the hierarchy, and for this, care should be taken while generating the random number Ri
for Ci.
References
[1] D. Bell and L. L. Padula. Secure Computer Systems-Unified Exposition and Multics
Interpretation. MTR-2997, ESD-TR-75-306, The MITRE Corporation, Bedford,
MA, 1975.
[2] V. R. Shen and T. S. Chen. A Novel Key Management Scheme Based on Discrete
Logarithms and Polynomial Interpolations. Computers & Security, 21(2):164-171,
2002.
[3] W. Diffie and M. E. Hellman. New directions in cryptography. IEEE Trans. on Info.
Theory, IT-22(6):644-654, 1976.
[4] C. L. Hsu and T. S. Wu. Cryptanalyses and improvements of two cryptographic key
assignment schemes for dynamic access control in a user hierarchy. Computers &
Security, 22(5):453-456, 2003.
[5] S. G. Akl and P. D. Taylor. Cryptographic solution to a problem of access control
in a hierarchy. ACM Trans. on Computer System, 1(3):239-247, 1983.
[6] S. T. MacKinnon, P. D. Taylor, H. Meijer and S. G. Akl. An optimal algorithm
for assigning cryptographic keys to control access in a hierarchy. IEEE Trans. on
Computers, C-34(9):797-802, 1985.
[7] L. Harn and H. Y. Lin. A cryptographic key generation scheme for multilevel data
security. Computers & Security, 9(6):539-546, 1990.
[8] C. C. Chang, R. J. Hwang and T. C. Wu. Cryptographic key assignment scheme for
access control in a hierarchy. Information Systems, 17(3):243-247, 1992.
[9] C. C. Chang and D. J. Buehrer. Access control in a hierarchy using a one-way trapdoor function. Computers and Mathematics with Applications, 26(5):71-76, 1993.
[10] G. C. Chick and S. E. Tavares. Flexible access control with master keys. In Proc. of
CRYPTO'89, LNCS #435, pages 316-322, 1990.
[11] R. S. Sandhu. Cryptographic implementation of a tree hierarchy for access control.
Information Processing Letter, 27(2):95-98, 1988.
[12] H. M. Tsai and C. C. Chang. A cryptographic implementation for dynamic access
control in a user hierarchy. Computers & Security, 14(2):857-959, 1995.
[13] J. B. Scarborough. Numerical Mathematical Analysis. Oxford and IBH Publishing
Co. Pvt. Ltd, 1966.
[14] B. Schneier. Applied Cryptography. John Wiley & Sons Inc., 1996.
[15] D. E. Knuth. The Art of Computer Programming, Seminumerical algorithms.
Addison-Wesley, Boston, 1999.