1
A new key assignment scheme A new key assignment scheme for enforcing complicated for enforcing complicated access control policies in access control policies in
hierarchyhierarchyAuthors:Authors: Iuon-Chang Lin, Min-Shiang Hwang Iuon-Chang Lin, Min-Shiang Hwang and C. C. Changand C. C. ChangSource:Source: Future Generation Computer Systems, Future Generation Computer Systems, Vol.19, pp.457-462, 2003.Vol.19, pp.457-462, 2003.Adviser:Adviser: Min-Shiang Hwang Min-Shiang HwangSpeaker:Speaker: Chun-Ta Li Chun-Ta LiDate:Date: 2004/11/18 2004/11/18
2
Cryptanalysis of YCN key assignment scheme in a hierarchy
Authors:Authors: Min-Shiang HwangMin-Shiang Hwang
Source:Source: Information Processing Letters, Information Processing Letters, Vol.73, pp.97-101, 2000.Vol.73, pp.97-101, 2000.
3
Modifying YCN Key Assignment Scheme
against Hwang’s Attack
Authors:Authors: Jyh-Haw Yeh, Min-Shiang Hwang and Wen-Chen Hu
Preprint submitted to Elsevier Science Preprint submitted to Elsevier Science 5 November 2004 5 November 2004
4
Introduction
• Access control policy – access control problem Access control policy – access control problem in a hierarchyin a hierarchy
C1
C2 C3
C4 C5 C6
Key4 Key5 Key6
Key2 Key3
Key1
Key management Key management problemproblem
Key4 Key5 Key6Key2 Key3
5
Introduction (cont.)
• Ak1 and Taylor [1983]Ak1 and Taylor [1983]– Super-key (top-down)Super-key (top-down)
• CA assigns to each user class {CA assigns to each user class {primeprime, , secret keysecret key, , pupublic parameterblic parameter}}
• CjCjhigh high derive the secret key of Ciderive the secret key of Cilowlow
Secret keySecret key and and Public parameterPublic parameter of of
Ci and CjCi and Cj
Large public Large public parameterparameter
Product of the primes of Ci
6
Introduction (cont.)
• Mackinnon et al. [1985] – canonical assignment– Reduce the values of public parameters
Large amount of Large amount of storage to store storage to store
public parameterspublic parameters
• Harn and Lin [1990] – (bottom-up)– Security: difficulty of factoring a large number– Size of the storage space is much smaller
• Yeh et al. [1998] – YCN scheme– transitive exceptions– anti-symmetrical arrangements Hwang [2000] Hwang [2000]
YCN is YCN is insecureinsecure
Several user classes can collaborate to
derive the derivation and encryption keys
7
Original YCN Scheme
• CA– Generates secret number K0
– Generates M (product of two large prime numbers)
– Assign a prime number Pi to each user class Ci
– Compute the product Xi for Ci
m
miiUj
CCmj
Ujiji PPX
,...,1,,...,1
C1
C2
C5
C4
C6
C3
除鄰近節點外 順著箭頭所能到
達的節點
將能順箭頭指到 i節點的 Pij 值做連乘
8
Original YCN Scheme (cont.)• Compute the public information Tie and Tid for Ci
C1
C2
C5
C4
C6
C3
i imUj CC
mijid PPT,...,1
imn CCm
Cniiie PPXT /
順箭頭所到達不了的節點質數值
PPmm = 7 = 7
PPmm = 2 = 2PPmm = 2,7 = 2,7
PPmm = 2,3,7,11,13 = 2,3,7,11,13
PPmm = 2,7 = 2,7
PPmm = 2,3,5,7,11 = 2,3,5,7,11
除鄰近節點外的祖先節點
PPn1n1 = = ØØ
PP4242= = 3131
PPn4n4 = = ØØ
PP1515 = = 1919
PP13,43,5313,43,53 = = 17,37,4317,37,43
PP16,26,4616,26,46 = = 23,29,4123,29,41
9
Original YCN Scheme (cont.)• Assign the derivation key Kid and encryption key Kie f
or each Ci
• Ci can use its own derivation key Kid to derive the encryption key Kje of Cj
MKK idTid mod)( 0
MKK ieTie mod)( 0
MKK idje TTidje mod)( /
kept secret by the user class Ci
C1
C2
C5
C4
C6
C3
C2 derives C3’s encryption key K3e K3e
=(K02*3*7*11*13*19*23*29*31*41) mod M = (K0
2*7
*29)2*3*7*11*13*19*23*29*31*41/2*7*29 mod M
10
The Weakness of the YCN Scheme
• gcd(Tad, Tbd) = 1
• sTad + tTbd = 1
• Ca and Cb can collaborate to derive the secret K0
KsadKt
bd = (K0)sTad(K0)tTbd mod M
= (K0)(sTad+tTbd) mod M
= K0
• gcd(T1d,T4d) = gcd(52003,94054) = 1
• (s, t) = (76107, -42080) such that sT1d + tT4d = 1
Ks1dKt
4d = (K0)sT1d(K0)tT
4d mod M
= (K0)((76107*52003)-(42080*94054)) mod M
= K0
Theorem 1. Assume that there are only two top classes (Ca and Cb) in the hierarchy. Ca and Cb can collaborate to derive the derivation and encryption keys of all of the classes in the YCN scheme.
C1
C2
C5
C4
C6
C3
TT1d1d = 7,17,19,23 = 7,17,19,23
TT4d4d = 2,31,37,41 = 2,31,37,41
11
The Weakness of the YCN Scheme (cont.)
• C1 and C2 derivation and encryption keys of C6
– gcd(T1d, T2d) = 7– s(T1d/7) + t(T2d/7) = 1– C1 and C2 can collaborate to derive the secret (K0)7
((K1d)s(K2d)t)T6d
/7 mod M
= ((K0)sT1d(K0)tT2d)T6d/7 mod M
= (K0)T6d
mod M
= K6d
• C5 and C6 derivation and encryption keys of C3
– gcd(T5d, T6d) = 2*7 = 14– s(T5d/14) + t(T6d/14) = 1– C1 and C2 can collaborate to derive the secret (K0)14
((K5d)s(K6d)t)T3d
/14 mod M
= ((K0)sT5d(K0)tT6d)T3d/14 mod M
= (K0)T3d
mod M
= K3d
Theorem 2. If C1,C2,…, and Cn are n top classes in the hierarchy, any two of these classes (e.g., C1 and C2) can collaborate to derive the derivation and encryption keys of all successors of these top classes.
C1
C2
C5
C4
C6
C3
(K0)7
(K0)14
12
The Modified YCN Scheme
• CA– Generates secret number K0
– Generates M (product of two large prime numbers)
– Assign a prime number Pi to each user class Ci
– Compute the product PPii`̀ for Ci
C1
C2
C5
C4
C6
C3
The Modified YCN Scheme (cont.)• CA computes the public information Ti
d and Tie
))(()(),(
'
jiji CC
jECC
jjd
i PPPT
)())()(( ')(
'),( ittjjCiCjEjCiCjj
di
CCthatsuchCifPPP
otherwiseT
eiT
C1
C2
C5
C4
C6
C3
Tid
5* 11*19 *7 *13 *3(1,3) (1,5) (1,4)(1,6) 1(2)
Tid 2*
(5,1)5*
(5,3)7*
(5,4) 35(2)Ti
e
2*3*5*7*11*13*1*17
14
The Modified YCN Scheme (cont.)• CA assigns a derivation key Ki
d = (K0)Tid mod M and a
n encryption key Kie = (K0)Ti
e mod M
• A class Ci can apply a key derivation function fil(x,y) to derive another class Cl’s key (x and y could be either t
he character d or e)
– fil(x,y) = (Kix)T
l
y/Ti
x = ((K0)T
i
x)T
l
y/Ti
x = (K0)T
l
y) mod M = Kl
y
15
The Modified YCN Scheme (cont.)
• Theorem 1. Under the modified YCN key assignment scheme, Ti
d|Tle if and only if the policy allows Ci to access Cl, i.
e., (Ci,Cl) .
• Theorem 2. If the policy does not allow any class Cik to access Cl, i.e., ,then both Tl
d and Tle are not m
ultiple of Y under the modified YCN scheme, where .
• Theorem 3. If there is a transitive exception Ci Cl with an intermediate class Ck, i.e., Ci(Ck), then Ti
d Tkd and Tk
e Tl
d under the modified YCN scheme.
H
E
ECC lik ),(
}|gcd{ HCTY ikd
ik
16
A New Key Assignment Scheme
• CA generates two large primes: p and q• CA calculates n = p*q, where n is public• CA chooses another parameter, g
• CA chooses a set of distinct primes {e1,e2,…,em} for all user classes {C1,C2,…,Cm}
• CA calculates {d1,d2,…,dm}
gcd(gcd(Ø(n)Ø(n), , eeii) = 1 an) = 1 an
d 1 < d 1 < eeii < < Ø(n)Ø(n)
eeii x x ddii ≡ 1 mod ≡ 1 mod Ø(n)Ø(n)
17
A New Key Assignment Scheme (cont.)• CA generates the derivation keys {DK1,DK2,…,DKm} and t
he secret keys {SK1,SK2,…,SKm} for all user classes {C1,C2,…,Cm}
• Ci can derive the secret key of class Cj with the derivation key DKi as follows:
ngDK jiCjC d
i mod)(
ngSK dii mod
nDKSK kjkiCkC e
ij mod)(,
ng kjkiCkCkiCkC edmod)(
)()( ,
ng jd mod
18
A New Key Assignment Scheme (cont.)
• Example– CA calculates the derivation keys
• CC11: DK1 = gd2*d4 mod n SK1 = gd1 mod n
• CC22: DK2 = gd3*d4 mod n SK2 = gd2 mod n
• CC33: DK3 = null SK3 = gd3 mod n
• CC44: DK4 = gd2 mod n SK4 = gd4 mod n
– C1 derives the secret keys SK2 and Sk4
• SK2 = DK1e4 mod n
• SK4 = DK1e2 mod n
19
Thanks for your attentionThanks for your attention
20
Example
• transitive exceptionstransitive exceptions– C1 can access C2 and C2 can access C3
– But C1 cannot access C3
• anti-symmetrical arrangementsanti-symmetrical arrangements– C2 can access C4 and C4 can access C2
– But C2 and C4 are two different user classes
Top Related