Figure 2 shows a conventional model for data retrieval from a web site with authentication, authorization and communication security. U first sends his identity α to W. W looks up the authentication data of α and authenticates α by an authentication protocol. If U passes the authentication, W and U execute a key-exchange protocol to establish a communication session key k. U then sends his data retrieval command ω to W. W checks whether ω is authorized. If it is, W retrieves data D from its database system, encrypts D with k as C = E(k, D), and sends the encrypted data C to U, where E is a symmetric encryption method, such as DES. Finally, U uses k to decrypt C and obtain D. Since W knows α, U is not anonymous to W.
For secure communication, W has to encrypt data D on-line. If there are many requests for retrieving data in a short period of time, the on-line computation load of W becomes heavy and system performance drops.
Figure 3 shows our proposed model for data retrieval from a web site. The data in the database of the web site are encrypted with the class keys of the time-dependent hierarchical key assignment scheme. The system authenticates a user’s identity anonymously by an anonymous authentication scheme. Authorization is controlled by the key trapdoor that a user possesses. In this model, on-line encryption of communication is not necessary.
6.1 The system
W sets up a partially ordered hierarchy with classes Ci, 1 ≤ i ≤ m, and assigns time-dependent class keys Ki,t, as described in Section 4.2. W also chooses an anonymous authentication scheme, as described in Section 5. W can perform the following operations.
1. Storing new data. When W decides to assign the new data D to class Ci at time t, it uses the time-dependent class key Ki,t to encrypt D as E(Ki,t, D) and puts the result into the database of the web site.
the system, W verifies its identity and then issues a certificate (α, v, s) to U. W adds U’s authentication key (α, v) into the authentication list L. Then, W decides which class U should be in, say Ci, and what data are authorized to U, say between time periods t1 and t2. W issues the key trapdoor K[i,t1,t2] to U.
3. Membership revocation. When W needs to revoke U’s membership, it simply removes U’s authentication key from its authentication list L. Thus, U can no longer pass anonymous authentication with W.
4. Anonymous authentication. When U needs to retrieve data from the system, W performs anonymous authentication with U. If U passes the anonymous authentication, W starts to process the command.
5. Command processing. After passing anonymous authentication, U sends a data retrieval command ω to W. W simply forwards the command to the database system for processing. Suppose that the database system returns data Dj,t = E(Kj,t, D). W sends Dj,t to U without decrypting it. If U has the appropriate key trapdoor K[i,t1,t2], he can decrypt Dj,t to obtain D. Otherwise, U is not authorized to obtain D.
6.2 The user
After registering with W, U has two private parameters. One is the certificate (α, v, s) for anonymous authentication and the other is the key trapdoor K[i,t1,t2] for decrypting authorized data. A user U can perform the following operations.
1. Anonymous authentication. When U needs to retrieve data from the system, he uses his certificate (α, v, s) to execute the anonymous authentication scheme with W. If U passes the authentication, he sends his request command to W.
2. Data decryption. Assume that Dj,t is returned by W. If the requested data is authorized, that is, Cj ≤ Ci and t1 ≤ t ≤ t2, U uses his key trapdoor K[i,t1,t2] to derive the time-dependent class key Kj,t. U then decrypts Dj,t with key Kj,t to obtain D.
6.3 A subscription system
W can establish a flexible subscription system by the time-dependent hierarchical key assignment scheme. W classifies data into classes by various criteria, such as category, sensitivity, etc. We assume that the higher the class is, the more valuable the data in the class are. Each data item is also tagged with a time t. For example, a news item is tagged with the time period in which it was reported. Then, the data D classified into class Ci of time period t are encrypted with key Ki,t and stored in the database.
W places a price tag on class Ci and time periods [t1, t2]. If a user U pays for the data in class Ci between time periods t1 and t2, W gives him the key trapdoor K[i,t1,t2] so that he can decrypt the authorized data.
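The following Python program is an added example, not code from the paper, that models the operations of Sections 6.1 to 6.3 end to end: W stores data encrypted under Ki,t, issues a trapdoor K[i,t1,t2] on subscription, revokes a member by deleting the entry from L, and returns Dj,t without decrypting it; U decrypts locally only when Cj ≤ Ci and t1 ≤ t ≤ t2. Everything specific to the construction is an assumption made here: the three-class hierarchy, class keys derived from W’s master secret with HMAC (the Section 4.2 scheme is not on this page), a toy encrypt-then-MAC standing in for E, a trapdoor expanded into the set of keys it lets U derive rather than the paper’s compact value, and a plain list-membership check standing in for the anonymous authentication scheme of Section 5.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# ---- toy primitives (constructed for this example; not the paper's Section 4.2 scheme) ----

def kdf(secret: bytes, label: str) -> bytes:
    """Derive a 32-byte subkey from a secret and a label with HMAC-SHA256."""
    return hmac.new(secret, label.encode(), hashlib.sha256).digest()

def class_key(master: bytes, i: int, t: int) -> bytes:
    """Time-dependent class key K_{i,t}, derived here directly from W's master secret (assumption)."""
    return kdf(master, f"class-key|{i}|{t}")

def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 blocks."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC stand-in for the paper's symmetric method E: nonce || ct || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(kdf(key, "enc"), nonce, len(plaintext))))
    body = nonce + ct
    return body + hmac.new(kdf(key, "mac"), body, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the tag fails (wrong class key or tampered data)."""
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kdf(key, "mac"), body, hashlib.sha256).digest()):
        return None
    nonce, ct = body[:16], body[16:]
    return bytes(c ^ s for c, s in zip(ct, _keystream(kdf(key, "enc"), nonce, len(ct))))

# ---- constructed hierarchy: C1 dominates C2 and C3, i.e. C2 <= C1 and C3 <= C1 ----
HIERARCHY = {1: {2, 3}, 2: set(), 3: set()}

def dominated_by(i: int) -> set:
    """All classes Cj with Cj <= Ci (Ci itself included), by walking the partial order."""
    seen, stack = set(), [i]
    while stack:
        j = stack.pop()
        if j not in seen:
            seen.add(j)
            stack.extend(HIERARCHY[j])
    return seen

def authorized(i: int, t1: int, t2: int, j: int, t: int) -> bool:
    """The authorization rule of Section 6.2: Cj <= Ci and t1 <= t <= t2."""
    return j in dominated_by(i) and t1 <= t <= t2

Trapdoor = Dict[Tuple[int, int], bytes]

class WebSite:
    """W: holds the master secret, the authentication list L and the encrypted database."""
    def __init__(self) -> None:
        self.master = os.urandom(32)
        self.auth_list: Dict[str, bytes] = {}              # L: alpha -> v
        self.database: Dict[Tuple[int, int], bytes] = {}   # (j, t) -> D_{j,t}

    def store(self, i: int, t: int, data: bytes) -> None:
        """Operation 1: D is encrypted under K_{i,t} before it reaches the database."""
        self.database[(i, t)] = encrypt(class_key(self.master, i, t), data)

    def register(self, alpha: str, i: int, t1: int, t2: int) -> Tuple[bytes, Trapdoor]:
        """Operation 2 / subscription purchase: add (alpha, v) to L and issue K[i,t1,t2].
        The trapdoor is expanded here into every key it lets U derive (assumption)."""
        v = kdf(self.master, f"auth|{alpha}")
        self.auth_list[alpha] = v
        trapdoor = {(j, t): class_key(self.master, j, t)
                    for j in dominated_by(i) for t in range(t1, t2 + 1)}
        return v, trapdoor

    def revoke(self, alpha: str) -> None:
        """Operation 3: membership ends by deleting the authentication key from L."""
        self.auth_list.pop(alpha, None)

    def retrieve(self, alpha: str, v: bytes, j: int, t: int) -> Optional[bytes]:
        """Operations 4 and 5. The list check is a placeholder for the anonymous scheme of
        Section 5; the point shown is that W returns D_{j,t} without ever decrypting it."""
        if not hmac.compare_digest(self.auth_list.get(alpha, b""), v):
            return None
        return self.database.get((j, t))

class User:
    """U: holds the certificate material and the key trapdoor, and decrypts locally."""
    def __init__(self, alpha: str, v: bytes, trapdoor: Trapdoor) -> None:
        self.alpha, self.v, self.trapdoor = alpha, v, trapdoor

    def open(self, j: int, t: int, blob: Optional[bytes]) -> Optional[bytes]:
        """Data decryption: use K_{j,t} from the trapdoor if authorized, otherwise give up."""
        key = self.trapdoor.get((j, t))
        return decrypt(key, blob) if key is not None and blob is not None else None

def demo() -> Dict[str, bool]:
    """Walk through the subscription scenario; every value is a yes/no outcome."""
    w = WebSite()
    w.store(2, 5, b"class-2 news, period 5")      # constructed sample data
    w.store(1, 5, b"class-1 news, period 5")
    w.store(2, 9, b"class-2 news, period 9")
    v, trapdoor = w.register("alice", 2, 3, 7)    # pays for C2 during periods 3..7
    u = User("alice", v, trapdoor)
    got = lambda j, t: u.open(j, t, w.retrieve(u.alpha, u.v, j, t))
    results = {
        "authorized_class_and_time": got(2, 5) == b"class-2 news, period 5",
        "higher_class_denied": got(1, 5) is None,          # C1 is not <= C2
        "outside_time_window_denied": got(2, 9) is None,   # 9 is not in [3, 7]
        "mirror_sees_only_ciphertext": decrypt(os.urandom(32), w.database[(2, 5)]) is None,
    }
    w.revoke("alice")
    results["revoked_member_refused"] = w.retrieve("alice", v, 2, 5) is None
    return results
```

Running `demo()` returns five true flags. The mirror-site check is the one worth noting for Section 6.3: a copy of `w.database` is all a mirror would hold, and without a class key every decryption attempt fails the tag, so no user information and no plaintext leave W.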
Figure 2: Conventional model for data retrieval with authentication, authorization and communication security.
Figure 3: New model for data retrieval with anonymous authentication, key-controlled authorization and communication security.
The above subscription system has some distinct features. Firstly, W can put its database on mirror sites for better services, such as faster access. Since mirror sites are less trusted, W does not want to put valuable information on them. With our system, W need not give user information to the mirror sites, and the mirror sites cannot obtain the information in the database since the data are encrypted. Secondly, U need not rush to get all purchased information out of W. In conventional subscription systems, a user who pays for the data is allowed to access the database for a period of time. After the expiration date, the user can no longer access the database. Therefore, the user may want to get all data out of the database before his membership expires, whether or not the data are useful to him. This sometimes causes severe traffic and system load. With our subscription system, the user can access the database as long as W does not revoke his membership. On the other hand, he can get only the data that he paid for.
6.4 Efficiency analysis
There are two efficiency problems in anonymous authentication. The first is that on-line computation for modular exponentiation is unavoidable. Nevertheless, since authentication is executed only once per visit, the computation load should not be a big problem for modern computers.
The second is that if the system has a large number of members, anonymous authentication is not efficient. In this case, we can sacrifice a little anonymity for efficiency by grouping members. Each group consists of a reasonable number of members, and each member belongs to exactly one group. The system keeps group authentication lists L1, L2, . . . , Lr. When a member visits the system, he first provides his group name to W. W then uses that group’s authentication list to authenticate the user anonymously. Although the system learns which group the user is in, it cannot learn who the user is.
6.5 Discussion
A system may discard anonymous authentication and leave access control entirely to the time-dependent class keys. This saves the computation cost of anonymous authentication.
We have discussed that the system’s database may be put on mirror sites for faster access. Since mirror sites are less trusted, user authentication there may not achieve its goal. Without authenticating users, the mirror sites can provide faster access and entail no serious security problem, since they hold only encrypted data.
Most web site systems use only a one-level hierarchy for data. In those systems, access control depends solely on time periods, which reduces the cost of computing class keys.
It is possible for two users to team up to cheat as follows: an authorized user downloads data on behalf of another user who is not authorized to obtain it. This problem is common to all systems that provide content, and it should be resolved by the legal system.
7. CONCLUSIONS
We have proposed a secure system for data access. The system provides an authentication mechanism that keeps the user’s identity anonymous, and uses the time-dependent hierarchical key assignment scheme to control authorization.
The system provides an integrated view of authentication, authorization and communication security. It would be interesting to have an implementation to check its feasibility and practicability.