
proposed scheme in terms of security and performance. Chapter 5 simulates our proposed scheme to demonstrate its feasibility. How our scheme can be used in Facebook is discussed in Chapter 6, and we conclude in Chapter 7.


Chapter 2

Preliminaries

In this chapter, we introduce two techniques: i) Shamir’s Secret Sharing Scheme, and ii) key management for access hierarchies, in order to build the foundation required for our proposed key mechanism.

2.1 Shamir’s Secret Sharing Scheme [26]

Definition 1 Let t, n be positive integers, t ≤ n. A (t, n)-threshold scheme is a method of sharing a key K among a set of n participants (denoted by P), in such a way that any t participants can compute the value of K, but no group of t − 1 participants can do so.

At a later time, a subset of participants B ⊆ P will pool their shares in an attempt to compute the key K. (Alternatively, they could give their shares to a trusted authority which will perform the computation for them.) If |B| ≥ t, then they should be able to compute the value of K as a function of the shares they collectively hold; if |B| < t, then they should not be able to compute K. The value of K is chosen by a special participant called the dealer.

The dealer is denoted by D and we assume D ∉ P. When D wants to share the key K among the participants in P, he gives each participant some partial information called a share. The shares should be distributed secretly, so no participant knows the share given to another participant.

We will use the following notation. Let P = {P_i : 1 ≤ i ≤ n} be the set of n participants. The key set is the set of all possible keys, and the share set is the set of all possible shares.

Shamir’s (t, n)-secret sharing scheme is as follows:

Initialization Phase

1. D chooses n distinct, non-zero elements of Z_p, denoted x_i, 1 ≤ i ≤ n. For 1 ≤ i ≤ n, D gives the value x_i to P_i. The values x_i are public.

Share Distribution

2. Suppose D wants to share a key K ∈ Z_p. D secretly chooses (independently at random) t − 1 elements of Z_p which are denoted a_1, . . ., a_{t−1}.

Reconstruction is basically accomplished by means of polynomial interpolation. Suppose that participants B = {P_{i1}, . . ., P_{it}} want to determine K. They know that the resulting system of t linear equations in the unknowns a_0, . . ., a_{t−1} is linearly independent, so there will be a unique solution, and a_0 will be revealed as the key.

The correctness and privacy of Shamir’s scheme follow from Theorem 1: for every field F, every t distinct values x_{i1}, . . ., x_{it}, and any t values y_{i1}, . . ., y_{it}, there exists a unique polynomial a(x) of degree at most t − 1 over F such that a(x_{ij}) = y_{ij} for 1 ≤ j ≤ t.

Theorem 1 (Lagrange interpolation formula)

Suppose p is prime, suppose x_{i1}, . . ., x_{it} are distinct elements in Z_p, and suppose y_{i1}, . . ., y_{it} are (not necessarily distinct) elements in Z_p. Then there is a unique polynomial a(x) ∈ Z_p[x] having degree at most t − 1, such that a(x_{ij}) = y_{ij}, 1 ≤ j ≤ t.

The polynomial a(x) is the Lagrange interpolation polynomial through the points (x_{ij}, y_{ij}), 1 ≤ j ≤ t. The participants in B do not need to know the whole polynomial a(x); it is sufficient for them to deduce the constant term K = a(0). Hence, they can compute the expression obtained by substituting x = 0 into the polynomial a(x). For a given set B, the reconstruction function is therefore a linear combination of the shares. On the other hand, any unauthorized set T with t − 1 parties holds t − 1 points of the polynomial, which together with every possible secret determines a unique polynomial of degree at most t − 1.

2.2 Key Management for Access Hierarchies [24]

The paper [24] addresses the problem of access control and, more specifically, the key management problem in an access hierarchy. Informally, the general model is that there is a set of access classes ordered by a partial order. They use a directed graph G, where nodes correspond to classes and edges indicate their ordering, to represent such a hierarchy. A user who obtains access (i.e., a key) to a certain class can also obtain access to all descendant classes of her class through key derivation. More specifically, a hierarchical key assignment (KA) assigns a distinct cryptographic key to each class so that users attached to any “base” class can also derive the keys of “lower” classes. As confidential data are classified into such security classes, they can be protected with the respective encryption keys using a symmetric cipher, where the decryption operation asks a user for the same encryption key so as to recover the data.

For ease of presentation, we have the classes partially ordered according to a binary relation “⪯”. They form a partial-order hierarchy (C, ⪯), where C_j ≺ C_i means the clearance or security level of class C_j is lower than that of C_i, and C_j ⪯ C_i allows for the additional case of j = i. The hierarchical KA problem is to assign a key K_i to each class C_i, so that a user attached to her base class C_i can use the issued K_i to derive any K_j (thus to access the data in C_j) iff C_j ⪯ C_i. The hierarchy can be mapped to a directed acyclic graph, where each class corresponds to a vertex; see for example Figure 1.

Figure 1. A partial-order hierarchy (C, ⪯) of m = 8 security classes. One class may have multiple immediate ancestors (e.g., C_6 ≺ C_2). Although there is a top-level class C_1, this graph is not a rooted tree.

The approach of [24] supports arbitrary access graphs. They proposed two efficient and secure key management schemes for access hierarchies; we introduce the base scheme as follows:

BASE SCHEME

Assume that we are given a cryptographic hash function F: {0,1}* → {0,1}^ρ, where ρ is the security parameter and the length of keys and labels.

Key generation. The private key generation process and the nature of the public information stored at each node of the graph are as follows:

Private key Each vertex i is assigned a random private key k_i in {0,1}^ρ. An entity that is assigned access levels V' ⊆ V is given a smartcard with all keys k_j for their access levels j ∈ V'.

Public information For each vertex i there is a unique label ℓ_i in {0,1}^ρ that is assigned to the vertex. Also, for each edge (i, j), the value y_{i,j} = k_j + F(k_i, ℓ_j) mod 2^ρ is stored publicly for this edge.

Key derivation. All that needs to be shown is how to generate a child’s key from the parent’s private information and the public information. Suppose i is a parent of j with respective keys k_i and k_j. Now, ℓ_j and y_{i,j} = k_j + F(k_i, ℓ_j) mod 2^ρ are public information. Clearly, node i can generate k_j with this information, as k_j = y_{i,j} − F(k_i, ℓ_j) mod 2^ρ.

Example. Figure 2 shows key allocation for a graph more complicated than a tree, for which we give two examples. First, it is possible for the node with k_1 to generate key k_2, because that node can compute F(k_1, ℓ_2) and use it, along with the public edge information, to obtain k_2. The node with k_3, on the other hand, cannot generate k_2, since this would require inversion of the function F.


Figure 2. Key allocation for example access graph.
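The key generation and derivation just described, written out as an added example (this is not code from [24] or from this thesis): keys and labels are drawn at random per vertex, each edge publishes y_{i,j} = k_j + F(k_i, ℓ_j) mod 2^ρ, and a holder of k_i derives k_j by walking any path in the DAG. F is instantiated as HMAC-SHA256 truncated to ρ = 128 bits; the graph, the names KeyAllocation, derive and demo, and the choice of HMAC are assumptions of this example.

```python
import hashlib
import hmac
import secrets

RHO = 128          # ρ: key and label length in bits (value chosen for this example)
MOD = 1 << RHO     # arithmetic on edge values is mod 2^ρ


def F(key: int, label: int) -> int:
    """The base scheme's F(k_i, ℓ_j), instantiated here as HMAC-SHA256 truncated to ρ bits."""
    mac = hmac.new(key.to_bytes(RHO // 8, "big"), label.to_bytes(RHO // 8, "big"), hashlib.sha256)
    return int.from_bytes(mac.digest()[: RHO // 8], "big")


class KeyAllocation:
    """Key generation for a DAG given as a list of (parent, child) edges: a private k_i and
    a public label ℓ_i per vertex, and a public y_{i,j} = k_j + F(k_i, ℓ_j) mod 2^ρ per edge."""

    def __init__(self, edges):
        vertices = {v for e in edges for v in e}
        self.keys = {v: secrets.randbelow(MOD) for v in vertices}      # private, per vertex
        self.labels = {v: secrets.randbelow(MOD) for v in vertices}    # public, per vertex
        self.children = {v: set() for v in vertices}
        for i, j in edges:
            self.children[i].add(j)
        self.y = {(i, j): (self.keys[j] + F(self.keys[i], self.labels[j])) % MOD for i, j in edges}

    def public(self):
        """Everything the server may publish: labels, edge values and the graph itself."""
        return {"labels": dict(self.labels), "y": dict(self.y),
                "children": {v: set(c) for v, c in self.children.items()}}


def derive(pub, src, dst, k_src):
    """Der: starting from src with key k_src, unmask edge values along a path to dst.
    Returns k_dst, or None when dst is not a descendant of src (no path to follow)."""
    if src == dst:
        return k_src
    stack, seen = [(src, k_src)], {src}
    while stack:
        node, k_node = stack.pop()
        for child in pub["children"][node]:
            k_child = (pub["y"][(node, child)] - F(k_node, pub["labels"][child])) % MOD
            if child == dst:
                return k_child
            if child not in seen:
                seen.add(child)
                stack.append((child, k_child))
    return None


def demo():
    # Constructed graph in the spirit of Figure 2: vertex 1 above 2 and 3; both 2 and 3 reach 4,
    # but 3 has no path to 2.
    ka = KeyAllocation([(1, 2), (1, 3), (3, 4), (2, 4)])
    pub = ka.public()
    ok_top = derive(pub, 1, 4, ka.keys[1]) == ka.keys[4]      # k_1 reaches k_4 along either path
    ok_edge = derive(pub, 1, 2, ka.keys[1]) == ka.keys[2]     # one-edge derivation
    no_path = derive(pub, 3, 2, ka.keys[3]) is None           # the node holding k_3 cannot get k_2
    wrong_key = derive(pub, 1, 2, ka.keys[3]) != ka.keys[2]   # k_3 used in place of k_1 yields garbage
    return ok_top and ok_edge and no_path and wrong_key
```

The only secret each holder needs is its own key; everything else is public, which is what makes the public information of Algorithm 7 (the y_{i,j,t} values) safe to post on the server after each update.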

We now introduce key recovery security. Informally, in defining the notion of key recovery, we allow an adversary to corrupt keys at various nodes in the graph. The adversary is then given a challenge node v_c, keys for every child of v_c, and keys for every sibling of each node on the way from the root to v_c; with these the adversary can (efficiently) generate keys for all nodes in the graph except v_c and its ancestors. To be more specific, the adversary obtains access to a single oracle that returns a challenge node v_c along with all of the node keys described above, and eventually outputs its guess for k_c.

Definition 2 Pseudorandom Function (PRF) Family. Let {F_ρ}_{ρ∈ℕ} be a family of functions where F_ρ: K × D → R. For k ∈ K, denote by F_k: D → R the function defined by F_k(x) = F(k, x). Let Rand denote the family of all functions from D to R, i.e.,

Rand = {g : g : D → R}.

Let A(1^ρ) be an algorithm that takes as oracle a function g: D → R, and returns a bit. Function g is either drawn at random from Rand (i.e., g ←_R Rand), or set to be F_k.

The PRF-advantage of A is then defined as the difference between the probability that A outputs 1 when its oracle is F_k and the probability that A outputs 1 when its oracle is a random g ∈ Rand.


graph (DAG) G, assuming the security of the pseudorandom function family.

Definition 3 (Key Recovery). A key allocation scheme is secure w.r.t. key recovery if no polynomial time adversary A has a non-negligible advantage (in the security parameter ρ) against the challenger in the following game:

- Setup: The challenger runs Set(1^ρ, G), and gives the resulting public information Pub to the adversary A.

- Phase 1: The adversary issues, in any adaptively chosen order, a polynomial number of Corrupt(v_i) queries, which the challenger answers by retrieving (S_i, k_i) = Sec(v_i) and giving S_i to A.

- Break: The adversary outputs a node v*, subject to v* ∉ Desc(v_i) for any v_i asked in Phase 1, along with her best guess k'_{v*} for the cryptographic key k_{v*} associated with node v*. We define the adversary’s advantage in attacking the scheme as:

Adv^{KR}_A = Pr[k'_{v*} = k_{v*}].

Note that v* is chosen by the adversary as the node on which it would like to be challenged (subject to the constraint that the adversary does not already have access to that node’s key or a key of any of its ancestors).

phases: i) Secret Sharing phase, ii) Social Tuning phase, iii) Secret Recovery phase, iv) Secret Update phase. Before describing the details of the scheme we show the notation used throughout this paper in Table 1.

Notation   Meaning
U.id       An identifier chosen by owner U
t          A time period
c_{i,t}    The ciphertext encrypted with k_{i,t}
m_{i,t}    The content in v_i in time period t
U_f        A friend of owner U
t_now      The current time
w_t        Secret instant in time period t
W_{f,i}    A set of shares of user U_f associated with v_i

Table 1. Notation in paper.

Server Setup

We assume that the following services are available:

1. CREATE(name, pwd): This creates a user account with a specific username. The password, pwd, is used to authenticate the user at a later point in time. If a user’s account cannot be created this method will return false, otherwise it will return true.

2. GETPUB(username): This returns the public information for username . Note that this operation is anonymous and does not require the user to authenticate to the server.


3.1 Secret Sharing (Sha)

User setup – UserRegister()

The user U creates an account on the server, and then he creates an access graph for himself. This corresponds to the master vertex and the content vertices. In our case we create |V| = 3 classes, named closed, like-minded and acquaintance respectively, as the content vertices in our access graph. The user then applies Setup to his access graph to establish a key allocation scheme for this graph. The user posts pub on the server. Finally we construct |V| polynomials in order to protect the hierarchical keys (i.e., sec) in the access graph. Note that we restrict the secret sharing parameter n to 2d − 1. The details of the algorithm for creating the access graph are described in Algorithm 1.

Algorithm 1 UserRegister()

1: U: bool ← CREATE(U, pwd)
2: U: if bool = false then
3: FAIL
4: end if
5: U: choose a favorite U.id, PRF(x), (d, n)
6: U: construct an access graph G = (V, E) and choose a security parameter ρ
7: U: (pub_U, sec_U) ← Setup(1^ρ, G, t)
8: U: split t into n time intervals t_i
9: for j = 1 ~ n do

and a secret for each node in the graph. The details of the Setup algorithm are described in Algorithm 2.


Sec: v_i ↦ (S_i, k_{i,t})

Algorithm 3 uses Shamir’s (d, n)-secret sharing scheme to protect the secrets (i.e., sec) in the access graph. The user U constructs |V| polynomials of degree d − 1 whose constant term is the secret, P_{i,t}(0) = k_{i,t}, 1 ≤ i ≤ |V|. Note that we XOR k_{i,t} and F(U_f.id) in order to let the shares that P_{i,t}(x) generates differ from user to user, for security consideration. More specifically, assume there are two friends of user U, U_1 and U_2: the share U_1 receives from U and the share U_2 receives from U are specific to each user.

Algorithm 3 Share(SecU)


3.2 Social Tuning (Tun)

The social tuning phase provides a mechanism for assigning shares to users based on their cooperative behaviors on contents. It includes the uploadResource and accessResource algorithms, which we introduce as follows:

3.2.1 UploadResource

The uploadResource algorithm is the process by which a user publishes a content m_i associated with vertex v_i to class i (e.g., acquaintance) in time period t. Suppose the user U wants to publish content m_i for class i in time period t: U encrypts m_i using k_{i,t} and then submits the ciphertext to the server. Finally, the server uploads the ciphertext to a storage service provider (SSP). meta(m_i) records information about m_i, including tag, size, type and i: the tag describes m_i; the size is the content size of m_i; the type says whether the content is a text, link, photo, or video; and i means that the content can be accessed by class i. Algorithm 4 shows the details of uploadResource.

Algorithm 4 uploadResource(m_i, t)

1: U: if i ∈ {1, 2, . . ., |V|} then
2: U: c_{i,t} ← Encrypt(k_{i,t}, m_{i,t})
3: U: meta(m_i) || c_{i,t}, meta(m_i) ← [tag, size, type, i]
4: U → Server: meta(m_i) || c_{i,t}
5: Server → SSP: upload(meta(m_i) || c_{i,t})
6: else
7: U: c_{i,t} ← m_{i,t}
8: U → Server: meta(m_i) || c_{i,t}
9: Server → SSP: upload(meta(m_i) || c_{i,t})

3.2.2 AccessResource

The accessResource algorithm allows a user to access contents in a private OSN. A friend of U, U_f, gets the public information of U from the server and uses the Derive algorithm to derive the key, then uses the key to decrypt the ciphertext. The Der(1^n, pub, u, v, sec_u) algorithm takes the public information pub, a source node u, a destination node v, and the source node’s secret sec_u, and, if there is a path from u to v in the access graph, derives the key for node v. A user who shares content, adds a comment or clicks like is called a user who does a cooperative behavior on content. When a user does a cooperative behavior, he gets a share. That is, the user can recover the secret when the number of shares he holds reaches the threshold of the secret sharing scheme. We consider that access control based on cooperative behavior can adjust the class members dynamically, keeping cooperative users close and reducing irrelevant contents for others. Through the cooperative process, the user can broaden his view of content (i.e., he can see more important content because he gets the upper class secret). Algorithm 5 shows the details of accessResource.

randomQuery is a function that takes as input the current time t_now and produces a random value r_j when t_now ∈ t_{ij}.

Share delivery strategy

1. Deliver the share of k_{i−1,t} when the message is encrypted with k_{i,t}.

2. Deliver the share of the currently used key (i.e., k_{i−1,t}) even if the user looks at old content encrypted with k_{i,t−1} in the current time period t.

3.3 Secret Recovery (Rec)

The secretRecovery algorithm takes as input the share set and produces a secret. The algorithm runs at the client side when a user gets a share from the content owner. When the user’s shares reach the threshold, he can reconstruct the polynomial by Lagrange interpolation; consequently, the secret P(0) = secret is recovered. Through secret recovery, the user can access the contents encrypted using the secret he recovered.

Algorithm 6 SecretRecovery(W_{f,i})

1: U_f: if |W_{f,i}| ≥ d in time period t
2: U_f: reconstruct the secret k_{i,t} by Lagrange interpolation

3.4 Secret Update (Upd)

The secret update phase not only allows the users who own the contents (owners) to decrease the level of a friend, but also keeps the shares the friend obtained in the second half of time period t − 1, so that the friend’s effort is not lost. On the other hand, we deactivate the shares the friend obtained in the first half of the time period in order to give users a strong incentive to keep doing cooperative behaviors on contents. The secret update phase prevents inactive users from recovering the secret while doing nothing. We hope that the friend of a user keeps doing cooperative behaviors even though he has received enough shares to recover the secret.

The SecretUpdate algorithm takes as input the time period t and the secrets of the owner, and produces |V| Lagrange interpolation polynomials and new secrets sec_U. To begin with, the algorithm reselects n random values for the new time period t, then updates the secret from k_{i,t−1} to k_{i,t}, recomputes the public information y_{i,j,t} using the new secret k_{i,t}, and finally constructs |V| Lagrange interpolation polynomials using the new secrets k_{i,t} and the shares delivered in the second half of time period t − 1 as points. Note that we guarantee the shares of the second half of time period t − 1 remain valid by selecting exactly those shares as points of the new polynomial. The details of the SecretUpdate algorithm are described in Algorithm 7.

Algorithm 7 SecretUpdate(t, sec_U)

1: U: split t into n time intervals t_i
2: for j = 1 ~ n do
3: choose a random value r_j ∈ N for t_{ij}
4: end for
5: U: for v_i ∈ V do
6: set k_{i,t} ← F(K_i, w_t), w_t ∈_R N
7: end for
8: U: for (v_i, v_j) ∈ E do
9: compute y_{i,j,t} ← k_{j,t} + F(k_{i,t}, ℓ_j) mod 2^ρ
10: end for
11: U → Server: pub_U
12: U: for v_i ∈ V do
13: construct a Lagrange interpolation polynomial:
14:
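The following added example (not the thesis’ own code) ties together the Shamir reconstruction of Section 2.1, the per-friend polynomials of Algorithm 3, share delivery in the Tun phase, secret recovery (Algorithm 6) and secret update (Algorithm 7) for a single class vertex v_i. It assumes: shares are points (r_j, P_{i,t}(r_j)) at the random query value r_j of the interval in which the friend acted; F is HMAC-SHA256 reduced into a 127-bit prime field; the friend-specific masking is k_{i,t} + F(U_f.id) mod P rather than the thesis’ XOR, so that the constant term stays a field element; and the names OwnerClass, secret_recovery, friend_mask and demo are this example’s own.

```python
import hashlib
import hmac
import secrets

# GF(P) for the shares; P is a 127-bit Mersenne prime (a constructed choice, not from the thesis).
P = 2**127 - 1
D, N = 3, 5   # (d, n): threshold d and n time intervals per period, chosen for this example


def prf(key: bytes, data: bytes) -> int:
    """The thesis' PRF F, instantiated as HMAC-SHA256 reduced into GF(P)."""
    return int.from_bytes(hmac.new(key, data, hashlib.sha256).digest(), "big") % P


def lagrange_at(points, x):
    """Evaluate the unique polynomial of degree < len(points) through `points` at x (Theorem 1).
    With x = 0 this is exactly the Shamir reconstruction of the constant term."""
    total = 0
    for j, (xj, yj) in enumerate(points):
        num = den = 1
        for m, (xm, _) in enumerate(points):
            if m != j:
                num = num * (x - xm) % P
                den = den * (xj - xm) % P
        total = (total + yj * num * pow(den, P - 2, P)) % P
    return total


def friend_mask(friend_id: str) -> int:
    """F(U_f.id): makes the constant term, and so every share, specific to one friend."""
    return prf(b"friend-id-tag", friend_id.encode())   # the tag is an assumption of this example


def random_point():
    return (secrets.randbelow(P - 1) + 1, secrets.randbelow(P))


class OwnerClass:
    """Owner-side state for one class vertex v_i: the period key k_{i,t}, the random query
    values r_j, and one polynomial P_{i,t} per friend with P_{i,t}(0) = k_{i,t} + F(U_f.id)."""

    def __init__(self, master_key: bytes, w_t: bytes):
        self.master_key = master_key   # K_i, fixed across periods
        self.polys = {}
        self.new_period(w_t)

    def new_period(self, w_t: bytes, carried=None):
        """Secret update (Algorithm 7): fresh r_j, k_{i,t} = F(K_i, w_t), and new polynomials
        forced through the shares each friend collected in the second half of t-1."""
        self.r = [secrets.randbelow(P - 1) + 1 for _ in range(N)]   # one r_j per interval
        self.k_it = prf(self.master_key, w_t)
        self.polys = {}
        for fid, old_shares in (carried or {}).items():
            pts = [(0, (self.k_it + friend_mask(fid)) % P)] + list(old_shares)[: D - 1]
            while len(pts) < D:          # pad to d points so the degree is at most d-1
                pts.append(random_point())
            self.polys[fid] = pts

    def _poly(self, fid):
        if fid not in self.polys:        # first contact this period: fresh random polynomial
            self.polys[fid] = [(0, (self.k_it + friend_mask(fid)) % P)] + [random_point() for _ in range(D - 1)]
        return self.polys[fid]

    def deliver_share(self, fid: str, j: int):
        """Social tuning: friend fid did a cooperative behaviour in interval j and gets one share."""
        x = self.r[j]
        return (x, lagrange_at(self._poly(fid), x))


def secret_recovery(shares, fid: str):
    """Algorithm 6: interpolate at 0 and unmask with F(U_f.id) once |W_{f,i}| >= d, else None."""
    shares = list(dict(shares).items())          # drop duplicate x values before interpolating
    if len(shares) < D:
        return None
    return (lagrange_at(shares[:D], 0) - friend_mask(fid)) % P


def demo():
    owner = OwnerClass(secrets.token_bytes(32), b"w_1")
    k1 = owner.k_it
    u1 = [owner.deliver_share("u1", j) for j in (0, 1, 2)]   # three behaviours: threshold reached
    u2 = [owner.deliver_share("u2", j) for j in (0, 1)]      # two behaviours: below threshold
    checks = [
        secret_recovery(u1, "u1") == k1,
        secret_recovery(u2, "u2") is None,
        secret_recovery(u2 + u1[2:], "u2") != k1,   # a share meant for u1 is useless to u2
    ]
    # Period 2: u1's second-half shares of period 1 stay valid points on the new polynomial
    owner.new_period(b"w_2", carried={"u1": u1[1:]})
    k2 = owner.k_it
    fresh = owner.deliver_share("u1", 0)
    checks.append(k2 != k1 and secret_recovery(u1[1:] + [fresh], "u1") == k2)
    checks.append(secret_recovery(u1, "u1") != k2)  # only old shares: the new key stays hidden
    return all(checks)
```

The last two checks are the incentive mechanism of Section 3.4 in miniature: carried-over shares still count towards the new threshold, but a friend who stops acting never reaches it, because the new constant term was chosen after those shares were fixed.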


Chapter 4 Analysis

In this chapter, we analyze the security and performance of our scheme. The security of our scheme is based on the pseudorandom function assumption.

4.1 Strawman Solution

Before analyzing our scheme, we first describe a trivial solution in which each user U keeps a bulletin board recording all the behaviors of his friends. An example of a bulletin board is presented in Table 2, where each number is the number of times the corresponding friend of user U did cooperative behaviors on contents.

                         First half of time period   Second half of time period
U1  (Acquaintance)                 2                            2
    (Like-minded)                  1                            0
    (Closed)                       0                            0
U2  (Acquaintance)                 1                            1
    (Like-minded)                  0                            0
    (Closed)                       0                            0
U3  (Acquaintance)                 1                            3
    (Like-minded)                  2                            0
    (Closed)                       0                            0
…                                  …                            …

Table 2. A fragment of a bulletin board.

In the Tun phase, when a friend of user U, U_f, does cooperative behaviors on contents, our scheme delivers shares to U_f. The strawman solution instead counts all the cooperative behaviors of the friends of user U at the owner side. Its drawbacks are storage overhead and bulletin board management overhead: the storage at the owner side is proportional to the number of friends of owner U. Our solution decentralizes the storage to each friend of user U, which reduces both the storage overhead and the bulletin board management overhead. In the secret recovery phase, the strawman solution would need a secure channel to deliver the key to a user who reaches the threshold.

4.2 Security analysis

Key recovery security

The security of our (Sha, Tun, Rec, Upd) scheme is based on the security of the key allocation scheme [24] that we introduced in Section 2.2. More specifically, our proof of security is in the standard model, assuming that a hash function H(x) can be implemented as a pseudo-random function F(x). We show security of the scheme against an active adversary who is allowed to adaptively corrupt nodes in the graph. After corrupting some nodes, the adversary is presented with a challenge: it is asked to recover the key of a node that is not a descendant of a corrupted node (the adversary is allowed to corrupt additional nodes that comply with this condition). We claim that if the adversary wins this game with non-negligible probability, then we can construct an adversary who obtains non-negligible advantage in breaking the security of the PRF, contradicting Definition 2.

Now assume that adversary B is given access to the public information associated with the key assignment of G and is allowed to adaptively corrupt nodes from V. That is, B obtains k_i ← KA(v_i), where v_i ∈ V, and can compute F_{k_i}(h) for arbitrary labels h ∈ {0,1}^ρ. At some point, B makes a single query to a challenge oracle v_c ← C(G), where v_c is a node of the graph that is not a descendant of any corrupted node and is chosen by the oracle. After that, B may corrupt more nodes that do not have the challenge node v_c among their descendants.

At some point B outputs a key k̂ ∈ {0,1}^ρ and wins if k̂ = k_c.

Definition 4 Let KA be a key allocation that implements an access graph G = (V, O, E) and let B be an algorithm that has access to oracles as above and returns a string in {0,1}^ρ. We consider the following experiment:

Experiment Exp^{kr}_{KA,B}

k̂ ← B^{KA(v_i), C(G)}
if after a call to v_c = C(G), B makes a query KA(v_i) where v_c ∈ Desc(v_i), return 0
if k̂ = k_c then return 1 else return 0

The kr-advantage of B is defined as

Adv^{kr}_{KA,B} = Pr[Exp^{kr}_{KA,B} = 1].

While the above definition assumes an adaptive adversary, in our case this adversary is no more powerful than a static adversary that is given the maximum amount of information.

That is, if an adversary B is given a challenge node v_c, keys for every child of v_c, and keys for every sibling of each node on the way from the root to v_c, then B can generate keys for all nodes in the graph except v_c and its ancestors. To be more specific, adversary B obtains access to a single oracle that returns a challenge node v_c along with all of the node keys as described above, and B eventually outputs its guess for k_c. Since the use of a static adversary makes our presentation easier, we will assume that a static adversary with maximal power is used.

If the adversary B has non-negligible advantage in the key recovery experiment, then we can construct an adversary A'_B that uses B and can distinguish between a PRF and a random function with non-negligible probability (i.e., break the security of PRFs).

LEMMA 1. pseudo-random functions using algorithm B. Instead of using public information associated with the graph G = (O, V, E) constructed according to the above key assignment scheme, in this experiment the public information is constructed in such a way that with 50% probability the key assignment is performed in the usual way, and with 50% probability one of the functions F_{k_c} (v_c ∈ V) is replaced with a random function g. A'_B obtains access to the same oracle C(G) as B did, and when querying this oracle obtains a challenge node v_c along with the keys of the children of v_c and the siblings of the ancestors of v_c (let this set of keys be denoted as 𝒦_c), so that
