
Robust Dynamic Access Control Scheme in a User Hierarchy Based on One-Way Hash Function


Academic year: 2021


Chien-Lung Hsu, Pei-Ling Tsai, and Yen-Chun Chou

Department of Information Management, Chang Gung University


Abstract-

In 2004, Yang and Li presented an access control scheme based on one-way hash functions that uses a limited number of keys and some public hash functions to solve the dynamic access control problem. Our research finds that in their scheme a user can overstep his authority to access unauthorized information. We further propose a robust dynamic access control scheme to eliminate such an attack.

Keywords: Access control; One-way hash function; Cryptographic key assignment scheme; Dynamic access control.

1. Introduction

With the widespread use of computer techniques and the Internet, computer systems have gradually gained acceptance in people's lives. In general, the security of electronic documents is protected by users' encryption techniques. However, considering the hierarchical property of an enterprise, how to share electronic documents confidentially has become an important issue. A primitive access control is to allow only the authorized personnel to access these electronic documents and block out any unauthorized access. Obviously, in an organization a manager must have the privilege to access employee data to protect the business digital information, while employees are assigned lower authority.

The access control in a computer communication system is usually formed as a user hierarchy called a Partially Ordered Set (POSET), in which the users and their information are divided into $n$ disjoint sets $SC_1, SC_2, \ldots, SC_n$, called security clearances. Using “” as a binary partially ordered relation, in this set $SC_j$ $SC_i$ denotes that $SC_i$ has higher security clearance than $SC_j$, that is, the users in $SC_i$ have the authority to access data belonging to the users in $SC_j$ but not the other way around.

The simplest way to address the access control problem is to allow the users in each security clearance to hold all available secret keys of their direct or indirect security clearances. However, this is memory intensive for key retention, and as the hierarchy becomes larger and more complex, key management becomes difficult. Akl and Taylor [AT83] introduced the cryptographic key assignment scheme, which simplifies the key generation and derivation procedure to resolve the access control problem in the POSET. MacKinnon et al. [MTMA85] pointed out that Akl and Taylor's scheme is vulnerable to the collusion attack and proposed a remedy. However, the dynamic access control problem remains unresolved; all secret keys and public parameters still have to be regenerated when adding, deleting, or changing nodes. Harn and Lin [HL90] proposed a bottom-up cryptographic key assignment scheme (compared to the top-down ones proposed by Akl and Taylor [AT83] and MacKinnon et al. [MTMA85]) to address such inefficiency. Nevertheless, the efficiency of the dynamic access control problem has not yet been fully resolved.

Our comprehensive survey of solutions to the dynamic access control problem [CHW92, WWH95, KSCL99, WC01] reveals that, although the number of parameters has been reduced, the computation cost and time complexity are still high. Yang and Li [YL04] recently introduced an access control scheme based on one-way hash functions that uses only a limited number of keys and some hash functions, and that also decreases the number of parameters that need to be altered. Their approach is a vast improvement in resolving the dynamic access control problem, and the method requires little storage space. Unfortunately, we find that there exist some security flaws in Yang and Li's scheme [YL04]. Specifically, users can still exceed their pre-assigned rights and access unauthorized information when (1) a new node is added, or (2) a new node is added after another is deleted. This paper discusses these two situations in detail and then proposes improvements to eliminate the attacks pointed out.

2. Review of Yang and Li’s scheme

Yang and Li [YL04] proposed an access control scheme based on one-way hash functions, in which a trusted CA (central authority) first determines a set of public one-way hash functions $H = \{H_1, H_2, \ldots, H_n\}$, where $n$ is the degree of the hierarchy, that is, the maximum number of direct child nodes in the hierarchy. The degree in Figure 1 is 3, for example. In key generation, the CA first assigns an arbitrary secret key to each security clearance. Considering the property of access control in a hierarchy, it is necessary for a higher security clearance to be able to derive the secret keys of its direct or indirect child nodes from its own secret key in order to access the information. Key derivation can be divided into the following three situations:

(1) For the root node (namely the node which has no direct parent nodes). The secret key of the node is arbitrarily assigned by the CA, and cannot be derived by anyone.

(2) For a node which has only one direct parent node. Suppose node $r_i$ is the only direct parent of node $r_j$ ($r_j$ $r_i$), and $r_j$ is the $l_{i,j}$-th child node of $r_i$ (from left to right). It can be shown that the secret key of $r_i$ is $K_i$, and the secret key of $r_j$ can be derived from $K_j = H_{l_{i,j}}(K_i)$.

(3) For a node which has more than one direct parent node. Suppose node $r_j$ has $m$ direct parent nodes $(r_{j_1}, r_{j_2}, \ldots, r_{j_m})$, where $r_j$ $r_{j_i}$, for $i = 1, 2, \ldots, m$, and $r_j$ is the $l_{j_i,j}$-th child node of $r_{j_i}$. The secret keys of $(r_{j_1}, r_{j_2}, \ldots, r_{j_m})$ are $(K_1, K_2, \ldots, K_m)$, share the other parameters $H_{l_t}(K_t)$, for $t = 1, 2, \ldots, m$ and $t \neq i$, to derive the secret key of $r_j$ by calculating $H_{l_i}(H_{l_1}(K_1), H_{l_2}(K_2), \ldots, H_{l_m}(K_m))$.

Given a hierarchy with eight nodes (A, B, …, H) as in Figure 1, the secret key of each node is first assigned by the CA to be $(K_A, K_B, \ldots, K_H)$, and

(1) The secret key of node A is $K_A$.

(2) Node B can derive the secret key of node E by computing $H_2(K_B)$, such that $K_E = H_2(K_B)$. Hence, $K_B = H_1(K_A)$ and $K_C = H_2(K_A)$ on this account.

(3) Node B or node C can derive the secret key $K_F$ of node F by computing $K_F = H_3(H_3(K_B), H_1(K_C))$, if nodes B and C know $H_1(K_C)$ and $H_3(K_B)$, respectively.

Figure 1 Key derivation in the hierarchy

3. Attacks and Improvements on Yang and Li's scheme

Yang and Li [YL04] claimed that their scheme can resolve the dynamic access control problem when adding, deleting, or changing the relationship between nodes: only some of the nodes, instead of all nodes, need to renew their secret keys. Unfortunately, some flaws are found in the situation where a node has more than one direct parent node. We point out below that someone may overstep his authority to access unauthorized information in two cases: adding a node, and adding a new node after deleting another.

(1) In the case of adding a node. Node F in Figure 1 has two direct parent nodes B and C, hence the information $H_1(K_C)$ and $H_3(K_B)$ is held by node B and node C, respectively. When a new node Q is added, as shown in Figure 2, the secret keys of nodes Q, D, E, and F are $K_Q = H_1(K_B)$, $K_D = H_2(K_B)$, $K_E = H_3(K_B)$, and $K_F = H_4(K_B)$, respectively. At this time, node C will hold $H_4(K_B)$ and $H_3(K_B)$. Node C can derive the secret key of node E from the information $H_3(K_B)$. The security of node E is threatened.

Figure 2 Adding a new node Q

(2) In the case of adding a new node after deleting another. Node C in Figure 3 originally holds $H_3(K_B)$. However, after deleting node E, node C will hold $H_2(K_B)$ and $H_3(K_B)$, and the secret key of node F will be $K_F = H_2(H_2(K_B), H_1(K_C))$. After that, if a new node Q is added, node C will be able to derive $K_Q$ from $H_2(K_B)$ to access the unauthorized information.

Figure 3 Adding a new node Q after deleting a node E

In view of the above weakness in Yang and Li's scheme, some improvements are given as follows. Let $ID_i$ and $K_i$ be the identity and the secret key of each node, respectively, for i = {A, B, …, H} as shown in Figure 1. Compared with Yang and Li's scheme, only one one-way hash function $H$ is used here. The three scenarios of key generation are modified as follows.

(1) For a node which has no direct parent nodes, the secret key is assigned by the CA (e.g., the secret key of node A is $K_A$, assigned by the CA).

(2) For a node $r_j$ which has only one direct parent node $r_i$ ($r_j$ $r_i$), $r_i$ can derive the secret key of $r_j$ by computing $K_{r_j} = H(ID_{r_j}, K_{r_i}, ID_{r_i})$. For instance, node A can derive the secret key of node B by computing $H(ID_B, K_A, ID_A)$, such that $K_B = H(ID_B, K_A, ID_A)$.

(3) For a node $r_j$ which has more than one direct parent node $(r_{j_1}, r_{j_2}, \ldots, r_{j_m})$, where $r_j$ $r_{j_i}$, for $i = 1, 2, \ldots, m$, each parent node $r_{j_i}$ can derive the secret key of node $r_j$ by calculating

$$K_{r_j} = H\big(H(ID_{r_j}, K_{r_{j_1}}, ID_{r_{j_1}}, \ldots, ID_{r_{j_m}}),\ H(ID_{r_j}, K_{r_{j_2}}, ID_{r_{j_1}}, \ldots, ID_{r_{j_m}}),\ \ldots,\ H(ID_{r_j}, K_{r_{j_m}}, ID_{r_{j_1}}, \ldots, ID_{r_{j_m}})\big)$$

with sharing $H(ID_{r_j}, K_{r_{j_i}}, ID_{r_{j_1}}, \ldots, ID_{r_{j_m}})$, where $i = 1, 2, \ldots, m$, and ij. For example, node B or C can derive $K_F$ by computing $H(H(ID_F, K_B, ID_B, ID_C), H(ID_F, K_C, ID_B, ID_C))$.
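The following sketch replays attack case (1) and the improved derivation for node F. It is an added example, not code from the paper; SHA-256 with length-prefixed fields, the domain-separated stand-in for the family $H_1, \ldots, H_n$, the sample secrets and all function names are assumptions made for illustration.

```python
import hashlib

def H(*fields: bytes) -> bytes:
    """One-way hash over length-prefixed fields (SHA-256 is an assumption)."""
    h = hashlib.sha256()
    for f in fields:
        h.update(len(f).to_bytes(4, "big") + f)
    return h.digest()

def H_idx(i: int, key: bytes) -> bytes:
    """Stand-in for Yang and Li's public family H_1..H_n (domain-separated)."""
    return H(b"H" + str(i).encode(), key)

# Constructed sample secrets and identities for the nodes involved.
K_B, K_C = b"sample-secret-B", b"sample-secret-C"
ID = {n: n.encode() for n in "BCDEFQ"}

def yang_li_c_learns_e() -> bool:
    """Case (1): C keeps H_3(K_B) from Figure 1; after Q is added it equals K_E."""
    held_by_c = {H_idx(3, K_B)}            # F was B's 3rd child (D, E, F)
    after = ["Q", "D", "E", "F"]           # Figure 2: Q becomes B's 1st child
    held_by_c.add(H_idx(after.index("F") + 1, K_B))   # new share H_4(K_B)
    k_e = H_idx(after.index("E") + 1, K_B)            # K_E = H_3(K_B)
    return k_e in held_by_c

def improved_c_learns_sibling(children) -> bool:
    """Improved scheme: C's share binds ID_F, so it matches no sibling key."""
    share_for_c = H(ID["F"], K_B, ID["B"], ID["C"])
    sibling_keys = {H(ID[c], K_B, ID["B"]) for c in children if c != "F"}
    return share_for_c in sibling_keys

def improved_k_f_agrees() -> bool:
    """B and C each combine their own value with the share from the other."""
    share_from_b = H(ID["F"], K_B, ID["B"], ID["C"])
    share_from_c = H(ID["F"], K_C, ID["B"], ID["C"])
    k_f_at_b = H(H(ID["F"], K_B, ID["B"], ID["C"]), share_from_c)
    k_f_at_c = H(share_from_b, H(ID["F"], K_C, ID["B"], ID["C"]))
    return k_f_at_b == k_f_at_c

if __name__ == "__main__":
    print("Yang-Li, after adding Q, C knows K_E:", yang_li_c_learns_e())
    for kids in (["D", "E", "F"], ["Q", "D", "E", "F"], ["D", "F", "Q"]):
        print(kids, "improved scheme leaks:", improved_c_learns_sibling(kids))
    print("B and C derive the same K_F:", improved_k_f_agrees())
```

Because the improved keys depend on identities rather than on a child's position, reordering, adding or deleting siblings never turns a share already held by node C into another node's key.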

4. Security analysis

In this section, we give a security analysis of our proposed improved scheme.

(1) The access control problem can be resolved by using a one-way hash function. That is, a parent node can derive the secret keys of its direct or indirect child nodes, while a child node cannot derive the secret key of its parent from the hash value.

(2) Consider the scenario in which a node has more than one direct parent node. The information each parent node holds is only the hash value of the child's identity and another parent's secret key. For any parent node, it is infeasible to derive the secret key of the other parent nodes from the shared information.

(3) The secret key of each child node is the hash value of its own identity and the direct parent's secret key. Therefore, it is impossible for a parent node to derive the same secret key for different child nodes. In the scenario in which a node has more than one direct parent node, adding a node, or adding a new node after deleting a node, does not violate the objective of access control.

5. Conclusions

This paper pointed out that Yang and Li's scheme violates the requirements of the dynamic access control problem in the situation where a node has more than one direct parent node. We further give improvements that eliminate the attacks pointed out by using only one one-way hash function and binding the child node's identity into the derived key.

References

[AT83] S. G. Akl and P. D. Taylor, control in a hierarchy”, ACM Transactions on Computer System, Vol. 1, No. 3, 1983, pp. 239-248.

[CHW92] C. C. Chang, R. J. Hwang, and T. C. Wu, “Cryptographic key assignment scheme for access control in a hierarchy”, Information Systems, Vol. 17, No. 3, 1992, pp. 243-247.

[HL90] L. Harn and H. Y. Lin, “Cryptographic key generation scheme for multilevel data security”, Computers and Security, Vol. 9, No. 6, 1990, pp. 539-546.

[KSCL99] F. H. Kuo, V. R. L. Shen, T. S. Chen, and F. Lai, “Cryptographic key assignment scheme for dynamic access control in a user hierarchy”, IEE Proceedings – Computers and Digital Techniques, Vol. 146, No. 5, 1999, pp. 235-240.

[MTMA85] S. J. MacKinnon, P. D. Taylor, H. Meijer, and S. G. Akl, “An optimal algorithm for assigning cryptographic keys to control access in a hierarchy”, IEEE Transactions on Computers, Vol. C-34, No. 9, 1985, pp. 797-802.

[WC01] T. C. Wu and C. C. Chang, “Cryptographic key assignment scheme for hierarchical access control”, Computer Systems Science and Engineering, Vol. 16, No. 1, 2001, pp. 25-28.

[WWH95] T. C. Wu, T. S. Wu, and W. H. He, “Dynamic access control scheme based on the Chinese remainder theorem”, Computer Systems Science and Engineering, Vol. 10, No. 2, 1995, pp. 92-99.

[YL04] C. Yang and C. Li, “Access control in a hierarchy using one-way hash functions”, Computers and Security, Vol. 23, No. 8, 2004, pp. 659-664.
