A new key assignment scheme for enforcing complicated access control policies in hierarchy

Authors: Iuon-Chang Lin, Min-Shiang Hwang and C. C. Chang
Source: Future Generation Computer Systems, Vol.19, pp.457-462, 2003.
Adviser: Min-Shiang Hwang
Speaker: Chun-Ta Li
Date: 2004/11/18


Cryptanalysis of YCN key assignment scheme in a hierarchy

Authors: Min-Shiang Hwang

Source: Information Processing Letters, Vol.73, pp.97-101, 2000.

Modifying YCN Key Assignment Scheme against Hwang’s Attack

Authors: Jyh-Haw Yeh, Min-Shiang Hwang and Wen-Chen Hu

Preprint submitted to Elsevier Science, 5 November 2004

Introduction

• Access control policy – access control problem in a hierarchy

[Figure: hierarchy of user classes with C1 at the top, C2 and C3 in the middle, and C4, C5 and C6 at the bottom, labelled with keys Key1 to Key6. Callout: key management problem.]

Introduction (cont.)

• Akl and Taylor [1983]
  – Super-key (top-down)
    • CA assigns to each user class {prime, secret key, public parameter}
    • Cj (high) derives the secret key of Ci (low)

Secret key and public parameter of Ci and Cj

Large public parameter

Product of the primes of Ci

Introduction (cont.)

• Mackinnon et al. [1985] – canonical assignment
  – Reduce the values of public parameters

Large amount of storage to store public parameters

• Harn and Lin [1990] – (bottom-up)
  – Security: difficulty of factoring a large number
  – Size of the storage space is much smaller

• Yeh et al. [1998] – YCN scheme
  – transitive exceptions
  – anti-symmetrical arrangements

Hwang [2000]: YCN is insecure. Several user classes can collaborate to derive the derivation and encryption keys

Original YCN Scheme

• CA
  – Generates secret number K0
  – Generates M (product of two large prime numbers)
  – Assigns a prime number Pi to each user class Ci
  – Computes the product Xi for Ci

m

miiUj

CCmj

Ujiji PPX

,...,1,,...,1

[Figure: directed graph of the user classes C1 to C6]

Nodes that can be reached by following the arrows, excluding adjacent nodes

Take the product of the Pij values for which node i can be reached by following the arrows

Original YCN Scheme (cont.)

• Compute the public information Tie and Tid for Ci

[Figure: directed graph of the user classes C1 to C6]

i imUj CC

mijid PPT,...,1

imn CCm

Cniiie PPXT /

Prime values of the nodes that cannot be reached by following the arrows:

Pm = 7
Pm = 2
Pm = 2,7
Pm = 2,3,7,11,13
Pm = 2,7
Pm = 2,3,5,7,11

Ancestor nodes other than adjacent nodes:

Pn1 = Ø
P42 = 31
Pn4 = Ø
P15 = 19
P13,43,53 = 17,37,43
P16,26,46 = 23,29,41

Original YCN Scheme (cont.)

• Assign the derivation key Kid and encryption key Kie for each Ci

$K_{id} = (K_0)^{T_{id}} \bmod M$

$K_{ie} = (K_0)^{T_{ie}} \bmod M$

kept secret by the user class Ci

• Ci can use its own derivation key Kid to derive the encryption key Kje of Cj

$K_{je} = (K_{id})^{T_{je}/T_{id}} \bmod M$

[Figure: directed graph of the user classes C1 to C6]

C2 derives C3’s encryption key K3e:

$K_{3e} = (K_0)^{2 \cdot 3 \cdot 7 \cdot 11 \cdot 13 \cdot 19 \cdot 23 \cdot 29 \cdot 31 \cdot 41} \bmod M = \left((K_0)^{2 \cdot 7 \cdot 29}\right)^{(2 \cdot 3 \cdot 7 \cdot 11 \cdot 13 \cdot 19 \cdot 23 \cdot 29 \cdot 31 \cdot 41)/(2 \cdot 7 \cdot 29)} \bmod M$

The Weakness of the YCN Scheme

• $\gcd(T_{ad}, T_{bd}) = 1$

• $sT_{ad} + tT_{bd} = 1$

• Ca and Cb can collaborate to derive the secret K0

$(K_{ad})^s (K_{bd})^t = (K_0)^{sT_{ad}} (K_0)^{tT_{bd}} \bmod M = (K_0)^{sT_{ad} + tT_{bd}} \bmod M = K_0$

• $\gcd(T_{1d}, T_{4d}) = \gcd(52003, 94054) = 1$

• $(s, t) = (76107, -42080)$ such that $sT_{1d} + tT_{4d} = 1$

$(K_{1d})^s (K_{4d})^t = (K_0)^{sT_{1d}} (K_0)^{tT_{4d}} \bmod M = (K_0)^{(76107 \cdot 52003) - (42080 \cdot 94054)} \bmod M = K_0$

Theorem 1. Assume that there are only two top classes (Ca and Cb) in the hierarchy. Ca and Cb can collaborate to derive the derivation and encryption keys of all of the classes in the YCN scheme.

[Figure: directed graph of the user classes C1 to C6]

T1d = 7,17,19,23

T4d = 2,31,37,41

The Weakness of the YCN Scheme (cont.)

• C1 and C2: derivation and encryption keys of C6
  – $\gcd(T_{1d}, T_{2d}) = 7$
  – $s(T_{1d}/7) + t(T_{2d}/7) = 1$
  – C1 and C2 can collaborate to derive the secret $(K_0)^7$

$((K_{1d})^s (K_{2d})^t)^{T_{6d}/7} \bmod M = ((K_0)^{sT_{1d}} (K_0)^{tT_{2d}})^{T_{6d}/7} \bmod M = (K_0)^{T_{6d}} \bmod M = K_{6d}$

• C5 and C6: derivation and encryption keys of C3
  – $\gcd(T_{5d}, T_{6d}) = 2 \cdot 7 = 14$
  – $s(T_{5d}/14) + t(T_{6d}/14) = 1$
  – C1 and C2 can collaborate to derive the secret $(K_0)^{14}$

$((K_{5d})^s (K_{6d})^t)^{T_{3d}/14} \bmod M = ((K_0)^{sT_{5d}} (K_0)^{tT_{6d}})^{T_{3d}/14} \bmod M = (K_0)^{T_{3d}} \bmod M = K_{3d}$

Theorem 2. If C1,C2,…, and Cn are n top classes in the hierarchy, any two of these classes (e.g., C1 and C2) can collaborate to derive the derivation and encryption keys of all successors of these top classes.

[Figure: directed graph of the user classes C1 to C6, annotated with (K0)^7 and (K0)^14]
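The collusion arithmetic from the two weakness slides, checked numerically as an added example (not part of the original slides). T1d, T2d and T4d are the values given on the slides; M and K0 are small constructed numbers, and `audit_pairs` is a hypothetical CA-side check that flags pairs of public exponents with a small gcd.

```python
from math import gcd

# Public exponents stated on the slides (products of the listed primes).
T1D = 7 * 17 * 19 * 23        # 52003
T2D = 2 * 7 * 29              # exponent C2 uses in the K3e derivation example
T4D = 2 * 31 * 37 * 41        # 94054

# Constructed toy secrets, for illustration only (a real M is a large modulus).
M = 1009 * 1013
K0 = 123456


def bezout(a, b):
    """Extended Euclid: return (g, s, t) with s*a + t*b == g == gcd(a, b)."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        q = a // b
        a, b = b, a - q * b
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0


def pooled_secret(k_a, t_a, k_b, t_b, modulus):
    """Value two classes obtain by pooling keys: (K0)^gcd(t_a, t_b) mod modulus."""
    g, s, t = bezout(t_a, t_b)
    # A negative exponent makes pow() use the modular inverse (Python 3.8+).
    return g, pow(k_a, s, modulus) * pow(k_b, t, modulus) % modulus


def audit_pairs(public_t):
    """CA-side check: gcd of every pair of public exponents. A gcd of 1 means
    that pair can recover K0 itself; a gcd of g means they learn (K0)^g."""
    names = sorted(public_t)
    return {(a, b): gcd(public_t[a], public_t[b])
            for i, a in enumerate(names) for b in names[i + 1:]}
```

Extended Euclid returns a different Bezout pair from the slide's (76107, -42080), but any pair satisfying the identity yields the same pooled value.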


The Modified YCN Scheme

• CA
  – Generates secret number K0
  – Generates M (product of two large prime numbers)
  – Assigns a prime number Pi to each user class Ci
  – Computes the product Pi' for Ci

[Figure: directed graph of the user classes C1 to C6]

The Modified YCN Scheme (cont.)

• CA computes the public information $T_i^d$ and $T_i^e$

))(()(),(

'

jiji CC

jECC

jjd

i PPPT

)())()(( ')(

'),( ittjjCiCjEjCiCjj

di

CCthatsuchCifPPP

otherwiseT

eiT

[Figure: directed graph of the user classes C1 to C6]

Tid

5* 11*19 *7 *13 *3(1,3) (1,5) (1,4)(1,6) 1(2)

Tid 2*

(5,1)5*

(5,3)7*

(5,4) 35(2)Ti

e

2*3*5*7*11*13*1*17


The Modified YCN Scheme (cont.)

• CA assigns a derivation key $K_i^d = (K_0)^{T_i^d} \bmod M$ and an encryption key $K_i^e = (K_0)^{T_i^e} \bmod M$

• A class Ci can apply a key derivation function $f_{il}(x,y)$ to derive another class Cl’s key (x and y could be either the character d or e)
  – $f_{il}(x,y) = (K_i^x)^{T_l^y/T_i^x} = ((K_0)^{T_i^x})^{T_l^y/T_i^x} = (K_0)^{T_l^y} \bmod M = K_l^y$

The Modified YCN Scheme (cont.)

• Theorem 1. Under the modified YCN key assignment scheme, $T_i^d \mid T_l^e$ if and only if the policy allows Ci to access Cl, i.e., (Ci,Cl) .

• Theorem 2. If the policy does not allow any class Cik to access Cl, i.e., , then both $T_l^d$ and $T_l^e$ are not multiples of Y under the modified YCN scheme, where .

• Theorem 3. If there is a transitive exception Ci Cl with an intermediate class Ck, i.e., Ci(Ck), then $T_i^d$ $T_k^d$ and $T_k^e$ $T_l^d$ under the modified YCN scheme.

H

E

ECC lik ),(

}|gcd{ HCTY ikd

ik


A New Key Assignment Scheme

• CA generates two large primes: p and q
• CA calculates n = p*q, where n is public
• CA chooses another parameter, g
• CA chooses a set of distinct primes {e1,e2,…,em} for all user classes {C1,C2,…,Cm}
  gcd(Ø(n), ei) = 1 and 1 < ei < Ø(n)
• CA calculates {d1,d2,…,dm}
  ei x di ≡ 1 mod Ø(n)

A New Key Assignment Scheme (cont.)

• CA generates the derivation keys {DK1,DK2,…,DKm} and the secret keys {SK1,SK2,…,SKm} for all user classes {C1,C2,…,Cm}

• Ci can derive the secret key of class Cj with the derivation key DKi as follows:

ngDK jiCjC d

i mod)(

ngSK dii mod

nDKSK kjkiCkC e

ij mod)(,

ng kjkiCkCkiCkC edmod)(

)()( ,

ng jd mod


A New Key Assignment Scheme (cont.)

• Example
  – CA calculates the derivation keys
    • C1: $DK_1 = g^{d_2 \cdot d_4} \bmod n$, $SK_1 = g^{d_1} \bmod n$
    • C2: $DK_2 = g^{d_3 \cdot d_4} \bmod n$, $SK_2 = g^{d_2} \bmod n$
    • C3: $DK_3$ = null, $SK_3 = g^{d_3} \bmod n$
    • C4: $DK_4 = g^{d_2} \bmod n$, $SK_4 = g^{d_4} \bmod n$
  – C1 derives the secret keys SK2 and SK4
    • $SK_2 = (DK_1)^{e_4} \bmod n$
    • $SK_4 = (DK_1)^{e_2} \bmod n$
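An added example, not taken from the slides or the paper, that runs the four-class example above end to end: CA setup, then derivation by each class. The values of p, q, g and the e_i are small constructed numbers, and the POLICY table is an assumption read off which d values appear in each DK on the slide.

```python
from math import gcd, prod

# Constructed toy parameters (assumptions; real p and q would be large primes).
P, Q = 1009, 1013
N, PHI = P * Q, (P - 1) * (Q - 1)
G = 2                                    # public base, must be coprime to n
# Access policy implied by the slide's DK values: class -> classes it may access.
POLICY = {1: [2, 4], 2: [3, 4], 3: [], 4: [2]}
E = {1: 5, 2: 13, 3: 17, 4: 19}          # distinct primes e_i, coprime to phi(n)


def ca_setup():
    """CA side: compute d_i, the secret keys SK_i and the derivation keys DK_i."""
    assert gcd(G, N) == 1
    assert all(1 < e < PHI and gcd(e, PHI) == 1 for e in E.values())
    d = {i: pow(e, -1, PHI) for i, e in E.items()}     # e_i * d_i = 1 mod phi(n)
    sk = {i: pow(G, d[i], N) for i in E}                # SK_i = g^{d_i} mod n
    # DK_i = g^{product of d_j over the classes C_i may access} mod n.
    dk = {i: pow(G, prod(d[j] for j in acc), N) if acc else None
          for i, acc in POLICY.items()}
    return sk, dk


def derive(i, j, dk_i):
    """Class C_i side: SK_j = DK_i^{product of e_k, k != j} mod n.
    Only the public e values and C_i's own derivation key are used."""
    if j not in POLICY[i]:
        raise PermissionError(f"policy does not let C{i} access C{j}")
    exponent = prod(E[k] for k in POLICY[i] if k != j)
    return pow(dk_i, exponent, N)
```

Each e_k in the exponent cancels the matching d_k modulo Ø(n), leaving g^{d_j}; when a class may access only one other class, as C4 here, its derivation key is that class's secret key itself.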

Thanks for your attention

Example

• transitive exceptions
  – C1 can access C2 and C2 can access C3
  – But C1 cannot access C3

• anti-symmetrical arrangements
  – C2 can access C4 and C4 can access C2
  – But C2 and C4 are two different user classes