This article was downloaded by: [Massachusetts Institute of Technology] On: 27 November 2014, At: 04:37 Publisher: Taylor & Francis Informa Ltd Registered in England and Wales Registered Number: 1072954 Registered office: Mortimer House, 37-41 Mortimer Street, London W1T 3JH, UK International Journal of Computer Mathematics Publication details, including instructions for authors and subscription information: http://www.tandfonline.com/loi/gcom20 An algebra to represent security policies for cryptography-based secure storage systems D.J. King a & P. Jarratt a a Centre for Computing and Computer Science , The University of Birmingham , P.O. Box 363, Birmingham, B15 2TT, England Published online: 19 Mar 2007. To cite this article: D.J. King & P. Jarratt (1987) An algebra to represent security policies for cryptography-based secure storage systems, International Journal of Computer Mathematics, 23:1, 9-23, DOI: 10.1080/00207168708803604 To link to this article: http://dx.doi.org/10.1080/00207168708803604 PLEASE SCROLL DOWN FOR ARTICLE Taylor & Francis makes every effort to ensure the accuracy of all the information (the “Content”) contained in the publications on our platform. However, Taylor & Francis, our agents, and our licensors make no representations or warranties whatsoever as to the accuracy, completeness, or suitability for any purpose of the Content. Any opinions and views expressed in this publication are the opinions and views of the authors, and are not the views of or endorsed by Taylor & Francis. The accuracy of the Content should not be relied upon and should be

An Algebra to Represent Security Policies for Cryptography- Based Secure Storage Systems

D. J. KING and P. JARRATT
Centre for Computing and Computer Science, The University of Birmingham, P.O. Box 363, Birmingham B15 2TT, England

This paper introduces an algebra for expressing security policies with particular application to cryptographic methods of storing information. The algebra is composed of operands which are cryptographic functions, dependent upon an algorithm and a key, and a set of operators. By combining expressions in meaningful ways, security policies can be represented. The advantages of this are that the categories and classifications of information can clearly be seen, the representation of security policies can be concise, and a model represented in the algebra may be translated readily into a configuration of cryptographic keys, thus simplifying the otherwise difficult task of verifying security.

KEY WORDS: Algebra, security policies, cryptography

C.R. CATEGORIES: E.3 Data Encryption, D.4.6 Security and Protection.

1. INTRODUCTION

The security of data stored on a shared medium depends largely on the correctness of the access control mechanism employed. Additionally one of the major difficulties in building secure systems has been that of verifying the correctness of the mechanism and ensuring the checking of all references to objects.


Little use however has been made of cryptography for secure information storage, in general its main application having been in providing both secrecy and authentication of information passing between systems. The protection of information within a system is usually the responsibility of an access control mechanism which mediates between subjects such as users, and objects such as files and processes.

In using cryptography for secure information storage, the control of access is determined solely by the distribution and the management of the cryptographic keys in which a key behaves like a capability in that it enables the possessor to gain access to certain objects in the system.

This paper presents a formalisation of a cryptographic protection mechanism which allows the controlled sharing of information, not necessarily through the distribution of keys, but through the deriving of special keys from the encrypting keys which are distributed. Perhaps the most important feature of the method is that certain combinations of these special keys are required to recover the original key.

In a secure system with several users and many more files it is important to organise the distribution of keys to reflect accurately a security policy. A formal notation is introduced which is aimed at simplifying the modelling of such policies.

2. PROTECTION PRIMITIVES

A set of protection primitives is presented in Gifford [1982] in which, for example, data can be encrypted such that it can be decrypted with either of two keys. This requirement can be expressed in an algebraic notation which describes the appropriate protection structure. Thus we can write

which is read: applying key $K$ is equivalent to applying either $K_1$ or $K_2$. $K$ is the key which actually encrypts and decrypts the data and $K_1$ and $K_2$ are derivatives, either of which will also encrypt the data.


Note that this is not necessarily equivalent to

In another example, data may be encrypted such that it can only be decrypted given two keys. In this case we can write

read, applying key $K$ is equivalent to applying both $K_1$ and $K_2$.

With these primitives it is possible to protect data in a controlled manner. In addition to these two operators a QUORUM operator is introduced in which data can be encrypted such that decryption requires any subset of size $m$ of a set of $n$ keys. In this case we have

read, applying key $K$ is equivalent to applying any $m$ of $K_1, K_2, K_3, \ldots, K_n$. The creation of more elaborate protection structures using all three operators provides new and interesting possibilities for security policies.

The way in which the protection structures can be used at a practical level is demonstrated in the following example.

Saltzer [1974] describes an access control list approach in a number of systems. Associated with a file is a list of user-access right pairs, specifying for each user the access he has for the file. Using single key encryption, a file $D$ is encrypted with $K$:

It is required that four users have access to the file and the following quorum protection structure is set up:

Each user is issued with one of the keys. By virtue of its possession the user has read access to the file D.


3. AN ALGEBRA OF CRYPTOGRAPHIC FUNCTIONS

In Gudes [1980] and Gifford [1982], reference is made to the implementation of recognised protection policies in a system where protection is controlled by the management of keys. In building protection policies however, formal methods to describe the protection properties are needed. Gifford presents the protection primitives in a language EL, a version of Lisp 1.5 developed at MIT [McCarthy et al., 1962]. This representation is useful for demonstrating the functionality of the primitives, but in order to model existing protection policies and possibly to develop policies for new configurations, it is necessary to use a formal description.

This section therefore introduces a formalisation of the protection primitives in which they are shown to possess certain algebraic properties.

The two essential elements of the algebra are the operand and the operator. The operand is the cryptographic function which, given a cleartext, will produce a ciphertext. Many different functions are known and have various applications, for example: DES [NBS (National Bureau of Standards) 1977] and RSA public key cryptosystem [Rivest et al., 1978].

It is important to note that in the following paragraphs, the cryptographic function will refer not simply to the transforming algorithm, but also to the key. We also note that in an implementation, an appropriate algorithm, a set of keys and a means of implementing the operators which fulfil the properties described in this section must be found.

Now let $A$ represent an algorithm, and let $K$ represent a key. Let $F_i(A, K)$, $i = 1, 2, \ldots, n$, be cryptographic functions contained in the set of all cryptographic functions. In what follows, expressions are always evaluated from left to right. We now define the basic operators for the algebra.

1) And Operator: This is a binary operator used to specify "both" of the cryptographic functions and is denoted by "$\wedge$". For example

means "both $F_1$ and $F_2$". An object protected with $F_1 \wedge F_2$ requires that both $F_1$ and $F_2$ are needed to access it.


2) Or Operator: This is a binary operator used to specify "either" of two cryptographic functions and is denoted by "$\vee$". For example

means "either $F_1$ or $F_2$". An object protected with $F_1 \vee F_2$ requires that either $F_1$ or $F_2$ is needed to access it.

3) Quorum Operator: The quorum operator is used to specify any $m$ cryptographic functions from a list of $n$ functions where $m$ is an integer not exceeding the number of functions in the list. Thus

means "any $m$ items in the list $F_1, F_2, F_3, \ldots, F_n$".

4) Equivalence Operator: This is used to specify that two expressions have equivalent properties and is denoted by "=". For example:

means that "applying F , is equivalent to applying F , and F,",

5) Finally, brackets are used in the conventional way to change the order in which the operations are carried out.

The algebra satisfies the idempotent, the commutative, the associative and the distributive properties.

Note that in the context of the above definitions, a simple quorum expression may be considered to be a cryptographic function and thus can in effect be substituted by a cryptographic function.

Hence each property holds for expressions containing a quorum expression. For example:

In a real situation where the functions are used to encrypt and decrypt information, it is necessary to implement the functions such that they retain the properties defined in such expressions. If functions are going to be created and deleted dynamically, it is essential that new functions can be introduced into existing protection structures. Creation of a new function is possible in two ways. A new algorithm can be created, or a new key can be created, either of which will result in a new cryptographic function. Automatic creation of a new algorithm is difficult and creates insurmountable problems in proving its security. The alternative of creating new keys provides a more practical solution, since keys are much easier to create, and the security provided by a new key is equivalent to that provided by any other key, provided that it is non-degenerate and different from any other key.

In what follows, it is assumed that of the two components of a cryptographic function, the algorithm and the key, the algorithm will remain fixed. Accordingly the behaviour of the function will be entirely dependent upon the key.

4. AN ALGEBRA OF CRYPTOGRAPHIC KEYS

The rules governing the behaviour of cryptographic functions are of little practical value because security policy in a cryptography-based secure system is governed by the distribution of the keys. Nevertheless, the rules apply directly to the behaviour of cryptographic keys for the cases in which the encryption algorithm is fixed. Moreover it is not necessary to define this algebra explicitly, for the reader may readily reconstruct the governing rules from the above definitions, replacing each occurrence of a cryptographic function with a cryptographic key.
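The key algebra can be exercised mechanically. The following is an added example, not code from the paper: it assumes expressions are written as nested tuples and a subject is modelled by the set of key names it holds (the function names are this example's own). It checks the stated laws by enumerating every possible holding and lists the minimal key sets a policy expression requires.

```python
from itertools import combinations, product

# Expression representation (assumed for this example):
#   "K1"                         a key name
#   ("and", e1, e2)              both sub-expressions
#   ("or", e1, e2)               either sub-expression
#   ("quorum", m, [e1, ..., en]) any m of the n listed sub-expressions

def satisfies(expr, held):
    """True if a subject holding the key names in `held` can apply `expr`."""
    if isinstance(expr, str):
        return expr in held
    op = expr[0]
    if op == "and":
        return satisfies(expr[1], held) and satisfies(expr[2], held)
    if op == "or":
        return satisfies(expr[1], held) or satisfies(expr[2], held)
    if op == "quorum":
        m, items = expr[1], expr[2]
        if not 1 <= m <= len(items):
            raise ValueError("quorum size must be between 1 and n")
        return sum(satisfies(e, held) for e in items) >= m
    raise ValueError(f"unknown operator {op!r}")

def keys_in(expr):
    """All key names that occur in an expression."""
    if isinstance(expr, str):
        return {expr}
    subs = expr[2] if expr[0] == "quorum" else expr[1:]
    return set().union(*(keys_in(e) for e in subs))

def equivalent(a, b):
    """Compare two expressions over every possible set of held keys."""
    names = sorted(keys_in(a) | keys_in(b))
    for bits in product([False, True], repeat=len(names)):
        held = {n for n, bit in zip(names, bits) if bit}
        if satisfies(a, held) != satisfies(b, held):
            return False
    return True

def minimal_holdings(expr):
    """Smallest key sets that grant access, found in order of increasing size."""
    names = sorted(keys_in(expr))
    found = []
    for size in range(len(names) + 1):
        for combo in combinations(names, size):
            s = set(combo)
            if satisfies(expr, s) and not any(f <= s for f in found):
                found.append(s)
    return found

if __name__ == "__main__":
    # Distributive law: K1 and (K2 or K3) == (K1 and K2) or (K1 and K3)
    lhs = ("and", "K1", ("or", "K2", "K3"))
    rhs = ("or", ("and", "K1", "K2"), ("and", "K1", "K3"))
    print("distributive:", equivalent(lhs, rhs))
    # A quorum expression used as an operand of And
    policy = ("and", "K5", ("quorum", 2, ["K1", "K2", "K3"]))
    for holding in minimal_holdings(policy):
        print("grants access:", sorted(holding))
```
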

5. SECURITY POLICY

A security policy is a description of a system in terms of general security organisation and a good treatment of the subject can be found in DoD (Department of Defense) [1983].

We now discuss how protection structures can be defined using the algebra, which accurately reflect a security policy.

Because controls can be imposed in a system at one level of the design, it is not difficult to change the controls to suit the application. Such a change might be to extend an information flow policy so that exceptional flows of information between the classifications contrary to the conventional policy are permitted. In general, a modification of this sort would involve recoding a section of the security kernel. In a system based upon the algebra of cryptographic functions, the change would first of all be mapped out using the algebra, and the corresponding changes in the key organisation could then be readily made. It follows that extending a policy is likely to be straightforward, the additional keys required being easily generated and then integrated into the existing protection structures. On the other hand it will be more difficult to increase the restrictions in a policy. For example, revoking access which was previously permitted is difficult because once a key has been distributed, it is not easy to later recall it.

Rebuilding the complete key structure from a mathematical model is one method of ensuring that modifications do not introduce errors but this will make the file system unavailable for the duration of the rebuilding process. However, there will be some degree of assurance that the modified policy is correctly implemented. Fortunately such modifications to conventional systems are generally rare.

Work is currently being carried out in formalising policies using the representation described above and it has been found valuable in gaining a clear understanding of policy modelling for cryptography-based systems and has proved to be very useful for building new policies.

Policies based upon subject access to classes of information have proved to be straightforward: each subject class and object class is associated with a key. In addition, access to object classes via a coordinate pair of subject classes has been achieved using the And operator to create dependence of an object class on two subject classes.

The most interesting policy formulation has been regarding information flow and, using public key pairs as Read Write keys [Denning, 1982, p. 11], the simple security property and the *-property [DoD, 1983] can be expressed:

We define a set of public key pairs:

in which the keys $r_1$ to $r_n$ are used for reading and the keys $w_1$ to $w_n$ are used for writing. $r_j$ has a higher security clearance than $r_i$ for $j > i$. The simple security property is represented by

And the *-property can be expressed thus:

We can extend the policy to include categories [Denning, 1982, p. 266]. We define a matrix of read and write keys for $m$ categories $d_1$ to $d_m$. Thus:

$r_{ij} = r_i \wedge d_j$,

Information can then be stored using the key, $w_{ij}$, and read with the corresponding key, $r_{ij}$.

For the algebra of cryptographic keys to be of any practical use, it is necessary to be able to implement the protection primitives. The remainder of this paper discusses the criteria for implementing a protection scheme and presents two methods.

6. IMPLEMENTATION OF THE THEORY

One of the requirements of using protection structures to control access to information is that access to information is not inadvertently granted to unauthorised subjects due to weaknesses in the implementation of the structures. Three fundamental requirements for a protection structure have been identified.

Consider the statements

Property 1. For either statement $S_1$ or $S_2$ then if F , is unknown, calculating F , must be computationally infeasible.

Property 2. For either statement $S_1$ or $S_2$ then if F , and F , are unknown, there exists a non-unique (F,,F,) pair which will satisfy the statement.

Property 3. For either statement $S_1$ or $S_2$ then if F , is unknown, there exists a non-unique F , which will satisfy the statement.

Property 1 is essential in guaranteeing that information is not divulged to other parties.

Consider for example two files, $D_1$ and $D_2$. Each file is encrypted with keys $K_1$ and $K_2$ respectively. The owner of the files wishes to grant to three colleagues A, B and C access to information stored in the files such that A and B are to have access to $D_1$ and B and C to $D_2$. The following protection structures are set up:

$K_1 = K_3 \vee K_4$, $K_2 = K_4 \vee K_5$.

A is given $K_3$, B is given $K_4$ and C, $K_5$. If the Property 1 is not present in the implementation, then A would be able to calculate $K_4$ from $K_3$, thereby gaining access to file $D_2$.

Thus any method for which the Property 1 does not hold is unsuitable for implementing a protection structure.

Properties 2 and 3 however are not directly concerned with security. Rather, they specify conditions which are necessary for the derivation of keys.

Two methods are now presented which offer practical solutions to implementing the protection structures and their applicability and flexibility are illustrated using simple examples.

6.1. Method 1: Threshold scheme

It is useful to be able to split keys into several ($n$) parts such that $\geq m$ parts are required to reconstruct the keys, but $< m$ parts are insufficient for reconstruction. Such schemes are called Threshold Schemes.

In Shamir [1979] a threshold scheme is described and it is shown that using interpolation, a numerical solution could provide the necessary requirements for implementation. An alternative and more efficient solution of Mignotte [1982, pp. 371-376] is based in the ring of integers.

We now demonstrate that a threshold scheme alone can provide a practical solution to implementing the protection structures.

Three operators have been introduced, the And operator ($\wedge$), the Or operator ($\vee$), and a Quorum operator.

Consider the Quorum operator first:

The And operator can be considered to be a special case of the Quorum operator in which the number of subjects is equal to the Quorum size. For example, in a case in which this is two:

$K = K_1 \wedge K_2$ is equivalent to $K = (K_1, K_2)_2$.

The Threshold Scheme gives us a practical method of deriving two keys, $K_1$ and $K_2$ from $K$. In this example, both $K_1$ and $K_2$ are threshold pieces (shadows) [Shamir, 1979], and are required to reconstruct $K$.

The Or operator can likewise be considered as a special case of the Quorum operator for which the number of subjects is two but the quorum size is only one. Thus

$K = K_1 \vee K_2$ is equivalent to $K = (K_1, K_2)_1$.

Applying $K$ is therefore equivalent to applying either of $K_1$ or $K_2$. However, an analysis of the security readily demonstrates that the Or operator cannot be successfully implemented using either Shamir's solution or Mignotte's solution, for, in both cases, the threshold pieces are identical to the original $K$.

6.2. Method 2: Multiple encryption

A second method of implementing the protection structures is by means of multiple encryption. In order to explain the technique each operator is considered in turn.

The And Operator

Let

Key $K$ is then encrypted by

The ciphertext, $C$, is made public knowledge. The protection property is correctly implemented and is demonstrated if we consider a simple example. A user encrypts a file using cryptographic key, $K$. In order to give access to two colleagues such that they are required to be available together to recover the file into cleartext, the user grants both colleagues access to keys $K_1$ and $K_2$. $C$ is public knowledge and therefore each colleague has access to it. It is accordingly possible for them to recover key $K$ from $C$ by decrypting it first with $K_1$, then with $K_2$.

The Or Operator

Let

Key K is then encrypted twice as follows:

and

Each ciphertext, $C_1$ and $C_2$, is then made public knowledge. A user encrypts a file with $K$. By giving each of two colleagues $K_1$ and $K_2$ respectively he grants them access to the information encrypted with $K$. The colleague with $K_1$ can decrypt $C_1$ to recover $K$; the colleague with $K_2$ can decrypt $C_2$ to recover $K$.

The Quorum Operator

As an example, let

In order to implement this protection structure, a threshold scheme is required.

In this example, key $K$ is split into four parts (threshold pieces), represented by $T_1$ to $T_4$, any three of which will recover $K$. In the Threshold Scheme Method these pieces constitute the actual keys. However, using multiple encryption, they are considered to be only the threshold pieces of $K$.

The pieces are then encrypted as follows:

Each ciphertext is then made public knowledge. The keys $K_1$ to $K_4$ can then be distributed to different colleagues. Three threshold pieces need to be decrypted if the key $K$ is to be recovered.

An analysis of the security demonstrates that this method is secure provided that the encryption algorithm used is sufficiently strong to overcome Ciphertext-Only, Known-Plaintext and Chosen-Plaintext attacks [Denning, 19821.
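The And and Or constructions of the multiple encryption method, with a public table of encrypted keys, can be sketched as follows. This is an added example, not code from the paper: the SHA-256 keystream with an HMAC tag is a stand-in for the paper's fixed algorithm, the nesting order of the And layers is an assumption, and `KeyStore`, `wrap`, `unwrap` and the key names are hypothetical.

```python
import hashlib
import hmac
import secrets

def _subkey(key, label):
    # Separate encryption and MAC keys derived from the holder's key.
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def wrap(key, plaintext):
    """Encrypt-then-MAC stand-in for the fixed algorithm (not a vetted cipher)."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    body = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def unwrap(key, blob):
    """Return the plaintext, or None if `key` did not produce this ciphertext."""
    if len(blob) < 48:
        return None
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None
    stream = _keystream(_subkey(key, b"enc"), nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, stream))

class KeyStore:
    """Public table of encrypted keys: target name -> [(holder names, ciphertext)]."""
    def __init__(self):
        self.public = {}

    def protect_and(self, target, K, parts):
        # K = K1 AND K2: nested encryption, outermost layer is parts[0] (assumed order).
        blob = K
        for _, key in reversed(parts):
            blob = wrap(key, blob)
        self.public.setdefault(target, []).append(([n for n, _ in parts], blob))

    def protect_or(self, target, K, parts):
        # K = K1 OR K2: one independent ciphertext of K per derived key.
        for name, key in parts:
            self.public.setdefault(target, []).append(([name], wrap(key, K)))

    def recover(self, target, held):
        """held maps key names to key bytes; returns the target key or None."""
        for names, blob in self.public.get(target, []):
            if any(n not in held for n in names):
                continue
            data = blob
            for n in names:                 # peel the layers in order
                data = unwrap(held[n], data)
                if data is None:
                    break
            if data is not None:
                return data
        return None

def and_example():
    K, k1, k2 = (secrets.token_bytes(16) for _ in range(3))
    store = KeyStore()
    store.protect_and("K", K, [("K1", k1), ("K2", k2)])
    return {"both_keys": store.recover("K", {"K1": k1, "K2": k2}) == K,
            "one_key": store.recover("K", {"K1": k1}) is not None}

def two_file_example():
    # Files D1 and D2 from Section 6: A and B may read D1, B and C may read D2.
    K1, K2 = secrets.token_bytes(16), secrets.token_bytes(16)
    ka, kb, kc = (secrets.token_bytes(16) for _ in range(3))   # issued to A, B, C
    store = KeyStore()
    store.protect_or("K1", K1, [("KA", ka), ("KB", kb)])
    store.protect_or("K2", K2, [("KB", kb), ("KC", kc)])
    return {
        "A_reads_D1": store.recover("K1", {"KA": ka}) == K1,
        "A_reads_D2": store.recover("K2", {"KA": ka}) is not None,
        "B_reads_both": (store.recover("K1", {"KB": kb}) == K1
                         and store.recover("K2", {"KB": kb}) == K2),
        # A's key opens none of the public ciphertexts that protect K2.
        "A_unwraps_any_K2_ciphertext": any(
            unwrap(ka, blob) is not None for _, blob in store.public["K2"]),
    }

if __name__ == "__main__":
    print(and_example())
    print(two_file_example())
```
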

6.3. Comparative assessment of methods

Neither method is sufficient to implement all three operators. The Threshold Scheme does not provide for the Or-ing of two keys and the Multiple Encryption method requires the threshold method to instantiate the Quorum operator.

To implement the protection structures, a hybrid method, drawing from both methods is described and provides a solution.

The Threshold Method produces threshold pieces which are treated as keys. In Shamir's method, these pieces are $(x, y)$ pairs, rather than normal cryptographic keys, which may be just single strings. It is better if a uniform data type can be used, for it makes the building of complex data structures more straightforward. The $(x, y)$ pairs may be regarded as a string of bits, rather like the conventional cryptographic key. Such a string may itself then be subject to splitting. It would be necessary to mark those keys which are $(x, y)$ pairs, so that the key is not used directly, but only in the threshold recovery of another key.

For example, by concatenating x and y, a key of standard form can be produced. Conversely, any key can be divided into two components simply by splitting the key. Given two keys, two (x,y) pairs can be produced. It is then possible to create an effective third key by treating the two keys as threshold pieces of the third key.

There is no guarantee that the key produced will be suitable, for it may be the wrong length, i.e., not long enough, or too long, or it may be degenerate. Property 3 of Section 6 holds for those cases for which a good key is produced and not for the other cases.

For the Threshold Scheme, the second property holds always. The first property does not however hold for the Or operator using this method.

Now considering the Multiple Encryption Method, deriving two keys from a single key is not in fact possible. For example, given the protection structure:

which gives the ciphertext

it is not possible to deduce $K_1$ and $K_2$ given only $C$ and $K$. This is true for each operator. Therefore the Property 2 does not hold for this method.

However, provided that all the encrypted keys are available, the deriving of a key from two other keys is possible, and therefore Property 3 holds.

The Multiple Encryption Method requires the storage of all the encrypted keys. The keys must be public knowledge for the method to work correctly. In a system with many protection structures, the list of encrypted keys may be large. This list may be stored as a hash table or as a binary tree if fast access is important. Recovery of any key requires that first the encrypted key is obtained from the table and then decrypted.

For a complex protection structure, the number of look-ups and decryptions increases linearly with the number of keys in the structure.

However, with the Threshold Method, the time required to recover a key depends on the quorum size of the scheme. The complexity of Shamir's scheme, equivalent to that of solving a set of simultaneous linear equations, is of order $m^3$ operations [Kronsjo, 1979]. For Mignotte's scheme, the complexity has an upper bound of $m^2$ operations for threshold recovery. In general $m$ will not be large, and the time overheads are relatively small.


Table I  The properties that hold for implementing each operator with both methods

                                          Properties
Method                       Operator     1    2    3
Threshold Method             And          Y    Y    Y
                             Or           N    Y    Y
                             Quorum       Y    Y    Y
Multiple Encryption Method   And          Y    N    Y
                             Or           Y    N    Y
                             Quorum       Y    N    Y

Of the two methods that have been presented, the Multiple Encryption Method satisfies the necessary requirements for implementing the protection structures. The algebra which governs the behaviour of the protection structures provides the basis for designing a provably secure cryptography-based storage system.

7. CONCLUSION

It has been shown that security policies can be represented as groups of algebraic expressions. This can help the designer of a system see clearly the permitted flows of information, enabling new and existing security policies to be modelled and tuned.

A security policy represented in algebraic form can be readily translated into a configuration of cryptographic keys which when distributed amongst subjects in a system allows them to access objects according to the algebraic description.

References

Denning, Dorothy E. (1982). Cryptography and Data Security. Purdue University, Addison-Wesley Pub. Co.

DoD (Department of Defense U.S.) (1983). Trusted Computer System Evaluation Criteria. G. Meade, Fort George, Maryland 20755.

Gifford, David K. (1982). Cryptographic sealing for information secrecy and authentication. Comm. ACM 25, 4, 274-286.

Gudes, Ehud (1980). The design of a cryptography based secure file system. IEEE Trans. on Software Engineering SE-6, 5.

Kronsjo, Lydia I. (1979). Algorithms: Their Complexity and Efficiency. John Wiley and Sons.

Mignotte, M. (1982). How to share a secret. Lecture Notes in Computer Science 149, Cryptography, Proceedings of the Workshop on Cryptography, Germany.

McCarthy et al. (1962). Lisp 1.5 Programmer's Manual. MIT Press, Cambridge MA.

NBS (1977). Data Encryption Standard, National Bureau of Standards, Federal Information Processing Standards, Publication 46.

Rivest, Ronald L., Shamir, Adi and Adleman, L. (1978). A method for obtaining digital signatures and public key cryptosystems. Comm. ACM 21, 2, 120-126.

Saltzer, J. H. (1974). Protection and the control of information sharing in Multics. Comm. ACM 17, 7, 388-402.

Shamir, Adi (1979). How to share a secret. Comm. ACM 22, 11, 612-613.
