Cryptographic key assignment scheme for overcoming the incorrectness of the CHW scheme

J.-H. Wen, J.-S. Sheu and T.-S. Chen

Abstract: Based on the Newton interpolation method and a predefined one-way function, a cryptographic key assignment scheme, called the CHW scheme, in a user hierarchy was presented by Chang et al. in 1992. The CHW scheme did not need the large amount of storage needed in the Akl-Taylor scheme. However, two counter-examples have been presented to prove the incorrectness of the CHW scheme, and two further modified versions of the CHW scheme were also proven to be insecure. Owing to these problems, a simple scheme is proposed to overcome the incorrectness and to enhance the security of the CHW scheme.

1 Introduction

In an information protection system, the security of access control is very important. The access control problem in a hierarchy arises in the military, government departments and private corporations. For example, it is frequently applied to database management systems [1-3] and computer networks [4, 5]. Many schemes [6-10] have been proposed to address access control in a user hierarchy. A user hierarchy can be represented by a partially ordered set (poset). In such a hierarchy, the users are divided into different security classes named $C_1, C_2, \ldots, C_n$, where $n$ is the number of nodes in the user hierarchy. Fig. 1 shows an example of the poset in a user hierarchy. The relationship among the security classes is given by the partial order $\le$. For instance, $C_i \le C_j$ means that the users in $C_j$ have the authority to access the data in $C_i$, but the opposite is not allowed. Under such a relationship, $C_j$ is called a predecessor of $C_i$, and $C_i$ a successor of $C_j$. Moreover, if there does not exist any other security class $C_k$ such that $C_i \le C_k \le C_j$, then $C_i$ is an immediate successor of $C_j$ and $C_j$ is an immediate predecessor of $C_i$. For simplicity, throughout this paper we use the abbreviations IS and IP to denote an immediate successor and an immediate predecessor, respectively.

For a large number of security classes, the key generation algorithm of the Akl-Taylor scheme [6] has been proved infeasible [10]. To overcome this disadvantage of the Akl-Taylor scheme, a cryptographic key assignment scheme [9], called the CHW scheme, based on the Newton interpolation method and a predefined one-way function, was presented. Compared with the Akl-Taylor scheme, the storage required for the public parameters in the CHW scheme is much smaller, and moreover the process of generating and deriving keys becomes simple and efficient. However, two counter-examples proposed recently in [11] show that the CHW scheme [9] is incorrect and its two modified versions [12] are insecure. In this paper, a scheme is presented not only to correct the CHW scheme, but also to enhance its ability to defend against attacks.

© IEE, 2001. IEE Proceedings online no. 20010393. DOI: 10.1049/ip-com:20010393. Paper first received 21st September 2000 and in revised form 9th March 2001. J.-H. Wen and J.-S. Sheu are with the Department of Electrical Engineering, National Chung Cheng University, Chia-Yi, Taiwan 621, Republic of China. T.-S. Chen is with the Department of Computer Science and Information Engineering, Dayeh University, Chang-Hwa, Taiwan, Republic of China.

Fig. 1 Poset in a user hierarchy

2 Incorrectness and weakness of CHW scheme

In this Section, a brief introduction to the CHW scheme [9] is given, and its incorrectness and weakness are presented. For any security class $C_i$ in a user hierarchy, both its secret key $SK_i$ and its public-parameter pair $(P1_i, P2_i)$ are generated and distributed by the central authority (CA). A large prime number $P$ and a predefined one-way function $f$ are made public to all security classes in the user hierarchy by the CA. Throughout this paper, we suppose that a security class $C_i$ has $k_i$ ISs, denoted by $\Phi_i = \{C_{i,j},\ j = 1, 2, \ldots, k_i\}$, for which $SK_{i,j}$ and $(P1_{i,j}, P2_{i,j})$ denote the secret key and the pair of public parameters for the $j$th IS $C_{i,j}$, $j = 1, 2, \ldots, k_i$, respectively. According to the concept of the Newton interpolation method [13], the CA can construct an interpolating polynomial for each security class $C_i$ in a user hierarchy, denoted as $H_i(x)$ of degree $k_i$, over the Galois field GF($P$) by interpolating the following $k_i + 1$ points: $(0, SK_i)$ and the $k_i$ public-parameter pairs $(P1_{i,j}, P2_{i,j})$, $j = 1, 2, \ldots, k_i$. Then the secret key $SK_{i,j}$ for the $j$th IS $C_{i,j}$ of $C_i$ is generated by

$SK_{i,j} = f(a_j) \pmod{P}$ (1)

where $a_j$ is the coefficient of the term $x^j$ in $H_i(x)$.

IEE Proc.-Commun., Vol. 148, No. 4, August 2001

At the beginning of the key generation process, all security classes in the user hierarchy are unmarked, and are then traversed in preorder. In the key derivation procedure, a security class $C_i$ can reconstruct the interpolating polynomial $H_i(x)$ from its secret key $SK_i$ and the $k_i$ pairs of public parameters of its ISs, and then use $H_i(x)$ and the predefined one-way function to derive the secret keys of all its ISs. For any nonimmediate successor, $C_i$ can derive the secret key by performing the key-derivation procedure iteratively. Since no one can reconstruct $H_i(x)$ only by the public parameters of $C_i$'s ISs, the secret key of any security class cannot be derived by conspiratorial means.

In the sequel, we discuss the incorrectness of the CHW scheme. Let the set of security classes $\chi = \{C_i, C_{i+1}, \ldots, C_{i+d-1}\}$ have the same security clearance; that is, all the elements of the set are on the same level of a user hierarchy. Suppose that the first $q$ ISs of each security class in $\chi$ are the same. Because the keys are generated by preorder traversal, the first security class $C_i$ in $\chi$ determines the secret keys and public-parameter pairs for the first $q$ shared ISs, shared by all security classes in $\chi$. Thus these $q$ shared ISs are marked. That is, $C_i$ uses the point $(0, SK_i)$ and the $k_i$ public-parameter pairs of its ISs to reconstruct the interpolating polynomial, denoted as

$H_i(x) = SK_i + a_{i,1}x + a_{i,2}x^2 + \cdots + a_{i,k_i}x^{k_i} \pmod{P}$

Then $C_i$ uses the $k_i$ coefficients $a_{i,1}, a_{i,2}, \ldots, a_{i,k_i}$ to derive the secret keys of its ISs according to eqn. 1. When it comes to the other security classes in $\chi$, their interpolating polynomials are given by

$H_j(x) = SK_j + a_{j,1}x + a_{j,2}x^2 + \cdots + a_{j,k_j}x^{k_j} \pmod{P}$

for $j = i + 1, i + 2, \ldots, i + d - 1$. The $q$ coefficients $a_{j,1}, a_{j,2}, \ldots, a_{j,q}$ of $H_j(x)$, for $j = i + 1, i + 2, \ldots, i + d - 1$, are used to generate the secret keys of the $q$ shared ISs. Accordingly, if each security class in $\chi$ wants to generate identical secret keys for their $q$ shared ISs, then for each $r = 1, 2, \ldots, q$ the following equations

$f(a_{i,r}) = f(a_{j,r}) \pmod{P}$ for all $i \ne j$

must be satisfied. However, they do not hold in general owing to the distinct secret keys of security classes in $\chi$. This is the incorrectness of the CHW scheme and it makes the CHW scheme unusable. Moreover, in the CHW scheme, the secret key of a certain security class is susceptible to being broken if all its ISs collaborate [12]. Therefore any IP may be broken if all its ISs unite against their predecessor. In the next Section, a simple and effective scheme will be presented to solve these two problems.
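The disagreement between peers can be reproduced numerically. The following Python sketch is an added example, not code from the paper: it interpolates $H(x)$ over GF(31) for two peers of equal clearance that share the same two ISs and compares the keys each one derives via eqn. 1. The one-way function `f`, the two secret keys and the public-parameter pairs are constructed stand-ins, and the function names are hypothetical.

```python
P = 31  # small prime, matching the modulus of the paper's numeric example

def f(a):
    # Stand-in for the predefined one-way function (assumption: the paper
    # does not specify f; a toy modular exponentiation is used here).
    return pow(3, a, P)

def newton_coefficients(points):
    """Coefficients [a_0, a_1, ...] of the interpolating polynomial over GF(P)."""
    xs = [x for x, _ in points]
    dd = [y % P for _, y in points]
    # Divided differences, computed in place.
    for level in range(1, len(points)):
        for i in range(len(points) - 1, level - 1, -1):
            inv = pow((xs[i] - xs[i - level]) % P, -1, P)
            dd[i] = (dd[i] - dd[i - 1]) * inv % P
    # Expand the Newton form into powers of x.
    coeffs, basis = [0] * len(points), [1]
    for k, c in enumerate(dd):
        for d, b in enumerate(basis):
            coeffs[d] = (coeffs[d] + c * b) % P
        # basis <- basis * (x - xs[k])
        basis = [(s - xs[k] * b) % P for s, b in zip([0] + basis, basis + [0])]
    return coeffs

def chw_derive_is_keys(secret_key, public_pairs):
    """CHW derivation: H(x) through (0, SK_i) and the IS pairs; SK_{i,j} = f(a_j)."""
    coeffs = newton_coefficients([(0, secret_key)] + public_pairs)
    return [f(a) for a in coeffs[1:]]

# Constructed values: two peers of equal clearance that share the same two ISs.
SHARED_IS_PAIRS = [(5, 12), (9, 20)]
SK_I, SK_J = 28, 7

def shared_keys_agree():
    return (chw_derive_is_keys(SK_I, SHARED_IS_PAIRS)
            == chw_derive_is_keys(SK_J, SHARED_IS_PAIRS))

if __name__ == "__main__":
    print("keys derived by C_i:", chw_derive_is_keys(SK_I, SHARED_IS_PAIRS))
    print("keys derived by C_j:", chw_derive_is_keys(SK_J, SHARED_IS_PAIRS))
    print("identical:", shared_keys_agree())
```

Both peers interpolate through the same public pairs, but the differing point at $x = 0$ changes every higher coefficient, so the shared ISs would need two different keys at once.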

3 Proposed scheme to improve CHW scheme

To prevent a collaborative attack, any secret key $SK$ will be substituted with its corresponding pretending secret key $SK'$, generated from the predefined function $f$, according to

$SK' = f(SK)$ (2)

3.1 Basic idea of the proposed scheme

First, we assume that for any set of security classes, say $S$, all the security classes in this set $S$ have the same security clearance. For simplicity, we use $|S|$ to denote the number of nodes in the set $S$. A set of IPs is referred to as a similar IP set if all the IPs of the set simultaneously share a number of ISs. Suppose that there are $Q_L$ similar IP sets in the $L$th security-clearance level. We use $Y_L = \{Y_{L,1}, Y_{L,2}, \ldots, Y_{L,Q_L}\}$ to denote the $Q_L$ similar IP sets. Every similar IP set corresponds to a set of ISs, which is called a shared IS set. We use $q_{L,j}$ to denote the shared IS set corresponding to the similar IP set $Y_{L,j}$. In addition, let $q_L = \{q_{L,1}, q_{L,2}, \ldots, q_{L,Q_L}\}$ denote the $Q_L$ shared IS sets corresponding to the similar IP sets $Y_L = \{Y_{L,1}, Y_{L,2}, \ldots, Y_{L,Q_L}\}$. That is, the $|q_{L,j}|$ security classes in $q_{L,j}$ are shared by each IP in $Y_{L,j}$. A security class $C_j$ is called the exclusive IP with respect to the set $A_j$ if $C_j$ is the only IP that exclusively shares the $|A_j|$ security classes in $A_j$. Therefore, we call $A_j$ the exclusive IS set with respect to the exclusive IP $C_j$. Previously, we supposed that a security class $C_j$ in the user hierarchy has $k_j$ ISs, denoted by $\Phi_j = \{C_{j,t},\ t = 1, 2, \ldots, k_j\}$. It is observed that $k_j$ equals $|A_j|$ if $C_j$ does not belong to any similar IP set.

In Fig. 1, $\{C_1\}$, $\{C_2, C_3, C_4\}$, and $\{C_5, C_6, \ldots, C_{18}\}$ belong to the first, second, and third security-clearance levels, respectively. The illustration for the second security-clearance level is shown in Table 1. Apparently, a certain security class may belong to a similar IP set and be an exclusive IP at the same time. For example, $C_2$ belongs to $Y_{2,1}$, the first similar IP set of the second security-clearance level, and is also the exclusive IP of the exclusive IS set $A_2$.

Table 1: The illustration for the second security-clearance level of the user hierarchy in Fig. 1

Similar IP sets $Y_2$: $Y_{2,1} = \{C_2, C_3\}$; $Y_{2,2} = \{C_3, C_4\}$
Shared IS sets $q_2$: $q_{2,1} = \{C_7, \ldots, C_{10}\}$ corresponding to $Y_{2,1}$; $q_{2,2} = \{C_{11}, \ldots, C_{17}\}$ corresponding to $Y_{2,2}$
Immediate successors: $\Phi_2 = \{C_5, \ldots, C_{10}\}$ for $C_2$; $\Phi_3 = \{C_7, \ldots, C_{17}\}$ for $C_3$; $\Phi_4 = \{C_{11}, \ldots, C_{18}\}$ for $C_4$
Exclusive IS sets: $A_2 = \{C_5, C_6\}$ for $C_2$; $A_3 = \emptyset$ for $C_3$; $A_4 = \{C_{18}\}$ for $C_4$

In the proposed scheme, for each security-clearance level, the security classes of similar IP sets and exclusive IPs are evaluated separately by different algorithms. Accordingly, while the CA constructs interpolating polynomials, the ISs of any node $C_i$ in the user hierarchy are classified into two parts, if they exist. The first part is the shared IS set corresponding to the similar IP set to which $C_i$ belongs, and the second part is the exclusive IS set whose exclusive IP is $C_i$. An exclusive IP does not run into the incorrectness of the CHW scheme while the CA is generating the secret keys of its exclusive ISs. Therefore the proposed scheme here just applies to similar IP sets.

Consider a certain similar IP set $Y_{L,j}$ with respect to the shared IS set $q_{L,j}$. The criterion for the key-generation scheme is that each security class in $Y_{L,j}$ can only use its own secret key, without any secret key of the other peers in $Y_{L,j}$, for deriving secret keys of their shared ISs $q_{L,j}$. And importantly, it must satisfy the condition that any IP in $Y_{L,j}$ cannot use the secret keys of the shared IS set $q_{L,j}$ to derive any secret key of the other peers in $Y_{L,j}$. In the next Section, we propose a simple and effective scheme satisfying these two points. The proposed scheme is based on the combination of Lagrange polynomial [14] and Newton interpolation methods [13]. In the sequel, $\{SK_{Y_{L,j},k},\ k = 1, 2, \ldots, |Y_{L,j}|\}$ are used to denote the secret keys of the $|Y_{L,j}|$ IPs in $Y_{L,j}$. Concerning the basic idea of the Lagrange polynomial, we would like to consider the product of factors first, given by

$O_{Y_{L,j}}(x) = \prod_{k=1}^{|Y_{L,j}|} \left(x - SK'_{Y_{L,j},k}\right)$ (3)

which is related to the $|Y_{L,j}|$ pretending secret keys $\{SK'_{Y_{L,j},k},\ k = 1, 2, \ldots, |Y_{L,j}|\}$. The function $O_{Y_{L,j}}(x)$ becomes zero at $x = SK'_{Y_{L,j},1}, SK'_{Y_{L,j},2}, \ldots,$ or $SK'_{Y_{L,j},|Y_{L,j}|}$. If $O_{Y_{L,j}}(x)$ is divided by $(x - SK'_{Y_{L,j},i})$, the resulting function, defined to be

$V_i(x) = \dfrac{O_{Y_{L,j}}(x)}{x - SK'_{Y_{L,j},i}}$ (4)

is zero at $x = SK'_{Y_{L,j},t}$ for $t \ne i$. Now, we multiply $V_i(x)$ by $(x - D)$, and the resulting function is defined as

$U_i(x) = (x - D)\,V_i(x)$ (5)

where $D$ is a dummy secret key in order to make $U_i(x)$ a polynomial of degree $|Y_{L,j}|$. The dummy secret key $D$ is different from the $|Y_{L,j}|$ pretending secret keys of $Y_{L,j}$ and is only known by the CA. Notice that the value of $U_i(x)$ becomes zero at $x = SK'_{Y_{L,j},k}$ for $k \ne i$ by the property of eqn. 4.

The basis of the proposed scheme is to use a secret universal key, denoted as $SK_{Y_{L,j}}$, instead of the secret keys $\{SK'_{Y_{L,j},k},\ k = 1, 2, \ldots, |Y_{L,j}|\}$ of security classes in the similar IP set $Y_{L,j}$, while any security class in $Y_{L,j}$ is constructing the interpolating polynomial for the shared IS set $q_{L,j}$. That is, each security class in $Y_{L,j}$ will construct the identical interpolating polynomial for the shared IS set on the $|q_{L,j}| + 1$ points: $(0, SK_{Y_{L,j}})$ and the $|q_{L,j}|$ public-parameter pairs of $q_{L,j}$ over GF($P$). Now let us consider the following $|Y_{L,j}|$ linear congruence equations:

solutions. Accordingly, after solving the unknown coefficients $u_i$, we can have the generation polynomial for the universal key $SK_{Y_{L,j}}$, given by

(7)

From eqns. 6 and 7, and the property of eqn. 4, we find that any security class of the similar IP set $Y_{L,j}$ can get the secret universal key merely by his own corresponding pretending secret key, that is

$SK_{Y_{L,j}} = g_{Y_{L,j}}\left(SK'_{Y_{L,j},k}\right) \pmod{P}$, for $k = 1, 2, \ldots, |Y_{L,j}|$ (8)

Therefore each security class in the similar IP set $Y_{L,j}$ can construct the identical interpolating polynomial for the shared IS set $q_{L,j}$ by the secret universal key $SK_{Y_{L,j}}$ and the $|q_{L,j}|$ public-parameter pairs of $q_{L,j}$. Notice that any security class in $Y_{L,j}$ can use neither the derived secret keys of the shared IS set $q_{L,j}$ nor the generation polynomial $g_{Y_{L,j}}(x)$ to break the secret keys of the other peers in $Y_{L,j}$.

polynomial of the corresponding shared IS set by the universal key and the public-parameter pairs of the shared IS set. In the key-generation procedure, step 3 and step 4 are designed for the exclusive IPs, and step 5 and step 6 are applied to similar IPs. In the following, the key-generation algorithm is presented and this is followed by two sub-algorithms.

Key-generation algorithm
Step 1a: Make all nodes in the user hierarchy unmarked.
Step 1b: Let $L$ be the security-level index and set $L = 1$ (the highest security clearance).
Step 2a: Take an unmarked node $C_i$ from the security classes which belong to the $L$th security clearance.
Step 2b: Mark $C_i$.
Step 3a: Determine the exclusive IS set of $C_i$ and denote it as $A_i$.
Step 3b: Go to the exclusive-IP algorithm.
Step 4: Repeat step 2 and step 3 until all nodes in the $L$th security-clearance level are marked.
Step 5a: Determine all the similar IP sets of the $L$th security-clearance level, shown as $Y_L = \{Y_{L,1}, Y_{L,2}, \ldots, Y_{L,Q_L}\}$, and the corresponding shared IS sets, shown as $q_L = \{q_{L,1}, q_{L,2}, \ldots, q_{L,Q_L}\}$.
Step 5b: Let $j$ be the index for the similar IP sets and default $j = 1$.
Step 6a: Run the similar-IP algorithm for $Y_{L,j}$, the $j$th similar set of $Y_L$.
Step 6b: Set $j = j + 1$. If $j \le Q_L$, then return to step 6a.
Step 7: If all the nodes in the user hierarchy are marked, then stop; else set $L = L + 1$ and return to step 2.

Exclusive-IP sub-algorithm
The exclusive-IP algorithm is the same as the key-generation algorithm of the CHW scheme.

Similar-IP sub-algorithm
Step 1: Select the secret universal key $SK_{Y_{L,j}}$, and construct the generation polynomial $g_{Y_{L,j}}$

Step 2: The key-derivation algorithm is the same as that of the CHW scheme except that we must determine the exclusive IS set $A_i$ of $C_i$.
Step 3a: Determine the corresponding similar IP set, say $Y$, and shared IS set, say $q$, to which $C_i$ and $C_{i,k}$ belong, respectively, and then get the generation polynomial $g_Y(x)$ for the universal key of the similar IP set $Y$.
Step 3b: $C_i$ can obtain the universal key $SK_Y$ via

$SK_Y = g_Y(SK'_i) \pmod{P}$

Step 4a: Reconstruct the interpolating polynomial

H , ( z ) = SI

Key-generation example

Exclusive IPs: For security class $C_1$, the interpolating polynomial $H_1(x)$ for his exclusive ISs, $C_2$ and $C_3$, is computed as $H_1(x) = 28 + 27x + 3x^2 \pmod{31}$. For security class $C_2$, the interpolating polynomial $H_2(x)$ for his two exclusive ISs is computed as $H_2(x) = 7 + 7x + 25x^2 \pmod{31}$. For security class $C_3$, the interpolating polynomial $H_3(x)$ for his two exclusive ISs is computed as $H_3(x) = 18 + 5x + 12x^2 \pmod{31}$. For security class $C_4$, the interpolating polynomial $H_4(x)$ for his exclusive ISs, $C_{10}$, $C_{11}$ and $C_{12}$, is computed as $H_4(x) = 19 + 9x + 18x^2 + 25x^3 \pmod{31}$.

Similar IP set $Y_{2,1}$ of two security classes with two shared ISs: The generation polynomial for the secret universal key of $Y_{2,1}$ is shown as
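The generation polynomial of Section 3.1 (eqns. 2, 4, 5 and 8), as an added Python example that is not code from the paper: the CA builds $g(x)$ for one similar IP set, and every peer recovers the same universal key from its own pretending secret key. The function `f`, the modulus 31, all key values, the function names and the form of the congruence used to solve each coefficient ($u_i \cdot U_i(SK'_i) \equiv SK_Y \pmod{P}$) are assumptions made for the illustration; a field this small only shows the algebra.

```python
P = 31  # small prime, matching the modulus of the paper's numeric example

def f(a):
    # Stand-in for the predefined one-way function (assumption: f is not specified).
    return pow(3, a, P)

def mul_linear(p, r):
    """Multiply polynomial p (lowest-order coefficient first) by (x - r) over GF(P)."""
    return [(s - r * b) % P for s, b in zip([0] + p, p + [0])]

def evaluate(p, x):
    acc = 0
    for c in reversed(p):          # Horner's rule
        acc = (acc * x + c) % P
    return acc

def generation_polynomial(pretending_keys, dummy, universal_key):
    """CA side: g(x) = sum_i u_i * U_i(x), with U_i(x) = (x - D) * V_i(x)."""
    if len(set(pretending_keys + [dummy])) != len(pretending_keys) + 1:
        raise ValueError("D and the pretending keys must be pairwise distinct")
    g = [0] * (len(pretending_keys) + 1)
    for i, sk_i in enumerate(pretending_keys):
        U = [1]
        for t, sk_t in enumerate(pretending_keys):
            if t != i:
                U = mul_linear(U, sk_t)    # V_i(x): zero at every peer's key except i's
        U = mul_linear(U, dummy)           # U_i(x) = (x - D) * V_i(x), eqn. 5
        # Assumed congruence: u_i * U_i(SK'_i) = SK_universal (mod P)
        u = universal_key * pow(evaluate(U, sk_i), -1, P) % P
        g = [(a + u * b) % P for a, b in zip(g, U)]
    return g

# Constructed values: three peers of one similar IP set.
PEER_SECRET_KEYS = [7, 18, 19]
PRETENDING_KEYS = [f(sk) for sk in PEER_SECRET_KEYS]       # eqn. 2
G = generation_polynomial(PRETENDING_KEYS, dummy=9, universal_key=23)

def recover_universal_key(own_secret_key, g=G):
    """Peer side, eqn. 8: evaluate g at the peer's own pretending key."""
    return evaluate(g, f(own_secret_key))

if __name__ == "__main__":
    print("g(x) coefficients:", G)
    print([recover_universal_key(sk) for sk in PEER_SECRET_KEYS])
```

Because every peer obtains the same value at $x = 0$, feeding that universal key into the shared-IS interpolation yields one polynomial for all of them, which removes the coefficient mismatch of the CHW scheme.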