Key management for non-tree access hierarchies

Access hierarchies are useful in many applications and are modeled as a set of access classes organized by a partial order. A user who obtains access to a class in such a hierarchy is entitled to access objects stored at that class, as well as objects stored at its descendant classes. Efficient schemes for this framework assign only one key to a class and use key derivation to permit access to descendant classes. Ideally, the key derivation uses simple primitives such as cryptographic hash computations and modular additions. A straightforward key derivation time is then linear in the length of the path between the user's class and the class of the object that the user wants to access. Recently, work presented in [2] has given an efficient solution that significantly lowers this key derivation time, while using only hash functions and modular additions. Two fastkey-derivation techniques in that paper were given for trees, achieving O(log log n) and O(1) key derivation times, respectively, where n is the number of access classes. The present paper presents efficient key derivation techniques for hierarchies that are not trees, using a scheme that is very different from the above-mentioned paper. The construction we give in the present paper is recursive and uses the onedimensional case solution as its base. It makes a novel use of the notion of the dimension d of an access graph, and provides a solution through which no key derivation requires more than 2d+1 hash function computations, even for "unbalanced" hierarchies whose depth is linear in their number of access classes n. The significance of this result is strengthened by the fact that many access graphs have a low d value (e.g., trees correspond to the case d = 2). Our scheme has the desirable property (as did [2] for trees) that addition and deletion of edges and nodes in the access hierarchy can be "contained".

[1]  W. Trotter,et al.  Combinatorics and Partially Ordered Sets: Dimension Theory , 1992 .

[2]  Selim G. Akl,et al.  An Optimal Algorithm for Assigning Cryptographic Keys to Control Access in a Hierarchy , 1985, IEEE Transactions on Computers.

[3]  Piyush Maheshwari,et al.  Enterprise application integration using a component-based architecture , 2003, Proceedings 27th Annual International Computer Software and Applications Conference. COMPAC 2003.

[4]  Chin-Chen Chang,et al.  A key assignment scheme for controlling access in partially ordered user hierarchies , 2004, 18th International Conference on Advanced Information Networking and Applications, 2004. AINA 2004..

[5]  Lein Harn,et al.  A cryptographic key generation scheme for multilevel data security , 1990, Comput. Secur..

[6]  Wojciech A. Trybulec Partially Ordered Sets , 1990 .

[7]  Hung-Yu Chien,et al.  New hierarchical assignment without Public Key cryptography , 2003, Comput. Secur..

[8]  Pingzhi Fan,et al.  Access key distribution scheme for level-based hierarchy , 2003, Proceedings of the Fourth International Conference on Parallel and Distributed Computing, Applications and Technologies.

[9]  Chinchen Chang,et al.  A cryptographic implementation for dynamic access control in a user hierarchy , 1995, Comput. Secur..

[10]  Min-Shiang Hwang,et al.  An Improvement of Novel Cryptographic Key Assignment Scheme for Dynamic Access Control in a Hierarchy , 1999 .

[11]  Stafford E. Tavares,et al.  Flexible Access Control with Master Keys , 1989, CRYPTO.

[12]  Anna Lisa Ferrara,et al.  An Information-Theoretic Approach to the Access Control Problem , 2003, ICTCS.

[13]  Kenji Koyama,et al.  Membership Authentication for Hierarchical Multigroups Using the Extended Fiat-Shamir Scheme , 1991, EUROCRYPT.

[14]  Thomas Hardjono,et al.  Sibling Intractable Function Families and Their Applications (Extended Abstract) , 1991, ASIACRYPT.

[15]  Jan van Leeuwen,et al.  The Art of Dynamizing , 1981, MFCS.

[16]  Jan van Leeuwen,et al.  Maintenance of Configurations in the Plane , 1981, J. Comput. Syst. Sci..

[17]  Tsai Hui-Min,et al.  Refereed paper: A cryptographic implementation for dynamic access control in a user hierarchy , 1995 .

[18]  Johann Gasteiger,et al.  Hierarchical classification as an aid to database and hit-list browsing , 1994, CIKM '94.

[19]  Mark H. Overmars,et al.  Dynamization of Order Decomposable Set Problems , 1981, J. Algorithms.

[20]  Alfredo De Santis,et al.  Cryptographic key assignment schemes for any access control policy , 2004, Inf. Process. Lett..

[21]  Chu-Hsing Lin,et al.  Hierarchical key assignment without public-key cryptography , 2001, Comput. Secur..

[22]  Yu-Fang Chung,et al.  A novel key management scheme for dynamic access control in a user hierarchy , 2004, Proceedings of the 28th Annual International Computer Software and Applications Conference, 2004. COMPSAC 2004..

[23]  Chin-Chen Chang,et al.  A new key assignment scheme for enforcing complicated access control policies in hierarchy , 2003, Future Gener. Comput. Syst..

[24]  Ravi S. Sandhu,et al.  Cryptographic Implementation of a Tree Hierarchy for Access Control , 1988, Inf. Process. Lett..

[25]  W. Schnyder Planar graphs and poset dimension , 1989 .

[26]  Wei-Pang Yang,et al.  Controlling access in large partially ordered hierarchies using cryptographic keys , 2003, J. Syst. Softw..

[27]  Chin-Chen Chang,et al.  Access control in a hierarchy using a one-way trap door function , 1993 .

[28]  Sheng Zhong,et al.  A practical key management scheme for access control in a user hierarchy , 2002, Comput. Secur..

[29]  R. S. Sandhu,et al.  On some cryptographic solutions for access control in a tree hierarchy , 1987, FJCC.

[30]  Indrajit Ray,et al.  A cryptographic solution to implement access control in a hierarchy and more , 2002, SACMAT '02.

[31]  C. Lei,et al.  A dynamic cryptographic key assignment scheme in a tree structure , 1993 .

[32]  Selim G. Akl,et al.  Cryptographic solution to a problem of access control in a hierarchy , 1983, TOCS.

[33]  M. Yannakakis The Complexity of the Partial Order Dimension Problem , 1982 .