Enhancing identity trust in cryptographic key management systems for dynamic environments

Cryptographic key management (CKM) schemes can be used to support identity management (IM) systems where linking users securely to data objects is important. CKM schemes enforce data security by encrypting data granting access only to authorized users and security compromises are prevented by updating any keys that are held by users from whom access rights have been revoked. Handling key updates efficiently and providing security against collusion attacks is challenging in dynamic environments like the Internet where manual Security management increases the likelihood of delayed responses. Delay increases the system's vulnerability to security attacks and the potential of the system's violating its service level agreements. Adaptive CKM has emerged as a possibility of addressing this problem but needs to be designed in a way that justifies the cost/benefit tradeoff. In this paper, we show that the key update and collusion avoidance problems are NP-complete and need heuristic algorithms to prevent performance degradations in comparison to standard CKM schemes. As an example of the benefits of a good heuristic, we present a collusion detection and resolution algorithm whose running time is polynomial in the number of keys. The algorithm operates by mapping the generated key set onto a key graph whose independent set is computed. In the key graph, the vertices represent the keys and the edges the probability that their endpoints can be combined to provoke a collusion attack. Collusion possibilities are resolved by applying a heuristic that resets the probability to zero. The performance of our algorithm is analyzed in comparison to the Akl and Taylor scheme that is secure against collusion attack, and the experimental results indicate that collusion prevention can be done dynamically without affecting performance. Copyright © 2010 John Wiley & Sons, Ltd.

[1]  Sushil Jajodia,et al.  Over-encryption: Management of Access Control Evolution on Outsourced Data , 2007, VLDB.

[2]  Wen-Guey Tzeng,et al.  A Time-Bound Cryptographic Key Assignment Scheme for Access Control in a Hierarchy , 2002, IEEE Trans. Knowl. Data Eng..

[3]  Ronald L. Rivest,et al.  Introduction to Algorithms , 1990 .

[4]  Chien-Lung Hsu,et al.  Cryptanalyses and improvements of two cryptographic key assignment schemes for dynamic access control in a user hierarchy , 2003, Comput. Secur..

[5]  Xiaozhou Li,et al.  Batch rekeying for secure group communications , 2001, WWW '01.

[6]  J. Schneider The time-dependent traveling salesman problem , 2002 .

[7]  Morris Sloman,et al.  A survey of trust in internet applications , 2000, IEEE Communications Surveys & Tutorials.

[8]  Matthew Green,et al.  Improved proxy re-encryption schemes with applications to secure distributed storage , 2006, TSEC.

[9]  Arun K. Majumdar,et al.  A Semantic Approach for Modular Synthesis of VLSI Systems , 1988, Inf. Process. Lett..

[10]  Li Zhou,et al.  Adaptive trust negotiation and access control , 2005, SACMAT '05.

[11]  Mikhail J. Atallah,et al.  Dynamic and efficient key management for access hierarchies , 2005, CCS '05.

[12]  E. Eugene Schultz Where have the worms and viruses gone?—new trends in malware , 2006 .

[13]  Selim G. Akl,et al.  An Optimal Algorithm for Assigning Cryptographic Keys to Control Access in a Hierarchy , 1985, IEEE Transactions on Computers.

[14]  Chin-Chen Chang,et al.  Modified Chang-Hwang-Wu access control scheme , 1993 .

[15]  Jason Crampton,et al.  Cryptographically-enforced hierarchical access control with multiple keys , 2009, J. Log. Algebraic Methods Program..

[16]  Chi-Sung Laih,et al.  Merging: an efficient solution for a time-bound hierarchical key assignment scheme , 2006, IEEE Transactions on Dependable and Secure Computing.

[17]  Selim G. Akl,et al.  A Framework for Self-Protecting Cryptographic Key Management , 2008, 2008 Second IEEE International Conference on Self-Adaptive and Self-Organizing Systems.

[18]  Ashutosh Saxena,et al.  Hierarchical key management scheme using polynomial interpolation , 2005, OPSR.

[19]  Yiming Ye,et al.  Security of Tzeng's Time-Bound Key Assignment Scheme for Access Control in a Hierarchy , 2003, IEEE Trans. Knowl. Data Eng..

[20]  Tsau Young Lin,et al.  Managing information flows on discretionary access control models , 2006, 2006 IEEE International Conference on Systems, Man and Cybernetics.

[21]  Xun Yi,et al.  Security of Chien's efficient time-bound hierarchical key assignment scheme , 2005, IEEE Transactions on Knowledge and Data Engineering.

[22]  Victor R. L. Shen,et al.  A Novel Key Management Scheme Based on Discrete Logarithms and Polynomial Interpolations , 2002, Comput. Secur..

[23]  Lein Harn,et al.  A cryptographic key generation scheme for multilevel data security , 1990, Comput. Secur..

[24]  Stephen Gilmore,et al.  Analysing distributed Internet worm attacks using continuous state-space approximation of process algebra models , 2008, J. Comput. Syst. Sci..

[25]  Ravi S. Sandhu,et al.  Cryptographic Implementation of a Tree Hierarchy for Access Control , 1988, Inf. Process. Lett..

[26]  Jason Crampton,et al.  On key assignment for hierarchical access control , 2006, 19th IEEE Computer Security Foundations Workshop (CSFW'06).

[27]  Selim G. Akl,et al.  An Independent Set Approach to Solving the Collaborative Attack Problem , 2005, IASTED PDCS.

[28]  Alfredo De Santis,et al.  New constructions for provably-secure time-bound hierarchical key assignment schemes , 2007, SACMAT.

[29]  Marina Blanton,et al.  Dynamic and Efficient Key Management for Access Hierarchies , 2009, TSEC.

[30]  Mikhail J. Atallah,et al.  Key management for non-tree access hierarchies , 2006, SACMAT '06.

[31]  F. Kuo,et al.  Cryptographic key assignment scheme for dynamic access control in a user hierarchy , 1999 .

[32]  Selim G. Akl,et al.  Cryptographic solution to a problem of access control in a hierarchy , 1983, TOCS.

[33]  Ravi S. Sandhu,et al.  Induced role hierarchies with attribute-based RBAC , 2003, SACMAT '03.

[34]  Yacine Challal,et al.  Key management for content access control in a hierarchy , 2007, Comput. Networks.

[35]  Selim G. Akl,et al.  On replacing cryptographic keys in hierarchical key management systems , 2008, J. Comput. Secur..

[36]  Hung-Yu Chen,et al.  Efficient time-bound hierarchical key assignment scheme , 2004 .

[37]  Byrav Ramamurthy,et al.  A GCD attack resistant CRTHACS for secure group communications , 2004, International Conference on Information Technology: Coding and Computing, 2004. Proceedings. ITCC 2004..

[38]  Matt Blaze,et al.  Divertible Protocols and Atomic Proxy Cryptography , 1998, EUROCRYPT.