Cryptographic Solution to a Problem of Access Control in a Hierarchy

SELIM G. AKL and PETER D. TAYLOR

Queen's University, Canada

A scheme based on cryptography is proposed for access control in a system where hierarchy is represented by a partially ordered set (or poset). Straightforward implementation of the scheme requires users highly placed in the hierarchy to store a large number of cryptographic keys. A time-versus-storage trade-off is then described for addressing this key management problem.

Categories and Subject Descriptors: D.4.6 [Operating Systems]: Security and Protection--access controls; authentication; cryptographic controls; information flow controls; E.3 [Data]: Data Encryption--Data Encryption Standard (DES); public-key cryptosystems.

General Terms: Security

Additional Key Words and Phrases: Multilevel security, cryptography, key, symmetric and asymmetric cryptosystems

1. INTRODUCTION

Assume that the users of a computer (or communication) system are divided into a number of disjoint sets, $U_1, U_2, \ldots, U_n$. The term security class (or class, for short) is used to designate each of the $U_i$. Assume further that a binary relation $\le$ partially orders the set $S = \{U_1, U_2, \ldots, U_n\}$ of classes. The meaning of $U_i \le U_j$ in the partially ordered set (poset) $(S, \le)$ is that users in $U_i$ have a security clearance lower than or equal to those in $U_j$. Simply put, this means that users in $U_j$ can have access to information held by (or destined to) users in $U_i$, while the opposite is not allowed.

Let $x_m$ be a piece of information, or object, that a central authority (CA) desires to store in (or broadcast over) the system. The meaning of the subscript $m$ is that object $x$ is accessible to users in class $U_m$. The partial order on $S$ implies that $x_m$ is also accessible to users in all classes $U_i$ such that $U_m \le U_i$. It is required to design a system which, in addition to satisfying the above conditions, ensures that access to information is as decentralized as possible. This means that authorized users should be able to retrieve $x_m$ independently as soon as it is stored or broadcast by CA.

This work was supported by the Natural Sciences and Engineering Research Council of Canada under Strategic Grant G0381. Authors' Addresses: S. G. Akl, Department of Computing and Information Science, Queen's University, Kingston, Ontario, Canada K7 3N6, and P. D. Taylor, Department of Mathematics and Statistics, Queen's University, Kingston, Ontario, Canada K7 3N6. Permission to copy without fee all or part of this material is granted provided that the copies are not made or distributed for direct commercial advantage, the ACM copyright notice and the title of the publication and its date appear, and notice is given that copying is by permission of the Association for Computing Machinery. To copy otherwise, or to republish, requires a fee and/or specific permission. © 1983 ACM 0734-2071/83/0800-0239 $00.75

ACM Transactions on Computer Systems, Vol. 1, No. 3, August 1983, Pages 239-248.

This access control problem arises in organizations where a hierarchical structure exists. Government, the diplomatic corps, and the military are examples of such hierarchies. Applications also exist in business and in other areas of the private sector, for example, in the management of databases containing sensitive information or in the protection of industrial secrets. Finally, the model is used in the design of computer operating systems to control information flow from one program to another [1, 3].

This paper presents a solution based on cryptography to the problem of access control in a hierarchy. Straightforward implementation of the scheme described in Section 2 requires users highly placed in the hierarchy to store a large number of cryptographic keys. A time-versus-storage trade-off is then proposed in Section 3 for addressing this key management problem. A number of concluding remarks are offered in Section 4. Familiarity with modern cryptology is henceforth assumed [4, 7, 10].

It should be pointed out that this approach does not completely solve the more general multilevel security problem concerned with the protection of classified data and involving requirements for dissemination and update controls, sanitization, downgrading, aggregation, and so forth [4]. Most of these issues are of a practical nature and hence not readily solvable by cryptography. Furthermore, the "need to know" requirement in some applications imposes a compartmentation on the hierarchy that is not present in our partial-order model [5]. It is also true, however, that no single model or solution currently in use for the multilevel security problem encompasses all these implementation-dependent questions either.

2. CRYPTOGRAPHIC SOLUTION

In the following we assume the presence of a cryptosystem with enciphering procedure $E$ to be used under the control of an enciphering key $K^e$. The notation

$$u = E_{K^e}(v)$$

means that $u$ is the result of enciphering $v$ using $E$ and $K^e$. A deciphering procedure $D$ and deciphering key $K^d$ are used to recover $v$:

$$v = D_{K^d}(u).$$

If enciphering and deciphering are symmetric [14], then $K^d$ is identical to (or can be easily obtained from) $K^e$. If the cryptosystem is of the asymmetric type [14], on the other hand, $K^e$ and $K^d$ are different and knowledge of $K^e$ does not contribute to the feasible calculation of $K^d$. The superscripts $e$ and $d$ are henceforth omitted as $K^e$ is only used with $E$ and $K^d$ with $D$.

A cryptographic solution to the access control problem may be obtained as follows. The central authority generates $n$ keys $\{K_i\}$ and distributes to $U_i$ its own key $K_i$ and all keys $K_j$ belonging to $U_j$ below $U_i$ in the hierarchy. When an object $x_m$ is to be stored (or broadcast), it is first encrypted with $K_m$ to obtain

$$x' = E_{K_m}(x_m)$$

and then stored (or broadcast) as the pair $[x', m]$. This guarantees that only users in possession of $K_m$ will be able to retrieve $x_m$ from

$$x_m = D_{K_m}(x').$$

This solution has the advantage that only one copy of $x_m$ is stored or broadcast. Similarly, the operations of enciphering and deciphering are performed exactly once. Its disadvantage is the large number of keys held by each user. The worst case occurs when, for some $j$, $U_i \le U_j$ for all $i$, and users in $U_j$ have to store $n$ keys. The following section deals with this problem.

3. KEY MANAGEMENT

We solve the key storage problem by proposing a system in which a user in $U_j$ stores only his own key $K_j$, and can compute from this the key $K_i$ if and only if $U_i \le U_j$. Formally, whenever $U_i \le U_j$, we define computable functions $g_{ij}$ for which $K_i = g_{ij}(K_j)$, but if $U_i \not\le U_j$, $K_i$ cannot be computed from $K_j$. We first look at the case of a totally ordered set.

3.1 Totally Ordered Sets

The simplest case of a partially ordered set occurs when the set is totally ordered, that is, when $U_1 \le U_2 \le \cdots \le U_n$. Suppose $f$ is a function which is one-way, and indeed for which $f^m$ (where the power denotes composition) is one-way for all positive integers $m$. Here by one-way we mean easy to compute but extremely difficult to invert from a computational point of view. Then if $K_n$ is randomly selected, we define

$$K_{n-1} = f(K_n)$$

$$K_{n-2} = f(K_{n-1})$$

$$\vdots$$

$$K_1 = f(K_2).$$

Thus $g_{ij} = f^{j-i}$. Since positive powers of $f$ are one-way, $g_{ij}$ can only be computed if $i$ is not greater than $j$. As an example, if $E_K$ is the enciphering procedure for any cryptosystem, then $f(K) = E_K(K)$ is a candidate for our one-way function $f$, and our key transformation is $K_{i-1} = E_{K_i}(K_i)$. For example if the Data Encryption Standard (DES) [2] is used, then $K_i$ must be a 56-bit key. The only way we can see to invert $f$ is with an exhaustive cryptanalytic attack using $2^{56}$ (or on the average $2^{55}$) steps. This remote threat can be easily made more improbable by asking each user in $U_i$ to store two keys $K_i$ and $k_i$ and by computing $K_{i-1}$ and $k_{i-1}$ from

$$K_{i-1} = E_{K_i}(k_i) \quad \text{and} \quad k_{i-1} = E_{k_i}(K_i) \quad \text{for } i = n, n-1, \ldots, 2.$$

The average effort required by a user in $U_m$ to go just one level up in the hierarchy to find the key for $U_{m+1}$ is now $2^{110}$ steps!

We note in passing that a similar key management scheme for totally ordered sets, in which a user needs to remember (store) only one key and generate the remaining keys by repeated application of a one-way function, is described in [5]. The same basic technique of using a one-way function iteratively has also been proposed in other contexts; see, for example, [8].

3.2. Arbitrary Posets

Our solution for arbitrary posets has the following form. We assign an integer $t_i$ to each class $U_i$ so that

$$U_i \le U_j \text{ if and only if } t_j \mid t_i.$$

An example of such an assignment appears in Figure 1, which shows the Hasse diagram of a poset $(S, \le)$, with the $t_i$ recorded in the $U_i$ node. We then define a family $\{f_m\}$ of one-way functions with the property $f_{mz} = f_m \circ f_z$, where $m$ and $z$ are integers and the $\circ$ denotes composition. The CA chooses a random $K_0$ and defines

$$K_i = f_{t_i}(K_0).$$

Then if $U_i \le U_j$, $t_i = z t_j$ for some integer $z$, and

$$K_i = f_{t_i}(K_0) = f_z \circ f_{t_j}(K_0) = f_z(K_j)$$

so that $K_i$ can be computed from $K_j$ and $g_{ij} = f_{t_i/t_j}$. The trick is to choose the functions $f_m$ so this calculation can be made only when $U_i \le U_j$.

This can be done as follows. The CA chooses two large primes $p$ and $q$ and makes $M = pq$ public. Then

$$f_m(K) = K^m \pmod{M}.$$

The key transformation equation becomes

$$K_i = K_0^{t_i} = [K_0^{t_j}]^{t_i/t_j} = [K_j]^{t_i/t_j} \pmod{M}, \qquad (1)$$

which, by the result of Appendix A, is computable for all $K_0$ only if $t_j \mid t_i$.

Finally we suggest an algorithm for the assignment $\{t_i\}$. Each class $U_i$ is assigned a distinct prime $p_i$ and

$$t_i = \prod_{U_j \not\le U_i} p_j, \qquad (2)$$

where, by convention, an empty product equals 1. This is illustrated in Figure 2, with $p_i$ underneath the node and $t_i$ inside. Although systematic and easily programmed, this assignment is not nearly as efficient as the ad hoc assignment of Figure 1, since the size of the $t_i$'s it yields grows rapidly with an increasing number of classes. Unlike the assignment of Figure 1, however, assignment (2) is not vulnerable to cooperative attacks as is shown below. We first prove that this assignment works as required.

PROPOSITION 1. Under assignment (2), $t_j \mid t_i$ if and only if $U_i \le U_j$.

PROOF. The proof is immediate. First if $U_i \le U_j$, then the product defining $t_j$ has fewer terms than that for $t_i$, and $t_j \mid t_i$. Conversely if $U_i \not\le U_j$, then $p_i \mid t_j$ (by definition of $t_j$) which implies $t_j$ cannot divide $t_i$ (since $p_i$ does not divide $t_i$). []

Let us now turn to the problem of collusion, where two or more users belonging to different classes cooperate to discover a key to which they are not entitled. Such a threat is present in the assignment of Figure 1. Typically, two users from $U_i$ and $U_j$, with $K_i = K_0^4$ and $K_j = K_0^9$, can easily find $K_0$ from the product

$$(K_i)^{-2} K_j = K_0^{-8} K_0^{9} = K_0 \pmod{M}$$

and hence compute all the keys in the system. This leads us to ask when, under scheme (1), a group $G$ of users will be able to collaborate in the manner just described to find a key $K_i$. The following proposition answers this question.

[Figure 1. Hasse diagram of a poset with the $t_i$ recorded in the nodes.]

[Figure 2. Hasse diagram under assignment (2), with $p_i$ underneath each node and $t_i$ inside. Surviving node labels: 1; 2·5·13, 2·3·7; 2·3·5·11·13, 2·3·5·7·13, 2·3·5·7·11, with 7, 11, 13 underneath the bottom row.]

PROPOSITION 2. In the key generation scheme (1) a key $K_i$ can be feasibly computed from a set of keys $\{K_j : U_j \in G\}$ if and only if

$$\gcd\{t_j : U_j \in G\} \mid t_i. \qquad (3)$$

PROOF. If $g = \gcd\{t_j : U_j \in G\}$, then we can choose integers $a_j$ such that $g = \sum_G a_j t_j$. If $t_i = gr$ for some integer $r$, then $K_i = K_0^{t_i} = K_0^{gr} = \prod_G K_0^{t_j a_j r} = \prod_G [K_j^{a_j}]^r$ and $K_i$ can be computed from the $K_j$'s.

Conversely, if there is a computational scheme for obtaining $K_i = K_0^{t_i} \pmod{M}$ from the $K_j$'s for every $K_0$, then the corollary of Appendix A gives us (3). []

We finally prove that assignment (2) is immune against such cooperative attacks.

PROPOSITION 3. Under the scheme given in (2) illegal collusion is unsuccessful.

PROOF. Since $p_i \mid t_j$ whenever $U_j \not\ge U_i$, we have

$$p_i \mid \gcd\{t_j : U_j \not\ge U_i\}.$$

On the other hand $p_i \nmid t_i$ (by definition), and the result follows. []
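Added example (not from the paper): a Python sketch of assignment (2), key derivation by scheme (1), and the gcd condition of Proposition 2 used as a collusion audit. The six-class poset, the class names, the toy modulus and the value of K0 are constructed for illustration; the exponents 4 and 9 in the usage note are the ones from the collusion example above.

```python
from functools import reduce
from math import gcd, prod

# Constructed six-class poset: BELOW[c] lists every class at or below c.
BELOW = {
    "top": {"top", "m1", "m2", "b1", "b2", "b3"},
    "m1": {"m1", "b1", "b2"},
    "m2": {"m2", "b2", "b3"},
    "b1": {"b1"}, "b2": {"b2"}, "b3": {"b3"},
}
PRIME = {"top": 2, "m1": 3, "m2": 5, "b1": 7, "b2": 11, "b3": 13}  # distinct p_i

# Toy public modulus M = p*q built from two Mersenne primes, and a constructed
# sample secret K0. Real parameters would be far larger, as the paper assumes.
M = (2**31 - 1) * (2**61 - 1)
K0 = 123456789


def leq(i, j):
    """True when U_i <= U_j in the poset."""
    return i in BELOW[j]


def assign_t():
    """Assignment (2): t_i is the product of p_j over all U_j not <= U_i."""
    return {i: prod(PRIME[j] for j in BELOW if not leq(j, i)) for i in BELOW}


def issue_keys(t):
    """CA side: K_i = K0^(t_i) mod M."""
    return {i: pow(K0, ti, M) for i, ti in t.items()}


def derive(k_j, t_j, t_i):
    """Scheme (1), user side: K_i = K_j^(t_i/t_j) mod M, only if t_j | t_i."""
    if t_i % t_j:
        raise ValueError("t_j does not divide t_i: target is not below holder")
    return pow(k_j, t_i // t_j, M)


def collusion_possible(t, group, target):
    """Proposition 2: the group's keys yield K_target iff gcd{t_j} | t_target."""
    return t[target] % reduce(gcd, (t[j] for j in group)) == 0


def audit(t):
    """Return (target, outsiders) pairs where all classes not above the target
    could pool their keys to compute it. An empty list means collusion-safe."""
    bad = []
    for i in t:
        outsiders = [j for j in t if not leq(i, j)]
        if outsiders and collusion_possible(t, outsiders, i):
            bad.append((i, outsiders))
    return bad


def bezout(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = bezout(b, a % b)
    return g, y, x - (a // b) * y


def pool_two_keys(k_a, t_a, k_b, t_b):
    """Proof of Proposition 2 for two keys: returns (K0^g mod M, g) with
    g = gcd(t_a, t_b). Python 3.8+ (pow with a negative exponent)."""
    g, x, y = bezout(t_a, t_b)
    return pow(k_a, x, M) * pow(k_b, y, M) % M, g
```

With the exponents 4 and 9, `pool_two_keys` uses the Bezout coefficients -2 and 1 and returns K0 itself, while `audit(assign_t())` returns an empty list for the prime-product assignment.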

To conclude this section, we examine the space and time requirements of scheme (1). Let each of the primes $p$ and $q$ used to compute the modulus $M$ be 100 decimal digits long. Then each key $K_i$ is at most 200 digits long. Since every user in $U_i$ stores only his own key, the space requirements are $\lceil \log_2 K_i \rceil$ (i.e., 665) bits per user. Similarly, assume that the primes $p_i$ assigned to the $n$ classes are the $n$ smallest primes. Since the size of the $n$th prime is $O(n \log n)$ [6], the largest $t_i$ obtained by (2) is $O((n \log_2 n)^n)$. The public directory containing the $t_i$'s will require $O(n \log_2 n)$ bits for each $t_i$. Finally, in order to raise $K_j$ to the power $t_i/t_j$ and take the remainder modulo $M$, a user in $U_i$ needs to perform $O(\log_2(t_i/t_j))$ operations [4, 6, 13]; that is, $O(n \log_2 n)$ time is required to obtain $K_i$ from $K_j$ by scheme (1). As the above analysis shows, one disadvantage of scheme (2) for implementing (1) is that the numbers $t_i$ it yields grow large rather quickly with increasing $n$. The problem of finding more efficient, indeed optimal, implementations of (1) is addressed in [9].

3.3 Symmetric Cryptosystems for Use with the Key Management Scheme

We suggest two symmetric cryptosystems which may work well with the key management system of Section 3.2. The first is DES [2], which has the advantages of efficiency and ease of implementation. The keys Ki generated in Section 3.2 can be hashed down to the 56-bit keys required by DES.

The other is a scheme first described in [11]. The CA chooses a large prime $N$ and makes it public. Each class $U_i$ receives a private number $b_i$ relatively prime to $N - 1$. Every object to be enciphered is broken into blocks, each of which is expressed as an integer $x$ smaller than $N$. Enciphering and deciphering procedures are given by

$$x' = x^{a_i} \pmod{N} \quad \text{and} \quad x = (x')^{b_i} \pmod{N},$$

respectively. Here $a_i$ is chosen so $a_i b_i \equiv 1 \pmod{N - 1}$ for all $i$. The cryptosystem is symmetric, for, given $N$, $a_i$ and $b_i$ can easily be derived from each other.

This scheme could be used with the key management system of Section 3.2 with $b_i = K_i$, provided $K_i$ is relatively prime to $N - 1$. When this fails, an agreed upon algorithm, common to all users, can be used to generate from $K_i$ a number $b_i$ relatively prime to $N - 1$. Such an algorithm is presented in Appendix B. It should be noted that, for $a_i < N - 1$, we have

$$x^{(N-1)+a_i} \equiv x^{a_i} \pmod{N}.$$

(This is a consequence of Fermat's Theorem [15], which states that for a prime $N$ and an integer $x$ not a multiple of $N$, $x^{N-1} \equiv 1 \pmod{N}$.) Thus it is preferable to choose $N$ larger than $M$ (and hence larger than all $a_i$'s) to guarantee a wide range of encrypted values.

4. CONCLUSION

We have described a scheme based on cryptography for controlling access to data in an organization where hierarchy is represented by a partially ordered set. The scheme enables a member of the organization at some level of the hierarchy to derive from his own cryptographic key the keys of members below him in the hierarchy, and consequently to have access to information enciphered under those keys. One interesting feature of the scheme is that the protection it offers against illegal disclosure depends neither on the physical security of the storage medium where the information resides nor on the trustworthiness of the people managing it. Furthermore, this protection does not apply only to files that are stored in a central computer memory, but also to messages broadcast on a communication network using telephone lines or radio waves. Anyone with the proper receiving equipment can intercept the message but has access to the information it contains only if in possession of the right key. These two properties, which distinguish the scheme from other solutions to the problem of access control in a hierarchy, are clearly due to the use of cryptography. Another important property of the scheme is that it provides security against two or more users of the system collaborating to compute a key to which they are not entitled.

It is not difficult to conceive of examples of hierarchies where such access control is required. As an illustration, consider the personnel of a chain of department stores. Employees are grouped by their rank into classes forming a poset. Here the piece of information to be broadcast may, for instance, be the date of release on the market of the latest brand of a particular product. The problem arises in this case if top management desires to make these data available to all employees at or above the level of store manager, say, but not lower. Another example is a hospital where only doctors with a certain degree of seniority may have access to some personal information in a patient's medical record. Similar situations abound in other areas, particularly in the government and the military, and are easily envisaged. In all these cases a scheme such as ours may contribute a convenient solution to the problem of access control in a hierarchy.

Finally, the scheme could also be useful in a secure distributed system where hosts, operating at different security levels, communicate via an untrusted communication subnetwork (csn). Encrypted messages are broadcast into the csn without concern for misrouting by untrusted csn software since unintended recipients would be unable to decrypt them. Such a use does not, of course, address problems of information flows that are based on some type of message stream modulation.

APPENDIX A

The result of this appendix is that a power $K^t \pmod{M}$ can be feasibly computed from a given set $K^{t_1}, K^{t_2}, \ldots, K^{t_n}$ of powers of $K$, only if $t$ is a multiple of the gcd of the $t_i$'s (where $M = pq$, a product of two primes). Actually the corollary below does not quite establish this. The argument relies on the current belief [13, p. 126] that computing $r$th roots (mod $M$) for integral $r > 1$ is as difficult as factoring $M$. We remark that this is proved in [12] for the case $r = 2$. The method therein generalizes to the case $r \mid \phi(M)$, where $\phi(M)$ is the Euler totient function.

THEOREM. Let $t$ and $t_1, \ldots, t_n$ be given integers and suppose there is a computable function $F$ for which

$$K^t = F(K^{t_1}, K^{t_2}, \ldots, K^{t_n}) \pmod{M}$$

for every $K$ in $Z^{\times}$, the group of units mod $M$. Let

$$d = \gcd\{t_i\}, \quad e = \gcd(t, d), \quad \text{and} \quad r = d/e.$$

Then we can compute $r$th roots in $Z^{\times}$.

PROOF. Taking any $H$ in $Z^{\times}$, we will compute $H^{1/r} \pmod{M}$. Let $K = H^{1/d}$ (we cannot necessarily compute $K$) and $r_i = t_i/d$. Choose $a$ and $b$ so that $e = at + bd$. Then

$$H^{1/r} = H^{e/d} = K^e = K^{bd} K^{at} = H^b F(K^{t_1}, \ldots, K^{t_n})^a$$

$$= H^b F(K^{d r_1}, \ldots, K^{d r_n})^a$$

$$= H^b F(H^{r_1}, \ldots, H^{r_n})^a \pmod{M},$$

and this can be computed. []

COROLLARY. Under the assumptions of the above theorem, $r = 1$ and hence $\gcd\{t_i\} \mid t$.

PROOF. Otherwise we could compute nontrivial roots in $Z^{\times}$. []

APPENDIX B

Given two positive integers r and s, where s is even and r < s, the function "relative_prime" returns a unique positive integer which depends on r and is relatively prime to s. The function repeatedly replaces r by r/gcd(r, s) until a number is obtained which is relatively prime to s. If this number is larger than 1, it is returned as the answer; otherwise the original value of r is incremented by 2 and the above step repeated. The function is guaranteed to terminate; in the worst case (s - 1) is returned as the answer.

     1. relative_prime (r, s)
     2. if (r is even) then r ← r + 1
     3. outer ← false
     4. while (outer = false) do
     5. begin
     6.     w ← r
     7.     inner ← false
     8.     while (inner = false) do
     9.     begin
    10.         x ← gcd (w, s)
    11.         if (x = 1) then inner ← true
    12.         else w ← w / x
    13.     end
    14.     if w ≠ 1 then outer ← true
    15.     else r ← r + 2
    16. end
    17. relative_prime ← w.

In order to evaluate the efficiency of "relative_prime", the function was tried on pairs of random numbers r and s of size 40 and 90 decimal digits, respectively. Out of 100 such runs the inner loop (lines 8-13) was executed exactly once in 72 runs, twice in 16 runs, three times in 9 runs, and four times in 3 runs. Line 15 was never executed (i.e., the outer loop initiated at line 4 was never iterated more than once). This result is justified by noting that the probability that two large random integers (one even and one odd) are relatively prime is

(1 1) ( 1 + 1 1 )

~ 1 - \ 9 2 5 + ~ + ' ' '

11 > 1 - + 1 + - + - -

: 4 16

~r 2 1 1 =i---~-+i+~+i- ~

2 3
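Added example (not from the paper): the exponentiation cipher of Section 3.3 with $b_i$ obtained from $K_i$ by the "relative_prime" function of Appendix B, written in Python. The prime N = 2^127 - 1, the 15-byte block size and the helper names other than relative_prime are assumptions made for the example.

```python
from math import gcd

N = 2**127 - 1   # public prime (a Mersenne prime), constructed choice
BLOCK = 15       # bytes per block, so every block integer is < 2**120 < N


def relative_prime(r, s):
    """Appendix B: derive from r a number > 1 that is coprime to the even s."""
    if s % 2 or not 0 < r < s:
        raise ValueError("need s even and 0 < r < s")
    if r % 2 == 0:
        r += 1
    while True:
        w = r
        x = gcd(w, s)
        while x != 1:          # inner loop: strip every factor shared with s
            w //= x
            x = gcd(w, s)
        if w != 1:
            return w
        r += 2                 # nothing coprime to s was left; try next odd r


def class_exponents(k_i):
    """b_i = K_i when coprime to N-1, else relative_prime(K_i, N-1);
    a_i is the inverse of b_i modulo N-1 (Python 3.8+)."""
    b = k_i if gcd(k_i, N - 1) == 1 else relative_prime(k_i, N - 1)
    return pow(b, -1, N - 1), b


def encipher_object(data, a):
    """Split bytes into zero-padded blocks x < N and compute x^a mod N."""
    chunks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    blocks = [int.from_bytes(c.ljust(BLOCK, b"\0"), "big") for c in chunks]
    return [pow(x, a, N) for x in blocks], len(data)


def decipher_object(cipher, length, b):
    """Recover x = (x')^b mod N per block and drop the zero padding."""
    raw = b"".join(pow(c, b, N).to_bytes(BLOCK, "big") for c in cipher)
    return raw[:length]
```

A key that shares the factors 3 and 7 with N - 1, such as 3 * 7 * 1000003, exercises the fallback path in `class_exponents`.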

ACKNOWLEDGMENTS

We would like to thank the editors and referees of this journal for several useful comments. The last example of Section 4 was suggested by Glenn MacEwen.

REFERENCES

1. BELL, D.E., AND LAPADULA, L.J. Secure computer systems: Mathematical foundations and model. Rep. M74-244, The MITRE Corp., Bedford, Mass., May 1973.

2. NATIONAL BUREAU OF STANDARDS. Data Encryption Standard, Federal Information Processing Standards (FIPS), Publication 46. National Bureau of Standards, Wash., D.C., Jan. 1977.

3. DENNING, D.E. A lattice model of secure information flow. Commun. ACM 19, 5 (May 1976), 236-243.

4. DENNING, D.E.R. Cryptography and Data Security. Addison-Wesley, Reading, Mass., 1982.

5. GUDES, E. The design of a cryptography based secure file system. IEEE Trans. Softw. Eng. SE-6, 5 (Sept. 1980), 411-420.

6. KNUTH, D.E. The Art of Computer Programming, vol. 2. Addison-Wesley, Reading, Mass., 1981.

7. KONHEIM, A.G. Cryptography: A Primer. Wiley, New York, 1981.

8. LAMPORT, L. Password authentication with insecure communication. Commun. ACM 24, 11 (Nov. 1981), 770-772.

9. MACKINNON, S., TAYLOR, P.D., MEIJER, H., AND AKL, S.G. An optimal algorithm for assigning cryptographic keys to control access in a hierarchy. (In preparation.)

10. MEYER, C., AND MATYAS, S.M. Cryptography--A New Dimension in Computer Security. Wiley, New York, 1982.

11. POHLIG, S.C., AND HELLMAN, M.E. An improved algorithm for computing logarithms over GF(p) and its cryptographic significance. IEEE Trans. Inf. Theory IT-24, 1 (Jan. 1978), 106-110.

12. RABIN, M.O. Digitalized signatures and public-key functions as intractable as factorization. Tech. Rep. MIT/LCS/TR-212, Laboratory for Computer Science, Massachusetts Institute of Technology, Cambridge, Mass., Jan. 1979.

13. RIVEST, R.L., SHAMIR, A., AND ADLEMAN, L. A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21, (Feb. 1978), 120-126.

14. SIMMONS, G.J. Symmetric and asymmetric encryption. ACM Comput. Surv. 11, 4 (Dec. 1979), 305-330.

15. VINOGRADOV, I.M. An Introduction to the Theory of Numbers. Pergamon, Elmsford, N.Y., 1955.

Received December 1982; revised March 1983; accepted March 1983
