DOI: 10.1145/1133058.1133062

Key management for non-tree access hierarchies

Published: 07 June 2006

Abstract

Access hierarchies are useful in many applications and are modeled as a set of access classes organized by a partial order. A user who obtains access to a class in such a hierarchy is entitled to access objects stored at that class, as well as objects stored at its descendant classes. Efficient schemes for this framework assign only one key to a class and use key derivation to permit access to descendant classes. Ideally, the key derivation uses simple primitives such as cryptographic hash computations and modular additions. A straightforward key derivation time is then linear in the length of the path between the user's class and the class of the object that the user wants to access. Recently, work presented in [2] has given an efficient solution that significantly lowers this key derivation time, while using only hash functions and modular additions. Two fast key-derivation techniques in that paper were given for trees, achieving O(log log n) and O(1) key derivation times, respectively, where n is the number of access classes. The present paper presents efficient key derivation techniques for hierarchies that are not trees, using a scheme that is very different from the above-mentioned paper. The construction we give in the present paper is recursive and uses the one-dimensional case solution as its base. It makes a novel use of the notion of the dimension d of an access graph, and provides a solution through which no key derivation requires more than 2d+1 hash function computations, even for "unbalanced" hierarchies whose depth is linear in their number of access classes n. The significance of this result is strengthened by the fact that many access graphs have a low d value (e.g., trees correspond to the case d = 2). Our scheme has the desirable property (as did [2] for trees) that addition and deletion of edges and nodes in the access hierarchy can be "contained".
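
The straightforward baseline the abstract describes (one key per class, derivation by hashing and modular addition, cost linear in path length), shown on a small non-tree hierarchy. This is an added example, not code from the paper, and it does not implement the paper's 2d+1 construction. The per-edge public value formula, SHA-256, the 128-bit key size and the class names are assumptions of this sketch.

```python
import hashlib
import secrets

RHO = 128                 # key length in bits (assumed parameter)
MOD = 1 << RHO

# Constructed non-tree hierarchy: "ops" has two parents, so it is a DAG, not a tree.
EDGES = [("root", "eng"), ("root", "fin"), ("eng", "ops"),
         ("fin", "ops"), ("ops", "logs")]
NODES = sorted({n for e in EDGES for n in e})


def H(key: int, label: bytes) -> int:
    """Hash a parent key with the child's public label, reduced mod 2^RHO."""
    digest = hashlib.sha256(key.to_bytes(RHO // 8, "big") + label).digest()
    return int.from_bytes(digest, "big") % MOD


def setup():
    """One secret key and one public label per class, one public value per edge."""
    keys = {v: secrets.randbits(RHO) for v in NODES}
    labels = {v: secrets.token_bytes(16) for v in NODES}
    # Assumed edge rule: y(v,w) = k_w - H(k_v, l_w) mod 2^RHO, published openly.
    public = {(v, w): (keys[w] - H(keys[v], labels[w])) % MOD for v, w in EDGES}
    return keys, labels, public


def derive(start_key: int, path, labels, public):
    """Walk a downward path; returns (derived key, hash computations used)."""
    key, hashes = start_key, 0
    for v, w in zip(path, path[1:]):
        key = (H(key, labels[w]) + public[(v, w)]) % MOD
        hashes += 1
    return key, hashes


KEYS, LABELS, PUBLIC = setup()

if __name__ == "__main__":
    # Both routes through the diamond reach the same key; cost equals path length.
    for path in (["root", "eng", "ops", "logs"], ["root", "fin", "ops", "logs"]):
        key, hashes = derive(KEYS["root"], path, LABELS, PUBLIC)
        print(path, "ok" if key == KEYS["logs"] else "mismatch", f"{hashes} hashes")
```

In a hierarchy whose depth grows with n, this per-edge walk is the linear cost that the paper's bound of 2d+1 hash computations avoids.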

References

[1] S. Akl and P. Taylor. Cryptographic solution to a problem of access control in a hierarchy. ACM Transactions on Computer Systems, 1(3):239--248, September 1983.
[2] M. Atallah, K. Frikken, and M. Blanton. Dynamic and efficient key management for access hierarchies. In ACM Conference on Computer and Communications Security (CCS'05), pages 190--201, 2005.
[3] C. Chang and D. Buehrer. Access control in a hierarchy using a one-way trapdoor function. Computers and Mathematics with Applications, 26(5):71--76, 1993.
[4] C. Chang, I. Lin, H. Tsai, H. Wang, and T. Taichung. A key assignment scheme for controlling access in partially ordered user hierarchies. In International Conference on Advanced Information Networking and Application (AINA'04), 2004.
[5] T. Chen, Y. Chung, and C. Tian. A novel key management scheme for dynamic access control in a user hierarchy. In IEEE Annual International Computer Software and Applications Conference (COMPSAC'04), pages 396--401, September 2004.
[6] G. Chick and S. Tavares. Flexible access control with master keys. In Advances in Cryptology -- CRYPTO'89, volume 435 of LNCS, pages 316--322, 1990.
[7] H. Chien and J. Jan. New hierarchical assignment without public key cryptography. Computers & Security, 22(6):523--526, 2003.
[8] B. Dushnik and E.W. Miller. Partially ordered sets. American Journal of Mathematics, 63:600--610, 1941.
[9] A. Ferrara and B. Masucci. An information-theoretic approach to the access control problem. In Italian Conference on Theoretical Computer Science (ICTCS'03), volume 2841, pages 342--354, October 2003.
[10] L. Harn and H. Lin. A cryptographic key generation scheme for multilevel data security. Computers & Security, 9(6):539--546, October 1990.
[11] M. He, P. Fan, F. Kaderali, and D. Yuan. Access key distribution scheme for level-based hierarchy. In International Conference on Parallel and Distributed Computing, Applications and Technologies (PDCAT'03), pages 942--945, August 2003.
[12] M. Hwang. An improvement of novel cryptographic key assignment scheme for dynamic access control in a hierarchy. IEICE Trans. Fundamentals, E82-A(2):548--550, March 1999.
[13] M. Hwang and W. Yang. Controlling access in large partially ordered hierarchies using cryptographic keys. Journal of Systems and Software, 67(2):99--107, August 2003.
[14] H. Liaw, S. Wang, and C. Lei. A dynamic cryptographic key assignment scheme in a tree structure. Computers and Mathematics with Applications, 25(6):109--114, 1993.
[15] C. Lin. Hierarchical key assignment without public-key cryptography. Computers & Security, 20(7):612--619, 2001.
[16] I. Lin, M. Hwang, and C. Chang. A new key assignment scheme for enforcing complicated access control policies in hierarchy. Future Generation Computer Systems, 19(4):457--462, 2003.
[17] S. MacKinnon, P. Taylor, H. Meijer, and S. Akl. An optimal algorithm for assigning cryptographic keys to control access in a hierarchy. IEEE Transactions on Computers, 34(9):797--802, September 1985.
[18] P. Maheshwari. Enterprise application integration using a component-based architecture. In IEEE Annual International Computer Software and Applications Conference (COMSAC'03), pages 557--563, 2003.
[19] K. Ohta, T. Okamoto, and K. Koyama. Membership authentication for hierarchical multigroups using the extended Fiat-Shamir scheme. In Workshop on the Theory and Application of Cryptographic Techniques on Advances in Cryptology, pages 446--457, February 1991.
[20] M.H. Overmars and J. van Leeuwen. Dynamization of order decomposable set problems. Journal of Algorithms, 2(3):245--260, 1981.
[21] M.H. Overmars and J. van Leeuwen. Maintenance of configurations in the plane. Journal of Computer and Systems Science, 23(2):166--204, 1981.
[22] I. Ray, I. Ray, and N. Narasimhamurthi. A cryptographic solution to implement access control in a hierarchy and more. In ACM Symposium on Access Control Models and Technologies, June 2002.
[23] J. Rose and J. Gasteiger. Hierarchical classification as an aid to database and hit-list browsing. In International Conference on Information and Knowledge Management, pages 408--414, 1994.
[24] R. Sandhu. On some cryptographic solutions for access control in a tree hierarchy. In Fall Joint Computer Conference on Exploring technology: today and tomorrow, pages 405--410, December 1987.
[25] R. Sandhu. Cryptographic implementation of a tree hierarchy for access control. Information Processing Letters, 27(2):95--98, January 1988.
[26] A. De Santis, A. Ferrara, and B. Masucci. Cryptographic key assignment schemes for any access control policy. Information Processing Letters (IPL), 92(4):199--205, November 2004.
[27] W. Schnyder. Planar graphs and poset dimension. Order, 5:323--343, 1989.
[28] W.T. Trotter. Combinatorics and Partially Ordered Sets: Dimension Theory. Johns Hopkins University Press, Baltimore, MD, 1992.
[29] H. Tsai and C. Chang. A cryptographic implementation for dynamic access control in a user hierarchy. Computers & Security, 14(2):159--166, 1995.
[30] J. van Leeuwen and M.H. Overmars. The art of dynamizing. Mathematical Foundations of Computer Science, pages 121--131, 1981.
[31] M. Yannakakis. The complexity of the partial order dimension problem. SIAM Journal on Algebraic and Discrete Methods, 3:351--358, 1982.
[32] Y. Zheng, T. Hardjono, and J. Pieprzyk. Sibling intractable function families and their applications. In Advances in Cryptology - AsiaCrypt'91, LNCS, 1992.
[33] S. Zhong. A practical key management scheme for access control in a user hierarchy. Computers & Security, 21(8):750--759, 2002.

Published In

SACMAT '06: Proceedings of the eleventh ACM symposium on Access control models and technologies
June 2006
256 pages
ISBN: 1595933530
DOI: 10.1145/1133058

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. access hierarchy
  2. dimension of a graph
  3. fast key derivation

Qualifiers

  • Article

Conference

SACMAT06

Acceptance Rates

Overall Acceptance Rate 177 of 597 submissions, 30%

Cited By

  • (2017) Cryptographic enforcement of information flow policies without public information via tree partitions. Journal of Computer Security 25:6 (511-535). DOI: 10.3233/JCS-16863. Online publication date: 24-Aug-2017
  • (2017) Supporting dynamic updates in storage clouds with the Akl-Taylor scheme. Information Sciences: an International Journal 387:C (56-74). DOI: 10.1016/j.ins.2016.08.093. Online publication date: 1-May-2017
  • (2017) Symmetric Key Based Secure Resource Sharing. Security in Computing and Communications (179-194). DOI: 10.1007/978-981-10-6898-0_15. Online publication date: 10-Nov-2017
  • (2016) Cryptographic Hierarchical Access Control for Dynamic Structures. IEEE Transactions on Information Forensics and Security 11:10 (2349-2364). DOI: 10.1109/TIFS.2016.2581147. Online publication date: Oct-2016
  • (2016) Key Indistinguishability versus Strong Key Indistinguishability for Hierarchical Key Assignment Schemes. IEEE Transactions on Dependable and Secure Computing 13:4 (451-460). DOI: 10.1109/TDSC.2015.2413415. Online publication date: 1-Jul-2016
  • (2016) On the Relations Between Security Notions in Hierarchical Key Assignment Schemes for Dynamic Structures. Proceedings, Part II, of the 21st Australasian Conference on Information Security and Privacy - Volume 9723 (37-54). DOI: 10.1007/978-3-319-40367-0_3. Online publication date: 4-Jul-2016
  • (2012) Self-Protecting Access Control. Privacy Protection Measures and Technologies in Business Organizations (95-128). DOI: 10.4018/978-1-61350-501-4.ch004. Online publication date: 2012
  • (2011) Time-storage trade-offs for cryptographically-enforced access control. Proceedings of the 16th European conference on Research in computer security (245-261). DOI: 10.5555/2041225.2041244. Online publication date: 12-Sep-2011
  • (2011) Practical and efficient cryptographic enforcement of interval-based access control policies. ACM Transactions on Information and System Security 14:1 (1-30). DOI: 10.1145/1952982.1952996. Online publication date: 6-Jun-2011
  • (2011) Efficient enforcement of dynamic cryptographic access control policies for outsourced data. 2011 Information Security for South Africa (1-8). DOI: 10.1109/ISSA.2011.6027517. Online publication date: Aug-2011
