4 research outputs found

    A Diffie-Hellman based key management scheme for hierarchical access control

    All organizations share data in a carefully managed fashion by using access control mechanisms. We focus on enforcing access control by encrypting the data and managing the encryption keys. We make the realistic assumption that the structure of any organization is a hierarchy of security classes. Data from a certain security class can only be accessed by another security class if it is higher or at the same level in the hierarchy. Otherwise access is denied. Our solution is based on the Diffie-Hellman key exchange protocol. We show that the theoretical worst case performance of our solution is slightly better than that of all other existing solutions. We also show that our performance in practical cases is linear in the size of the hierarchy, whereas the best results from the literature are quadratic.

    A Simple and Fast Application of Hierarchical Organization Authorization in the Cloud

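    This paper proposes a simple and fast method, applied in cloud computing, for data authorization between groups in a hierarchical structure. In this method, each group in the structure has a public key PK and a private key SK, and the group's private key SK is encrypted with the public key of its direct superior group to produce a public parameter R. A direct-structure table publishes each group's public key, the corresponding public parameter R, and its direct superior group. A group encrypts a document with an encryption key derived from the group private key SK and uploads it to the cloud. An authorized group (that is, one of the superior groups) uses the public values in the direct-structure table to recursively compute, along the path, that group's private key SK and then decrypt the data. The proposed mechanism is also compared with the mechanisms proposed by AKL, Lo-Hwang-Liu, and Chu-Hsing Lin in several respects (participating members, efficiency, joining and leaving of members, and so on); the proposed mechanism has the advantages of requiring no CA (Certificate Authority), simple computation, and few changes to public parameters when the hierarchical structure grows.
    Sponsorship: Chinese Society of Information Management (中華民國資訊管理學會). Conference type: international. Conference date: 20150523~20150523. Book type: electronic edition. Call for papers: Y. Conference location: Taipei City, 台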

    Controlling Access in Large Partially-Ordered Hierarchies Using Cryptographic Keys

    No full text
    The problem of access control in a hierarchy is present in many application areas. Since computing resources have grown tremendously, access control is more frequently required in areas such as computer networks, database management systems, and operating systems. Many schemes based on cryptography have been proposed to solve this problem. However, previous schemes need large values associated with each security class. In this paper, we propose a new scheme to solve this problem achieving the following two goals. One is that the number of keys is reduced without affecting the security of the system. The other goal is that when a security class is added to the system, we need only update a few keys of the related security classes with simple operations.

    Indirect key derivation schemes for key management of access hierarchies

    In this thesis, we study the problem of key management within an access hierarchy. Our contribution to the key management problem is an indirect key derivation approach we call the HMAC-method. It is called the HMAC-method because it is based on hashed message authentication codes (HMACs) built from a fast, single, dedicated hash function (SHA-1). It is intended to provide an efficient indirect key management method for large access hierarchies resembling tree structures. We are able to achieve better tree traversals using a technique we created called path addressing. Our path addressing scheme allows us to efficiently calculate relationships between security classes, determine traversal paths, and improve the performance of indirect key derivation. We also present our cached key update scheme, which is meant to improve the indirect key derivation schemes on tree hierarchies by delaying key updates when changes to the structure of the access hierarchy are necessary, but the re-calculation and re-assignment of keys would either be costly or inconvenient. For access hierarchies represented as weakly/strongly connected directed acyclic graphs, we suggest modifications to our path addressing and key derivation scheme which could allow our HMAC-method to be applied to these types of hierarchies. Along the way, we discuss various current key management methods and discuss certain pragmatic issues that can arise which affect the applicability and implementation of a key management method.