Abstract
In this paper, we focus on practically motivated flexibility requirements for the hierarchical access control model, namely transitive exception and anti-symmetric exception. Additionally, we motivate a new flexibility requirement called “class delegation with descendant(s) safety” in a practical application scenario. We propose our extended hierarchical key assignment scheme (E-HKAS) that satisfies all three aforementioned flexibility requirements in a dynamic hierarchy of security classes. To propose a generic E-HKAS, we model the hierarchical access control policy as a collection of access groups. E-HKAS enforces transitive and anti-symmetric exceptions using an efficient group-based encryption scheme. To enforce class delegation with descendant(s) safety, we propose a novel cryptographic primitive called group proxy re-encryption (GPRE) that supports proxy re-encryption between two access groups. We present an IND-CPA-secure construction of our proposed GPRE scheme and formally prove its security. Performance analysis shows that the proposed E-HKAS enforces explicit transitive and anti-symmetric exceptions more efficiently than the existing approaches in the literature. Computation cost for key derivation is constant and does not depend on the depth of the hierarchy. Also, to enforce class delegation with descendant(s) safety, the proposed E-HKAS requires constant number of computational steps to be executed.
References
Atallah M J, Frikken K B and Blanton M 2005 Dynamic and efficient key management for access hierarchies. In: Proceedings of the 12th ACM Conference on Computer and Communications Security (CCS’05), pp. 190–202
Yeh J H, Chow R and Newman R 1998 A key assignment for enforcing access control policy exceptions. In: Proceedings of the International Symposium on Internet Technology, pp. 54–59
Yeh J H, Chow R and Newman R 2003 Key assignment for enforcing access control policy exceptions in distributed systems. Inf. Sci. 152: 63–88
Lin I C, Hwang M S and Chang C C 2003 A new key assignment scheme for enforcing complicated access control policies in hierarchy. Future Gener. Comput. Syst. 19: 457–462
Chang Y F and Chang C C 2007 Tolerant key assignment for enforcing complicated access control policies in a hierarchy. Fundam. Inform. 76: 13–23
Chang Y F 2015 A flexible hierarchical access control mechanism enforcing extension policies. Secur. Commun. Netw. 8: 189–201
Koti N and Purushothama B R 2016 Group-oriented encryption for dynamic groups with constant rekeying cost. Secur. Commun. Netw. 9: 4120–4137
Pareek G and Purushothama B R 2019 Flexible cryptographic access control through proxy re-encryption between groups. In: Proceedings of the 20th International Conference on Distributed Computing and Networking, pp. 507–507
Qin Z, Xiong H, Wu S and Batamuliza J 2016 A survey of proxy re-encryption for secure data sharing in cloud computing. IEEE Trans. Serv. Comput. 9: 1–18
Akl S G and Taylor P D 1983 Cryptographic solution to a problem of access control in a hierarchy. ACM Transactions on Computer Systems (TOCS’83) 1: 239–248
Sandhu R S 1998 Cryptographic implementation of a tree hierarchy for access control. Inf. Process. Lett. 27: 95–98
Zhang Q and Wang Y 2004 A centralized key management scheme for hierarchical access control. In: Proceedings of the IEEE Global Telecommunications Conference (GLOBECOM’04), pp. 2067–2071
Ferrara A L and Masucci B 2003 An information-theoretic approach to the access control problem. In: Proceedings of the Italian Conference on Theoretical Computer Science, pp. 342–354
Chang C C, Lin I C, Tsai H M and Wang H H 2004 A key assignment scheme for controlling access in partially ordered user hierarchies. In: Proceedings of the 18th International Conference on Advanced Information Networking and Applications (AINA’04), pp. 376–379
Das M L, Saxena A, Gulati V P and Phatak D B 2005 Hierarchical key management scheme using polynomial interpolation. ACM SIGOPS Oper. Syst. Rev. 39: 40–47
Hui M T and Chin C C 1995 A cryptographic implementation for dynamic access control in a user hierarchy. Comput. Secur. 14: 159–166
Odelu V, Das A K and Goswami A 2013 A novel linear polynomial-based dynamic key management scheme for hierarchical access control. Int. J. Trust Manag. Comput. Commun. 1: 156–174
Odelu V, Das A K and Goswami A 2013 An effective and secure key-management scheme for hierarchical access control in e-medicine system. J. Med. Syst. 37: 1–18
Chen Y R, Chu C K, Tzeng W G and Zhou J 2013 Cloudhka: a cryptographic approach for hierarchical access control in cloud computing. In: Proceedings of the International Conference on Applied Cryptography and Network Security (ACNS’13), pp. 37–52
Tang S, Li X, Huang X, Xiang Y and Xu L 2016 Achieving simple, secure and efficient hierarchical access control in cloud computing. IEEE Trans. Comput. 65: 2325–2331
Pareek G and Purushothama B R 2017 On efficient access control mechanisms in hierarchy using unidirectional and transitive proxy re-encryption schemes. In: Proceedings of the 14th International Conference on Security and Cryptography (SECRYPT’17), pp. 519–524
Chen Y R and Tzeng W G 2017 Hierarchical key assignment with dynamic read–write privilege enforcement and extended KI-security. In: Proceedings of the International Conference on Applied Cryptography and Network Security (ACNS’17), pp. 165–183
Hwang M S 2000 Cryptanalysis of YCN key assignment scheme in a hierarchy. Inf. Process. Lett. 73: 97–101
Freire E S V, Paterson K G and Poettering B 2013 Simple, efficient and strongly KI-secure hierarchical key assignment schemes. In: Proceedings of the Cryptographers Track at the RSA Conference (CT-RSA), pp. 101–114
Castiglione A, Santis A D and Masucci B 2015 Key indistinguishability versus strong key indistinguishability for hierarchical key assignment schemes. IEEE Trans. Depend. Secure Comput. 13: 451–460
Santis A D, Ferrara A L and Masucci B 2011 Efficient provably-secure hierarchical key assignment schemes. Theor. Comput. Sci. 412: 5684–5699
Acknowledgements
This work was supported by the Ministry of Human Resource Development, Government of India.
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
Pareek, G., Purushothama, B.R. Extended hierarchical key assignment scheme (E-HKAS): how to efficiently enforce explicit policy exceptions in dynamic hierarchies. Sādhanā 44, 235 (2019). https://doi.org/10.1007/s12046-019-1216-8
Received:
Revised:
Accepted:
Published:
DOI: https://doi.org/10.1007/s12046-019-1216-8