1 / 25

A Key Management Scheme for Hierarchical Access Control in Group Communication

A Key Management Scheme for Hierarchical Access Control in Group Communication. Qiong Zhang, Yuke Wang Jason P, Jue 2008 International Journal of Network Security Vol7 2013. 05. 13 Tae Hoon Kim. Referenced ppt by Seung -Tae Hong A-Ra Jo. Contents. 1. Introduction

frieda
Télécharger la présentation

A Key Management Scheme for Hierarchical Access Control in Group Communication

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. A Key Management Scheme for Hierarchical Access Control in Group Communication Qiong Zhang, Yuke Wang Jason P, Jue 2008 International Journal of Network Security Vol7 2013. 05. 13 Tae HoonKim Referenced ppt by Seung-Tae Hong A-Ra Jo

  2. Contents 1. Introduction 2. Background and Related Work 2.1 Formalization of Partially ordered Relations 2.2 Related work 3. The HAC Scheme 4. Rekey Algorithm 5. Performance Analysis 5.1 Storage Overhead 5.2 Rekey Overhead 6. Performance Comparison 7. Conclusion

  3. Introduction • Emerging Internet application • Teleconferencing, e-newspaper, IPTV • Based on group communication • In order to widely commercialize(Internet Application), the issue of access control must be addressed. • Access control • : User having different access rights to multiple data streams • Hierarchical access control • Include e-newspaper subscription and video multicast services • Commercialize :상업화

  4. Introduction • For Example, consider two types of service • E-newspaper subscription service • Video multicast service • BL : Best Layer • EL : Enhancement Layer

  5. Introduction • What is need to implement access control for group communication? • Data encryption keys • Often used to encrypt data streams • User Access • If the user possesses the data encryption keys • Must be update data encryption keys • When a user dynamically joins or leaves a group • Use backward secrecy and forward secrecy[12]

  6. Introduction • Key management schemes aim • update the data encryption keys in order to ensure backward secrecy and forward secrecy • Two categories of key management scheme • Centralized • A centralized key server controls the entire group • Generates keys and distribute keys to legitimate users via rekey messages • Distributed • No centralized group controller and generate group keys based on the contribution of users in the group

  7. Introduction • In this paper, focus on a centralized key management scheme • It is critical to minimize rekey overhead in order to reduce the cost for communication and computation and computation at the key server and users

  8. Formalization of partially ordered relation • Notation • U : A set of users {u1, u2, …} • R : A set of data streams {r1, r2, …} • A : An access relation, where A U R • Ui: Membership group i consisting of a subset of users • Ri: Resource group i consisting of a subset of data streams • Partial order of users(In an access relation A) • If the data streams that user uican access is a subset of data streams that user ujcan access, then uiis smaller than uj • If users uiand ujcan access exactly the same subset of data streams, both users are equivalent

  9. Formalization of partially ordered relation • Partial order of users (cont.) • If the set of users that can access data stream rjis a subset of users that can access data stream ri, then riis smaller than rj • If the set of users that can access data stream riis exactly same as the set of users that can access data stream rj, the two data streams are equivalent R3 U1 U2 R1 U3 R2 U4

  10. Formalization of partially ordered relation • DAG(Directed Acyclic graph)[3] • The partially ordered relations of membership groups and resource groups can each be represented by a DAG

  11. Formalization of partially ordered relation • Satisfy the following conditions • 1)it must maintain the partial orders of the membership group DAG and the resource group DAG • 2)a user u U has access to a resource r R iff vertex representing U is the same as the vertex representing R or is reachable to the vertex representing R in the unified DAG • 3)the unified DAG is the smallest partial order satisfying the above conditions

  12. Related work • Logical key graph[22] • Important data structure to improve the efficiency of key management • Consisting of k-nodes, U-nodes • K-nodes : Represents a key • U-nodes : Represents a user

  13. Related work • Keyset(U1) = { k1,k7,k9, k11} • Userset(k9) = {u1,u2,u3,u4} K-node that has no outgoing edges data encryption keys Data encryption key : used to data streams encryption keys key Key encryption key : used to data encryption keys Keyset(U1) One or more outgoing edges but no incoming edges Userset(k9)

  14. Related work • Logical key graph be used to • Maintained at key server in order to efficiently distribute keys to dynamically joining or leaving users • Many key management schemes[2,7,8,10,16,22,23] • Proposed to construct a logical key graph and to update keys in the logical graph efficiently • Problem : only provide key management for equivalent users and equivalent data stream

  15. Related work • Constructing a single logical key graph for hierarchical access control[17,19,24] • [19] : User have different leveland higher-level users can access more data streams than lower-level users • Problem : higher-level user are able to access all data streams • [24] : Chinese Reminder Theorem based hierarchical access control scheme • Problem : only suitable for users having a tree-based partially ordered hierarchy • [17] : Users form a partially ordered relation while the data streams are not partially ordered(MG Scheme)

  16. Related work MG Vs. HAC scheme MG HAC • Data stream2 : Financial • Data stream3 : Stock HAC(Hierarchical Access control)

  17. The HAC Scheme • Four steps to construct the logical key graph • Next slide • In the key graph • Users in Ui form a balanced binary tree • mki is root represents the memebership-group Key • RiisResource group • Encrypted by a resource-group key, dki • The membership-group-keys are connected with resource-group keys by the relation subgraph • Use greedy algorithm • To explore the unified DAG • For constructing the sub graph

  18. R1 R2 R3 ① For each resource group, encrypt all data streams in the resource group with a singledata encryption key, called the resource-group key Unified DAG rk4 dk3 Relation subgraph dk2 dk1 rk1 rk3 k25 rk2 • ④ Connect the roots of membership-group subtrees to the corresponding resource-group keys • ② For each membership group, constructa balanced logical key tree called the membership-group subtree, where each user is represented by a u-node and the root ofthe subtree is associated with a key, calledthe membership-group key • ③ Construct a relation subgraphto connectthe resources-group keys based on a unified DAG Balanced logical key tree (membership-group subtree)

  19. Greedy algorithm of the HAC Scheme Notation • M = set of membership group in Vi • K = set of k-nodes; cover disjoint set of membership group • C = set of membership group in M; that has been covered by k-nodes in K • U = set of uncovered membership groups in M • RK = set of representative k-nodes; has been generated • Userset = set of membership groups covered by a representative k-node rkj

  20. Rekey Algorithm • Update the keys in the key graph • User join, leave, or switch membership groups dynamically • The service provider changes access relations dynamically • Case1)User u8 switches from U2 to U1 k8 k26 k20 k17 dk1 mk2 mk1 dk3 k26 dk2 k8 Send {k26}k8 to u8 {k26}k1 to u1 Send {mk’2}k19 to u5, u6 {mk’2}k7 to u7 u8

  21. Rekey Algorithm • Case2)Update the access relations(new data stream, new membership group) R4 dk3’ rk4’ dk4 rk5

  22. Performance Comparison • Experiment environment • Compare the performance of the HAC scheme with the MG scheme • Measured storage overhead and rekey overhead • Develop a simulation model to construct logical key graphs with d =2 based on access relation and to simulate user actions in the system • Consider three cases where equivalent data streams to group, and the number of data streams per resource group is shown in Table3

  23. Performance Comparison • Why HAC experiment is only one? • All data streams in a resource group are encrypted by the same resource-group key Note that, Case III is much higher than the differerce between the HAC scheme and Case II HAC Scheme 3 1 1 1 3 1 1 1

  24. Performance Comparison • We can see that • HAC scheme results in less rekey overhead than the MG Scheme HAC Scheme 3 1 1 1 3 1 1 1

  25. Conclusion • In the HAC scheme • Proposed a hierarchical access control key management scheme for group communication • Employed an algorithm to construct a key graph based on a unified relation of membership groups and resource group • Can handle complex access relations • In the key graph • Equivalent data streams are grouped in a resource group and are encrypted by a single data encryption key • Future work • To employ the batch rekeying[23] scheme in order to further improve the key management efficiency

More Related