A flexible hierarchical access control mechanism enforcing extension policies

Chang, Ya-Fen

doi:10.1002/sec.971

Cited by 7 publications

(9 citation statements)

References 35 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…It allows the data owner to temporarily delegate decryption rights of a security class SC i to another security class SC j in such a way that SC j can access data encrypted directly for SC i but cannot access data encrypted for any of SC i 's descendant security classes. For example in figure 1, class delegation with descendant(s) safety from SC 6 to SC 2 means that data intended directly for SC 6 is accessible to SC 2 and SC 1 . However, data intended for SC 7 is accessible to neither SC 2 nor SC 1 .…”

Section: Number Of Secrets Stored By a Security Class Is Constantmentioning

confidence: 99%

“…However, their scheme [5] requires Oðn 2 Þ public storage and features inefficient dynamic update operations, which require public parameters corresponding to all ancestors as well as all descendants of the affected security class to be updated by the data owner. In 2015, Chang [6] proposed another flexible HKAS with the same motivation of enforcing explicit transitive and anti-symmetric exceptions in a traditional access hierarchy. The scheme in [6] uses ECC and efficient one-way hash functions to achieve constant key derivation cost.…”

Section: Related Workmentioning

confidence: 99%

“…In 2015, Chang [6] proposed another flexible HKAS with the same motivation of enforcing explicit transitive and anti-symmetric exceptions in a traditional access hierarchy. The scheme in [6] uses ECC and efficient one-way hash functions to achieve constant key derivation cost. However, storage cost of implementing the scheme is Oðn 2 Þ for a hierarchy of n classes.…”

Section: Related Workmentioning

confidence: 99%

“…In practical application scenarios, explicit policy exceptions may be desired in the hierarchy by either extending the access rights of a security class or by revoking their designated access to some data items or both. These explicit policy exceptions include transitive exception and anti-symmetric exception [5,6]. In transitive exception, SC i can access SC j and SC j can access SC k but SC i cannot access SC k .…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Extended hierarchical key assignment scheme (E-HKAS): how to efficiently enforce explicit policy exceptions in dynamic hierarchies

Pareek

Purushothama

2019

Sādhanā

View full text Add to dashboard Cite

In this paper, we focus on practically motivated flexibility requirements for the hierarchical access control model, namely transitive exception and anti-symmetric exception. Additionally, we motivate a new flexibility requirement called ''class delegation with descendant(s) safety'' in a practical application scenario. We propose our extended hierarchical key assignment scheme (E-HKAS) that satisfies all three aforementioned flexibility requirements in a dynamic hierarchy of security classes. To propose a generic E-HKAS, we model the hierarchical access control policy as a collection of access groups. E-HKAS enforces transitive and antisymmetric exceptions using an efficient group-based encryption scheme. To enforce class delegation with descendant(s) safety, we propose a novel cryptographic primitive called group proxy re-encryption (GPRE) that supports proxy re-encryption between two access groups. We present an IND-CPA-secure construction of our proposed GPRE scheme and formally prove its security. Performance analysis shows that the proposed E-HKAS enforces explicit transitive and anti-symmetric exceptions more efficiently than the existing approaches in the literature. Computation cost for key derivation is constant and does not depend on the depth of the hierarchy. Also, to enforce class delegation with descendant(s) safety, the proposed E-HKAS requires constant number of computational steps to be executed. adhana(0123456789().,-volV)FT3 ](0123456789().,-volV)

show abstract

Section: Number Of Secrets Stored By a Security Class Is Constantmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Extended hierarchical key assignment scheme (E-HKAS): how to efficiently enforce explicit policy exceptions in dynamic hierarchies

Pareek

Purushothama

2019

Sādhanā

View full text Add to dashboard Cite

show abstract

“…Much of the prior work in this area was concerned with designing access control systems from basic cryptographic primitives [18,15,2,11,10,9,8] and/or designing new primitives tailored for the problem of access control [17,23,24,14]. For the most part, the security of cryptographic access control systems was only heuristically studied.…”

Section: Introductionmentioning

confidence: 99%

Universally Composable Cryptographic Role-Based Access Control

Liu

Warinschi

2016

Provable Security

View full text Add to dashboard Cite

Abstract. In cryptographic access control sensitive data is protected by cryptographic primitives and the desired access structure is enforced through appropriate management of the secret keys. In this paper we study rigorous security definitions for the cryptographic enforcement of Role Based Access Control (RBAC). We propose the first simulationbased security definition within the framework of Universal Composability (UC). Our definition is natural and intuitively appealing, so we expect that our approach would carry over to other access models. Next, we establish two results that clarify the strength of our definition when compared with existing ones that use the game-based definitional approach. On the positive side, we demonstrate that both read and writeaccess guarantees in the sense of game-based security are implied by UC security of an access control system. Perhaps expected, this result serves as confirmation that the definition we propose is sound. Our main technical result is a proof that simulation-based security requires impractical assumptions on the encryption scheme that is employed. As in other simulation-based settings, the source of inefficiency is the well known "commitment problem" which naturally occurs in the context of cryptographic access control to file systems.

show abstract

Efficient dynamic key‐aggregate cryptosystem for secure and flexible data sharing

Pareek

Maiti

2022

Concurrency and Computation

View full text Add to dashboard Cite

Summary Secure and efficient enforcement of dynamic access control policies on shared data is a central problem in dynamic and scalable application scenarios, including the Internet of Things and smart cities. Key‐aggregate cryptosystem (KAC) is an efficient mechanism to delegate decryption rights of a subset of a large collection of data items to authorized users. While KAC provides an efficient solution to the problem of secure data sharing, we identify that using it to enforce continuously changing access policies is highly inefficient. In this article, we propose a novel dynamic KAC that, in addition to satisfying all key‐aggregate efficiency requirements, enforces dynamic updates to the aggregate sets with constant computation and constant communication cost. We propose a concrete construction for our dynamic KAC, prove its soundness and formal security, and analyze its theoretical and practical performance. We implement the procedures of a dynamic hierarchical key assignment scheme using the proposed as well as the existing dynamic KACs. We compare the costs of enforcing dynamic updates in large hierarchies. We conclude that the performance enhancement achieved by the proposed dynamic KAC compared to the existing KACs is even more significant in practical access control scenarios.

show abstract

A flexible hierarchical access control mechanism enforcing extension policies

Cited by 7 publications

References 35 publications

Extended hierarchical key assignment scheme (E-HKAS): how to efficiently enforce explicit policy exceptions in dynamic hierarchies

Extended hierarchical key assignment scheme (E-HKAS): how to efficiently enforce explicit policy exceptions in dynamic hierarchies

Universally Composable Cryptographic Role-Based Access Control

Efficient dynamic key‐aggregate cryptosystem for secure and flexible data sharing

Contact Info

Product

Resources

About