Work progress -

Work progress -

A Key Management Scheme for Hierarchical Access Cont rol in Group Communication Qiong Zhang, Yuke Wang Jason P, Jue 2008 International Journal of Network Security Vol7 2013. 05. 13 Tae Hoon Kim Referenced ppt by Seung-Tae Hong A-Ra Jo Contents 1. Introduction 2. Background and Related Work 2.1 Formalization of Partially ordered Relations 2.2 Related work 3. The HAC Scheme 4. Rekey Algorithm 5. Performance Analysis 5.1 Storage Overhead 5.2 Rekey Overhead 6. Performance Comparison 7. Conclusion Introduction Emerging Internet application

Teleconferencing, e-newspaper, IPTV Based on group communication In order to widely commercialize(Internet Application), the iss ue of access control must be addressed. Access control : User having different access rights to multiple data streams Hierarchical access control Include e-newspaper subscription and video multicast se rvices Commercialize : 3 /25 Introduction Access Relation Sports

Financia l Stock Top News Weathe r Gold O O O O O Silver Sport O O O

O O O O Silver Finance O O Basic Access Relation EL2 EL1 BL Best Video Quality O

O O Moderate Video Quality O O O Basic For Example, consider two types of service E-newspaper subscription service Video multicast service BL : Best Layer EL : Enhancement Layer 4 /25 Introduction What is need to implement access control for gr oup communication?

Data encryption keys Often used to encrypt data streams User Access If the user possesses the data encryption keys Must be update data encryption keys When a user dynamically joins or leaves a group Use backward secrecy and forward secrecy[12] 5 /25 Introduction Key management schemes aim update the data encryption keys in order to ensure backward secrecy and forward secrecy Two categories of key management scheme Centralized A centralized key server controls the entire group

Generates keys and distribute keys to legitimate users via rek ey messages Distributed No centralized group controller and generate group keys b ased on the contribution of users in the group 6 /25 Introduction In this paper, focus on a centralized key manage ment scheme It is critical to minimize rekey overhead in order to reduce the cost for communication and computation and computatio n at the key server and users 7 /25 Formalization of partially order ed relation Notation U : A set of users {u1, u2, }

R : A set of data streams {r1, r2, } A : An access relation, where A U R Ui : Membership group i consisting of a subset of users Ri : Resource group i consisting of a subset of data streams Partial order of users(In an access relation A) If the data streams that user ui can access is a subset of data streams that user u can access, then ui is smaller than uj j If users ui and uj can access exactly the same subset of data s treams, both users are equivalent 8 /25 Formalization of partially order ed relation Partial order of users (cont.)

If the set of users that can access data stream r j is a subset of users that can access data stream ri, then r is smaller than r i j If the set of users that can access data stream r i is exactly sa me as the set of users that can access data stream r j , the two data streams are equivalent R:set of data streams Sports Financial Stock Top News Weather Gold O

O O O O U2 Silver Sport O O O U3 Silver Finance O O U4 Basic

O O U1 U : set of Users R1 O R2 O R3 9 /25 Formalization of partially order ed relation DAG(Directed Acyclic graph)[3] The partially ordered relations of membership groups and r esource groups can each be represented by a DAG 10/25

Formalization of partially order ed relation Satisfy the following conditi ons 1)it must maintain the partial orde rs of the membership group DAG a nd the resource group DAG 2)a user u U has access to a resou rce r R iff vertex representing U is the same as the vertex representi ng R or is reachable to the vertex r epresenting R in the unified DAG 3)the unified DAG is the smallest p artial order satisfying the above co nditions 11/25 Related work Logical key graph[22]

Important data structure to improve the efficiency of key man agement Consisting of k-nodes, U-nodes K-nodes : Represents a key U-nodes : Represents a user 12/25 Related work K-node that has no outgoing edges data encryption keys Data encryption key : used to data streams encryption keys key Key encryption key : used to data encryption keys Keyset(U1) One or more outgoing edges but no incoming edges Userset(k9) Keyset(U1) = { k1,k7,k9, k11}

Userset(k9) = {u1,u2,u3,u4} 13/25 Related work Logical key graph be used to Maintained at key server in order to efficiently distribute keys to dynamically joining or leaving users Many key management schemes[2,7,8,10,16,22, 23] Proposed to construct a logical key graph and to update keys i n the logical graph efficiently Problem : only provide key management for equivalent use rs and equivalent data stream 14/25 Related work Constructing a single logical key graph for hiera rchical access control[17,19,24] [19] : User have different level and higher-level users can acc ess more data streams than lower-level users Problem : higher-level user are able to access all data strea ms

[24] : Chinese Reminder Theorem based hierarchical access c ontrol scheme Problem : only suitable for users having a tree-based partia lly ordered hierarchy [17] : Users form a partially ordered relation while the data str eams are not partially ordered(MG Scheme) 15/25 Related work MG Vs. HAC scheme MG Data stream2 : Financial Data stream3 : Stock HAC HAC(Hierarchical Access control) 16/25 The HAC Scheme Four steps to construct the logical key graph

Next slide In the key graph Users in Ui form a balanced binary tree mki is root represents the memebership-group Key Ri is Resource group Encrypted by a resource-group key, dki The membership-group-keys are connected with resource-gro up keys by the relation subgraph Use greedy algorithm To explore the unified DAG

For constructing the sub graph 17/25 For each resource group, encrypt all data streams in the resource group with a single data encryption key, called the resourcegroup key R1 R2 R3 dk3 Unified DAG rk4 Relation subgraph k25 dk2 dk1 rk1

rk2 Connect For each the membership roots ofsubgraph membershipgroup, to Construct a relation group construct subtrees to the corresponding connect resource-group a balanced logical keys key treebased calledonthe the resources-group keys a membership-group subtree, where each unified user is represented by a u-node and the DAG

root of the subtree is associated with a key, called Balanced logical key tree the membership-group key (membership-group subtree) rk3 Greedy algorithm of the HAC Sc heme Notation M = set of membership group in Vi K = set of k-nodes; cover disjoint set of membership group C = set of membership group in M; t hat has been covered by k-nodes in K U = set of uncovered membership

groups in M RK = set of representative k-node s; has been generated Userset = set of membership groups c overed by a representative k-node rkj 19/25 Rekey Algorithm Update the keys in the key graph User join, leave, or switch membership groups dynamically The service provider changes access relations dynamically Case1)User u8 switches from U2 to U1 k26 k17 mk1

dk2 k8 dk1 dk3 k20 mk2 k26 k8 Send {k26}k8 to u8 {k26}k1 to u1 u Send {mk2}k19 to u5, u6 {mk2}k7 to u7 8 20/25 Rekey Algorithm Case2)Update the access relations(new data str eam, new membership group) R4 dk3 rk4

dk4 rk5 21/25 Performance Comparison Experiment environment Compare the performance of the HAC scheme with the MG sc heme Measured storage overhead and rekey overhead Develop a simulation model to construct logical key graphs wi th d =2 based on access relation and to simulate user actions in the system Consider three cases where equivalent data streams to group, and the number of data streams per resource group is shown i n Table3 22/25

Performance Comparison Note that, Case III is much higher than the differerce between the HAC scheme and Case II Why HAC experiment is only one? All data streams in a resource group are encrypted by the sa me resource-group key HAC Scheme 1 1 1 1 1 1 3 3 23/25 Performance Comparison

We can see that HAC scheme results in less rekey overhead than the MG Sche me HAC Scheme 1 1 1 1 1 1 3 3 24/25 Conclusion In the HAC scheme Proposed a hierarchical access control key management sche me for group communication

Employed an algorithm to construct a key graph based on a u nified relation of membership groups and resource group Can handle complex access relations In the key graph Equivalent data streams are grouped in a resource group and are encrypted by a single data encryption key Future work To employ the batch rekeying[23] scheme in order to further i mprove the key management efficiency 25/25

Recently Viewed Presentations

  • Structuralism


    He develops this module base on Saussurean concept of studying signs. denotation and connotation are terms describing the relationship between the signifier and it's signified, and an analytic distinction is made between two types of signified: a denotative signified and...
  • Writing Using adverbials WHAT ARE WE LEARNING? Today

    Writing Using adverbials WHAT ARE WE LEARNING? Today

    An adverbial is a word or a group of words that gives more information about the verb or the sentence. An adverbial can be a clause which makes sense by itself, or a phrase which needs to link to a...
  • Chapter 4 Making Career Decisions Lesson 4.1 Making

    Chapter 4 Making Career Decisions Lesson 4.1 Making

    A negative attitude might prevent you from accepting and evaluating an outcome of a decision that is different from what you wanted or hoped. This would prevent you from learning from the decision. continued Seven Steps to a Decision Graphic...
  • Edmonds Community College at Monroe Correctional Complex

    Edmonds Community College at Monroe Correctional Complex

    Track enrollment data, Accuplacer test results, program completion data. Course Evaluation Data. Data collected via students and other stakeholders. New Accuplacer Test (Math) eCasas Test Training . EdCC. Facility Improvements (Dean, Program Services Manager, DOC): Continued Focus on expanding EdCC...
  • One of the most important ways that information

    One of the most important ways that information

    WAP stands for Wireless Application Protocol and is a popular type of mobile internet service which can be used on a handheld device, such as a mobile phone or PDA. It enables you to go online while out and about...
  • Figure 1: (A) A microarray may contain thousands

    Figure 1: (A) A microarray may contain thousands

    Figure 1: (A) A microarray may contain thousands of 'spots'. Each spot contains many copies of the same DNA sequence that uniquely represents a gene from an organism.
  • Employability for Economics Students

    Employability for Economics Students

    BMW, Debenhams, Homebase, House of Fraser, Mothercare. Other - Channel 4, Kent Tourism Alliance, PR Companies, Church social worker, ..... What You Can Do Now? ... Competency questions. Interview. Group tasks (wear a watch!) It is hard work making applications...
  • WALT: Recognise the rhythm of a haiku and write our own haiku.

    WALT: Recognise the rhythm of a haiku and write our own haiku.

    WALT: Recognise the rhythm of a haiku and write our own haiku. Syllables What are syllables? Short sounds that make up a word. Mis-ter Lew-is (4 Syllables) Haikus Japanese poems with a syllable pattern: Verse 1: 5 Syllables Verse 2:...