Elsevier

Computers & Security

Volume 29, Issue 5, July 2010, Pages 533-547

Managing key hierarchies for access control enforcement: Heuristic approaches

https://doi.org/10.1016/j.cose.2009.12.006

Abstract

Data outsourcing is emerging today as a successful paradigm allowing individuals and organizations to resort to external servers for storing their data, and sharing them with others. The main problem of this trend is that sensitive data are stored on a site that is not under the data owner's direct control. This scenario poses a major security problem since often the external server is relied upon for ensuring high availability of the data, but it is not authorized to read them. Data need therefore to be encrypted. In such a context, the application of an access control policy requires different data to be encrypted with different keys so as to allow the external server to directly enforce access control and support selective dissemination and access. The problem therefore emerges of designing solutions for the efficient management of an encryption policy enforcing access control, with the goal of minimizing the number of keys to be maintained by the system and distributed to users.

In this paper, we prove that the problem of minimizing the number of keys is NP-hard and present alternative approaches for its solution. We first formulate the minimization problem as an instance of an integer linear programming problem and then propose three different families of heuristics, which are based on a key derivation tree exploiting the relationships among user groups. Finally, we experimentally evaluate the performance of our heuristics, comparing them with previous approaches.

Introduction

Data outsourcing has become increasingly popular in recent years. The main advantage of data outsourcing is that it promises higher availability and more effective disaster protection than in-house operations. However, since data owners physically release their information to external servers that are not under their control, data confidentiality (and even integrity) may be put at risk. Besides protecting such data from attackers and unauthorized users, there is the need to protect the privacy of the data from the so-called honest-but-curious servers, that is, servers that, while trustworthy to properly manage the data, may not be trusted by the data owner to read their content. The problem of protecting data when outsourcing them to an external honest-but-curious server has emerged to the attention of researchers very recently. Existing proposals (e.g., Ceselli et al., 2005, Hacigümüs et al., 2002a, Wang and Lakshmanan, 2006) in the data outsourcing area typically store the data in encrypted form and associate with the encrypted data additional indexing information. Such indexes are used by the external DBMS to select the data to be returned in response to a query. Existing approaches however do not address the problem of supporting different access privileges (authorizations) for different users and are therefore limited in today's scenarios, where remotely stored data may need to be made accessible in a selective way (i.e., different users may be authorized to access different views of the data).

There is therefore an increasing interest in the definition of security solutions that allow the enforcement of access control policies on outsourced data. A promising solution in this direction consists in integrating access control and encryption. Although traditional approaches assume a strict separation between policies and mechanisms, and such a separation has often been beneficial, in the data outsourcing scenario their combination is proving successful. Combining cryptography with access control essentially requires that resources should be encrypted differently depending on the access authorizations holding on them, so as to make their decryption possible only to authorized users (Damiani et al., 2006, De Capitani di Vimercati et al., 2007a). The application of this approach in data outsourcing scenarios allows owners to encrypt data, according to an encryption policy regulated by authorizations, outsource the data to the external servers, and distribute to users the needed encryption keys. Proper encryption and key distribution automatically ensure therefore obedience of the access control policy, while not requiring the data owner to maintain control over the data storage and accesses. In this paper, we address such a problem and propose a heuristic approach to minimize the number of keys to be maintained by the system and distributed to users. Like other proposals in the literature (Damiani et al., 2006, Damiani et al., 2007, De Capitani di Vimercati et al., 2007a), we base our solution on key derivation exploiting a key derivation tree that allows users to derive new keys from other keys they know. In Blundo et al. (2009) we presented an early version of our proposal that here is extended to consider alternative approaches for determining the minimal number of keys that correctly enforce an authorization policy defined by the data owner. In particular, we provide a new formulation of the problem in terms of an integer linear programming problem and present two new families of heuristics (i.e., leaves-based and mixed-based heuristics). We also formally prove that the problem of minimizing the number of keys is NP-Hard.

The remainder of the paper is organized as follows. Section 2 illustrates the basic concepts of access control systems based on selective encryption. Section 3 introduces our minimization problem. Section 4 formulates the minimization problem as a minimum weight problem. Section 5 illustrates the integer linear programming problem corresponding to the weight minimization problem. Section 6 presents three families of heuristics, which are based on the computation of a minimum spanning tree (MST) and on vertices factorization to improve the quality of the solution. Section 7 presents some experimental results showing that, compared with previous proposals, our heuristics prove efficient and effective in the computation of a key derivation graph. Section 8 discusses related work. Finally, Section 9 draws our conclusions.

Section snippets

Basic concepts

We assume that the data owner defines an authorization policy to regulate read access to the outsourced resources. Given a set U of users and a set R of resources, an authorization policy over U and R is defined as a set of pairs 〈u, r〉, where u ∈ U and r ∈ R, meaning that user u can access resource r. An authorization policy can be modeled via

Problem formulation

Although the solution based on a user hierarchy is conceptually simple and potentially easy to implement, it defines significantly more keys than actually needed. Furthermore, a crucial aspect for the success of a solution supporting selective encryption is the efficiency of the key management and distribution activities required. For these reasons, since key derivation methods working on trees are in general more convenient and simpler than those working on DAGs and require a lower amount of

Minimum weight user tree

Our solution is based on a reformulation of Problem 3.1 in terms of a weight minimization problem. We start by introducing the concept of weight in association with a user tree.

Definition 4.1

(Weight function). Let T = 〈V, E〉 be a user tree.

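  • $w: E \rightarrow \mathbb{N}$ is a weight function such that $\forall (v_i, v_j) \in E$, $w(v_i, v_j) = |v_j.\mathit{acl} \setminus v_i.\mathit{acl}|$

  • $\mathit{weight}(T) = \sum_{(v_i, v_j) \in E} w(v_i, v_j)$.

According to this definition, given a user tree $T = \langle V, E \rangle$, the weight $w(v_i, v_j)$ of edge $(v_i, v_j)$ in $E$ is the number of users in $v_j.\mathit{acl} \setminus v_i.\mathit{acl}$ and $\mathit{weight}(T)$ is the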

Linear programming approach

The translation of the minimum weight user tree problem into a linear programming problem exploits the interpretation of the edges in the user graph $G_U = \langle V_U, E_U \rangle$ as boolean variables. For each edge $(v_i, v_j)$ in $E_U$, we define a boolean variable, denoted $x_{i,j}$, representing whether $(v_i, v_j)$ is an edge of a minimum weight user tree $T = \langle V, E \rangle$. The vertices composing $V$ are all and only the vertices in $V_U$ having at least an incident edge in $E$.

The formulation of our minimization problem as an integer

Minimum spanning tree heuristics

We now propose three families of heuristics for solving Problem 3.1. All the proposed heuristics are based on the computation of a minimum spanning tree (MST) over a graph $G = \langle V, E', w \rangle$, with $V = M$, $E' = \{(v_i, v_j) \mid v_i, v_j \in V \wedge v_i.\mathit{acl} \subset v_j.\mathit{acl}\}$, $w$ the weight function defined in Definition 4.1, and where the root vertex is $v_0$. The MST over G is a user tree whose weight can be further reduced with the addition of non-material vertices that represent sets of users resulting from the intersection of the acls of
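The MST step over the subset graph, together with the weight of Definition 4.1, can be worked through on a small policy. This is an added example, not code from the paper: the sample acls are constructed, the root is assumed to carry an empty acl, and the later factorization with non-material vertices is not covered.

```python
# Added illustration: vertices are acls (sets of users); names below are hypothetical.
ROOT = frozenset()  # v0, assumed here to have an empty acl

# Constructed sample: the acls of the material vertices M.
SAMPLE_ACLS = [{"A"}, {"A", "B"}, {"A", "B", "C"}, {"C", "D"}]


def edge_weight(parent, child):
    """w(v_i, v_j) = |v_j.acl \\ v_i.acl| as in Definition 4.1."""
    return len(child - parent)


def candidate_edges(material):
    """Edges (v_i, v_j) with v_i.acl a proper subset of v_j.acl, over M plus the root."""
    vertices = {ROOT} | {frozenset(acl) for acl in material}
    return {(p, c): edge_weight(p, c)
            for p in vertices for c in vertices if p < c}  # '<' is proper subset


def minimum_user_tree(material):
    """Return {child: parent} for a minimum weight spanning tree rooted at ROOT.

    Edges only run from a proper subset to a superset, so the graph is acyclic
    and every non-empty acl is reachable from the empty root. Picking the
    cheapest incoming edge for each vertex therefore yields a spanning tree of
    minimum total weight. Ties are broken on the parent's sorted user list so
    the result is deterministic.
    """
    edges = candidate_edges(material)
    tree = {}
    for (parent, child), w in edges.items():
        best = tree.get(child)
        if best is None or (w, sorted(parent)) < (edges[(best, child)], sorted(best)):
            tree[child] = parent
    return tree


def weight(tree):
    """weight(T): sum of w over the edges of the tree."""
    return sum(edge_weight(parent, child) for child, parent in tree.items())


def flat_tree(material):
    """Baseline for comparison: every material vertex hangs directly off the root."""
    return {frozenset(acl): ROOT for acl in material}


if __name__ == "__main__":
    tree = minimum_user_tree(SAMPLE_ACLS)
    for child, parent in sorted(tree.items(), key=lambda e: sorted(e[0])):
        print(sorted(parent), "->", sorted(child), "w =", edge_weight(parent, child))
    print("weight(MST) =", weight(tree), "| weight(flat) =", weight(flat_tree(SAMPLE_ACLS)))
```

On the sample, chaining {A} → {A,B} → {A,B,C} lowers the total weight compared with attaching every vertex to the root, while {C,D} has no smaller material subset and stays under the root.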

Experimental results

In large scale access control systems with a huge number of users and resources, the time needed to set the right key assignment scheme can be considerably large. A correct evaluation of the performance of the proposed heuristics is required to provide the system designer with a valid set of tools she can use for the selection of the strategy that provides the best trade-off between the quality of the solution returned by the selected heuristic and the amount of time invested in obtaining such

Related work

Previous related work is in the area of the “database-as-a-service” paradigm (Hacigümüs et al., 2002a, Hacigümüs et al., 2002b), which considers the problem of database outsourcing with the main goal of enabling data owners to outsource their data to, possibly non fully trusted, third parties. This new scenario requires the evaluation of different security issues, which have been recently addressed in the literature (e.g., evaluation of queries on encrypted data, inference exposure control,

Conclusions and future work

There is an emerging trend towards scenarios where resource management is outsourced to an external service providing storage capabilities and high-bandwidth distribution channels. In this context, selective dissemination of data requires enforcing measures to protect the resource confidentiality from both unauthorized users and “honest-but-curious” servers. In this paper, we addressed this issue by integrating access control and encryption and by exploiting key derivation methods as a way for

Acknowledgments

This work was supported in part by the EU within the FP7 under grant 216483 “PrimeLife”; by the EU within the FP7 under contract ICT-2007-216646 “ECRYPT II”; and by the EU within the FP6 under contract FP6-1596 “AEOLUS”.


References (20)

  • De Santis A, et al. Cryptographic key assignment schemes for any access control policy. Information Processing Letters (2004)
  • Sandhu R. Cryptographic implementation of a tree hierarchy for access control. Information Processing Letters (1988)
  • Agrawal R, Kiernan J, Srikant R, Xu Y. Order preserving encryption for numeric data. In: Proceedings of SIGMOD 2004,...
  • Akl S, et al. Cryptographic solution to a problem of access control in a hierarchy. ACM Transactions on Computer Systems (1983)
  • Atallah M, Frikken K, Blanton M. Dynamic and efficient key management for access hierarchies. In: Proceedings of ACM...
  • Ateniese G, De Santis A, Ferrara A, Masucci B. Provably-secure time-bound hierarchical key assignment schemes. In:...
  • Blundo C, Cimato S, De Capitani di Vimercati S, De Santis A, Foresti S, Paraboschi S, Samarati P. Efficient key...
  • Ceselli A, et al. Modeling and assessing inference exposure in encrypted databases. ACM Transactions on Information and System Security (2005)
  • Damiani E, De Capitani di Vimercati S, Foresti S, Jajodia S, Paraboschi S, Samarati P. Selective data encryption in...
  • Damiani E, De Capitani di Vimercati S, Foresti S, Jajodia S, Paraboschi S, Samarati P. An experimental evaluation of...
There are more references available in the full text version of this article.


Carlo Blundo received the Laurea degree in Computer Science (cum laude) from the Università di Salerno (Italy) in 1991. From September 1993 to May 1994, he has been visiting the Department of Computer Science and Engineering at the University of Nebraska–Lincoln, Lincoln (USA) doing research with Prof. Douglas R. Stinson. From October 1994 to March 1995 he has been visiting the Department of Computer Science at the Technion, Haifa, Israel. Since September 1995 he has been with the Dipartimento di Informatica ed Applicazioni “Renato M. Capocelli”, Università di Salerno, Italy as: research associate (from September 1995 to October 1998); associate professor (from November 1998 to October 2001); full professor (from November 2001 to present). He is a member of IACR (International Association for Cryptologic Research) and EATCS (European Association for Theoretical Computer Science).

Stelvio Cimato received the Laurea degree and the PhD in Computer Science from the Università di Salerno (Italy) in June 1994 and the Università di Bologna (Italy) in March 1999, respectively. Since January 2005 he is an assistant professor at the Information Technology Department, Università degli Studi di Milano, Italy. His main research interests are in the area of cryptography, network security, and Web applications.

Sabrina De Capitani di Vimercati is a professor at the Department of Information Technology, Università degli Studi di Milano, Italy. Her research interests are in the area of information security, databases, and information systems. On these topics she has published more than 100 refereed technical papers in international journals and conferences. She has been an international fellow in the Computer Science Laboratory at SRI, CA (USA). She is member of the Steering Committees of the European Symposium on Research in Computer Security (ESORICS) and of the ACM Workshop on Privacy in the Electronic Society (WPES). She is vice-chair of the IFIP WG 11.3 on Data and Application Security. She is co-recipient of the ACM-PODS’99 Best Newcomer Paper Award. More information at http://www.dti.unimi.it/decapita.

Alfredo De Santis received the Laurea degree in Computer Science (cum laude) from the Università di Salerno in 1983. Since 1984, he has been with the Dipartimento di Informatica ed Applicazioni of the Università di Salerno, in 1984–1986 as an Instructor in charge of the Computer Laboratory, in 1986–1990 as Researcher Faculty, from November 1990 as Professor of Computer Science. From November 1991 to October 1995 and from November 1998 to October 2001 he was the Director of the Dipartimento di Informatica ed Applicazioni, Università di Salerno. From September 1987 to February 1990 he has been Visiting Scientist at IBM T. J. Watson Research Center, Yorktown Heights, New York. He spent August 1994 at the International Computer Science Institute (ICSI), Berkeley CA, USA, as Visiting Scientist. His research interests include Algorithms, Data Security, Cryptography, Communication Networks, Information Theory, and Data Compression.

Sara Foresti received the PhD in Computer Science from the Università degli Studi di Milano, Italy in April 2009. She is a post-doc at the Information Technology Department, Università degli Studi di Milano, Italy. Her research interests are in the area of data security and privacy, with particular consideration of access control and information protection.

Stefano Paraboschi obtained the Laurea degree in Electronic Engineering in 1990 and a PhD in Computer Science in 1994, both from Politecnico di Milano. In 1996 he became an assistant professor and in 1998 an associate professor, both positions at Politecnico di Milano. Since 2002 he is a full professor at the School of Engineering of the Università di Bergamo, where he is the chair of the Computer Engineering Program. In 2003 he became a founding member and deputy-chair of the Dipartimento di Ingegneria Gestionale e dell'Informazione of the Università di Bergamo (now Dipartimento di Ingegneria dell'Informazione e Metodi Matematici). He spent research periods at the Department of Computer Science of Stanford University (host: Hector Garcia Molina), at the IBM Almaden Research Center in San Jose (host: Jennifer Widom), and at the Center for Secure Information Systems of George Mason University (host: Sushil Jajodia). His research has focused on active databases, multidimensional databases, workflow management systems, Web technologies, computer and information security.

Pierangela Samarati is a professor at the Department of Information Technology of the Università degli Studi di Milano, Italy. Her main research interests are access control policies, models and systems, data security and privacy, information system security, and information protection in general. She has participated in several projects involving different aspects of information protection. On these topics she has published more than 170 refereed technical papers in international journals and conferences. She is co-author of the book “Database Security,” Addison-Wesley, 1995. She has been Computer Scientist in the Computer Science Laboratory at SRI, CA (USA). She has been a visiting researcher at the Computer Science Department of Stanford University, CA (USA), and at the ISSE Department of George Mason University, VA (USA). She is the chair of the Steering Committees of the European Symposium on Research in Computer Security (ESORICS) and of the ACM Workshop on Privacy in the Electronic Society (WPES). She is the Coordinator of the Working Group on Security of the Italian Association for Information Processing (AICA), the Italian representative in the IFIP (International Federation for Information Processing) Technical Committee 11 (TC-11) on Security and Privacy. She is a member of the Steering Committee of: ACM Symposium on InformAtion, Computer and Communications Security (ASIACCS), International Conference on Information Systems Security (ICISS), and International Conference on Information and Communications Security (ICICS). She has served as program chair and on the program committees of various conferences. She is co-recipient of the ACM-PODS'99 Best Newcomer Paper Award. In 2009, she has been named ACM Distinguished Scientist. More information at http://www.dti.unimi.it/samarati.

A preliminary version of this paper appeared under the title “Efficient Key Management for Enforcing Access Control in Outsourced Scenarios”. In: Proc. of the 24th IFIP TC-11 International Information Security Conference (SEC 2009), Cyprus, May 2009 (Blundo et al., 2009).
