Denunciar

premsruthiSeguir

24 de Mar de 2013•0 recomendaciones•838 vistas

24 de Mar de 2013•0 recomendaciones•838 vistas

Denunciar

Pairing Based Elliptic Curve Cryptosystem for Message AuthenticationIJTET Journal

Key Management Scheme for Secure Group Communication in WSN with Multiple Gr...csandit

Secure Data Sharing Algorithm for Data Retrieval In Military Based NetworksIJTET Journal

IEEE 2014 DOTNET NETWORKING PROJECTS Secure data-retrieval-for-decentralized-...IEEEMEMTECHSTUDENTPROJECTS

File transfer with multiple security mechanismShubham Patil

secure data retrieval for decentralized disruption-tolerant military networksSneha Joshi

- 1. IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 5, NO. 2, APRIL-JUNE 2008 65 An Efficient Time-Bound Hierarchical Key Management Scheme for Secure Broadcasting Elisa Bertino, Fellow, IEEE, Ning Shang, and Samuel S. Wagstaff Jr. Abstract—In electronic subscription and pay TV systems, data can be organized and encrypted using symmetric key algorithms according to predefined time periods and user privileges and then broadcast to users. This requires an efficient way of managing the encryption keys. In this scenario, time-bound key management schemes for a hierarchy were proposed by Tzeng and Chien in 2002 and 2005, respectively. Both schemes are insecure against collusion attacks. In this paper, we propose a new key assignment scheme for access control, which is both efficient and secure. Elliptic-curve cryptography is deployed in this scheme. We also provide the analysis of the scheme with respect to security and efficiency issues. Index Terms—Secure broadcasting, time-bound hierarchical key management, elliptic curves, elliptic-curve discrete logarithm problem (ECDLP). Ç 1 INTRODUCTION was proposed by Chien [5] in 2004. This scheme greatly I N a Web-based environment, the data to be securely broadcast, for example, electronic newspapers or other types of content, can be organized as a hierarchical tree reduces computational load and implementation cost. However, it has a security hole against Yi’s three-party and encrypted by distinct cryptographic keys according to collusion attack [12]. Inspired by Chien’s idea, we propose in access control policies. We need a key management this paper a new method for access control using elliptic- scheme so that a higher class can retrieve data content curve cryptography. This scheme is efficient and secure that a lower class is authorized to access, but not vice against Yi’s three-party collusion attacks. versa. In many applications (for example, electronic Although there have been attacks on smart cards [2] and newspaper/journal subscription and pay TV broadcast- some other tamper-resistant devices, such attacks require ing), there is a time bound associated with each access special equipment, which would cost more than a subscrip- control policy so that a user is assigned to a certain class tion. The only really valuable data on the smart cards that for just a period of time. The user’s keys need to be our scheme uses is the master key. It must be kept secret, updated periodically to ensure that the delivery of the because an attacker who obtained it could derive all the information follows the access control policies of the data keys for the data that one could get with this smart card. source. An ideal time-bound hierarchical key management Assuming that the master key can be protected, there is a scheme should be able to perform the above task in an good reason to believe that our scheme, which uses tamper- efficient fashion and minimize the storage and commu- nication of keys. In 2002, Tzeng attempted to solve this resistant devices, can have practical important applications problem [11]. Tzeng’s scheme is efficient in terms of its in areas such as digital rights management. space requirement but is computationally inefficient, since Our original motivation for this paper was to provide a a Lucas function operation is used to construct the better key management scheme for [4], in which data is scheme, and this incurs heavy computational load. More- encoded in XML and need to be securely broadcast, but a over, it is insecure against collusion attacks, as shown by solution to the key management scheme fails in terms of Yi and Ye [13]. efficiency and security. Another time-bound hierarchical key assignment scheme The rest of this paper is organized as follows: Section 2 based on a tamper-resistant device and a secure hash function presents the notation and definitions needed to give a hierarchical structure to the data source. Section 3 proposes the new time-bound key management scheme applied to a . E. Bertino and S.S. Wagstaff Jr. are with the Center for Education and hierarchy. Section 4 contains further discussion of the key Research in Information Assurance and Security (CERIAS) and also with the Department of Computer Sciences, Purdue University, West Lafayette, management scheme. Section 5 summarizes our results. IN 47907-2107. E-mail: bertino@cs.purdue.edu, ssw@cerias.purdue.edu. . N. Shang is with the Department of Electrical and Computer Engineering, with the Center for Education and Research in Information Assurance and 2 DEFINITIONS AND NOTATION Security (CERIAS), and with the Department of Mathematics, Purdue University, West Lafayette, IN 47907-2067. Let S be the data source to be broadcast. We assume that S E-mail: nshang@math.purdue.edu. is partitioned into blocks of data called nodes. Manuscript received 27 Feb. 2006; revised 9 Apr. 2007; accepted 29 Oct. 2007; The policy base PB is the set of access control policies published online 6 Nov. 2007. defined for S. In our setting, each access control policy For information on obtaining reprints of this article, please send e-mail to: tdsc@computer.org, and reference IEEECS Log Number TDSC-0030-0206. acp 2 PB contains a temporal interval I among its compo- Digital Object Identifier no. 10.1109/TDSC.2007.70241. nents, which specifies the time period in which the 1545-5971/08/$25.00 ß 2008 IEEE Published by the IEEE Computer Society
- 2. 66 IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 5, NO. 2, APRIL-JUNE 2008 access control policy is valid. A sample access control policy 3 KEY MANAGEMENT SCHEME for XML documents might look like 3.1 Initialization Suppose that we have already generated the set C of classes acp ¼ ðI; P; sbj-spec; prot-obj-spec; priv; prop-optÞ; of nodes of the data source S marked with the policy configurations P ci in PB. Such a set is partially ordered where I, P, sbj-spec, prot-obj-spec, priv, and prop-opt are the with respect to " . Let n be the cardinality of C. temporal interval, periodic expression, credential specifica- In this step, the system parameters are initialized, and tion, protection object specification, privilege, and propaga- the system’s class keys Ki are generated: tion option of acp, respectively. Interested readers may refer to [3] and [4] for details. 1. The vendor chooses an elliptic curve E over a finite It is important to notice that several policies may apply field IFq so that the discrete logarithm problem (DLP) to each node in S. In what follows, we refer to the set of is hard on EðIFq Þ.1 The vendor also chooses a point Q 2 EðIFq Þ with a large prime order, say, p. The policies applying to a node in S as the policy configuration vendor then chooses 2n integers ni and gi such that associated with the node. In addition, in what follows, ni gi are all different modulo p for 1 i n. The PCPB denotes the set of all possible policy configurations vendor computes Pi ¼ ni Q on EðIFq Þ and hi such that that can be generated by policies in PB. gi hi 1 ðmod pÞ. The class key Ki ¼ gi Pi is computed We now introduce the notion of a class of nodes, a for class Ci . The points Ri;j ¼ gi Kj þ ðÀKi Þ are also relevant notion in our approach. Intuitively, a class of nodes computed whenever Cj 0 Ci (not just when Cj 0d Ci ). corresponds to a given policy configuration and identifies 2. The vendor chooses two random integers a and b all nodes to which such configuration applies. Intuitively, a and a keyed hash message authentication code class of nodes includes the set of nodes to which the same (HMAC) [6] HK ðÀÞ built with a hash function HðÀÞ set of access control policies apply. and a fixed secret key K. K serves as the system’s Definition 1 (class of nodes). Let P ci be a policy configuration master key and is only known to the vendor. belonging to PCPB . The class of nodes marked with P ci , 3. The vendor publishes Ri;j on an authenticated board, denoted by Ci , is the set of nodes belonging to the data source whereas the integers gi , hi , a, and b are kept secret. S marked by all and only the policies in P ci . Note that the Parties can verify the validity of the Ri;j obtained empty set could be a class of nodes marked with a certain policy from the board. This can be realized by using digital configuration. We denote by C the set of all classes of nodes signatures. defined over S marked with the policy configurations in PCPB . The public values Ri;j are constructed in such a way that We also have the requirement that we distinguish and include the owner of the key Kj of the lower class Cj cannot obtain in C the empty sets marked by policy configurations consisting any information about the class key Ki of the higher class Ci of only one access control policy and exclude from C the empty without knowing the secret value gi , and the owner of the sets marked by any other policy configurations. Note that C higher class key Ki cannot compute Kj on its own due to corresponds to a subset of PCPB . the difficulty of solving the DLP. It turns out that such a construction is secure against the attack [12], which breaks We distinguish and include the empty sets correspond- Chien’s earlier scheme [5]. We will discuss this in ing to different singleton policy configurations so that keys Section 4.3.3. can be assigned to these classes, which enable users 3.2 Encrypting Key Generation belonging to these classes to derive the required decryption In this step, we generate the temporal encryption class keys keys of lower classes. This key derivation process will be Ki;t at time granule t by using the system’s class keys Ki . described in Section 3. The class of nodes Ci 2 C is encrypted by a symmetric The idea for the secure broadcasting mode of the data encryption algorithm, for example, AES [1]. We denote by source is this that the portions of the source marked by Ki;t the secret key for Ci at time granule t 2 ½Tb ; Te Š ¼ ½1; ZŠ. different classes of nodes are encrypted by different secret The generation process for Ki;t is given as follows: keys and are broadcast periodically to the subscribers. À Á Subscribers receive only the keys for the document sources Ki;t ¼ HK ðKi ÞY È H t ðaÞ È H ZÀt ðbÞ È IDi ; that they can access according to the policies. The following definition introduces a partial-order where ðKi ÞY is the y-coordinate of Ki , H m ðxÞ is the m-fold relation defined over C. iteration of HðÀÞ applied to x, IDi is the identity of Ci , and È is the bitwise XOR. Note that we can choose HðÀÞ Definition 2 (partial-order relation on C). Let Ci and Cj be properly in the initialization process so that the output of two classes of nodes marked by P ci and P cj , respectively, HK is the right length for a key for the symmetric where P ci and P cj are policy configurations in PCPB . We say encryption algorithm that we use. that Ci dominates Cj , written Cj Ci , if and only if The one-way property of the hash function H ensures P ci P cj . We also write Cj 0 Ci if Cj Ci but Cj 6¼ Ci . We that H t ðaÞ and H ZÀt ðbÞ can be calculated only when the also say that Ci directly dominates Cj , written Cj 0d Ci , if and values H t1 ðaÞ and H ZÀt2 ðbÞ are available for some t1 and t2 , only if Ci 6¼ Cj and Cj CÃ Ci implies CÃ ¼ Ci or CÃ ¼ Cj . with t1 t t2 . This is the idea for the construction of the We call “Cj 0d Ci ” a directed edge. We say that Ci dominates “time bound” of the key management scheme. Cj via n directed edges if there exists fCik g1 k nÀ1 C such that Cj 0d Ci1 , CinÀ1 0d Cj and CikÀ1 0d Cik for 2 k n À 1. 1. For more background on elliptic-curve cryptography, see [14].
- 3. BERTINO ET AL.: AN EFFICIENT TIME-BOUND HIERARCHICAL KEY MANAGEMENT SCHEME FOR SECURE BROADCASTING 67 3.3 User Subscription [1, 70]. Let U be a user wishing to subscribe the sports portion This is the user subscription phase, in which a tamper- of the newspaper for 1 week, say, the period I ¼ ½8; 14Š. We resistant device storing important information is issued to could match U with an access control policy acp1 ¼ ð½8; 14Š, the subscriber. All days, Subscriber/type = “full”, Sports_supplement, view, Upon receiving a subscription request, an appropriate CASCADE). Then, we can find the class of nodes C1 marked access control policy acpi is searched until there is a match, with policy configuration acp1 from a pregenerated table. then the policy configuration in PB, which contains only These nodes are encrypted and broadcast periodically. U can acpi , is found, and thus, the corresponding class of nodes derive the decryption key for the subscription period using marked with it, say, Ci , is identified. Note that Ci , which the issued class key K1 and the tamper-resistant device storing HK , E, IFq , ID1 , h1 , and H 8 ðaÞ, H 56 ðbÞ ¼ H 70À14 ðbÞ. could be an empty set, is always in C by the construction in For example, U inputs K1 into the device. To obtain the Definition 1. We define the encryption information EncInfi decryption key K1;10 at time granule t ¼ 10, the device as follows: computes À Á EncInfi ¼ f H t1 ðaÞ; H ZÀt2 ðbÞ g; À Á À Á H 10 ðaÞ ¼ H 2 H 8 ðaÞ ; H 60 ðbÞ ¼ H 4 H 56 ðbÞ : where the set on the right side is defined for all acceptable Then, K1;10 ¼ HK ððK1 ÞY È H 10 ðaÞ È H 60 ðbÞ È ID1 Þ, the very time intervals ½t1 ; t2 Š for acpi . thing needed. To obtain the decryption key at t ¼ 13 for a The vendor distributes the class key Ki to the subscriber class C2 C1 , U inputs K1 , ID2 , and R1;2 into the device. The through a secure channel. The vendor also issues the device first computes the class key of C2 : subscriber a tamper-resistant device storing HK (thus H and K), E, IFq , IDi , hi , and EncInfi . There is also a K2 ¼ h1 Á ðR1;2 þ K1 Þ: secure clock embedded in the device, which keeps track of Then, it computes the current time. The device is tamper resistant in the sense À Á À Á that no one can recover K, hi , and EncInfi , change the H 13 ðaÞ ¼ H 5 H 8 ðaÞ ; H 57 ðbÞ ¼ H H 56 ðbÞ ; values of IDi , or change the time of the clock. and K2;13 ¼ HK ððK2 ÞY È H 13 ðaÞ È H 57 ðbÞ È ID2 Þ, the de- 3.4 Decrypting Key Derivation cryption key needed. In this step, the temporal keys for a class and the classes Note that all computations are executed by the tamper- below it are reconstructed by the tamper-resistant device. resistant device. The device can prevent the results of the Assume that the subscription process mentioned above computations from being revealed so that even the user U is completed for a subscriber U associated with class Ci . does not know the class key K2 of the class of nodes C2 0 C1 . U can then use the information received from the vendor This makes the system secure. to decrypt the data in class Cj , with Cj Ci , as follows: 1. If Cj ¼ Ci , U inputs only Ki into the tamper-resistant 4 FURTHER DISCUSSION device. Otherwise, if Cj 0 Ci , U first retrieves Ri;j We have proposed a key assignment scheme for secure from the authenticated public board and then inputs broadcasting based on a tamper-resistant device. A secure it together with the class identity IDj of Cj and its hash function and the intractability of the DLP on elliptic secret class key Ki . curves over the finite field IFq are also assumed. 2. If Kj is the only input, the next step is executed directly. Otherwise, the tamper-resistant device 4.1 Tamper-Resistant Devices computes the secret class key of Cj : The tamper-resistant device plays an important role in our scheme. The system’s master key K must be protected by Kj ¼ hi Á ðRi;j þ Ki Þ: the device. A leak of EncInfi will not help the attackers much, because they are not able to compute the HMAC, 3. If t 2 ½t1 ; t2 Š for some acceptable time interval ½t1 ; t2 Š thus the temporal class keys, without knowing K. A leak of acpi , the tamper-resistant device computes of hi will enable the user of class Ci to obtain the class key À Á À Á Kj of Cj , where Cj Ci , by computing H t ðaÞ ¼ H tÀt1 H t1 ðaÞ ; H ZÀt ðbÞ ¼ H t2 Àt H ZÀt2 ðbÞ ; Kj ¼ hi Á ðRi;j þ Ki Þ; a n d Kj;t ¼ HK ððKj ÞY È H t ðaÞ È H ZÀt ðbÞ È IDj Þ. Note that the values H t1 ðaÞ and H ZÀt2 ðbÞ are as done by the device. However, this does not help the user precomputed and stored in the tamper-resistant decrypt any information belonging to a class not lower than device. Ci . Unless K is discovered, the attacks to retrieve 4. At time granule t, the protected data belonging to EncInfi and hi on individual devices are not effective. class Cj can be decrypted by applying the key Kj;t . With the use of a tamper-resistant device, the security of the scheme is strong enough. Attacks on tamper-resistant 3.5 An Example devices need special equipment. It is cheaper to buy a We now provide an example to illustrate the above process. subscription than the special equipment. As such, the Consider an electronic newspaper system. Let 1 day be attacker does not have economic incentives to mount such a tick of time in this system and Z ¼ 70 be the lifetime of an attack, unless he could capture the master key K. An the system; that is, the system exists in the temporal interval attacker who could find all the information on several
- 4. 68 IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 5, NO. 2, APRIL-JUNE 2008 tamper-resistant devices could execute a collusion attack to 4.3.2 Collusion Attack compute extra temporal decryption keys. Second, any collusion attack with more than one input to the As pointed out above, the only information that needs to device does not work either. Since the encryption information be kept secret by the tamper-resistant device is the system’s EncInfi for a device with identity IDi is not likely to be master key K. The Trusted Platform Module (TPM) modified because of the tamper resistance of the device, technology [10], which is good for storing and using any attempt to derive temporal decrypting keys for a secret keys, can well suit our need. We are aware that there class Cm that is not lower than Ci inevitably involves the are attacks on TPMs [9]. There are countermeasures against computation of the class key Km . According to step 2 of the those attacks [9]. Moreover, none of these attacks is capable Decrypting Key Derivation process, gi Km must be compu- of extracting the exact secret information being protected table by the device with a suitable choice of the input (in our case, the system key K). Hence, the attackers are parameters. However, we do not see any way of accomplish- not able to perform the HMAC operations. Therefore, ing this computation without solving the DLP on EðIFq Þ. an attack relying on the knowledge of K is not feasible in practice. We believe that the use of the tamper-resistant 4.3.3 X. Yi’s Attack hardware is practical and secure in reality. As a particular case of the collusion attack just described, One might argue that if we need such a strong tamper- Yi’s attack [12] against Chien’s scheme [5] cannot be replayed resistant device, then we might as well store the needed temporal decryption keys on it directly and discard the key here to break our scheme. We will demonstrate this case to management scheme. However, that approach is not give an impression of how the asymmetry introduced by practical, because the number of needed keys can be large, elliptic-curve cryptography helps strengthen the scheme. considering the temporal intervals and hierarchy. In that Yi’s attack cannot apply directly to our scheme due to case, the system’s class keys cannot be easily updated. Our our different construction. An analog of it would work as proposed scheme is elegant and more efficient in terms of follows: Two users collude to derive certain information Inf storage on the tamper-resistant devices. and pass it to a third user U so that U can input Inf together with his/her secret key to the tamper-resistant device to 4.2 Hash Functions and Elliptic-Curve Discrete derive the decryption keys of a class not lower than U’s. Logarithm Problem Suppose that U belongs to class Cj and U wants to derive Some of the most widely used hash functions, for example, decryption keys Ki;t of Ci , which is not lower than Cj . Then, SHA-0, MD4, Haval-128, RipeMD-128, and MD5, were Ki needs to be computed by the device. Thus, the broken years ago, whereas SHA-1 was announced broken information to be passed to U should be Inf ¼ gj Ki þ early in 2005. Essentially, these hash functions have been ðÀKj Þ so that when U inputs Inf, IDi , and Kj , the tamper- proven not to be collision free, but it is still hard to find a resistant device will compute preimage to a given digest in a reasonable time. In view of this, these attacks on hash functions will not affect the hj Á ðInf þ Kj Þ ¼ hj Á ðgj Ki þ Kj À Kj Þ ¼ Ki : security of our scheme, as long as the DLP on the elliptic In order to obtain Inf, someone must be able to compute curves is still hard. So far, there is no foreseeable break- gj Ki . Given that class Ci is not lower than Cj , gj Ki is not a through in solving DLP on elliptic curves. summand of any of the published values on the authenti- Without having to keep Q 2 EðIFq Þ secret, no one, cated board, and thus, it cannot be produced via collusion, including the user Ui , can recover the secret values gi considering the fact that the ECDLP is hard. and hi of the system due to the difficulty of the elliptic- Therefore, Yi’s attack cannot be modified to attack our curve DLP (ECDLP). Therefore, the system is secure. scheme. 4.3 Security against Possible Attacks 4.4 Yet Another Good Feature Note that the tamper-resistant device in our scheme is an An important advantage of our scheme is that the vendor oracle that does calculation in the Decrypting Key Derivation can change the class keys of the system at anytime without process. This raises the question of whether such a device having to reissue new devices to the users, whereas only the can be attacked by an adversary to gain secret information user’s class keys and the public information Ri;j need to be to subvert this process. This concern is necessary, since updated. However, when an individual user wants to Chien’s scheme has been successfully attacked (see [12]) due change the subscription, a new device needs to be issued. to the weakness of the oracle. We face a similar situation here. This also needs to be done when a different class is desired. 4.3.1 Attack from the Outside 4.5 Space and Time Complexity First, any attack against our scheme with only one input to Our scheme publishes one value Ri;j for each partial-order the device will not work. Any attempt to gain the temporal relation Cj 0 Ci . The total number of public values is at most nðnÀ1Þ decrypting key with only one input KÃ to the device with 2 , where n is the number of classes in C. On the user identity IDi will not succeed, unless the input is the side, the tamper-resistant device stores only HK , E, IFq , IDi , right class key Ki bound to the same device. This can hi , and EncInfi . easily be seen, since in this case, the device will compute À Á At any time granule t, the tamper-resistant device needs HK ðKÃ ÞY È H t ðaÞ È H ZÀt ðbÞ È IDi at time granule t (we to perform ðt À t1 Þ þ ðt2 À tÞ þ 2 ¼ t2 À t1 þ 2 Z hash may assume that t is valid; that is, it is in the subscription iterations. Note that there are two hash iterations per period). This value is meaningless, unless KÃ ¼ Ki . HMAC operation [6]. In a system of a life period of 5 years,
- 5. BERTINO ET AL.: AN EFFICIENT TIME-BOUND HIERARCHICAL KEY MANAGEMENT SCHEME FOR SECURE BROADCASTING 69 TABLE 1 A Comparison of the Three Schemes Suppose that Cj Ci , t 2 ½t1 ; t2 Š. Notation: n: number of classes jCj. r: number of child classes Ci on path from Ci to Cj . Th : hashing operation. Te : modular exponentiation. TL : Lucas function operation. TE : elliptic-curve scalar multiplication. which updates user keys every hour, Z is approximately 5 CONCLUSIONS 43,800. We did an experiment using SHA-1 as the hash In this paper, we have proposed an efficient time-bound function on a Gateway MX3215 laptop computer that has a hierarchical key management scheme based on the use of 1.40 GHz Intel(R) Celeron(R) M processor and 256 Mbytes elliptic-curve cryptography for secure broadcasting of data. of memory and runs Ubuntu 6.10 Edgy Eft. The code is The number of encryption keys to be managed depends written in C and built with GNU C compiler version 4.1.2. only on the number of access control policies. A tamper- The result showed that 43,800 hash iterations took resistant device plays an important role in our scheme. 0.0800 second of processing time. In practice, t2 À t1 is usually The obvious solution of storing all needed decryption keys much smaller than Z, and the hash computation is really fast. in a tamper-resistant device is not practical, because the The bulk of the computation performed by the tamper- number of keys needed can be large. In addition, with such a solution, when the system’s class keys need to be updated, resistant device is the calculation of Kj ¼ hi ðRi;j þ Ki Þ in all devices containing these keys must be discarded, and step 2 of the Decrypting Key Derivation phase. A rough new devices need to be issued. Our approach to key estimate [7] shows that a 160-bit prime p (the order of Q on management avoids these disadvantages. EðIFq Þ) should give us enough security (against the best In the future, we hope to analyze our system from the ECDLP attack) in this situation. In this case, to derive the point of view of provable security. This would require a class key Kj of class Ci 0 Ci from Ki , the device needs to more formal description of our system than what we have perform at most 160 elliptic-curve doublings and 81 elliptic- given here. We also plan to implement our scheme and do curve additions when the method based on repeated experiments on smart cards. doubling and adding is used. This amounts to 241 elliptic additions. Ignoring the negligible field addition in IFq , each APPENDIX elliptic-curve addition requires one field inversion and COMPARISON OF THREE SCHEMES two field multiplications. If we choose q to be a 160-bit We compare the three time-bound hierarchical key manage- number and regard the time to perform a field inversion as ment schemes in Table 1. that of three field multiplications, the class key derivation process needs roughly 241 Â 5 Â 1602 % 225 bit operations. ACKNOWLEDGMENTS Even a smart card can do this in a few seconds [8]. Our The authors would like to thank the anonymous reviewers scheme is, in fact, slower than Chien’s scheme, in which for their helpful comments, Abhilasha Bhargav-Spantzel only hash computations are widely used. However, it is still for the suggestions about the TPM technology, and the very efficient from the point of view of application and Center for Education and Research in Information provides enhanced security. Assurance and Security, Purdue University for support. We include in the Appendix a table comparing the three The work reported in this paper was partially supported by time-bound hierarchical key management schemes. the US National Science Foundation under Grant 0430274.
- 6. 70 IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 5, NO. 2, APRIL-JUNE 2008 REFERENCES Ning Shang is currently working toward the PhD degree in the Department of Mathematics, the [1] Advanced Encryption Standard, http://csrc.nist.gov/ Department of Electrical and Computer Engi- CryptoToolkit/aes/, 2007. neering, and the Center for Education and [2] R. Anderson and M. Kuhn, “Low-Cost Attacks on Tamper- Research in Information Assurance and Security Resistant Devices,” Proc. Fifth Int’l Workshop Security Protocols (CERIAS), Purdue University. His research (IWSP ’97), pp. 125-136, 1997. interests include computational number theory, [3] E. Bertino, C. Bettini, E. Ferrari, and P. Samarati, “An Access elliptic and hyperelliptic cryptography, and im- Control Model Supporting Periodicity Constraints and Tem- plementation of cryptographic schemes. He is a poral Reasoning,” ACM Trans. Database Systems, vol. 23, no. 3, member of the AMS and the SIAM. pp. 231-285, Sept. 1998. [4] E. Bertino, B. Carminati, and E. Ferrari, “A Temporal Key Samuel S. Wagstaff Jr. received the BS degree Management Scheme for Secure Broadcasting of XML Docu- in mathematics from Massachusetts Institute of ments,” Proc. Ninth ACM Conf. Computer and Comm. Security Technology, Cambridge, and the PhD degree in (CCS ’02), pp. 31-40, Nov. 2002. mathematics from Cornell University, Ithaca, [5] H.-Y. Chien, “Efficient Time-Bound Hierarchical Key Assignment New York. He is a professor of computer science Scheme,” IEEE Trans. Knowledge and Data Eng., vol. 16, no. 10, in the Department of Computer Sciences, Purdue pp. 1302-1304, Oct. 2004. University, West Lafayette, Indiana. He is also [6] FIPS Publication 198, The Keyed-Hash Message Authentication Code with the Center for Education and Research in (HMAC), http://csrc.nist.gov/publications/fips/fips198/ Information Assurance and Security (CERIAS). fips-198a.pdf, 2008. Before coming to Purdue, he taught at the [7] A. Jurisic and A.J. Menezes, “Elliptic Curves and Cryptography,” University of Rochester, Rochester, New York, the University of Illinois, Dr. Dobb’s J., pp. 23-36, Apr. 1997. Urbana, and the University of Georgia, Athens. From 1971 to 1972, he [8] http://www.raaktechnologies.com/download/raak-c7-standard. was with the Institute for Advanced Study, Princeton, New Jersey. He is pdf, Web article, 2007. the leader of the Cunningham Project, which factors numbers of the form [9] E.R. Sparks, “A Security Assessment of Trusted Platform bn Æ 1. His research interests include primality testing, integer factoriza- Modules,” computer science technical report, http:// tion, cryptography, secure patch distribution, and watermarking. He has www.ists.dartmouth.edu/library/341.pdf, 2007. supervised five PhD theses and published five books and more than [10] Trusted Platform Module, https://www.trustedcomputinggroup. 60 research papers. He is a coinventor (with R. Baillie) of an algorithm org/groups/tpm/, 2007. that was published in 1980 and was selected as the ANSI Standard X9-80 [11] W.G. Tzeng, “A Time-Bound Cryptographic Key Assignment for choosing industrial-grade primes for use in cryptography. It is used Scheme for Access Control in a Hierarchy,” IEEE Trans. worldwide as part of the secure-socket layer. He is a member of the AMS, Knowledge and Data Eng., Proc. Sixth ACM Symp. Access Control the MAA, and the UPE. Models and Technologies (SACMAT ’01), vol. 14, no. 1, pp. 182- 188, Jan./Feb. 2002. [12] X. Yi, “Security of Chien’s Efficient Time-Bound Hierarchical Key Assignment Scheme,” IEEE Trans. Knowledge and Data Eng., . For more information on this or any other computing topic, vol. 17, no. 9, pp. 1298-1299, Sept. 2005. please visit our Digital Library at www.computer.org/publications/dlib. [13] X. Yi and Y. Ye, “Security of Tzeng’s Time-Bound Key Assignment Scheme for Access Control in a Hierarchy,” IEEE Trans. Knowledge and Data Eng., vol. 15, no. 4, pp. 1054-1055, July/Aug. 2003. [14] L.C. Washington, Elliptic Curves, Number Theory and Cryptography. Chapman Hall/CRC, 2003. Elisa Bertino is a professor of computer science in the Department of Computer Sciences, Purdue University and the Research Director of the Center for Education and Research in Information Assurance and Security (CERIAS). Previously, she was a faculty member in the Department of Computer Science and Commu- nication, University of Milan, where she directed the DB and SEC Laboratory. She was a visiting researcher at the IBM Research Laboratory (now Almaden), San Jose, at the Microelectronics and Computer Technology Corporation, at Rutgers University, and at Telcordia Technologies. From 2001 to 2007, she was a coeditor in chief of the Very Large Database Systems (VLDB) Journal. She serves also on the editorial boards of several scientific journals, including the IEEE Internet Computing, IEEE Security and Privacy, ACM Transactions on Information and System Security, and ACM Transactions on Web. Her main research interests include security, privacy, digital identity management systems, database systems, distributed systems, multimedia systems. She has published more than 250 papers in all major refereed journals and in the proceedings of international conferences and symposia. She is a coauthor of Object-Oriented Database Systems: Concepts and Archi- tectures (Addison-Wesley, 1993), Indexing Techniques for Advanced Database Systems (Kluwer Academic Publishers, 1997), Intelligent Database Systems (Addison-Wesley, 2001), and Security for Web Services and Service Oriented Architectures (Springer, Fall 2007). She is a fellow of the IEEE and the ACM and a Golden Core member of the IEEE Computer Society. She received the 2002 IEEE Computer Society Technical Achievement Award for her “outstanding contributions to database systems and database security and advanced data manage- ment systems” and the 2005 IEEE Computer Society Tsutomu Kanai Award for “pioneering and innovative research contributions to secure distributed systems.”