An Efficient Solution for Hierarchical Access Control Problem in Cloud Environment

The time-bound hierarchical key assignment scheme provides a cryptographic solution for the access control problem in distributed systems (e.g., Pay-TV and cloud computing applications). Most time-bound hierarchical key assignment schemes can be divided into two types: those adopting tamper-resistant devices and those utilizing public values. Although adopting tamper-resistant devices can easily resist collusion attacks, utilizing public values is much cheaper and more suitable for the cloud environment. In this paper, we propose a new time-bound hierarchical key assignment scheme, which can effectively defeat the collusion attack. Besides, the proposed scheme utilizes public values instead of tamper-resistant devices, which would restrict users' convenience. Compared with the previous works, our scheme requires fewer public values and has better performance.


Introduction
The access control problem refers to controlling who can access the resources in a system. Members of an organization are divided into several classes, and each class has different limitations on these resources. For example, in a computer system, an administrator has the right to access all files, including sensitive files, but a normal user can only access some common files. Nowadays the access control problem is widespread, especially in distributed environments.
A hierarchical key assignment scheme can provide a cryptographic solution ([1][2][3][4][5]) for the access control problem. In a hierarchical key assignment scheme, resources are encrypted with encrypting keys. Only a user who holds the corresponding encrypting key can access the resources. In addition, the classes form hierarchical relations among themselves. If two classes are related, a user in the higher class can also access the resources of the lower class, but not vice versa. This relation is called a partial-order hierarchy. In the previous example, suppose that the administrator belongs to the manager class and normal users belong to the user class. Obviously, these two classes form a hierarchical relation in which the manager class has higher rights than the user class. The members of the manager class can access the resources of the user class, but normal users cannot access the resources of the manager class. However, in some applications such as Pay-TV systems, a user may subscribe to news and sports channels for a week or a month. When the time expires, the user cannot access the channels anymore. Hence, the key assignment scheme needs to consider not only the partial-order hierarchy but also the key update problem when a user leaves a class.
The time-bound hierarchical key assignment protocol was proposed for the above problem. In a time-bound hierarchical key assignment system, the encrypting key of a class changes as time goes by. According to the user's subscription, the vendor generates key information that can be used to compute the encrypting key and assigns it to the user. The key information only works during the user's subscription. On the other hand, the user cannot derive the encrypting key outside the duration of his subscription. Since the encrypting key has the time-bound property, we do not need to consider the key update problem when a user leaves a class. Continuing the previous example, suppose that a user subscribes to the news channels in the first time slot and then changes his subscription to the sports channels in the fifth time slot. The key information can be used to compute the encrypting key of the news channels only between the first and fifth time slots. Afterwards, this key information can only be used to compute the encrypting key of the sports channels.
Time-bound key assignment protocols can be divided into two types: one is based on tamper-resistant devices ([6,7]) and the other is based on public values. Tamper-resistant devices can protect secret information and prevent the secrets from being revealed. If the encrypting key is stored in the device, it is hard for the user to reveal the encrypting key to other users. Although tamper-resistant devices can defeat collusion attacks, applying them requires higher costs and is not suitable for cloud networks. For this reason, some works ([8][9][10][11]) apply public values instead of tamper-resistant devices. Users can download the public values and derive the encrypting key from their key information and these values.
In this paper, we propose a time-bound hierarchical key assignment scheme based on a bilinear pairing function. Due to the time-bound property, a user can subscribe to some classes for a certain period of time. Besides, our scheme utilizes public values instead of tamper-resistant devices. Utilizing public values is more suitable for cloud computing, since cloud computing emphasizes that users can access resources anywhere through the Internet. If a cloud service requires tamper-resistant devices, this restricts users' convenience. On the other hand, the public values can be downloaded anywhere from the cloud, and a user can use them to derive the encrypting key anywhere. Moreover, the number of public values in our scheme is independent of the length of the system lifetime or the number of classes. Compared to previous works, the proposed scheme requires fewer public values and imposes no special requirement on the construction of the partial-order hierarchy.
The rest of the paper is organized as follows. In Sections 2 and 3, we introduce previous works and present the necessary preliminaries. The proposed scheme is described in Section 4. Then we provide the performance and security analysis of the proposed scheme in Section 5. Finally, we summarize our results.

Related Work
With the rapid growth of network technology, security issues have been a matter of concern in various network environments ([12][13][14][15][16][17]) such as wireless sensor networks, social networks, and the Internet of things. In this paper, we put emphasis on access control problems in the cloud environment.
In 1983, Akl and Taylor [1] first studied the access control problem in a hierarchy and proposed a cryptographic solution for it. Since then, many researchers have studied this problem and proposed their own solutions ([2][3][4][5]). However, these schemes do not consider that a user may belong to some classes only for a certain period of time. To solve this problem, Tzeng [8] proposed a time-bound hierarchical key assignment scheme based on the Lucas function and the RSA problem in 2002. Afterwards, many researchers have concentrated on proposing time-bound key assignment schemes that either have better performance or can resist collusion attacks. These schemes can be divided into tamper-resistant-device-based and public-value-based schemes. Among the tamper-resistant-device-based schemes, Chien [6] presented his time-bound protocol in 2004, and his scheme is insecure against collusion attacks [18,19]. Then Bertino et al. [7] also proposed an efficient time-bound hierarchical key management scheme based on elliptic curves. However, Sun et al. [20] showed that Bertino et al.'s scheme [7] is insecure against collusion attacks and provided an improved scheme. Among the public-value-based schemes, Yeh [11] proposed a public-value-based protocol in 2005. In 2006, Ateniese et al. [9] not only showed that Yeh's scheme is vulnerable to collusion attacks, but also introduced two different constructions of time-bound key assignment schemes in a hierarchy. Additionally, they also proved that these schemes are practical and provably secure. Furthermore, de Santis et al. [10] showed how to construct a provably secure time-bound hierarchical key assignment protocol and compared their protocol with other previous works.

Preliminaries
In this section, we introduce some preliminaries about the proposed scheme, before describing our protocol.

The Proposed Scheme
The details of the proposed scheme are introduced in this section. The proposed scheme consists of three phases: initialization, user subscription, and encrypting key derivation.
Each phase is described in the following. Then, we use a concrete example to explain our scheme. Finally, the notation is shown in the notation section.

Initialization.
In this phase, we suppose that the vendor has already constructed a partial-order hierarchy. The system parameters are initialized in the following steps.
(1) The vendor chooses an elliptic curve  over a finite field   and then selects a generating point  ∈ (  ), where the order of  is .
(2) Afterwards, the vendor constructs a bilinear map ê :
(3) Suppose that the maximum duration of each subscription for a user is  and the system lifetime is , where  < .
(5) Finally, the public system parameters are {,  1 ,  2 , , ê, } and the vendor keeps {, ,   , ℎ  } in secret. Besides, the encrypting key is computed by
When completing these steps, the vendor publishes  , and  , on an authenticated board. These public values can be downloaded through the Internet and used to compute the encrypting key.

User Subscription.
In this phase, the system generates the key information for a user according to his subscription request. Then this key information is issued to the user through a secure channel. If a user subscribes to class   from  1 to  2 , the key information  , 1 , 2 can be computed by Afterwards, the user uses  ,

Encrypting Key Derivation.
In this phase, we show how a user derives an encrypting key. This phase can be divided into two cases: the class which is not dominated by any other class and the class which is dominated by some other classes.
Case 1. Suppose that a user subscribes to class   which is not dominated by other classes. The user can use  , 1 , 2 and  , to compute  , , where  ∈ [ 1 ,  2 ] and  1 +  =  =  2 − . The encrypting key for the class   at  can be computed as follows:
Case 2. Suppose that the user subscribes to   and   is dominated by   (  ≺   ). In order to derive the encrypting key for   , the user first computes  =  , 1 , 2 ×  , . Then, the encrypting key for   can be computed as follows:
Now, we show the correctness of the equations in both cases. The temporal encrypting key for class   in time slot  is  , =      − , where
The following is the correctness of Case 1: = ê(, )      − . (
The correctness of Case 2 is shown as follows: (4)

Analysis
In this section, we not only analyze the security and performance of the proposed scheme but also discuss applications of the time-bound key assignment scheme in a hierarchy. Compared with previous works, users do not need large storage capacity or many decryption operations, and our scheme sends fewer broadcast messages over the network.

Security against Possible Attacks.
In the following, the security analysis will be divided into two parts: the security of the key information and the security of the encrypting key. For convenience, we first define two mathematical assumptions as follows.

Security of Key Information.
Now, we consider two types of attackers: outside and inside attackers.

Lemma 1. Under the computational Diffie-Hellman (CDH) assumption, any outside attacker 𝐴 cannot compute the key information of some classes in the proposed scheme even if 𝐴 has obtained all public information  , = ℎ    and  , =     .
Proof. Without loss of generality, we assume that  wants to compute the key information  , 1 , 2 =     1  − 2  of class   from  1 to  2 . Since   and ℎ  are secret values held by the vendor,  cannot obtain the individual values   and ℎ  from  , . Meanwhile, attacker  cannot obtain the values   and   under the CDH assumption. Hence, it is infeasible for any outside attacker to compute the key information of any class in the proposed scheme.

Lemma 2. In the proposed scheme, inside attackers (malicious subscribers) cannot compute unauthorized key information of any class.
Proof. Without loss of generality, we consider the following two cases to prove this lemma.
Case I. We assume that a subscriber  in class   from  1 to  2 tries to compute unauthorized key information  ,

Lemma 3. In the proposed scheme, inside attackers (malicious subscribers) cannot collude to compute unauthorized key information of any class.
Proof. Without loss of generality, we consider the following two cases to prove this lemma.

Theorem 4. Under the discrete logarithm and the computational Diffie-Hellman assumptions, no attacker (inside or outside) can compute the unauthorized key information of some class   in the proposed scheme.
Theorem 5. Under the discrete logarithm and the computational Diffie-Hellman assumptions, no attacker (inside or outside) can compute the unauthorized temporal encryption key to access some class   in the proposed scheme.

Performance Evaluation.
The performance of our scheme is evaluated in terms of storage requirements and computation costs. The storage requirements consist of three parts: private parameters, public values, and key information. The public values, including  , ,  , , and {, ,  1 ,  2 , ê, }, are published on an authenticated board. Since {, ,  1 ,  2 , ê, } does not affect the storage complexity, we only discuss  , and  , . All users can download and store these public values. Then, a user can use his key information and these public values to compute the encrypting key for accessing the resources. The private parameters are the security parameters of the proposed scheme and are kept secret on the server. The vendor uses these private parameters to generate all key information and encrypting keys. The private parameters include   , , and . Finally, the key information is generated according to a user's subscription. Table 1 shows the comparison of storage requirements between our scheme and previous works. In the table, || denotes the system lifetime and | T| the maximum duration of each subscription for a user. We also denote the numbers of edges and classes in  by || and ||.
In the proposed scheme, the vendor randomly selects a secret value   for each class in the partial-order hierarchy, where   is used to generate   and  , 1 , 2 . Therefore, the space complexity of the private parameters on the server side is (||). Now, we consider the space complexity of the public values on the client side. The public values in our scheme are  , and  , . Since the maximum duration of each subscription for a user is | T|, the number of  , is equal to (| T|(| T| + 3))/2 and the number of  , is ||. Consequently, the space complexity of the public values is (| T| 2 + ||). In fact, the storage requirements of our protocol are independent of ||. If the storage requirements were related to ||, the space complexity would rise dramatically when || is very large. Compared to other schemes (as shown in Table 1), our scheme has better space complexity, and that complexity is independent of ||. Although the number of public values in Bertino et al.'s scheme [7] is smaller than in ours, Bertino et al.'s protocol requires tamper-resistant devices, which incur extra costs in the deployment phase and are not suitable for cloud computing.
The amount of key information in our scheme depends on the partial-order hierarchy and the number of classes a user subscribes to. After a user registers with the system, the server issues some key information to the user. Unlike some works ([9,21]) which require that a user belong to only one class, our scheme allows a user to subscribe to many classes. The worst case is that every class is unrelated to the other classes. In this case, the space complexity of the key information for a user is (||). However, in general, the number of key information items for a user is a constant.
We use a concrete example to show the space requirements of the proposed scheme. First, we suppose that each time slot is one day. Then, we set the system lifetime to 10 years ( = 1 × 365 × 10 = 3650) and the maximum duration of each subscription for a user to one month ( = 1 × 30 = 30). Finally, we assume that there are 250 channels in the system. To put it simply, we set || and || both equal to 300 in the partial-order hierarchy. According to the previous analysis, the space requirements for the public values are determined by the numbers of  , and  , . Since the number of  , is equal to 495 and the number of  , is 300, the space requirement for the public values is (495 + 300) × 160 bits ≅ 16 KB. The space requirement for the private parameters depends on the number of   . Hence the space requirement for the private parameters is 300 × 160 bits ≅ 6 KB. Finally, the size of each key information item is 160 bits. Now, we consider the computation cost of encrypting key derivation. In our scheme, a user computes at most two pairing operations when he derives the encrypting key. In [22], the results show that the computation cost of a pairing operation on a smartphone (HTC Desire HD A9191, Android 2.2) is affordable. Therefore, it is feasible to execute our scheme on low-power devices such as phones and set-top boxes.

Application.
Cloud computing means that applications migrate from local PCs to the Internet, and it is sometimes referred to as Software as a Service (SaaS) [23,24]. Users obtain computing and storage capacity through the Internet, and they pay for network traffic or CPU time instead of paying for software. When a cloud is made available only to specific members of an organization, it is called a private cloud, and only authorized users can access it. For example, enterprises usually construct private data storage services for their employees.
Since security threats can influence the development of cloud computing, many security issues are discussed [25], especially the access control problem. In this section, we introduce two examples, data storage service and video-on-demand (VoD) service, and explain the access control problem in both. The first application, cloud storage service, allows users to store their files on remote servers and share them with other users. Obviously, enterprises can gain great benefits from cloud storage services. However, enterprises usually construct their own private cloud services instead of using public cloud services because of privacy and security considerations. In an enterprise or a government, data are usually classified into several classes, for example,  1 to  4 , and members are also categorized into these classes. Assume that  1 ≺  2 ≺  3 ≺  4 , where  1 ≺  2 means that a user who belongs to  2 can access the data in  1 and  2 . In this case, a user who belongs to  1 cannot access the data in  2 ,  3 , and  4 . Therefore, we can apply a key assignment scheme to solve the access control problem. A key assignment scheme distributes encrypting keys to each member according to their access rights in the organization. Unfortunately, a user may only subscribe to some classes for a certain period of time. Traditional key assignment protocols cannot satisfy the time-bound requirement, but the proposed scheme solves this problem easily. Besides, utilizing public values is more suitable for cloud computing than adopting tamper-resistant devices. Cloud computing claims that users can access resources anywhere without any limitations, but adopting tamper-resistant devices in cloud services would restrict users' convenience. We use an example to explain how the proposed scheme enhances the cloud service. For example, an employee may act as the agent of his manager when the manager takes a vacation. Suppose that the manager belongs to  3 and the employee belongs to  1 . In addition, we assume that the manager is on vacation from  5 to  8 . Hence, the manager only needs to escalate the privilege of his agent to  3 while he is on vacation ( 5 to  8 ), and our time-bound protocol easily achieves this requirement. The manager just gives the agent the key information  3, 5 , 8 . This means that the agent can only access the data belonging to  3 from  5 to  8 . On the other hand, the agent cannot derive the encrypting key of  3 outside that specific period of time ( 5 to  8 ).
The second application is the video-on-demand (VoD) system. Recently, many researchers have discussed how to utilize cloud services to support large-scale Internet-based applications such as video-on-demand (VoD) [26,27]. In VoD systems, users can watch video content on demand. Video content can be either streamed or downloaded through a set-top box, a computer, or a mobile device. Users can subscribe to the content that they like and access it during the subscription. Video content is always encrypted in VoD systems, and users must use their encrypting keys to access the content. In addition, a user usually subscribes to a program only for a limited period such as a week or a month. Beyond the duration of the subscription, users are not allowed to access the content. The proposed time-bound protocol can be easily deployed in VoD systems to manage users' subscriptions. In the initial phase, the vendor organizes all content into several classes and constructs a partial-order hierarchy. For every class, the encrypting key used to protect the content changes as time goes by. A user of the system obtains some key information according to his subscription. Finally, the user can compute the correct encrypting key from his key information and the public values to access the encrypted content.

Conclusion
We have presented a time-bound key assignment scheme for a partial-order hierarchy. Since our scheme has the time-bound property, the vendor can offer great flexibility in user subscriptions. Each user can only use his key information to compute the corresponding encrypting key during his subscription. Therefore our scheme can easily solve the key update problem without higher costs. In addition, our scheme applies public values instead of tamper-resistant devices, which is more suitable for cloud computing. Unlike previous schemes, the number of public values or key information items does not depend on the length of the system lifetime. As a result, our scheme has lower space complexity and acceptable performance compared with previous works. Moreover, we also show that our scheme can defeat collusion attacks.

Notation
𝐸: The elliptic curve that the vendor selects
ê: A bilinear mapping function, where ê :

Figure 1: An example for the proposed scheme.
Partial-Order Hierarchy.
In a partial-order hierarchy, a class   represents a collection of some resources. Besides, there exists a binary relation "≺" which partially orders these classes. For any two classes   and   , "  ≺   " means that   dominates   and the security level of   is higher than that of   . In other words, the users of   can access the resources in   but not vice versa. For example, assume that  1 ≺  3 ≺  4 and  2 is an independent class. If a user belongs to  4 , this means that the user can access all of the resources in  1 ,  3 , and  4 , but he does not have the access right of  2 . In other words, the user only holds the encrypting keys for  1 ,  3 , and  4 . Moreover, we usually use a directed acyclic graph  = (, ) to represent a partial-order hierarchy, where  denotes the set of classes and  denotes the set of partial-order relations.
Time-Bound Property.
A key assignment system with the time-bound property means that the encrypting keys in a class are different as time goes by. The user can only derive the encrypting keys that are within the duration of his subscription. Assume that a user belongs to   from  1 to  2 and   ≺   . The user can just derive the encrypting keys   and   at  if and only if  1 <  <  2 . Nevertheless, he cannot derive the encrypting key at  3 when  3 ∉ [ 1 ,  2 ].
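To make the dominance relation and the time-bound rule above concrete, here is an added Python model (constructed for this page, not code from the paper): the partial-order hierarchy as a directed acyclic graph with dominance computed by transitive closure, the subscription check of the time-bound property, and the public-value count from the Performance Evaluation section. It assumes the inclusive slot range t1 ≤ t ≤ t2 used in the key derivation phase and 160-bit public values, and reuses the class names and numbers of the paper's own examples.

```python
"""Constructed model of the paper's partial-order hierarchy and time-bound rule.

Not code from the paper: the classes form a DAG G = (V, E) where an edge
(Ci, Cj) encodes Ci ≺ Cj (Cj dominates Ci). A subscription (Cj, t1, t2) lets
its holder derive the encrypting key of Cj, and of every class Cj dominates,
for exactly the time slots t with t1 <= t <= t2 (the inclusive range used in
the key derivation phase). Class names and numbers follow the paper's examples.
"""


class Hierarchy:
    def __init__(self, classes, edges):
        self.classes = set(classes)
        # dominated[c]: every class reachable downward from c, c itself included
        self.dominated = {c: {c} for c in self.classes}
        for low, high in edges:
            if low not in self.classes or high not in self.classes:
                raise ValueError(f"edge ({low}, {high}) names an unknown class")
            self.dominated[high].add(low)
        # Transitive closure: absorb what the dominated classes dominate until stable
        changed = True
        while changed:
            changed = False
            for c in self.classes:
                closure = set().union(*(self.dominated[d] for d in self.dominated[c]))
                if closure != self.dominated[c]:
                    self.dominated[c] = closure
                    changed = True
        # A partial order is acyclic: two distinct classes must not dominate each other
        for c in self.classes:
            for d in self.dominated[c]:
                if d != c and c in self.dominated[d]:
                    raise ValueError(f"cycle between {c} and {d}: not a partial order")

    def dominates(self, high, low):
        """True if high == low or low ≺ ... ≺ high holds in the hierarchy."""
        return low in self.dominated[high]


def can_derive(hierarchy, subscriptions, target, t):
    """Can a holder of subscriptions [(class, t1, t2), ...] derive K_{target, t}?"""
    return any(
        t1 <= t <= t2 and hierarchy.dominates(cls, target)
        for cls, t1, t2 in subscriptions
    )


def public_value_count(max_duration, num_classes):
    """Public values on the board: |T|(|T|+3)/2 time values plus |V| class values."""
    return max_duration * (max_duration + 3) // 2 + num_classes


def public_value_bytes(max_duration, num_classes, bits_per_value=160):
    """Download size of the public values, assuming 160-bit values as in the paper."""
    return public_value_count(max_duration, num_classes) * bits_per_value // 8


if __name__ == "__main__":
    # Preliminaries example: C1 ≺ C3 ≺ C4 with C2 independent; a C4 user reaches C1, C3, not C2
    h = Hierarchy(["C1", "C2", "C3", "C4"], [("C1", "C3"), ("C3", "C4")])
    print([c for c in sorted(h.classes) if h.dominates("C4", c)])  # ['C1', 'C3', 'C4']
    # Application example: chain C1 ≺ C2 ≺ C3 ≺ C4, the agent holds K_{3,t5,t8}
    chain = Hierarchy(["C1", "C2", "C3", "C4"], [("C1", "C2"), ("C2", "C3"), ("C3", "C4")])
    agent = [("C3", 5, 8)]
    for cls, t in [("C3", 6), ("C1", 8), ("C4", 6), ("C3", 9)]:
        print(cls, t, can_derive(chain, agent, cls, t))  # True, True, False, False
    # Storage example: |T| = 30 slots, |V| = 300 classes -> 795 values, 15900 bytes
    print(public_value_count(30, 300), public_value_bytes(30, 300))
```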
1 , 2 of class   for some index  and   ⊀   . If  wants to compute  , 1 , 2 , he must find a value   =   ℎ  such that   ⋅  , 1 , 2 = (  ⋅ ℎ  ) ⋅     1  − 2  =  , 1 , 2 . Since   and ℎ  are secret values held by the vendor,  cannot compute the value   =   ℎ  . Thus, it is infeasible to compute unauthorized key information  , 1 , 2 from  , 1 , 2 for the case   ⊀   .
Case II. We assume that a subscriber  in class   from  1 to  2 tries to compute unauthorized key information  , 1 , 2 of class   , where   ≺   . In a similar way to Case I,  must find a value   such that   ⋅  , 1 , 2 =  , 1 , 2 . Although  owns the value  , = ℎ    , he still cannot compute   =   ℎ  for the same reason as in Case I. Thus, it is infeasible to compute  , 1 , 2 from  , 1 , 2 for the case   ≺   .
1 , 2 in class   from  1 to  2 , where  subscribes to   from  1 to  2 and  subscribes to   from  1 to  2 with   ≺   ,   ≺   , and   ⊀   . As mentioned in Lemma 2, the two malicious subscribers must find a value   =   ℎ  such that   ⋅  , 1 , 2 =  , 1 , 2 or a value   =   ℎ  such that   ⋅ , 1 , 2 =  , 1 , 2 . Even if they have  , = ℎ    and  , = ℎ    , they still cannot compute   and   . Since   and ℎ  are secret values held by the vendor, they cannot obtain the individual values   and ℎ  . Thus, it is infeasible to compute  , 1 , 2 from  1 to  2 with   ≺   ,   ≺   , and   ⊀   .

Table 1: The space complexity.