
Chinese Remainder Theorem Based Hierarchical Access Control For Secure Group Communication

The document proposes a new scheme called CRTHACS (Chinese Remainder Theorem Based Hierarchical Access Control Scheme) for secure group communication with hierarchical access control. CRTHACS uses the Chinese Remainder Theorem to enable subgroups at different privilege levels to decrypt messages within descendant subgroups, while hiding the group hierarchy, receivers, and providing message authentication. The scheme assigns each subgroup independent keys and uses CRT to allow ancestors to derive descendant keys without revealing the hierarchy structure.

Uploaded by

Mansi Agarwal
Copyright
© Attribution Non-Commercial (BY-NC)

Chinese Remainder Theorem Based Hierarchical Access Control for Secure Group Communication

Xukai Zou¹, Byrav Ramamurthy¹, and Spyros S. Magliveras²


¹ University of Nebraska-Lincoln, Lincoln NE 68588, USA, [email protected], [email protected]
² Florida Atlantic University, Boca Raton, Florida 33431, USA, [email protected]

Abstract. Secure group communication with hierarchical access control refers to a scenario where a group of members is divided into a number of subgroups located at different privilege levels and a high-level subgroup can receive and decrypt messages within any of its descendant lower-level subgroups; but the converse is not allowed. In this paper, we propose a new scheme CRTHACS, which is based on the Chinese Remainder Theorem. The scheme not only enables secure hierarchical control but also provides the following properties: hiding of hierarchy and receivers, authentication of both senders and messages, and a mechanism for the receiver to directly derive the key of a message.

1 Introduction

Secure group communication (SGC) with hierarchical access control (HAC) refers to a scenario where a group of members is divided into a number of subgroups located at different privilege levels and a high-level subgroup can receive and decrypt messages within any of its descendant lower-level subgroups; but the converse is not allowed. HAC is generally enforced using cryptography based techniques [2], i.e., cryptographic keys play a primary role in the control of access rights. If the members in a higher level subgroup possess or can derive the key of a lower level subgroup, the members have the right to access the messages within the lower level subgroup.

Cryptography based techniques for SGC with HAC can be divided into two main types: dependent key schemes [1],[3],[6],[8], in which any subgroup key is directly derived from its parent's key, and thus indirectly from any of its ancestors' keys; and independent key schemes [5], in which all subgroup keys are independent but there are some precomputed parameters from which an ancestor can compute the keys of all its descendants.

In this paper we propose a new scheme which belongs to the second category, viz., an independent key scheme. The scheme is based on the Chinese Remainder Theorem (CRT) [10]. In the scheme, every subgroup can select and change its own key independently, which is an important security factor [5]. In addition, the scheme also provides the following properties: (1) hiding the hierarchy and receivers, (2) authentication of both senders and messages, and (3) a receiver can directly derive the key of the message sender regardless of how far down the hierarchy the sender is from the receiver. Hiding the hierarchy is a good feature in the sense that the less hierarchical information subgroups know, the more secure the system will be, and the easier it is to insert or delete a subgroup. Moreover, there is no overhead cost in storing the hierarchy information. Hiding receivers is useful in situations when outsiders (i.e., non-group members) are not allowed to know who the receivers are, when the sender is not allowed to know who the receivers are, or when it is difficult for a sender to know who the receivers are. We call the scheme Chinese Remainder Theorem Based Hierarchical Access Control Scheme (CRTHACS) and present the scheme in the next section.

2 Chinese Remainder Theorem Based Hierarchical Access Control Scheme for Secure Group Communication

2.1 CRTHACS Components and Initialization

There is a Group Controller (GC) in CRTHACS. The entire group is divided into subgroups and the subgroups are located at different nodes of a hierarchy (the most general case is a Directed Acyclic Graph, i.e. DAG [2]). Every subgroup has a subgroup controller which is responsible for managing all members in its subgroup and communicating with the GC. We do not consider here how subgroup controllers manage their subgroups; however, we remark that any group key management protocol such as the key tree scheme [7],[11] can be used. We denote subgroups by $G_1, G_2, \ldots, G_m$. For simplicity, we also use $G_1, G_2, \ldots, G_m$ to denote the subgroup controllers. We also denote the ancestors of $G_i$ by $G_{i_1}, \ldots, G_{i_k}$.

The GC has a pair of public and private keys $(P_{GC}, S_{GC})$ with $P_{GC}$ being made public. The GC performs the following tasks. It maintains the entire structure of the group; generates a random set of pairwise relatively prime numbers $N_0, N_1, N_2, \ldots, N_m$; publicizes $N_0$ and sends $N_i$ to $G_i$ securely, i.e., $N_i$ is encrypted by $G_i$'s public key $P_i$; computes $COM\_CRT_i$ (see equation (1)) using the CRT algorithm and sends $COM\_CRT_i$ back to $G_i$ securely.

Every subgroup $G_i$ is associated with the following six elements $(P_i, S_i, K_i, N_i, COM\_CRT_i, \overline{N}_i)$, where $P_i$, $S_i$ and $K_i$ are generated by subgroup controller $G_i$ whereas $N_i$, $COM\_CRT_i$ and $\overline{N}_i$ are generated by the GC. $P_i$ is the public key of $G_i$ and is made public. However, all other five elements are kept secret. $S_i$ is the private key of $G_i$ corresponding to $P_i$. $P_i$ and $S_i$ are used to encrypt and decrypt the other four elements. $K_i$ is the data key of $G_i$ and is used to encrypt data messages. $N_i$ is the positive integer received from the GC and will be used in CRT computation. $COM\_CRT_i$, a positive integer, is called a CRT key and is computed from $K_i$ using the CRT algorithm by the GC (see equation (1)). All ancestral subgroups of $G_i$ can use $COM\_CRT_i$ to compute key $K_i$ using the CRT algorithm too. $\overline{N}_i$ is also a positive integer (see equation (2)) and will be used in another type (i.e., data message) of CRT computation (see equation (3)).

Every participant $j$ has its own public key and private key $(p_j, s_j)$ and $p_j$ is made public. Participant $j$ in a subgroup $G_i$ also knows its subgroup's six elements, of which $j$ receives $P_i$, $S_i$, $K_i$ from $G_i$ and $N_i$, $COM\_CRT_i$, $\overline{N}_i$ from the GC.

The GC and subgroup controllers collaborate to compute the CRT keys as follows. Every subgroup $G_i$ selects its own subgroup data key $K_i$. After signing and encrypting the key,¹ $G_i$ sends $E_{P_{GC}}(E_{S_i}(K_i))$ to the GC, where $E$ is a public-key encryption algorithm or a signature algorithm.² The GC decrypts the key $K_i$, determines all the ancestors $G_{i_1}, G_{i_2}, \ldots, G_{i_k}$ of $G_i$ and figures out all the public keys $P_{i_j}$ and CRT numbers $N_{i_j}$ of these ancestors. Let these parameters be $P_{i_1}, P_{i_2}, \ldots, P_{i_k}$ and $N_{i_1}, N_{i_2}, \ldots, N_{i_k}$. The GC establishes the system of congruences (1) and then computes $COM\_CRT_i$ using the CRT algorithm.

$$
\begin{aligned}
COM\_CRT_i &\equiv E_{P_{i_1}}(K_i) \pmod{N_{i_1}} \\
COM\_CRT_i &\equiv E_{P_{i_2}}(K_i) \pmod{N_{i_2}} \\
&\;\;\vdots \\
COM\_CRT_i &\equiv E_{P_{i_k}}(K_i) \pmod{N_{i_k}}
\end{aligned}
\qquad (1)
$$

The GC also computes $\overline{N}_i$ (see equation (2)). Then the GC signs and encrypts $(N_i, COM\_CRT_i, \overline{N}_i)$, and sends the result (i.e., $E_{P_i}(E_{S_{GC}}(N_i, COM\_CRT_i, \overline{N}_i))$) to $G_i$. The subgroup controller $G_i$ and all participants in subgroup $G_i$ decrypt the result to get $N_i$, $COM\_CRT_i$ and $\overline{N}_i$.

$$\overline{N}_i = N_{i_1} N_{i_2} \cdots N_{i_k} \qquad (2)$$

Remarks: $COM\_CRT_i$ contains the information of $P_{i_j}$ and $N_{i_j}$ of all the ancestral subgroups of $G_i$. However, $G_i$ does not know who its ancestors are. Moreover, even though $\overline{N}_i$ contains the $N_j$ of its ancestral subgroups, $G_i$ cannot obtain these $N_j$ from $\overline{N}_i$ because of the difficulty of partitioning the product into the specific factors and in the specific order (this problem is NP-complete). As a result, the hierarchy is totally hidden.

2.2 Data Communication

Whenever a participant $j$ with identity $ID_j$ in $G_i$ sends a message $M$, it does the following:

(1) encrypts $M$ using $K_i$, i.e., $\{M\}_{K_i}$, where $\{x\}_k$ means encrypting $x$ with $k$ using some symmetric encryption function [10];
(2) computes a keyed MAC of $\{M\}_{K_i}$ under $K_i$, i.e. $MAC_{K_i}(\{M\}_{K_i})$, where the MAC could be any of the known Message Authentication Codes, such as MD5 [9];
(3) establishes the system of congruences:³

$$
\begin{aligned}
CRT_i &\equiv COM\_CRT_i \pmod{\overline{N}_i} \\
CRT_i &\equiv E_{s_j}(MAC_{K_i}(\{M\}_{K_i})) \pmod{N_0}
\end{aligned}
\qquad (3)
$$

(4) computes $CRT_i$ by the CRT algorithm. This $CRT_i$ contains all the information about its ancestral subgroup keys, the MAC, and the signature of the sender itself;
(5) broadcasts (or multicasts) the tuple $(ID_j, CRT_i, \{M\}_{K_i})$.
¹ In order to verify the signature, the verification information should be included in this message. We omit it for simplicity.
² For simplicity, when $E$ is used on a private key, the result represents a signature.
³ The second congruence includes the sender's signature in the CRT value.

When a receiver receives $(ID_j, CRT_i, \{M\}_{K_i})$, it does the following:

(1) computes $x = CRT_i \bmod N_0$;
(2) decrypts $x$ using $j$'s public key to get $MAC_{K_i}(\{M\}_{K_i}) = E^{-1}_{p_j}(x)$, where $E^{-1}$ stands for the decryption algorithm corresponding to $E$;
(3) if the receiver is in $G_i$, then it computes $MAC_{K_i}(\{M\}_{K_i})$ using its own $K_i$. If it is in any $G_{i_j}$ of $G_i$'s ancestor subgroups, it first computes $CRT_{i_j} = CRT_i \bmod N_{i_j}$ and decrypts $CRT_{i_j}$ to get $K_i = E^{-1}_{S_{i_j}}(CRT_{i_j})$, then computes $MAC_{K_i}(\{M\}_{K_i})$ under $K_i$. Otherwise, the receiver ignores the message;
(4) compares the above two MACs. If the two MACs are equal, then both the sender and the message are authenticated. The receiver decrypts the message using $K_i$. Otherwise, the message is not intended for this receiver or the message was modified during transmission. Therefore the receiver discards the message.

2.3 Dynamic Key Management

In SGC with HAC, there are two levels of dynamics: low level dynamics, by which we mean that a member may join/leave a subgroup, which is operated by subgroup controllers and is dependent on the subgroup key management protocol; and high level dynamics, which include the following operations: adding/inserting a new subgroup, removing an existing subgroup, merging two subgroups, splitting a subgroup and modifying an existing subgroup key, all of which are easily done in CRTHACS. For example, when a new subgroup $G_i$ is added into the hierarchy, the GC computes $G_i$'s $COM\_CRT_i$ by equation (1) and sends $COM\_CRT_i$, $\overline{N}_i$ and $N_i$ to $G_i$. If $G_i$ has descendant subgroups (i.e., $G_i$ is inserted into the hierarchy), the GC also needs to recompute the $COM\_CRT$ values for all descendant subgroups of $G_i$ so that these $COM\_CRT$ values include the information of $G_i$'s public key $P_i$ and the corresponding $N_i$. All other subgroups are not affected.

2.4 Security and Performance Analysis

The CRTHACS scheme is secure because of the independence of subgroup data keys and the difficulty of partitioning the product into the specific factors and in the specific order, along with the security of underlying cryptosystems. As for the performance of the CRTHACS scheme, there are three complexities to be considered: space, time, and communication complexity, by which we mean the size of key-related materials, including the CRT parameters, communicated between the GC and the subgroups (subgroup controllers and participants) or between subgroup controllers and subgroup members. There are three classes of entities: Group Controller (GC), Subgroup Controllers ($G_i$) and participants ($p_j$). The complexities are summarized in the following table.
       Space      Time                                   Communication
GC     O(mHL)     O(mM(HL)log(H)) + O(mHM(L)log(L))      O(HL) (GC and G_i/p_j)
G_i    O(HL)      Independent of m and H
p_j    O(HL)      O(M(2L)) + O(2M(L)log(L))

Note: H: the maximum number of ancestors a subgroup may have; L: the length of a large integer in bits; m: the number of subgroups; M (n): the time to multiply two n-bit integers in bit operations; O(n) is measured in bits, not in bytes.

Space: counts the space for representing $P_i$, $S_i$, $K_i$, $N_i$, $COM\_CRT_i$ and $\overline{N}_i$, which require large integers, possibly 1024-bit numbers, but ignores the space for representing the access control structure or membership, which need small integers.
Time: counts the complexity of the CRT algorithm, i.e., O(M(kL)log(k)) + O(kM(L)log(L)) [4],[10], where k is the number of moduli, but ignores the time consumed on key generation, encryption and decryption, which will depend on the special algorithms selected.
Communication: the key materials between subgroup controllers and subgroup members depend on the subgroup key management protocol selected and are ignored here.
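The key setup of Section 2.1 and the send/receive steps of Section 2.2 can be traced end to end in a few lines. This is an added example, not code from the paper: textbook RSA stands in for $E$, a SHAKE-256 XOR stream for the symmetric cipher, a truncated HMAC-SHA256 for the MAC, and all function names and the small Mersenne-prime parameters are constructed for illustration.

```python
import hashlib, hmac
from math import prod

def crt(residues, moduli):
    """Return x with x ≡ r (mod n) for each pair; moduli must be pairwise coprime."""
    n = prod(moduli)
    return sum(r * (n // m) * pow(n // m, -1, m) for r, m in zip(residues, moduli)) % n

def keypair(p, q, e=65537):
    """Toy textbook RSA standing in for E (assumption). Returns (public, private)."""
    return (e, p * q), (pow(e, -1, (p - 1) * (q - 1)), p * q)

def E(key, x):  # E_key(x): public key encrypts/verifies, private key decrypts/signs
    return pow(x, key[0], key[1])

def sym(k, data):
    """{x}_k as a toy XOR stream cipher (assumption); the same call decrypts."""
    ks = hashlib.shake_256(k.to_bytes(16, "big")).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def mac(k, ct):
    """MAC_k(ct): HMAC-SHA256 cut to 32 bits so it fits under the toy RSA moduli."""
    return int.from_bytes(hmac.new(k.to_bytes(16, "big"), ct, hashlib.sha256).digest()[:4], "big")

def gc_compute(K_i, ancestors):
    """GC, equations (1) and (2): ancestors is [(P, N), ...]. Returns (COM_CRT_i, Nbar_i)."""
    moduli = [N for _, N in ancestors]
    return crt([E(P, K_i) for P, _ in ancestors], moduli), prod(moduli)

def send(ID_j, s_j, K_i, com_crt, nbar, N0, M):
    """Sender in G_i, equation (3): needs only its own subgroup's secrets."""
    ct = sym(K_i, M)
    return ID_j, crt([com_crt, E(s_j, mac(K_i, ct))], [nbar, N0]), ct

def receive(msg, p_j, N0, S, N):
    """Receiver holding (S, N): derive K_i, compare MACs, return plaintext or None."""
    _, crt_i, ct = msg
    K = E(S, crt_i % N)                      # equals K_i only for an ancestor of G_i
    return sym(K, ct) if mac(K, ct) == E(p_j, crt_i % N0) else None

# Constructed toy parameters (small Mersenne primes, reused across keys): not secure.
N0, N1, N2, N3 = 2**61 - 1, 2**89 - 1, 2**107 - 1, 2**127 - 1
P1, S1 = keypair(2**13 - 1, 2**17 - 1)      # ancestor G_{i_1}
P2, S2 = keypair(2**13 - 1, 2**19 - 1)      # ancestor G_{i_2}
P3, S3 = keypair(2**13 - 1, 2**31 - 1)      # subgroup that is not an ancestor
p_j, s_j = keypair(2**17 - 1, 2**19 - 1)    # sender j
K_i = 123456789
COM_CRT, NBAR = gc_compute(K_i, [(P1, N1), (P2, N2)])
MSG = send("j", s_j, K_i, COM_CRT, NBAR, N0, b"quarterly key rotation at 02:00")
```

Key recovery by an ancestor relies on each residue being smaller than the modulus it is reduced by, i.e. $E_{P_{i_j}}(K_i) < N_{i_j}$ and the sender's signature being below $N_0$, which the toy parameters guarantee.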

3 Conclusion

In this paper, we have proposed a new scheme for group communication with hierarchical access control. The scheme has highly desirable properties including scalability, the ability to deal with the dynamical problems related to insertion and deletion of subgroups, and the property of hiding the hierarchy and receivers.

Acknowledgments
We thank Dr. G. Noubir and Dr. J.C. Birget for useful discussions on this work.

References
1. S. G. Akl and P. D. Taylor. Cryptographic solution to a problem of access control in a hierarchy. ACM Transactions on Computer Systems, 1(3):239–247, 1983.
2. J.-C. Birget, X. Zou, G. Noubir, and B. Ramamurthy. Hierarchy-based access control in distributed environments. To appear in the Proceedings of the ICC2001 Conference, June 11-14, 2001.
3. G. C. Chick and S. E. Tavares. Flexible access control with master keys. Advances in Cryptology: CRYPTO '89, LNCS, 435:316–322, 1990.
4. G. H. Chiou and W. T. Chen. Secure broadcasting using the secure lock. IEEE Transactions on Software Engineering, 15(8):929–934, 1989.
5. C. H. Lin. Dynamic key management schemes for access control in a hierarchy. Computer Communications, 20:1381–1385, 1997.
6. S. T. Mackinnon, P. D. Taylor, H. Meijer, and S. G. Akl. An optimal algorithm for assigning cryptographic keys to control access in a hierarchy. IEEE Transactions on Computers, 34(9):797–802, September 1985.
7. G. Noubir. Multicast security. European Space Agency, Project: Performance Optimisation of Internet Protocol Via Satellite, April 1998.
8. R. S. Sandhu. Cryptographic implementation of a tree hierarchy for access control. Information Processing Letters, 27:95–98, 1988.
9. B. Schneier. Applied Cryptography: Protocols, Algorithms, and Source Code in C, 2nd Edition. Addison-Wesley, Reading, MA, 1995.
10. D. R. Stinson. Cryptography: Theory and Practice. CRC Press, Inc., Boca Raton, Florida, 1995.
11. C. K. Wong, M. Gouda, and S. S. Lam. Secure group communications using key groups. SIGCOMM '98. Also University of Texas at Austin, Computer Science Technical Report TR 97-23, December 1998.
