International Journal of Computer Information Systems, Vol.

4, No 2, 2012

On the Security of an Efficient Time-Bound Hierarchical Key Management Scheme with Biometrics
M.Daris Femila
Department Of Computer Science, SRM Arts and Science College, Kattankulathur Chennai, India email:darisbennison@gmail.com Dr.A.Anthony Irudhayaraj Dean-Department of Information Technology, Aarupadai Veedu Institute of Technology, Paiyanoor, Chennai, India e-mail:anto_irud@hotmail.com

AbstractRecently, Bertino p r o p o s e d a new time-bound key management scheme for broadcasting. The security of their scheme is planted on the hardness breaking of elliptic curve discrete log problem, HMAC, and tamper-resistance devices. They claimed that as long as the three assumptions hold, their scheme is secure. By means of secure, users cannot a c c e s s resources that they are not granted, even if users collude. In this paper, we demonstrate that this scheme is insecure against the collusion attack. We also provide some possible amendments to this scheme. KeywordsTime-bound key management, cryptanalysis.

We b r i e f l y review Bertinos scheme [3] in t h i s section. Their scheme includes the following phases: the initialization, the encrypting key generation, the user subscription, the decryption key derivation A. Initialization Phase

I.

INTRODUCTION

TIME-BOUND hierarchical key m a n a g e m e n t s c h e m e s have been widely discussed recently [1], [2], [3]. These schemes control different sets of users from accessing different resources at a fixed time of period. Usually, resources are grouped into some classes, and classes have hierarchical relationships among themselves. Users who subscribe to a class can also access the resources in its descendant classes, but not vice versa. Also, users are not allowed to access t h e r e s o u r c e s out periods.These schemes o f their s u b s c r i p t i o n efficiently control users access rights with little transmission overheads. Very recently, Bertino [3] using proposed another new t i m e -bound scheme elliptic-curve cryptography. Bertino claimed that their scheme is efficient and secure against several attacks. Unfortunately, we found that their scheme is not as secure as they claimed. In this paper, we demonstrate that Bertinoal.s scheme is vulnerable to the c o l l u s i o n attack a n d p r o p o s e some possible i m p r o v e m e n t s for their scheme. II. REVIEWING BERTINOETALS SCHEME

The vendor first defines the partially ordered classes Ci of the data source f o r 1 < i < w. We use the notations - to represent partial order relations.If Cj Ci or Cj - Ci , the user who are in the class Ci can also access all resources in Cj . Cj - Ci is different from Cj - Ci only when Ci - Cj does not hold. T h e detail definition of partial order relation is described in [3]. Besides, the vender selects an elliptic curve E over a finite field IFq , a point Q 2 EIFq with a large prime order p, integers ni and gi for 1 < i < w where ni gj are all different modulo p, two random integers a and b, and a keyed HMAC HK , where H denotes a hash function and K denotes the systems master key which is only known to the vender. The vendor then computes the following for each classes i: 1. 2. 3. 4. Pi ni Q on EIFq , hi where gi hi 1mod p, the class key Ki gi Pi for class Ci , and the points Ri;j gi Kj Ki , where Cj - Ci .

The values IDi , Ri;j are published and Pi , ni , gi , hi , a, and b are kept secret. Once Ri;j are released, the class partial order relation- ships cannot be changed without resetting all keys.

February Issue

Page 89 of 91

ISSN 2229 5208

International Journal of Computer Information Systems, Vol.4, No 2, 2012 III. CRYPTANALYSIS ON BERTINOS SCHEME B Encrypting Key Generation Phase Assume that two users u1 and u2 collude together. User u1 subscribed to Ci with time intervals ti1 ; ti2 ], whereas user u2 subscribed to Cj with another non overlapping time interval tj1 ; tj2 ]. Assume that j - Ci , so they should not be able to access the resources of Ci (but not in Cj ) in the time interval tj1 ; tj2 ]. It means, they should not be able to derive K i ;t where t 2 tj1 ; tj2 ]. By u s i n g u2s d e v i c e , they calculate a p o i n t S s u c h that fSgY fKi gY H IDj H IDi . Then, they store S into the device a s the fraud Kj. Since the device treats it as Kj, it directly calculates Kj;t with S as follows: j;t HK fSgY H H a H Hb H IDj HK fKi gY H IDj H IDi H H t a H H Zt b H IDj As a result, they obtain the crafted access key K 0 , which is indeed equal to Ki;t , from the output of the device. Then, they can access Ci at time t using Ki ;t , in which they are not authorized. We shall notice that this attack also works even if tj1 ; tj2 ] and ti1 ; ti2 ] are overlapped. That m e a n s , these two d e v i c e s can access the encrypted resources at the same time. The remaining part is to calculate the point S. Suppose that we follow the suggestion of [3] to implement the elliptic curve over a prime field Fp , a finite field of p elements and p is a prime, with the formula y2 x3 ax b mod p. Therefore, finding S is equivalent to f i n d i n g the r o o t o f x3 ax b mod p. Although S d o e s not always exist, most c a s e s can successfully find S in polynomial time. Other choices o f implementation will a l s o lead t o similar results. Also, if the device does not validate the point S is on the curve or not, this attack will succeed without doubt. In the paper of Hung-Min Sun,King-Hang Wang, and ChienMing Chens On the Security of an Efficient TimeBound Hierarchical Key Management Scheme the causes of the vulnerability: 1) the symmetric property of exclusive-or H and 2) the input materials Ki and Ri;j are not authenticated. A simple improvement is to replace the symmetric operator exclusive-or H in (1) by string concatenation jj. are found out and modifications are made a n d t he resulting equation is shown as (6). Ki;t HK Ki Y jjH t ajjH Zt bjjIDi : (6)

In this phase, the vendor generates the secret key Ki;t for Ci at the time granule t 2 1; Z]. Ki;t is calculated as (1). Ki;t HK Ki Y H H t a H H Zt b H IDi (1) Note that Ki Y means the y-coordinate of the point Ki , H denotes the bitwise XOR operation,and IDi is the public identity of Ci . The n o t a t i o n Hx a is x1 a for x 1 a defined as HH 2 with H Ha. C. User Subscription Phase

If a user u subscribes to Ci with the time interval t1 ; t2 ], the vendor calculates H t1a; H Zt2b. The vendor then issues u a tamper resistant device, like a smart card, which stores H, K, E, IFq , IDi , hi , H t1a and HZt2b. This tamper-resistant d e v i c e is a l s o embedded with a secure c lo c k . We assume that no unauthorized read o r write can be j;t made on the variables it stores. Besides, the class key Ki is distributed to u through a secure channel. D. Decrypting Key Derivation Phase

Suppose a user u subscribes to the class Ci in the time interval t1 ; t2 ]. User u can access Cj at time t, if Cj - Ci and t 2 t1 ; t2 ], by computing the access key Ki;t . He first retrieves Ri;j from the public network and then inputs Ri;j , IDj , Ki into the tamper- resistant device. The device then computes (2), (3), and (4). Kj hi :Ri;j Ki ; H t a H tt1 H t1 a; H Zt b H t2 t H Zt2 b: (2) (3) (4)

Finally, by utilizing the above results, it computes the access key Kj;t using (5): Kj;t HK Kj YH H t a H H Zt b H IDj (5)

In case that Cj Ci , user u inputs only Ki into the device. The device then computes Ki;t using (1) directly.

February Issue

Page 90 of 91

ISSN 2229 5208

International Journal of Computer Information Systems, Vol.4, No 2, 2012 V. CONCLUSION This amendment is lightweight; however, we cannot guarantee that it eradicates all other attacks. The other method is to prove the authenticity of Ki and Ri;j . The vendor signs Ki and Ri;j using digital signature as follows: si SigKi jji; si;j SigRi;j jjijjj: There are many time-bound hierarchical key assignment schemes in the literature which apparently seems to work but they have been shown to be insecure. Nevertheless, the very recent Hung-Min Sun,King-Hang Wang, and Chien-Ming Chens scheme is shown to be broken in this paper. We suggest some simple techniques to improve the performance of digital signatures. REFERENCES
W.-G. Tzeng, A Time-Bound Cryptographic Key Assignment Scheme for Access Control in a Hierarchy, IEEE Trans. Knowledge and Data Eng., vol. 14, no. 1, pp. 182-188, Jan./Feb. 2002.

Then, whenever Ki and Ri;j are input, users respectively provide si and si;j as well. The device aborts the computation if Ki or Ri;j are not input with valid signatures. Although it incurs extra computation and t r a n s m i s s i o n loads t o the system, this amendment makes the s c h e m e provable secure [4]. It is because the device o n l y accepts i n p u t s that a re prepared by the vendor. In addition, Ki are tightly coupled with i and Ri;j are bundled with i; j by the signatures, which disallow attackers to forge or replace any of those. IV. POSSIBLE IMPROVEMENTS

[1]

[2] H.-Y. Chien, Efficient Time-Bound Hierarchical Key Assignment Scheme,IEEE Trans. Knowledge and Data Eng., vol. 16, no. 10, pp. 1301-1304, Oct.2004. [3] E. Bertino, N. Shang, and S. Wagstaff, An Efficient Time-Bound Hierarchical Key Management Scheme for Secure Broadcasting, IEEE Trans. Dependable and Secure Computing, vol. 5, no. 2, pp. 65-70, Apr.-June 2008. [4] H.-M. Sun, K.-H. Wang, and C.-M. Chen, On the Security of an Efficient Time-Bound Hierarchical Key Management Scheme (Full Version),technical report, National Tsing Hua Univ., 2009.

Current digital signature techniques that are used to bind an individual to an electronic document rely on a key or keys presumably known only to the signer or possessed only by the signer (e.g. keys stored on a smart card) of the document. Unfortunately, this approach is not as secure as it may appear, since if the knowledge or possession of the key can be obtained by another individual, either with or without the consent or knowledge of the original individual, then doubt may exist as to the true identity of the signer. So a fundamental problem with acceptance of digital signatures is the fact that someone could compromise their integrity by repudiating their "signature." For example, a person could sign a document, and then claim that their secret key had been compromised, and thus introduce doubt as to the actual signer of the document. Thus there is a need for a more secure method of performing digital signing. The incorporation of a highly robust biometric solves this problem, since the signing of the document is not performed with something that the individual knows or has, but rather something that the individual "is." Additionally it would be significantly difficult to almost impossible for someone to duplicate the biometric portion of the signature. Robust biometric techniques such as iris identification, coupled with cryptographic techniques such as digital signatures may be employed to provide a secure solution.

February Issue

Page 91 of 91

ISSN 2229 5208