A Generic Algebraic Model for the Analysis of
Cryptographic-Key Assignment Schemes
Sabri and Khedri (FPS 2012)

  1. A Generic Algebraic Model for the Analysis of Cryptographic-Key Assignment Schemes
     Sabri and Khedri (FPS 2012)
     Dhruv Gairola
     Algebraic Methods in CS, Ridha Khedri
     gairold@mcmaster.ca ; dhruvgairola.blogspot.ca
     March 31, 2014
     Dhruv Gairola (McMaster Univ.) Sabri and Khedri (FPS 2012) March 31, 2014 1 / 25
  2. Overview
     1 Problem and Motivation
     2 Brief Mathematical Background
     3 Proposed structures
     4 Akl-Taylor Technique
     5 Generalizing Akl-Taylor
     6 Chinese Remainder Technique
     7 Verification of security properties
     8 Conclusion
  3. Problem and Motivation
     Problem : Many key assignment schemes. How to evaluate them?
     Crampton et al. advocate the adoption of a generic key assignment model.
     Proposed Solution : Algebraic model to analyse these schemes.
     Benefit : asserting correctness in preserving confidentiality of info; better understanding of key assignment.
  4. Brief Mathematical Background
     Semigroup : (S, ·) where · is an associative binary operator.
     Semiring : (S, +, ·)
       (S, +) is a commutative semigroup with identity 0s
       (S, ·) is a semigroup with identity 1s
       · distributes over + on the left and right
       0s is absorbing in (S, ·) i.e., (∀x | x ∈ S : 0s · x = x · 0s = 0s)
  5. Brief Mathematical Background (2)
     Poset : (C, ) where is a partial order relation (reflexive, transitive, antisymmetric).
     Antisymmetry : x y ∧ y x ⇒ x = y
     Quasi-ordered set : is only reflexive and transitive.
  6. Proposed key structure
     Key structure : K = (K, +k, ∗k, 0k, 1k)
     Interpretation : +k and ∗k can be seen as operators which combine keys.
     Can represent Caesar cipher, Vigenère cipher, Boyd’s RSA cipher using the structure.
  7. Proposed scheme structure
     Key assignment scheme : S = (K, C, , a)
       K is key structure
       (C, ) is poset
       a ⊆ K → C is an onto function (assignment function)
       C is the set of security classes
     k1 d k2 : info revealed by k1 can also be revealed by k2.
  8. Proposed scheme structure (2)
     Given d (key derivation relation) S is said to be :
       Cluster secure : low class keys cannot reveal info of higher classes
       Class secure : cluster secure and (C, ) is a chain
       User secure : scheme contains independent keys s.t. no key can reveal info that can be revealed from other keys
     We have our structure. What about theories? (Axioms are obvious)
  9. Proposed scheme structure (3)
     Theories ( is a quasi-order relation):
       1 k1 ≤k k2 ⇒ k1 k2
       2 k1 ∗k k2 k2
       3 k1 k2 ⇒ k1 +k k3 k2 +k k3
       4 k1 k2 ⇒ k1 ∗k k3 k2 ∗k k3
       5 k 1k
     Now we have structure and theories. We can analyze specific key assignment schemes and construct models.
  10. Akl-Taylor Technique
      Each user assigned a key, $k_i$, where $k_i = \kappa^{t_i} \pmod{m}$.
        $\kappa$ is a private number
        $m$ is a product of 2 large primes
        $t_i$ is a product of n primes
      Key idea : one key can be derived from another.
  11. Akl-Taylor Technique (2)
      Simple math :
        $k_i = \kappa^{t_i} \pmod{m}$
        (Hint- j:=i) $k_j = \kappa^{t_j} \pmod{m}$
        (Hint- LHS) $\kappa^{t_j} \pmod{m} = (\kappa^{t_i})^{t_j/t_i} \pmod{m}$
        (Hint- LHS) $(\kappa^{t_i})^{t_j/t_i} \pmod{m} = k_i^{t_j/t_i}$
        Therefore $k_j = k_i^{t_j/t_i}$
      Conclusion (key derivation) : $k_j$ can be derived from $k_i$ iff $t_j$ is divisible by $t_i$
  12. Akl-Taylor Example
      Example : $k_i = \kappa^{t_i} \pmod{m}$, let $m = 11 \times 17 = 187$, $\kappa = 13$
      User i : $k_i = 13^{5 \times 7} \pmod{187} = 21$
      User j : $k_j = 13^{3 \times 5 \times 7} \pmod{187} = 98$
      $k_i^{t_j/t_i} = k_j$
      $21^3 \pmod{187} = 98$
  13. Generalizing Akl-Taylor
      The server that distributes keys determines $\kappa$ and keeps it private.
      Once $\kappa$ and $m$ are fixed, $t_i$ determines $k_i$. This is given by $\frac{\log k_i}{\log \kappa} = t_i$.
      We can view $t_i$ as the key.
      Can we generalize $t_i$? Yes! ti = {2 × 3 × 7} can be represented as {{2 × 3 × 7}} ∈ P(P(Np)) for a fixed κ and m.
  14. Generalizing Akl-Taylor (2)
      P = {p1 × ... × pn | ∃(p1...pn | pi ∈ Np : ∀(pi, pj | pi, pj ∈ Np : i = j ⇒ pi = pj))}
      P = {p1 × ... × pn | set of product of different primes}
      ti = {2 × 3 × 7} ∈ P
      From example in prev slide, generalized tigen ∈ P(P(Np))
  15. Generalizing Akl-Taylor (3)
      Function rep :
        rep : P → P(P(Np))
        rep(p1 × ... × pn) = {{p1 × ... × pn}}
      Each user is given a set of keys e.g., {{2 × 3 × 7}, {2 × 11 × 17}}.
  16. Model for the key structure
      F = (P(P(Np)), +k, ∗k, 0, 1). We have a model for key structure K!
      ∗k : P(P(Np)) × P(P(Np)) → P(P(Np))
        A ∗k B = {a ∪ b : a ∈ A, b ∈ B}
      +k : P(P(Np)) × P(P(Np)) → P(P(Np))
        A +k B = A ∪ B
  17. Model for the scheme structure
      Generalized Akl-Taylor : S = (F, C, , a). Model for S.
      In Akl-Taylor (C, ) is a tree but in generalized Akl-Taylor, (C, ) can be a forest.
  18. Generalized Akl-Taylor Usefulness
      Useful if we need more than one key per user (e.g., user involved in more than 1 key assignment scheme).
      In Akl-Taylor, “one key can be derived from another” i.e., can we show $\kappa^{t_i}$ d $\kappa^{t_j}$ ?
      Use the relators d and which are present in our scheme S.
      We can use the 5 theories defined in slide 9 to obtain interesting properties in our Generalized scheme.
  19. Chinese Remainder Theorem
      Given r, s ∈ Z+ and a, b are coprime, there ∃N ∈ Z s.t. N ≡ a (mod r) and N ≡ b (mod s).
      We can find N using basic algebra.
  20. Chinese Remainder Technique
      Uses ideas from the solution procedure for the Chinese remainder theorem.
      Key structure same as Akl-Taylor. Even ∗k, +k are defined the same.
      However, we have k1 d k2 ⇔ k2 k1 (dual), unlike for Akl-Taylor where d and are the same.
  21. Verification of security properties
      Properties can be verified :
        Ability of user to get info intended for higher class.
        Ability of using several keys to reveal info that can be revealed by using another key.
      Can use Prover9 to verify each property.
  22. Verification Example
      Six classes get assigned keys :
        Part-time nurses : key(cpn) = k1 ∗k k2 ∗k k4
        Overnight nurses : key(cnn) = k1 ∗k k3 ∗k k4
        Full-time nurses : key(cfn) = k1 ∗k k4
        Part-time doctors : key(cpd) = k2 ∗k k4
        Overnight doctors : key(cnd) = k3 ∗k k4
        Full-time doctors : key(cfd) = k4
      Property : any doctor can get info of any nurse in the same class.
        (key(cpn) d key(cpd)) ∧ (key(cnn) d key(cnd)) ∧ (key(cfn) d key(cfd))
        (k1 ∗k k2 ∗k k4 d k2 ∗k k4) ∧ (k1 ∗k k3 ∗k k4 d k3 ∗k k4) ∧ (k1 ∗k k4 d k4)
      Prover9 can verify such properties (automated).
  23. Conclusion
      Analyse key assignment schemes using algebraic structures.
      Generalize existing key assignment schemes using model.
      Automate verification of security properties.
      Future work : examine other key assignment schemes to assess strengths and weaknesses.
  24. References
      “A Generic Algebraic Model for the Analysis of Cryptographic-Key Assignment Schemes”, Sabri, Khedri, FPS (2012) pp. 62-77
      “Algebraic Framework for the Specification and Analysis of Cryptographic-Key Distribution”, Sabri, Khedri, Fundamenta Informaticae 112 (2011) pp. 305-335
      http://conferences.telecom-bretagne.eu/fps2012/program/slides/24.pdf
      http://mathworld.wolfram.com/ChineseRemainderTheorem.html
  25. Thank you.
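The Akl-Taylor derivation rule from slides 10 to 12, as an added example that is not part of the original deck: it reuses the slide's toy values (m = 187, κ = 13) and shows that derivation works only when t_i divides t_j. The function names and the extra exponent "x" are assumptions made for illustration.

```python
# Added example: Akl-Taylor key derivation with the toy parameters of slide 12.
M = 11 * 17   # public modulus from the slide (toy size, far too small for real use)
KAPPA = 13    # the server's private number from the slide

def server_key(t, kappa=KAPPA, m=M):
    """Key the server issues for public exponent t: kappa^t mod m."""
    return pow(kappa, t, m)

def derive(k_i, t_i, t_j, m=M):
    """Compute k_j from k_i and public values only; requires t_i | t_j."""
    if t_j % t_i != 0:
        raise ValueError("t_j is not divisible by t_i: key not derivable")
    return pow(k_i, t_j // t_i, m)

# Public exponents: the two from the slide, plus "x" constructed for contrast.
EXPONENTS = {"i": 5 * 7, "j": 3 * 5 * 7, "x": 2 * 5}

def derivable_pairs(exponents):
    """All (holder, target) pairs where the holder can compute the target's key."""
    keys = {c: server_key(t) for c, t in exponents.items()}
    pairs = []
    for a, t_a in exponents.items():
        for b, t_b in exponents.items():
            if a == b or t_b % t_a != 0:
                continue
            # Derivation without kappa must match what the server issued.
            if derive(keys[a], t_a, t_b) != keys[b]:
                raise AssertionError("derived key differs from issued key")
            pairs.append((a, b))
    return pairs

if __name__ == "__main__":
    print("k_i =", server_key(35), " k_j =", server_key(105))
    print("derivable:", derivable_pairs(EXPONENTS))
```

Derivation runs one way only: the holder of k_i reaches k_j, while going from k_j back to k_i would need a root modulo m.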
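The set model of slide 16 applied to the key assignment of slide 22, as an added example that is not code from the deck or from the paper. Assumptions: k1..k4 are mapped to the primes 2, 3, 5, 7, and the derivation relation `derives` is defined here by lifting the Akl-Taylor divisibility rule to sets of prime sets; all function names are hypothetical.

```python
from functools import reduce
from itertools import product

def rep(*primes):
    """rep(p1 x ... x pn) = {{p1 x ... x pn}}, the product kept as a prime set."""
    return frozenset({frozenset(primes)})

def times(A, B):
    """A *k B = {a U b : a in A, b in B}  (slide 16)."""
    return frozenset(a | b for a, b in product(A, B))

def plus(A, B):
    """A +k B = A U B  (slide 16)."""
    return A | B

def derives(A, B):
    """ASSUMPTION, not stated on the slides: info revealed by A is also revealed
    by B when every prime set a in A contains some prime set b in B. This lifts
    'k_j derivable from k_i iff t_i divides t_j' to sets of prime sets."""
    return all(any(b <= a for b in B) for a in A)

# Constructed atoms: k1..k4 mapped to the primes 2, 3, 5, 7.
k1, k2, k3, k4 = rep(2), rep(3), rep(5), rep(7)

def mul(*keys):
    """Fold *k over any number of keys."""
    return reduce(times, keys)

# Key assignment from slide 22.
KEY = {
    "cpn": mul(k1, k2, k4), "cnn": mul(k1, k3, k4), "cfn": mul(k1, k4),
    "cpd": mul(k2, k4), "cnd": mul(k3, k4), "cfd": mul(k4),
}

def doctors_cover_nurses():
    """The slide's property: each doctor class reveals its nurse class's info."""
    pairs = [("cpn", "cpd"), ("cnn", "cnd"), ("cfn", "cfd")]
    return all(derives(KEY[n], KEY[d]) for n, d in pairs)

def readable_by(key):
    """Every class whose info the given key reveals under `derives`."""
    return sorted(c for c, k in KEY.items() if derives(k, key))

if __name__ == "__main__":
    print("property holds:", doctors_cover_nurses())
    for c in KEY:
        print(c, "reads", readable_by(KEY[c]))
```

Listing `readable_by` for every class shows access beyond the stated property: under this relation the full-time doctor key k4 reveals all six classes, and a user holding two keys combined with `plus` reads the union of what each reveals.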