INFORMATION SCIENCES 51, 1-11 (1990)

A Single-Key Access Control Scheme in Information Protection Systems

JINN-KE JAN
Department of Applied Mathematics, National Chung-Hsing University, Taichung, Taiwan, Republic of China
ABSTRACT A new access control scheme for information protection systems is proposed. It assigns every legal user just one integer key in such a way that employing a simple formula to the key of the user subject and the ID number of the resource object yields the corresponding access right in the protection system.
1. INTRODUCTION

The topic of information security has been studied in the last two or three decades to reduce the rising abuse of computers and the increasing threat to personal privacy through data banks. Access control, which concerns us the most in this paper, is one of the most important safeguards in information protection systems. Access control regulates the reading, changing, and deletion of data and programs, so as to prevent the accidental or malicious disclosure, modification, or destruction of records, data sets, and program segments. To achieve this control, an access control matrix which specifies who has what access privileges to system resources may be employed. An access control matrix establishes the relationship of each user subject and every resource object; conventionally the accessible objects are arranged in columns and the various user subjects are arranged in rows. Logically, each user can be identified as a positive integer $i$ and each resource as a positive integer $j$; therefore, each element $a_{ij}$ in the access control matrix $A$ stands for the corresponding access privilege of user $i$ to resource $j$. We identify every access privilege as a positive integer, and assign zero to every matrix element which represents no access privilege. For example, let us consider Figure 1, in which the access of user $i$ to file $j$ (one kind of resource) is allowed only when the requested privilege is smaller than or equal to $a_{ij}$. In other words, the right to write implies the right to write, to read, and to execute. The right to own implies all rights.

© Elsevier Science Publishing Co., Inc. 1990, 655 Avenue of the Americas, New York, NY 10010. 0020-0255/90/$03.50
Since the access control matrix in general is a sparse matrix, it is never cost-effective to implement such a matrix [1]. In order to solve this problem, several methods have been proposed: the capability-list method, the access-list method, and the key-lock matching method by Graham and Denning [4], Wu and Hwang's key-lock-pair (KLP) method [6], and Chang's KLP methods [2,3]. For the details, the interested reader should refer to [2,3,6]. Here we mention only some of their obvious disadvantages. The capability-list method and the access-list method have to do an exhaustive search whenever a request to update the information is made. The key-lock matching system has a capability list for each subject and a lock list for each object. Consequently, here it is also time-consuming to update the information, since searching a list structure unavoidably needs exhaustive (sequential) search. Moreover, all three of these methods employ lists with a variable number of entries. Not only does Wu and Hwang's KLP method need more storage space than the original access control matrix for accommodating the keys and locks, but the operations of keys and locks are also very time-consuming. Chang's KLP methods, based on the Chinese remainder theorem, assign every user a key value which grows very rapidly.

Our method is intended to achieve the goal of encoding each row vector in the access control matrix into a key value in such a way that the growth rate of key values is slower than that of the above-mentioned methods. In Section 2 we shall present our single-key system and its implementation scheme. Section 3 describes how to represent the key value efficiently. Section 4 evaluates the time complexities of $K_i$ and $a_{ij}$. Section 5 introduces the grouped-key concept to solve the overflow problem for key values. Finally, conclusions are given in Section 6.
2. THE SINGLE-KEY ACCESS CONTROL SCHEME
The single-key access control scheme is an information protection system in which the accessors can be users or processors, while the resources can be files, proprietary programs, or memory segments, and the access rights can be execute, read, write, copy, or various forms of rights to change the access rights themselves. In this paper, we have chosen the application of users accessing files within the file system to develop the idea of the single-key system. Therefore, the terms user and file used in the remainder of the paper correspond to the concepts accessor and resource, respectively. The proposed system is based upon a new concept: that by assigning each user only one key, access control can be achieved by applying a simple formula to the user's key and the file's ID number. The organization of the single-key system is as depicted in Fig. 2.

[Fig. 2. Diagram labels: Subject, Request, Protection system, Object.]

Conventionally, the file system assigns to $m$ different users numbers from 1 to $m$, and to $n$ different files numbers from 1 to $n$. When a user $i$ joins the system and its $n$ privileges for files are determined, the file system is required to create a key $K_i$ according to the file numbers and their associated privileges. Afterwards, whenever any access from a user $i$ to a file $j$ is requested, the file system will compute the corresponding access value $a_{ij}$ to decide whether the request for access is accepted or not. But how to compute the $a_{ij}$? The following theorem gives us the answer.

THEOREM 2.1. Let $A_{m \times n}$ be an access control matrix, $t$ be the total number of access control privileges, and $a_{ij}$ be the $(i, j)$th element of the access control matrix $A_{m \times n}$. Then there exists an integer $K_i$, called the key of the user $i$, such that
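$$a_{ij} = \left\lfloor \frac{K_i}{(t+1)^{j-1}} \right\rfloor \bmod (t+1),$$

where $1 \le i \le m$ and $1 \le j \le n$.

Proof. Let $K_i = \sum_{q=1}^{n} a_{iq}(t+1)^{q-1}$, where $n$ is the total number of users. Then $K_i$ can be rewritten as follows:

$$K_i = a_{i1} + a_{i2}(t+1) + \cdots + a_{in}(t+1)^{n-1}.$$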
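Consequently, we have

$$\left\lfloor \frac{K_i}{(t+1)^{j-1}} \right\rfloor \bmod (t+1) = \left\lfloor \frac{a_{i1} + a_{i2}(t+1) + \cdots + a_{in}(t+1)^{n-1}}{(t+1)^{j-1}} \right\rfloor \bmod (t+1)$$

$$= \left\lfloor a_{i1}(t+1)^{1-j} + \cdots + a_{i,j-1}(t+1)^{-1} + a_{ij} + a_{i,j+1}(t+1) + \cdots + a_{in}(t+1)^{n-j} \right\rfloor \bmod (t+1).$$

Let $e = a_{i1}(t+1)^{1-j} + \cdots + a_{i,j-1}(t+1)^{-1}$, and let $R = a_{i,j+1}(t+1) + \cdots + a_{in}(t+1)^{n-j}$.

Now, since $t$ is the total number of privileges, we have

$$e \le \frac{t}{(t+1)^{j-1}} + \frac{t}{(t+1)^{j-2}} + \cdots + \frac{t}{t+1} = t \cdot \frac{\frac{1}{t+1}\left[1 - \left(\frac{1}{t+1}\right)^{j-1}\right]}{1 - \frac{1}{t+1}} = 1 - \left(\frac{1}{t+1}\right)^{j-1}.$$

This implies that $0 \le e < 1$ for $1 \le j \le n$. On the other hand,

$$R = (t+1)\left(a_{i,j+1} + a_{i,j+2}(t+1) + \cdots + a_{in}(t+1)^{n-j-1}\right) = (t+1)m$$

for some $m$ such that $m \in I^{+}$.

Overall, we conclude

$$\left\lfloor \frac{K_i}{(t+1)^{j-1}} \right\rfloor \bmod (t+1) = \lfloor e + a_{ij} + R \rfloor \bmod (t+1) = \lfloor e + a_{ij} + (t+1)m \rfloor \bmod (t+1) = [a_{ij} + (t+1)m] \bmod (t+1) = a_{ij}.$$

According to the above-proved procedures, the following corollary can be easily concluded.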
COROLLARY 2.1. Let $A_{m \times n}$ be an access control matrix, $t$ be the total number of access control privileges, $K_i$ be the key of user $i$, and $a_{ij}$ be the $(i, j)$th element of the access control matrix $A_{m \times n}$. Then

$$a_{ij} = \left\lfloor \frac{K_i}{(t+1)^{j-1}} \right\rfloor \bmod (t+1) \quad \text{if} \quad K_i = \sum_{q=1}^{n} a_{iq}(t+1)^{q-1}. \tag{2.1}$$

In the following, an example is given to illustrate the above corollary.
EXAMPLE 1. Let us again consider the simple access control matrix with four users and five files as depicted in Figure 1. Since the total number $t$ of access control privileges is four and the number of files is five, by (2.1) each key can be computed as

$$K_i = \sum_{q=1}^{5} a_{iq}(4+1)^{q-1} = \sum_{q=1}^{5} a_{iq}5^{q-1}.$$

Thus

$K_1 = 2021$, $K_2 = 291$, $K_3 = 653$, $K_4 = 256$.

Now, let us compute $a_{ij}$ for the $(i, j)$th element. For instance, if $i = 3$ and $j = 4$, then the corresponding access control privilege is computed as

$= 5 \bmod 5$
which is correct. In case our single-key system is implemented on a 32-bit computer, the key value will overflow if the number of files is larger than 14 in the case that $t$ is identical to four. Hence, we are forced to evaluate the growth rate of the key value $K_i$ as follows. Since $a_{ij} \le t$ for all $i$ and $j$,

$$K_i = \sum_{q=1}^{n} a_{iq}(t+1)^{q-1} \le \sum_{q=1}^{n} t(t+1)^{q-1} = t \sum_{q=1}^{n} (t+1)^{q-1} = t \cdot \frac{(t+1)^{n} - 1}{t} = (t+1)^{n} - 1.$$
In other words, the key value $K_i$ has the possibility of overflowing the integer word whenever the value of $(t+1)^n$ is not smaller than the maximum integer of the computer on which our single-key system is implemented. We are unsatisfied with this limitation. In Section 5 a modification is therefore introduced to enhance our system.

3. THE SMALLEST-KEY-VALUE REPRESENTATION
We notice that Corollary 2.1 employs a key value $K_i$ to represent the $i$th row vector $(a_{i1}, a_{i2}, \ldots, a_{in})$, such that whenever a $j$th value $a_{ij}$ is requested, we can use the formula $\lfloor K_i/(t+1)^{j-1} \rfloor \bmod (t+1)$ to obtain the required $a_{ij}$ value. Now we have to answer a very eristic question. Is it possible to find another key value $K_i'$ which is smaller than $K_i$ such that $K_i'$ can represent the $i$th row vector? The following discussion answers our question.

The total number of possibilities for a vector $(a_{i1}, a_{i2}, \ldots, a_{in})$ is $(t+1)^n$, since $0 \le a_{iq} \le t$. Now we will show that the range of $K_i$ is $(t+1)^n$ exactly, no more and no less. Since $K_i = \sum_{q=1}^{n} a_{iq}(t+1)^{q-1}$, the minimum value of $K_i$ is zero in case $a_{iq} = 0$ for all $1 \le q \le n$. The maximum value of $K_i$ is computed as follows in case $a_{iq} = t$ for all $1 \le q \le n$:

$$\sum_{q=1}^{n} t(t+1)^{q-1} = t \sum_{q=1}^{n} (t+1)^{q-1} = t \cdot \frac{(t+1)^{n} - 1}{t} = (t+1)^{n} - 1.$$

Moreover, any vector $(a_{i1}, a_{i2}, \ldots, a_{in})$ can be represented by a nonnegative integer that is computed by the $K_i$ formula, since the vector $(a_{i1}, a_{i2}, \ldots, a_{in})$ can be regarded as a nonnegative integer $X$ in base $t+1$ such that

$$X = a_{i1}a_{i2}\cdots a_{in} = a_{i1}(t+1)^{0} + a_{i2}(t+1) + \cdots + a_{in}(t+1)^{n-1} = \sum_{q=1}^{n} a_{iq}(t+1)^{q-1} = K_i.$$

(Let $a_{i1}$ be the least significant digit.)

Therefore, the formula for $K_i$ is the optimal solution for representing the vector $(a_{i1}, a_{i2}, \ldots, a_{in})$. In other words, it is impossible to find another key value $K_i'$ which is smaller than $K_i$ such that $K_i'$ can represent the vector $(a_{i1}, a_{i2}, \ldots, a_{in})$.
4. TIME COMPLEXITIES

First, we investigate the time complexity of the key value $K_i$ in Corollary 2.1. Since the key $K_i$ is defined as $\sum_{q=1}^{n} a_{iq}(t+1)^{q-1}$, in order to compute its complexity we investigate the number of multiplications to compute $(t+1)^{q-1}$. Let $T(X)$ denote the number of multiplications to compute $X$. Knuth [5] has shown that the upper bound of $T(a^b)$ is identical to $2\lfloor \log_2 b \rfloor$ by using addition-chain methods. Now since our parameter $K_i$ is defined as

$$K_i = \sum_{q=1}^{n} a_{iq}(t+1)^{q-1},$$

we have

$$T(K_i) = \sum_{q=1}^{n} a_{iq}\,T\big((t+1)^{q-1}\big) \le n \cdot 2\lfloor \log_2 (n-1) \rfloor + O(n) = O(n \log_2 n),$$

$$T(a_{ij}) = O(n \log_2 n).$$
5. GROUPED-KEY CONCEPT

If the number of files is large, the user's key values will overflow. To solve this problem, the grouped-key concept [3] will be introduced in this section. Suppose each $K_i$ can represent the $i$th row vector with maximum size $n = 15$. Then for any information protection system in which $n > 15$, our system will group every 15 files into a subgroup $j$, such that all $n$ files are properly grouped into $g$ file groups. Let $S_j$ denote the total number of files in group $j$, and file $(j,k)$ denote file $k$ of group $j$, for l

$$K_{ij} = \sum_{q=1}^{S_j} a_{i(j,q)}(t+1)^{q-1}.$$

Consequently, the access right $a_{i(j,k)}$ can be computed as

$$a_{i(j,k)} = \left\lfloor \frac{K_{ij}}{(t+1)^{k-1}} \right\rfloor \bmod (t+1).$$

In order to demonstrate that this grouped-key method works properly, we give a simple example below.
EXAMPLE 2. Let us consider a file system with five users and ten files. We let the total number of access privileges be four. The access control matrix is shown in Figure 3. Assume our system groups every five files into a subgroup $j$, such that all ten files are grouped into two file groups as shown in Figure 4.

              File
User    1   2   3   4   5   6   7   8   9  10
  1     1   0   1   2   3   1   0   4   0   1
  2     2   1   0   0   1   3   2   0   4   0
  3     1   0   3   1   0   0   4   1   0   3
  4     2   0   0   1   2   1   0   1   1   0
  5     3   2   2   0   0   2   1   2   2   1

Fig. 3

[Fig. 4. The files arranged into Group 1 and Group 2.]
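We illustrate how our system works properly by employing the formulas for $K_{ij}$ and $a_{i(j,k)}$:

$$K_{ij} = \sum_{q=1}^{S_j} a_{i(j,q)}(t+1)^{q-1},$$

$$a_{i(j,k)} = \left\lfloor \frac{K_{ij}}{(t+1)^{k-1}} \right\rfloor \bmod (t+1).$$

We have (in part)

$$K_{12} = 1 + 4 \times 5 + 5^{4} = 646,$$
$$K_{21} = 2 + 5^{2} + 5^{4} = 652,$$
$$K_{22} = 3 + 2 \times 5 + 4 \times 5^{3} = 513.$$

The access right of user 2 to file (2,4), for instance, can be computed as follows:

$$a_{2(2,4)} = \left\lfloor \frac{K_{22}}{5^{3}} \right\rfloor \bmod 5 = \left\lfloor \frac{513}{125} \right\rfloor \bmod 5 = 4 \bmod 5 = 4,$$

which is correct.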
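The decoding formula of Corollary 2.1 and the grouped keys of Section 5, as an added Python example that is not code from the paper. The function names and the rule that a request must name a positive privilege are assumptions; the keys are the ones stated in Examples 1 and 2.

```python
# Added illustration (not the paper's code): Corollary 2.1 and the grouped keys of Section 5.

def make_key(row, t):
    """K_i = sum over q of a_iq * (t+1)^(q-1); row[0] is file 1, the least significant digit."""
    key = 0
    for q, a in enumerate(row):
        if not 0 <= a <= t:
            # A value above t would carry into the next file's digit and alter its right.
            raise ValueError(f"privilege {a} is outside 0..{t}")
        key += a * (t + 1) ** q
    return key

def access_right(key, j, t):
    """a_ij = floor(K_i / (t+1)^(j-1)) mod (t+1), files numbered from 1."""
    if j < 1:
        raise ValueError("file numbers start at 1")
    # For j beyond the encoded row the quotient is 0, so the result is 0 (no access).
    return (key // (t + 1) ** (j - 1)) % (t + 1)

def decode_row(key, n, t):
    """Recover the whole row vector (a_i1, ..., a_in) from one key."""
    return [access_right(key, j, t) for j in range(1, n + 1)]

def is_allowed(key, j, requested, t):
    """Introduction's rule: grant when the requested privilege is <= a_ij.
    Assumption: a request always names a positive privilege, so 0 is rejected."""
    return 1 <= requested <= access_right(key, j, t)

def make_grouped_keys(row, t, group_size):
    """Section 5: one key K_ij per group of group_size consecutive files."""
    return [make_key(row[s:s + group_size], t) for s in range(0, len(row), group_size)]

def grouped_access_right(keys, j, k, t):
    """a_i(j,k): right to file k of group j, using that group's key only."""
    if not 1 <= j <= len(keys):
        raise ValueError("no such file group")
    return access_right(keys[j - 1], k, t)

if __name__ == "__main__":
    T = 4
    for i, key in enumerate([2021, 291, 653, 256], start=1):  # keys stated in Example 1
        row = decode_row(key, 5, T)
        assert make_key(row, T) == key                         # the encoding round-trips
        print(f"user {i}: K = {key} -> row {row}")
    print("a_34 =", access_right(653, 4, T))
    print("a_2(2,4) =", grouped_access_right([652, 513], 2, 4, T))  # K_21, K_22 from Example 2
```

Python integers do not overflow, so the grouping here only mirrors the paper's layout; on a fixed-width integer type the group size has to be chosen so that $(t+1)^{S_j}$ stays within the word.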
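6. CONCLUSIONS

We have proposed a mechanism for implementing a single key that achieves access control in an information protection system. Our method assigns every legal user only one key, which is shown to be not only effective in reducing the storage used, but also an efficient representation for the row vector. The grouped-key scheme solves the overflow problem for key values completely, although the number of entries of the key $K_i$ is no longer one. Finally, we would like to emphasize here that our scheme is inspired by Wu and Hwang's method [6]. But instead of employing keys and locks for the access control system, we use a single key only. Therefore, faster operation and easier construction of keys are achieved.

REFERENCES

1. R. W. Conway, W. L. Maxwell, and H. C. Morgan, On the implementation of security measures in information system, Comm. ACM 15(4):211-220 (Apr. 1972).
2. C. C. Chang, On the design of a key-lock-pair mechanism in information protection systems, BIT 26:410-417 (1986).
3. C. C. Chang and C. P. Chen, A key-lock-pair mechanism based upon a generalized Chinese remainder theorem, J. Chinese Inst. Engrs. 9(4):383-390 (1986).
4. G. S. Graham and P. J. Denning, Protection-principles and practice, in Proceedings of AFIPS 1972 SJCC, Vol. 40, pp. 417-429.
5. D. E. Knuth, The Art of Computer Programming, Vol. 2, Addison-Wesley, Reading, Mass., 1981, pp. 441-462.
6. M. L. Wu and T. Y. Hwang, Access control with single-key-lock, IEEE Trans. Software Engrg. SE-10(2):185-191 (1984).

Received 21 April 1987; revised 21 February 1988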
We have proposed a mechanism for implementing a single key that achieves access control in an information protection system. Our method assigns every legal user only one key, which is shown to be not only effective in reducing the storage used, but also an efficient representation for the row vector. The grouped-key scheme solves the overflow problem for key values completely, although the number of entries of the key K, is no longer one. Finally, we would like to emphasize here that our scheme is inspired by Wu and Hwang’s method [6]. But instead of employing keys and locks for the access control system, we use single key only. Therefore, faster operation and easier construction of keys are achieved. REFERENCES 1. R. W. Conway, W. L. Maxwell, and H. C. Morgan, On the implementation of security measures in information system, Comm. ACM 15(4):211-220 (Apr. 1972). 2. C. C. Chang, On the design of a key-lock-pair mechanism in information protection systems, BIT 26:410-417 (1986). 3. C. C. Chang and C. P. Chen, “A key-lock-pair mechanism based upon a generalized Chinese remainder theorem, J. Chinese Jnnsr. Engrs. 9(4):383-390 (1986). 4. G. S. Graham and P. J. Denting, Protection-principles and practice, in Proceedings of A FIPS 1972 SJCC, Vol. 40, pp. 417-429. 5. D. E. Knuth, The Art of Computer Programming, Vol. 2, Addison-Wesley, Reading, Mass., 1981, pp. 441-462. 6. M. L. Wu and T. Y. Hwang, Access control with single-key-lock, IEEE Trans. Sofmare Engrg. SE-10(2):185-191 (1984). Received 21 April 1987; revised 21 Februaty 1988