Controlling the access requests in an information protection system

Information Processing & Management Vol. 29, No. 1, pp. 61-68, 1993. Printed in Great Britain. 0306-4573/93 $6.00 + .00. Copyright 1993 Pergamon Press Ltd.

CONTROLLING THE ACCESS REQUESTS IN AN INFORMATION PROTECTION SYSTEM

CHIN-CHEN CHANG
Institute of Computer Science and Information Engineering, National Chung Cheng University, Chiayi, Taiwan 621, R.O.C.

and

TZONG-CHEN WU
Institute of Computer Science and Information Engineering, National Chiao Tung University, Hsinchu, Taiwan 300, R.O.C.

(Received 1 July 1991; accepted in final form 25 February 1992)

Abstract: A new mechanism for controlling the access requests in information systems is proposed. In our scheme, each access privilege is associated with a recursively generated function based on Newton's interpolating polynomial. The insertion of a new user/file into the system and the deletion of an old user/file from the system can be easily implemented. Moreover, the privilege of a user to a file can be updated without reconstructing all of the associated functions.

Keywords: Information protection system, Access control, Single-key-lock system (SKL), Newton's interpolating polynomial.

1. INTRODUCTION

Many studies have reported various implementation methods of access control matrices in information protection systems (Chang, 1986; Chang & Chen, 1986; Chang & Jan, 1988; Chang & Jiang, 1989; Denning, 1982; Graham & Denning, 1972; Laih, Harn, & Lee, 1989; Saltzer & Schroeder, 1975; Wu & Hwang, 1984). By an access control matrix, we mean a matrix in which the entry of row i and column j represents the access privilege of the object identified in the jth column for the subject identified in the ith row. Figure 1 depicts such a matrix. A simple example of an access control matrix is shown in Fig. 2, where r denotes read-only, w denotes write-only, e denotes execute, u denotes update, o denotes open, U_i denotes the ith user and F_j denotes the jth file. Among all of the above mentioned studies, Saltzer and Schroeder (1975) proposed the capability-list and the access-list systems, which store the whole access control matrix by row and by column, respectively. These two systems suffer from disadvantages such as propagation, revocation, and review problems. Another method, called the key-lock-matching system, proposed by Graham and Denning (1972), suffers from requiring a longer time in searching for a key-lock pair.

Fig. 1. The access control matrix (rows: subjects U_1, ..., U_m; columns: objects F_1, ..., F_n; the entry a_ij is the access privilege of U_i to F_j).

Fig. 2. A simple access control matrix.

        F1   F2   F3   F4   F5
  U1    r    e    w    u    e
  U2    o    o    e    w    e
  U3    w    o    u    e    r
  U4    w    u    e    u    u

The methods proposed by Chang (1986), Chang and Chen (1986), Chang and Jan (1988), Chang and Jiang (1989), Laih et al. (1989), and Wu and Hwang (1984) are all single-key-lock (SKL) systems. In an SKL system, each subject is assigned a key and each object is assigned a lock; the access privilege a_ij is revealed by applying a predefined mathematical operation to the key of the ith subject and the lock of the jth object. The common disadvantages of the SKL systems are that the storage required for keys and locks actually exceeds that of the original access control matrix, and that the insertion of a new subject/object, the deletion of an old subject/object, and the updating of a subject's access privilege to an object are difficult to handle. In this article, we propose a method, different from the conventional SKL systems, that overcomes these drawbacks.

2. OUR SCHEME

2.1 Requirement

We assume that there are m users as subjects and n files as objects to be protected in an access control matrix. Figure 3 shows the organization of our access control system. When a user U_i requests access to file F_j, the file system fetches the function f_t related to U_i's access request t. In the system, the access requests can be read, write, execute, update, open, no access, and so on. The system then evaluates the function at U_i's identification number and checks whether the value is identical to F_j's identification number. For simplicity, we select i as U_i's identification number and j as F_j's identification number. The access by U_i to F_j is allowed only when f_t(i) matches j, which is F_j's identification number; otherwise, the access request is rejected. In our mechanism, since the function f_t related to the access privilege t is established on a t-list derived from the access control matrix, we first describe how to obtain a t-list from the access control matrix.

Fig. 3. Organization of our access control system (Subject i sends an Access Request for Object j; the System Intervention between them decides the request).


Consider an access control matrix as shown in Fig. 1. Without loss of generality, let there be k users U_1, U_2, ..., U_k, k \le m, with the pairs

(1, j_{11}), (1, j_{12}), ..., (1, j_{1 d_1}),
(2, j_{21}), (2, j_{22}), ..., (2, j_{2 d_2}),
...
(k, j_{k1}), (k, j_{k2}), ..., (k, j_{k d_k})

related to the access privilege t. Here a pair (x, y) related to t means that U_x has the access privilege t to F_y. The following list

(1, j_{11}), ..., (1, j_{1 d_1}), (2, j_{21}), ..., (2, j_{2 d_2}), ..., (k, j_{k1}), ..., (k, j_{k d_k}), (k+1, 0), (k+2, 0), ..., (m, 0)

is called the t-list. For instance, consider the access control matrix depicted in Fig. 2. We see that there are five pairs related to the same access privilege "update." They are (1,4), (3,3), (4,2), (4,4), and (4,5). Since U2 has no "update" privilege to any file, we add the pair (2,0) to the above list. Thus, in this case, the u-list is (1,4), (2,0), (3,3), (4,2), (4,4), and (4,5). In a t-list, each user corresponds to a sequence of files to which the user has t as the access privilege. Hence each user can be associated with an integer according to the sequence of his corresponding files. Thus, we associate U_i with

\sum_{q=1}^{d_i} 2^{j_{iq} - 1} \bmod P    for i = 1, 2, ..., k,

and associate U_i with zero for i = k+1, k+2, ..., m, where P is a prime number larger than the largest value of a file's identification number. Generally, we say that the user U_i is associated with

e_i = \sum_{q=1}^{d_i} 2^{j_{iq} - 1} \bmod P    for i = 1, 2, ..., m.

2.2 Algorithm

Given an access control matrix, the algorithm for constructing a set of functions f_t's related to the access privileges t's is stated in the following.

2.2.1 Algorithm A (Construct functions f_t's).

Input: An m x n access control matrix M.
Output: A set of functions f_t's related to the access privileges t's.
Step 1: For each privilege t, convert the access control matrix M to a set of t-lists.
Step 2: For each t-list, do the following:
  1. Compute d_i and

     e_i = \sum_{q=1}^{d_i} 2^{j_{iq} - 1} \bmod P,    for i = 1, 2, ..., m.

  2. Using Newton's interpolation method, interpolate on the points (1, e_1), (2, e_2), ..., (m, e_m) to obtain

     f_t(x) = C_m^t (x - (m-1))(x - (m-2)) \cdots (x - 1) + C_{m-1}^t (x - (m-2)) \cdots (x - 1) + \cdots + C_2^t (x - 1) + C_1^t \bmod P    (1)

     with f_t(i) = e_i for i = 1, 2, ..., m.
Step 3: Output the functions f_t's.

The C_i^t's in eqn (1) can be computed from the following recursive formula with the given d_i's, P and j_{iq}'s:

C_1^t = e_1 \bmod P,
C_2^t = \frac{e_2 - C_1^t}{(2 - 1)} \bmod P,
C_3^t = \frac{e_3 - [C_1^t + C_2^t (3 - 1)]}{(3 - 1)(3 - 2)} \bmod P,
\vdots    (2)

From eqn (2), C_i^t can be further simplified as

C_i^t = \frac{e_i - \sum_{s=1}^{i-1} C_s^t \prod_{z=1}^{s-1} (i - z)}{(i - 1)!} \bmod P.    (3)

From eqn (3), it can be seen that C_{i+1}^t depends only on the previous values C_b^t, b = 1, 2, ..., i. The result of f_t(i) will be used to check the authority request of U_i to F_j for the privilege t. The algorithm for validating the authority request of U_i to F_j for the privilege t is stated as follows.

2.2.2 Algorithm B (Check on the authority request).

Input: 1. User identification number i. 2. File identification number j. 3. Access privilege t for U_i to F_j.
Output: A flag to indicate if the request is accepted or rejected.
Step 1: Compute

  f_t(i) = C_m^t (i - (m-1))(i - (m-2)) \cdots (i - 1) + C_{m-1}^t (i - (m-2))(i - (m-3)) \cdots (i - 1) + \cdots + C_2^t (i - 1) + C_1^t \bmod P.    (4)

Step 2: Perform the intersection operation on the binary forms of f_t(i) and 2^{j-1}, and set the result to be w.
Step 3: If w = 2^{j-1}, then set flag = "accept"; otherwise set flag = "reject."

According to the property of Newton's interpolating polynomials, we know that eqn (4) always generates

f_t(i) = e_i    for i = 1, 2, ..., m.

If the intersection of the binary forms of e_i and 2^{j_{iq} - 1} results in 2^{j_{iq} - 1}, then this access request is permitted. In eqn (4), since the first m - i terms have the common factor (i - i), they are all zero. So a hierarchy consideration may be useful in our mechanism: if a user makes access requests more frequently than others, we can assign this user the smallest identification number to achieve a lower average computation time. Further, Knuth (1980) suggested a more efficient formula for eqn (4) as:

f_t(i) = ((\cdots ((C_i^t (i - (i-1)) + C_{i-1}^t)(i - (i-2)) + \cdots)(i - 1) + C_1^t) \bmod P
       = ((\cdots ((C_i^t (1) + C_{i-1}^t)(2) + \cdots)(i - 1) + C_1^t) \bmod P.    (5)

In eqn (5), only (i - 1) multiplications and additions are needed.

Now, we describe how our system handles the insertion of a new user/file, the deletion of an old user/file, and the updating of an access privilege of a user U_i to a file F_j. If a new user/file is inserted into the system, we first update the corresponding t-lists related to the privilege t. Then we recompute the functions f_t's whose associated t-lists have changed. Similarly, updating the access privilege a_ij of U_i for F_j from u to v causes two functions, f_u and f_v, to be reconstructed according to the new u-list and the new v-list, respectively; these are obtained from the old u-list and the old v-list by deleting the pair (i, j) from the former and inserting the pair (i, j) into the latter. The deletion of an old user U_i can be seen as updating the access privileges a_i1, a_i2, ..., a_in to X, X, ..., X, and the deletion of an old file F_j can be seen as updating the access privileges a_1j, a_2j, ..., a_mj to X, X, ..., X, where X means "no access."

2.3 Example

Consider the access control matrix depicted in Fig. 2 again. We select P = 67. Since the r-list is (1,1), (2,0), (3,5), and (4,0), the function f_r can be computed with the coefficients C_i^r's calculated from the elements of the r-list. Similarly, f_w, f_e, f_u, and f_o can also be constructed. They are shown in Table 1. When U2 makes a request to execute F5, the system evaluates f_e(2) as follows:

f_e(2) = (C_2^e (2 - 1) + C_1^e) \bmod 67 = (2 \times 1 + 18) \bmod 67 = 20.

Since the intersection of the binary forms of 20 and 2^{5-1} is 2^{5-1}, the access request is permitted.

Table 1. The corresponding functions (f_t's) for the access requests in Fig. 2.

  Functions (f_t)   C_1^t   C_2^t   C_3^t   C_4^t
  f_r                 1      66      42       3
  f_w                 4       4      28       3
  f_e                18       2      60      26
  f_u                 8      59       6      22
  f_o                 0       3      65      34
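The following is an added illustration, not code from the paper: Algorithm A (t-lists, the e_i's, and the coefficients C_i^t of eqn (3)), the Horner evaluation of eqn (5), and the bitwise check of Algorithm B, run on the Fig. 2 matrix with P = 67 as in the example above. The matrix is transcribed from Fig. 2 and the function names are assumptions.

```python
import math

# Added example, not the paper's own code: the Chang-Wu scheme for every
# privilege t of the Fig. 2 matrix with P = 67 (Section 2.3 of the paper).
P = 67  # prime from the paper's example; must exceed m-1 so (i-1)! is invertible mod P

# Constructed copy of Fig. 2: rows U1..U4, columns F1..F5.
MATRIX = [
    ["r", "e", "w", "u", "e"],
    ["o", "o", "e", "w", "e"],
    ["w", "o", "u", "e", "r"],
    ["w", "u", "e", "u", "u"],
]

def e_values(matrix, t, p=P):
    """Step 1 of Algorithm A: e_i = sum of 2^(j-1) over U_i's t-files, mod p (0 if none)."""
    return [sum(1 << (j - 1) for j, a in enumerate(row, 1) if a == t) % p
            for row in matrix]

def newton_coeffs(es, p=P):
    """Eqn (3): C_i = (e_i - sum_{s<i} C_s * prod_{z<s} (i - z)) / (i-1)!  mod p."""
    cs = []
    for i, e in enumerate(es, 1):
        acc = 0
        for s, c in enumerate(cs, 1):
            acc += c * math.prod(i - z for z in range(1, s))
        cs.append((e - acc) * pow(math.factorial(i - 1), -1, p) % p)
    return cs

def evaluate(cs, i, p=P):
    """Eqn (5) (Horner): f_t(i) needs only C_1..C_i and i-1 multiplications."""
    acc = cs[i - 1]
    for s in range(i - 1, 0, -1):
        acc = acc * (i - s) + cs[s - 1]
    return acc % p

def check_request(cs, i, j, p=P):
    """Algorithm B: accept iff the binary AND of f_t(i) and 2^(j-1) equals 2^(j-1)."""
    bit = 1 << (j - 1)
    return (evaluate(cs, i, p) & bit) == bit

def build_functions(matrix, p=P):
    """One coefficient list (C_1^t .. C_m^t) per distinct privilege t in the matrix."""
    return {t: newton_coeffs(e_values(matrix, t, p), p)
            for t in sorted({a for row in matrix for a in row})}
```

Running `build_functions(MATRIX)` reproduces the f_r, f_w, f_e and f_o rows of Table 1, and `check_request(fs["e"], 2, 5)` accepts U2's execute request on F5 via f_e(2) = 20.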


Fig. 4. First, U5 is inserted, then F6 is inserted (the matrix of Fig. 2 extended by a fifth row for U5 and a sixth column for F6).

If a new user U5 is inserted into the system with the access privileges shown in Fig. 4, one more row for the fifth coefficients C_5^t's of the f_t's is created. This is shown in Table 2. If a new file F6 is inserted into the system with the access privileges shown in Fig. 4, only the functions corresponding to the newly inserted access privileges are changed. In this case, only the original f_r, f_e, and f_u are changed. The results are shown in Table 3.

3. DISCUSSION

It is easy to see that the computation time for verifying a user's access request relies heavily on the evaluation of f_t(i). If the number of files/users in the system is large, the resulting interpolating polynomial f_t(i) will be of high degree. However, we can partition the files/users into modest-sized groups as shown in Fig. 5, and then construct the functions f_t(i)'s for each partitioned group. Therefore, the computation time for verifying a user's access request drops dramatically in a practical implementation.

Let m be the number of subjects, n the number of objects, and z the number of distinct access privileges. In summary, our mechanism has the following characteristics:
1. The system only maintains z t-lists corresponding to the access privileges.
2. If P is y bits, then the required memory storage for the coefficients of the z functions is myz bits. Further, if the identification numbers of the objects run from 1 to n, then the required memory storage is about m(log n)z bits.
3. Validating an access request is quite simple: one just evaluates the function corresponding to the privilege of the user's access request. Further, we can apply Horner's rule to speed up the evaluation.

Although both our mechanism and the Laih-Harn-Lee mechanism (Laih et al., 1989) are based on Newton's interpolating polynomials, there are some differences between them.

Table 2. The functions after U5 is inserted.

  Functions (f_t)   C_1^t   C_2^t   C_3^t   C_4^t   C_5^t
  f_r                 1      66      42       3      32
  f_w                 4       4      28       3      21
  f_e                18       2      60      26      33
  f_u                 8      59       6      22      21
  f_o                 0       3      65      34       0


Table 3. The functions after F6 is inserted.

  Functions (f_t)   C_1^t   C_2^t   C_3^t   C_4^t   C_5^t
  f_r                 1      31      10      19      49
  f_w                 4       4      28       3      21
  f_e                50      31       9      26      29
  f_u                 8      59      22       6       8
  f_o                 0       3      65      34       0

In the Laih-Harn-Lee mechanism, each user U_i is assigned a key K_i and each file F_j is associated with a lock vector L_j, which is an interpolating polynomial constructed from the points (K_i, a_ij)'s, for i = 1, 2, ..., m. That is, an interpolating polynomial is associated with each file in the Laih-Harn-Lee mechanism, while an interpolating polynomial is associated with each access privilege in our mechanism. In the Laih-Harn-Lee mechanism, as in most conventional SKL systems, the system computes the exact access privilege for a request, while our mechanism evaluates the qualification of a user to a file according to the access privilege of the request. Let the number of bits representing the access privilege value be q, which is about (log z) bits when z is the number of distinct access privileges. The memory storage required by the Laih-Harn-Lee mechanism is m(n + 1)(log z) bits, while our mechanism requires m(log n)z bits. In a real system, n is normally larger than z. Thus, our mechanism needs less memory storage than the Laih-Harn-Lee mechanism does.

4. CONCLUSIONS

We have proposed a new scheme for controlling the access requests in information protection systems. Unlike the conventional SKL systems, our system does not need to evaluate the access privileges of users to files. Instead, our mechanism evaluates the qualification of a user to a file directly, according to the access privilege t of the user's request. One good feature of our system is that only a few corresponding functions are required. With our mechanism, the insertion of a user/file, the deletion of a user/file, or the updating of a user's access privilege to a file can be implemented without affecting as many keys or locks as the previous SKL systems did. For practical considerations with a large number of users or files, we can partition the access control matrix into modest-sized groups to speed up the validation time. Further, with a careful arrangement of frequent users, our system's performance will be greatly improved.

Acknowledgements: The authors would like to thank the referees for their very useful comments, which improved the presentation of this paper.

Fig. 5. Partition the access control matrix into four modest-sized groups (Group 1 to Group 4 over the subjects U_i's).

REFERENCES

Chang, C.C. (1986). On the design of a key-lock-pair mechanism in information protection system. BIT, 26, 410-417.
Chang, C.C., & Chen, C.P. (1986). A key-lock-pair mechanism based upon generalized Chinese remainder theorem. Journal of the Chinese Institute of Engineering, 9(4), 383-390.
Chang, C.C., & Jan, J.K. (1988). An access control scheme for new users and files. The International Journal of Policy and Information, 12(2), 89-98.
Chang, K.C., & Jiang, T.M. (1989). A binary single-key-lock system for access control. IEEE Transactions on Computers, C-38(10), 1462-1466.
Denning, D.E. (1982). Cryptography and data security. Reading, MA: Addison-Wesley.
Graham, G.S., & Denning, P.J. (1972). Protection-principles and practices. Proceedings of AFIPS 1972 SJCC, 40, 417-429.
Knuth, D.E. (1980). The art of computer programming. Vol. 2. Seminumerical algorithms (2nd ed.). Reading, MA: Addison-Wesley.
Laih, C.S., Harn, L., & Lee, J.Y. (1989). On the design of a single-key-lock mechanism based on Newton's interpolating polynomial. IEEE Transactions on Software Engineering, SE-15(9), 1135-1137.
Saltzer, J.H., & Schroeder, M.D. (1975). The protection of information in a computer system. Proceedings of IEEE, 63, 1278-1308.
Wu, M.L., & Hwang, T.Y. (1984). Access control with single-key-lock. IEEE Transactions on Software Engineering, 10(2), 185-191.