Universally Composable Cryptographic Role-Based Access Control

Abstract

In cryptographic access control sensitive data is protected by cryptographic primitives and the desired access structure is enforced through appropriate management of the secret keys. In this paper we study rigorous security definitions for the cryptographic enforcement of Role Based Access Control (RBAC). We propose the first simulation-based security definition within the framework of Universal Composability (UC). Our definitions are natural and intuitively appealing, so we expect that our approach would carry over to other access models.

Next, we establish two results that clarify the strength of our definition when compared with existing ones that use the game-based definitional approach. On the positive side, we demonstrate that both read and write-access guarantees in the sense of game-based security are implied by UC security of an access control system. Perhaps expected, this result serves as confirmation that the definition we propose is sound.

Our main technical result is a proof that simulation-based security requires impractical assumptions on the encryption scheme that is employed. As in other simulation-based settings, the source of inefficiency is the well known “commitment problem” which naturally occurs in the context of cryptographic access control to file systems.

A The Security Notions of cRBAC Schemes in [12]

Secure read access. A cRBAC scheme \(\mathcal {CRBAC}=(\mathsf {Init}\), \(\mathsf {AddUser}\), \(\mathsf {DelUser}\), \(\mathsf {AddUser}\), \(\mathsf {AddObject}\), \(\mathsf {GrantPerm}\), \(\mathsf {RevokePerm}\), \(\mathsf {AssignUser}\), \(\mathsf {DeassignUser}\), \(\mathsf {Update}\), \(\mathsf {Read}\), \(\mathsf {Write})\) is said to be secure with respect to read accesses if no user can deduce any content of a file without having the read permission. It is formalized by the experiment \(\mathbf {Exp}^\text {read}_{\mathcal {CRBAC}, \mathcal {A}}\). In the experiment, a random bit is selected at the beginning and the cRBAC system is initialized with a set of roles R. The adversary \(\mathcal {A}\) is allowed to request for executing any administrative RBAC command, to take over users, to request an honest user to write some content to a file and to get access to the file system. \(\mathcal {A}\) can also specify a file as his challenge and provides two messages, of which one will be written to the file according to the random bit. It can specify multiple challenges and finally output his guess of the bit. To prevent trivial wins, no corrupt user can get read access to any of the challenge files. We say the adversary wins if its guess is correct. A \(\mathcal {CRBAC}\) is said to be secure with respect to read accesses if no adversary can win the above experiment with probability significantly better than a half.

A predicate \(\mathsf {HasAccess}(u,p)\) is used to reflect that symbolically a user u has access to a permission p. It is defined by: \(\mathsf {HasAccess}(u,p) \leftrightarrow \exists r \in R: (u,r) \in { UA }\wedge (p,r) \in PA . \)

Fig. 8.

Oracles for defining the experiment \(\mathbf {Exp}^\text {read}_{\mathcal {CRBAC},\mathcal {A}}\).

Definition 2

A cRBAC scheme \(\mathcal {CRBAC}\) is secure with respect to read accesses if for any probabilistic polynomial-time adversary \(\mathcal {A}\), we have

$$\begin{aligned} \mathbf {Adv}^\text {read}_{\mathcal {CRBAC}, \mathcal {A}}(\lambda ) := \big | \Pr [\mathbf {Exp}^\text {read}_{\mathcal {CRBAC}, \mathcal {A}}(\lambda ) \rightarrow \texttt {true}] - \frac{1}{2} \big | \end{aligned}$$

is negligible in \(\lambda \), where \(\mathbf {Exp}^\text {read}_{\mathcal {CRBAC}, \mathcal {A}}\) is defined as follows:

The oracles \(\mathcal O_r\) to which the adversary has access are specified in Fig. 8.

Secure write access. A cRBAC scheme \(\mathcal {CRBAC}=(\mathsf {Init}\), \(\mathsf {AddUser}\), \(\mathsf {DelUser}\), \(\mathsf {AddUser}\), \(\mathsf {AddObject}\), \(\mathsf {GrantPerm}\), \(\mathsf {RevokePerm}\), \(\mathsf {AssignUser}\), \(\mathsf {DeassignUser}\), \(\mathsf {Update}\), \(\mathsf {Read}\), \(\mathsf {Write})\) is said to be secure with respect to write accesses if no user can write some content to a file without having the permission. Particularly, in the case of open-accessible file system, the content wrote by an unauthorized user should not be considered as valid. It is formalized by the experiment \(\mathbf {Exp}^\text {write}_{\mathcal {CRBAC}, \mathcal {A}}\). The cRBAC system is initialized with a set of role R. The adversary \(\mathcal {A}\) is allowed to request for executing any of the administrative RBAC commands, to corrupt a user, to request an honest user to write some content to a file and to get access to the file system. At some point, \(\mathcal {A}\) must output a target file with an honest user’s id. It wins if it can write any valid content without the permission(read by the honest user). To prevent trivial wins, from the point when the last write operation to the target file is carried out by an honest user who has the permission till \(\mathcal {A}\) generates its output, no corrupt user can get write access to the target file. A \(\mathcal {CRBAC}\) is said to be secure with respect to write accesses if no adversary can win in the above experiment with non-negligible probability.

Definition 3

A cRBAC scheme \(\mathcal {CRBAC}\) is secure with respect to write accesses if for any probabilistic polynomial-time adversaries \(\mathcal {A}\), we have

$$\begin{aligned} \mathbf {Adv}^\text {write}_{\mathcal {CRBAC}, \mathcal {A}}(\lambda ) := \Pr \big [\mathbf {Exp}^\text {write}_{\mathcal {CRBAC}, \mathcal {A}}(\lambda ) \rightarrow 1\big ] \end{aligned}$$

is negligible in \(\lambda \), where \(\mathbf {Exp}^\text {write}_{\mathcal {CRBAC}, \mathcal {A}}\) is defined as follows:

Fig. 9.

Oracles for defining the experiment \(\mathbf {Exp}^\text {write}_{\mathcal {CRBAC}, \mathcal {A}}\).

The oracles \(\mathcal O_w\) to which the adversary has access are specified in Fig. 9.