Indirect key derivation schemes for key management of access hierarchies

Abstract

In this thesis, we study the problem of key management within an access hierarchy. Our contribution to the key management problem is an indirect key derivation approach we call the HMAC-method. It is called the HMAC-method, because it is based on hashed message authentication codes (HMACs) built from a fast, single, dedicated hash function (SHA-1). It is intended to provide an efficient indirect key management method for large access hierarchies resembling tree structures. We are able to achieve better tree traversals using a technique we created called path addressing. Our path addressing scheme allows us to efficiently calculate relationships between security classes, determine traversal paths, and improve the performance of indirect key derivation. We also present our cached key update scheme which is meant to improve the indirect key derivation schemes on tree hierarchies by delaying key updates when changes to the structure of the access hierarchy are necessary, but the re-calculation and re-assignment of keys would either be costly or inconvenient. For access hierarchies represented as weakly/strongly connected directed acyclic graphs, we suggest modifications to our path addressing and key derivation scheme which could allow our HMAC-method to be appplied to these types of hierarchies. Along the way, we discuss various current key management methods and discuss certain pragmatic issues that can arise which affect the applicability and implementation of a key management method.