Reference Encryption for Access Right Segregation and Domain Representation
1. Introduction
We shall refer to a well-known protection model featuring active entities, the processes, that perform access attempts to passive entities, the objects [1,2]. Objects are typed; the type of a given object states the set of operations that can be carried out on this object and, for each operation, the access rights that a process must hold to accomplish this operation successfully. At any given time, a protection domain is associated with each process: this is a collection of access rights on the objects that the process can access at that time.
A salient aspect of the protection problem is the representation of access rights and protection domains in memory. A classical solution is based on the concept of a capability [3,4]. This is a pair
, where B is the identifier of an object and AR is a set of access rights for this object. A protection domain takes the form of a collection of capabilities, which correspond to the access rights included in that domain.
Capabilities are sensitive objects that cannot be treated as ordinary data [5]: we must prevent processes from modifying the access right field and add new access rights, for instance. Capabilities can be segregated into capability segments [6,7]. In this case, a protection domain usually takes the form of a tree, where the root of the tree is a capability segment that includes the capabilities for other capability and data segments, and the data segments are the tree leaves. Alternatively, we can take advantage of a tag associated with each memory cell, which specifies whether this cell contains a capability or an ordinary data item [8,9]. In a third approach, a set of passwords is associated with each object, and each password corresponds to one or more access rights. A password capability is a pair
where B is an object identifier and PSW is a password [10,11]. If a match exists between PSW and one of the passwords associated with object B, then the password capability grants its holder the access rights corresponding to that password on B.
In the approaches to capability segregation in memory, outlined so far, a process that holds a capability can take full advantage of this capability, independently of the capability origin. This means that segregation does not prevent a process from taking advantage of a capability obtained illegitimately by means of a fraudulent action of capability copy, for instance.
In this paper, we propose an alternative approach to access right representation in memory, which solves the segregation problem by taking advantage of a form of symmetric-key cryptography [12,13]. In our approach, possession of an access privilege on a given object is certified by possession of a protected reference (p-reference from now on, for short) including the specification of a collection of access rights for this object. P-references are never stored in memory in plaintext. Instead, the protection system associates an encryption key, called the object key, with each object, and a further encryption key, the domain key, with each domain. A p-reference for a given object is always part of a protection domain and is stored in memory in the ciphertext form that results from application of a double encryption using both the object key and the domain key.
2. The Protection System
2.1. Protected References
Let T be an object type, let S0, S1, ··· be the operations that can be executed on an object of type T, and let AR0, AR1, ··· be the access rights defined by T. For each given operation Sm, the definition of type T states the subset of access rights AR0, AR1, ··· that is necessary to accomplish that operation successfully. P-reference R takes the form R = , where AR is a bit configuration that specifies a collection of access rights for object B: if the i-th bit of AR is asserted, R grants access right ARi on B.
From now on, we shall use an underline to denote a ciphertext. Let kB be the encryption key associated with object B, and kD be the encryption key associated with the domain D of p-reference R = .
Figure 1 shows the transformation of R into ciphertext quantity $\underline{R}$. The transformation proceeds as follows. Let $\underline{B}$ be the result of encrypting quantity B by using a symmetric-key cipher with key kD, and let $\underline{AR}$ be the result of encrypting pair by using a symmetric-key cipher with key kB. Quantity $\underline{R}$ is given by relation $\underline{R}$ = .
Figure 2 shows the reverse transformation of ciphertext quantity $\underline{R}$ = into the corresponding plaintext p-reference R. The transformation proceeds as follows. Domain encryption key kD is used to decrypt quantity $\underline{B}$ into object name B. Then, the object key kB associated with object B is used to decrypt quantity $\underline{AR}$. Let be the result of the decryption. Quantity B* is compared with B to validate AR; if a match is found, validation is successful and p-reference R is given by pair .
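The two transformations of Section 2.1 can be exercised end to end with the sketch below, which is an added example and not code from the paper. It assumes that the pair encrypted under kB is (B, AR), as the B* comparison implies. The toy HMAC-based Feistel permutation (standing in for the unspecified symmetric-key cipher), the 8-byte object name, the 32-bit AR field, the key table and the names `seal` and `unseal` are also assumptions.

```python
import hashlib
import hmac

def _f(key, rnd, data, n):
    # Round function: HMAC-SHA256 used as a keyed PRF, truncated to n bytes.
    return hmac.new(key, bytes([rnd]) + data, hashlib.sha256).digest()[:n]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key, block):
    # Toy 4-round Feistel permutation over an even-length block (stand-in cipher).
    h = len(block) // 2
    l, r = block[:h], block[h:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r, h))
    return l + r

def decrypt(key, block):
    # Inverse permutation: undo the rounds in reverse order.
    h = len(block) // 2
    l, r = block[:h], block[h:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l, h)), l
    return l + r

def seal(b, ar, k_obj, k_dom):
    # B goes under the domain key kD; the pair (B, AR) goes under the object key kB.
    return encrypt(k_dom, b), encrypt(k_obj, b + ar.to_bytes(4, "big"))

def unseal(r_ct, k_dom, object_keys):
    # Returns the plaintext p-reference (B, AR) if validation succeeds, else None.
    b_ct, ar_ct = r_ct
    b = decrypt(k_dom, b_ct)
    k_obj = object_keys.get(b)  # kB is selected by the recovered object name
    if k_obj is None:
        return None
    plain = decrypt(k_obj, ar_ct)
    b_star, ar = plain[:8], int.from_bytes(plain[8:], "big")
    return (b, ar) if hmac.compare_digest(b_star, b) else None

# Constructed sample values (hypothetical object name and keys).
B = b"obj-0001"
OBJECT_KEYS = {B: b"object-key-for-B"}
K_D1, K_D2 = b"domain-key-D1", b"domain-key-D2"
R_CT = seal(B, 0b0101, OBJECT_KEYS[B], K_D1)

if __name__ == "__main__":
    print(unseal(R_CT, K_D1, OBJECT_KEYS))  # valid in the issuing domain
    print(unseal(R_CT, K_D2, OBJECT_KEYS))  # same ciphertext under another domain key
```

Because the pair is encrypted as a single block, altering any bit of the encrypted rights field changes B* as well, so the comparison with B rejects it.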