Elliptic Curve Cryptosystems-based Date-constrained Hierarchical Key Management Scheme in Internet of Things

In this paper, we propose a mechanism that removes a weakness of an earlier security mechanism for mobile agents and meets the access control needs of the decentralized Internet of Things (IoT) environment. We also propose a date-constrained hierarchical key management scheme for mobile agents. Built on elliptic curve cryptosystems (ECCs) and the discrete logarithm problem, the scheme is flexible, and the access right of each security class is restricted to an authorized, discrete time period. We give the mathematical derivation and security arguments for the scheme and conduct a numerical trial. The constructed scheme meets the stated security requirements and is more space-efficient than the compared schemes.


Introduction
Owing to the advantages of elliptic curve cryptosystems (ECCs), the scheme can identify an access control object faster and with a small key storage space. In this study, the scheme was constructed to reduce the work of key management, minimize key storage, shorten the computation time of the construction and derivation phases, and provide high flexibility and security.
ECC was proposed independently by Koblitz (1) and Miller (2) in the mid-1980s. Compared with the existing cryptosystems, (3) ECC reduces the size of system parameters and public key certificates, bandwidth usage, power consumption, and hardware processor requirements, and allows rapid implementation. ECC is therefore a good basis for a cryptosystem that is both secure and efficient. (4) The mathematical background is as follows. (4,5) Elliptic curves used in cryptography fall into two families: prime curves and binary curves. Prime curves, defined over $\mathbb{Z}_p$, suit software implementations because they need no extended bit-fiddling operations. Binary curves, defined over $GF(2^n)$, suit hardware implementations because a cryptosystem over them can be built with a small number of logic gates. These properties of elliptic curves make ECC operations efficient.

Previous Work
In 1998, Volker and Mehrdad (5) designed a tree-structure-based security scheme that provides a safer execution environment for mobile agents. Its functions fall into three categories: mobile agent authorization, key management, and access control. Since then, Jeng and Wang, (6) Chung et al., (7) Nikooghadam et al., (8) and Lin and Hsu (9) have contributed to the development of reliable and efficient schemes for mobile agents.
In 2006, Jeng and Wang (6) applied ECC to a key management scheme that efficiently solves hierarchical access control problems. In its key derivation phase, a predecessor derives the encryption/decryption keys of the files it is authorized to access, using only its own secret key and the public information of its successors. Nevertheless, the scheme of Jeng and Wang (6) has a security loophole that lets an outsider derive an encryption key without authorization, and the relationship between security classes has to be updated when it is exploited. Lin and Hsu (9) pointed out this flaw in the Jeng and Wang (6) scheme by showing that an adversary can derive the encryption key $k_{j,2} = f_j(v_{l,j})$ of a security class without knowing any secret information.
In 2008, Chung et al. (7) introduced another key management scheme, a novel and efficient solution to dynamic access control problems in a user hierarchy based on ECC and one-way hash functions. The scheme of Chung et al. (7) differs from that of Jeng and Wang in its use of polynomials. In Jeng and Wang's scheme, each security class selects its own secret key and sends it to the Certificate Authority (CA) over a secure channel, whereas in Chung et al.'s scheme the same public polynomials are used in the key generation and key derivation phases, and the CA selects all secret parameters and sends them to the corresponding security classes over a secure channel. On the other hand, constructing the interpolating polynomials requires both large storage and a large amount of computation. According to Knuth, (10) constructing an interpolating polynomial of degree $m$ costs $m$ additions, $2m^2 + 2$ subtractions, $2m^2 + m - 1$ multiplications, and $m + 1$ divisions. Chung et al.'s scheme therefore consumes considerable system resources whenever confidential files are accessed. Hence, Nikooghadam et al. (8) introduced an improved ECC-based method for access control and key management.
In 2009 and 2011, improved versions of Jeng and Wang's scheme were proposed (8,9). They replace the pair $(\tilde{A}(n_j P_i), K_i)$ of Jeng and Wang's scheme with $(h(r \,\|\, \tilde{A}(n_j P_i)), K_i)$, where $r$ is a random number and $h(\cdot)$ is a one-way hash function. With this change, $\tilde{A}(n_j P_i)$ alone is no longer a root of the public polynomial equation, so the security flaw described above is eliminated; this is why these methods are preferred over Jeng and Wang's scheme.
For the elliptic curve discrete logarithm problem (ECDLP), no sub-exponential algorithm is known on general curves, unlike integer factorization and the finite-field discrete logarithm problem. (11) To satisfy the same security requirement, ECC therefore needs a considerably smaller key size than the other cryptosystems. Existing ECC-based access control schemes enjoy high security, but at the expense of bulky mobile agent code and excessive calculations for encryption/decryption keys. The mechanism proposed here, also based on ECC, is more efficient and less computationally complex in key generation and derivation. Compared with the other published schemes, our scheme additionally incorporates an elliptic curve digital signature and a date constraint. The purpose of the elliptic curve digital signature is to ensure that a private key is generated for a user only within a legal time granule, attested by a date-bound warrant.
The purpose of the Internet of Things (IoT) is to share resources and information. IoT itself provides an open, public operating environment, and the heterogeneity of its data enables the management and sharing of resources and information. However, ensuring the confidentiality, correctness, and availability of the stored information is a challenge for information sharing. Since the internet environment is unpredictable, it often leads to security problems such as unauthorized access requests, compromised data, and privacy disclosure; these issues show the necessity and importance of an access control mechanism. Volker and Mehrdad (5) suggested access control and key management mechanisms for mobile agents, but these consume the agent's time and introduce security problems of their own. When a mobile agent roams the internet, it may be attacked by hostile agents or hosts, or arrive at an unfamiliar or unknown host. Its delivered tasks can then be tampered with or executed incorrectly, and private information can be observed or stolen. In this paper, therefore, an access control mechanism is proposed. A mobile agent application in a hierarchical relationship structure can use the one-way hash function, the concept of time series, and ECC to ensure the security of the keys, and at the same time classify permissions in order to achieve security.

Proposed Scheme
Akl and Taylor's access control scheme (12) is based on a hierarchical structure model in which each user is assigned to a security class, the set of classes being $SC = \{SC_1, SC_2, SC_3, \ldots, SC_k\}$. In the hierarchy, the access relationship between two security classes is written $SC_i \ge SC_j$, meaning that the class $SC_i$ is higher than $SC_j$. The higher the class, the more authority it has to access information; thus a user in $SC_i$ has the authority to access the information available to $SC_j$. As the hierarchy grows, $SC_i$ would have to hold a growing number of private keys belonging to classes lower in the hierarchy, which causes key management problems and security issues. Thus, Akl and Taylor introduced the concept of a superkey in place of a key, which resolves the key management issue: given the hierarchical relation $SC_i \ge SC_j$, the user in $SC_i$ obtains the superkey of $SC_j$ from his own superkey by a mathematical operation.
Figure 1 shows an improved version of Akl and Taylor's structure, which we use to explain access to confidential files at the leaf nodes of the hierarchy. Each leaf $file_j$ is an encrypted confidential file; each internal node $SC_i$ represents a user, and $SK_i$ is the secret key held by $SC_i$. When $SK_i$ is authorized to access some encrypted files, it can obtain them from the corresponding leaf nodes. Take the node $SC_2$ as an example: $SC_2$ holds the secret key $SK_2$, and the hierarchy shows that it is authorized to access $file_1$, $file_2$, $file_3$, and $file_4$.
Before a mobile agent connects to the Internet to execute its assignments, the mobile agent user must decide which hosts the agent will visit and which information each visited host may access. The user thus defines his/her own access policy: he/she constructs the access hierarchy and assigns a different secret key to each internal node. A host can then use its secret key to obtain the encryption/decryption key of the confidential files. The concept of date constraint control is introduced to make access control in the hierarchical structure more effective: the scheme allows a user to use his/her secret key only during a predetermined time interval. If the current time lies outside the preset interval, the holder of the secret key cannot access the file with that key.
We propose a scheme that offers secure, robust, and efficient hierarchical key management for a mobile agent against internal and external attacks. Each visited host maintains only one secret key, from which it derives the decryption keys of the confidential files, so key management costs are reduced. The computational cost of ECC is low and its key size is small, which makes it appropriate for mobile devices and eases the bandwidth and storage limitations they share. The mobile agent follows the steps below to construct the access hierarchy.

Initialization phase
The following steps are executed by the CA in the initialization phase.
Step 1. The CA defines an elliptic curve $E_p(a, b)$: $y^2 = x^3 + ax + b \pmod p$, where $p$ is a large prime and the coefficients $a$ and $b$ satisfy $4a^3 + 27b^2 \not\equiv 0 \pmod p$.
Step 2. The CA selects a base point $G = (x, y)$ on $E_p(a, b)$.
Step 3. For two users $SC_i$ and $SC_j$ with $SC_i \ge SC_j$, the CA assigns the private key $SK_i$ to $SC_i$, computes the public key $PK_i = SK_i \cdot G$ on $E_p(a, b)$, and publishes $PK_i$.
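A worked example of the initialization phase, added here and not part of the original paper. It builds the textbook toy curve $E_{17}(2, 2)$: $y^2 = x^3 + 2x + 2$ over $\mathbb{F}_{17}$ with base point $G = (5, 1)$ of order 19, checks the non-singularity condition $4a^3 + 27b^2 \not\equiv 0 \pmod p$ from step 1, checks that $G$ lies on the curve (step 2), and computes $PK_i = SK_i \cdot G$ by double-and-add (step 3). The curve, base point and secret keys are toy values chosen for illustration only; the last function recovers $SK_i$ from $PK_i$ by exhaustive search, which is the reverse attack that a large $p$ is meant to make infeasible.

```python
"""Initialization phase on a toy curve (added example, not the paper's code).
E_p(a, b): y^2 = x^3 + a x + b over F_p, with p = 17, a = b = 2, G = (5, 1),
ord(G) = 19. A 17-element field is far too small for real use; it is chosen
so that every value can be checked by hand and the brute-force ECDLP succeeds."""
from typing import Optional, Tuple

Point = Optional[Tuple[int, int]]  # None represents the point at infinity O


class Curve:
    def __init__(self, p: int, a: int, b: int) -> None:
        # Step 1: reject singular curves, i.e. 4a^3 + 27b^2 = 0 (mod p).
        if (4 * pow(a, 3, p) + 27 * pow(b, 2, p)) % p == 0:
            raise ValueError("singular curve: 4a^3 + 27b^2 = 0 (mod p)")
        self.p, self.a, self.b = p, a % p, b % p

    def on_curve(self, P: Point) -> bool:
        if P is None:
            return True
        x, y = P
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def add(self, P: Point, Q: Point) -> Point:
        """Group law (chord-and-tangent) in affine coordinates."""
        if P is None:
            return Q
        if Q is None:
            return P
        x1, y1 = P
        x2, y2 = Q
        if x1 == x2 and (y1 + y2) % self.p == 0:
            return None                        # P + (-P) = O
        if P == Q:
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, self.p)
        else:
            lam = (y2 - y1) * pow(x2 - x1, -1, self.p)
        lam %= self.p
        x3 = (lam * lam - x1 - x2) % self.p
        y3 = (lam * (x1 - x3) - y1) % self.p
        return (x3, y3)

    def mul(self, n: int, P: Point) -> Point:
        """Scalar multiplication n*P by double-and-add (not constant time)."""
        if n < 0:
            raise ValueError("scalar must be non-negative")
        R: Point = None
        Q = P
        while n:
            if n & 1:
                R = self.add(R, Q)
            Q = self.add(Q, Q)
            n >>= 1
        return R


def step2_base_point(curve: Curve, G: Tuple[int, int]) -> Tuple[int, int]:
    """Step 2: the base point must lie on E_p(a, b)."""
    if not curve.on_curve(G):
        raise ValueError("G is not on the curve")
    return G


def step3_public_key(curve: Curve, G: Tuple[int, int], sk: int) -> Point:
    """Step 3: PK_i = SK_i * G is published; SK_i stays with SC_i."""
    pk = curve.mul(sk, G)
    assert curve.on_curve(pk)
    return pk


def brute_force_ecdlp(curve: Curve, G: Tuple[int, int], pk: Point,
                      limit: int) -> Optional[int]:
    """Reverse attack by exhaustion: find SK with SK*G == PK.
    Feasible here only because the group generated by G has 19 elements."""
    R: Point = None
    for n in range(1, limit + 1):
        R = curve.add(R, G)
        if R == pk:
            return n
    return None


if __name__ == "__main__":
    E = Curve(17, 2, 2)
    G = step2_base_point(E, (5, 1))
    pk = step3_public_key(E, G, 7)           # toy secret key SK_i = 7
    print("PK for SK=7:", pk, "recovered SK:", brute_force_ecdlp(E, G, pk, 19))
```

On this curve the multiples of $G$ are $2G = (6, 3)$, $3G = (10, 6)$, $7G = (0, 6)$ and $19G = O$, so `brute_force_ecdlp` recovers any toy secret key within 19 additions. With a 256-bit $p$ the same loop would need on the order of $2^{128}$ group operations even with the best generic algorithms, which is the assumption the reverse attack analysis rests on.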

Key assignment phase
Step 1. In addition to the travelling route and the access control policy of the agent, the CA fixes the lifetime $Z$ (the number of time granules) and the servers the mobile agent will visit.
Step 2. The CA selects a secret random number $a$, fixes the legal time interval $[t_1, t_2]$ with $0 \le t_1 \le t_2 \le Z$, computes $T_b = H^{t_1}(a)$ and $T_e = H^{Z - t_2}(a)$, where $H^n$ denotes $n$-fold application of the one-way hash function $H$, and publishes $T_b$ and $T_e$.
Step 3. The CA selects a secret random number $k$, uses it to sign the date-bound warrant $W = (T_b, T_e)$, and computes and publishes the public parameters $R$, $r$, and $s$ of the signature.

Key derivation phase
The server $SC_i$ generates the private key $SK_j$ for its successor $SC_j$, with which $SC_j$ can access its private files at the time granule $t$.
Step 1. At the time granule $t$, the server $SC_i$ computes $H^t(a)$ and $H^{Z-t}(a)$ and checks whether $(H^t(a), H^{Z-t}(a)) = (H^{t - t_1}(T_b), H^{t_2 - t}(T_e))$. If the equation holds, $t$ is a legal time; otherwise it is not. Because a hash chain can only be walked forward, $H^{t - t_1}(T_b)$ is computable from the warrant only for $t \ge t_1$ and $H^{t_2 - t}(T_e)$ only for $t \le t_2$.
Step 2. Using the public parameters $r$, $s$, and $W$ and the signature on the warrant, the server $SC_i$ recovers the secret number $k$.
Step 3. The server $SC_i$ generates the private key $SK_j$ for $SC_j$ as $SK_j = H(k, ID_j) \oplus H^t(a) \oplus H^{Z-t}(a)$, where $ID_j$ is the public identity of $SC_j$.

Time warrant key signature verification phase
Before using the warrant in the key derivation phase, the server checks that the signature $(R, r, s)$ on the time warrant $W = (T_b, T_e)$ is valid; only then is the warrant accepted.

Analysis of Security
This section analyses the security of the scheme in practical applications. Four types of attack that are likely to affect system security are examined.

Reverse attack
A reverse attack occurs when a user tries to use his own private key and other public information to derive the private key of a user with higher access authority. In the proposed scheme, the CA assigns the private key $SK_i$ to the user $SC_i$, and $SC_i$ derives $SK_j = H(k, ID_j) \oplus H^t(a) \oplus H^{Z-t}(a)$ for each successor $SC_j$ with $SC_i \ge SC_j$. The server $SC_j$ is blocked from going the other way: from $SK_j$ and the public chain values it learns at most $H(k, ID_j)$, and recovering $k$ from it would require inverting the one-way hash function. Hence the private key $SK_j$ of $SC_j$ cannot be used to derive the private key $SK_i$ of $SC_i$. Likewise, the public key $PK_i = SK_i \cdot G$ of $SC_i$ cannot be used to derive $SK_i$, because that is an instance of the ECDLP.

Collusion attack
A collusion attack occurs when a group of users pool their private keys and other public information in the hope of deriving the private key of a user higher in the hierarchy than any member of the group. Each attacker receives his private key either directly from the CA or from a user with higher authority. Pooling several private keys $SK_j = H(k, ID_j) \oplus H^t(a) \oplus H^{Z-t}(a)$ only gives the colluders several hash outputs of the same $k$ under different identities, which is no more useful than a single one: they can neither break the one-way property of the hash function to recover $k$ nor use their pooled knowledge to solve the ECDLP for a predecessor's $SK_i$. The collusion attack therefore fails.

External collective attack
An external collective attack occurs when a group of attackers who do not belong to the hierarchy combine their resources and efforts to derive the private key of a user within the hierarchy. External attackers know strictly less than any user of the hierarchy, since they hold no private key at all. As no user of the hierarchy can mount a successful reverse attack, a successful external collective attack is also out of the question.

Date alteration attack
A date alteration attack occurs when the user $SC_i$, with $SC_i \ge SC_j$, tries to derive a private key $SK_j$ for $SC_j$ at a time granule outside the legal time interval $[t_1, t_2]$ specified by the CA. If a time granule $t$ lies outside $[t_1, t_2]$, the check $(H^t(a), H^{Z-t}(a)) = (H^{t - t_1}(T_b), H^{t_2 - t}(T_e))$ in step 1 of the key derivation phase fails: for $t < t_1$, obtaining $H^t(a)$ from $T_b = H^{t_1}(a)$ would require inverting $H$, and for $t > t_2$, obtaining $H^{Z-t}(a)$ from $T_e = H^{Z - t_2}(a)$ would likewise require inverting $H$. This holds as long as the seed $a$ itself stays with the CA and only the warrant is published. The date-constraint mechanism embedded in the scheme thus defeats the date alteration attack.
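The key assignment and key derivation phases above, carried through in code as an added example (not the paper's own implementation), together with the out-of-interval case that the date alteration attack analysis describes. SHA-256 stands in for $H$, byte concatenation stands in for the two-argument $H(k, ID_j)$, and $Z$, $t_1$, $t_2$, $a$, $k$ and $ID_j$ are constructed toy values. The signature on the warrant and the recovery of $k$ from $(r, s, W)$ in step 2 are not reproduced; the example assumes $k$ has already been handed to the server.

```python
"""Date-bound warrant and key derivation (added example, not the paper's code).
Two hash chains grow from the CA's secret seed a: T_b = H^{t1}(a) lets a server
walk forward to H^t(a) only for t >= t1, and T_e = H^{Z-t2}(a) lets it reach
H^{Z-t}(a) only for t <= t2. SHA-256 stands in for H; all values are toy ones."""
import hashlib
from typing import Optional, Tuple

Warrant = Tuple[bytes, bytes]  # W = (T_b, T_e)


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def H_pow(seed: bytes, n: int) -> bytes:
    """H^n(seed): H applied n times; H^0 is the identity. A negative n would
    mean inverting H, which is exactly what the one-way property forbids."""
    if n < 0:
        raise ValueError("hash chains can only be walked forward")
    out = seed
    for _ in range(n):
        out = H(out)
    return out


def xor_bytes(*blocks: bytes) -> bytes:
    out = bytes(len(blocks[0]))
    for blk in blocks:
        out = bytes(x ^ y for x, y in zip(out, blk))
    return out


# CA side: key assignment phase ---------------------------------------------

def ca_issue_warrant(a: bytes, Z: int, t1: int, t2: int) -> Warrant:
    """Step 2: publish W = (T_b, T_e) for the legal interval [t1, t2]."""
    if not 0 <= t1 <= t2 <= Z:
        raise ValueError("need 0 <= t1 <= t2 <= Z")
    return H_pow(a, t1), H_pow(a, Z - t2)


def ca_reference_key(a: bytes, Z: int, k: bytes, id_j: bytes, t: int) -> bytes:
    """What the CA, which holds a, can compute for any t in [0, Z]:
    SK_j = H(k, ID_j) xor H^t(a) xor H^{Z-t}(a)."""
    return xor_bytes(H(k + id_j), H_pow(a, t), H_pow(a, Z - t))


# Server side: key derivation phase -----------------------------------------

def server_chain_values(W: Warrant, t1: int, t2: int,
                        t: int) -> Tuple[Optional[bytes], Optional[bytes]]:
    """Step 1: from the warrant alone, H^t(a) = H^{t-t1}(T_b) and
    H^{Z-t}(a) = H^{t2-t}(T_e). A value whose exponent would be negative
    is unreachable without inverting H and is reported as None."""
    T_b, T_e = W
    H_t = H_pow(T_b, t - t1) if t >= t1 else None
    H_Zt = H_pow(T_e, t2 - t) if t <= t2 else None
    return H_t, H_Zt


def server_derive_key(W: Warrant, t1: int, t2: int, t: int,
                      k: bytes, id_j: bytes) -> Optional[bytes]:
    """Steps 1 and 3 for server SC_i. k is assumed to have been recovered
    already from the warrant signature (step 2, not reproduced here)."""
    H_t, H_Zt = server_chain_values(W, t1, t2, t)
    if H_t is None or H_Zt is None:
        return None                      # t is not a legal time granule
    return xor_bytes(H(k + id_j), H_t, H_Zt)


if __name__ == "__main__":
    a, k, id_j = b"ca-chain-seed", b"ca-secret-k", b"SC_j"   # constructed toy values
    Z, t1, t2 = 30, 10, 20
    W = ca_issue_warrant(a, Z, t1, t2)
    for t in (9, 10, 15, 20, 21):
        sk = server_derive_key(W, t1, t2, t, k, id_j)
        print(t, "legal" if sk else "rejected", sk.hex()[:16] if sk else "")
```

Inside $[t_1, t_2]$ the server's key equals the CA's reference value; at $t = 9$ or $t = 21$ one of the two chain values is unreachable and derivation is refused. Note that `ca_reference_key` works for every $t$ precisely because it holds $a$, which is why the seed must never be shipped to the servers along with the warrant.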

Analysis of performance
In this section, we compare the computation complexities (13-17) and storage requirements of Chung et al.'s, (7) Nikooghadam et al.'s, (8) and Lin and Hsu's (9) schemes with those of our proposed scheme. Table 1 summarizes the computation complexities and storage requirements of the four schemes.
In Chung et al.'s scheme, the CA computes all $s_i G_j = (x_{j,i} \,\|\, y_{j,i})$ and $h(x_{j,i} \,\|\, y_{j,i})$, one elliptic curve multiplication and one hash per pair, and then constructs $n$ interpolating polynomials. Deriving a successor's encryption key costs $T_{EC\_MUL} + v_i T_{MUL} + T_{hash}$ for each class.
In Nikooghadam et al.'s scheme, the CA computes the public parameters $k_{i,j} G$ from the secret parameters $k_i$, one elliptic curve multiplication for each, and each host derives all the secret keys it is authorized for in the same way.
In Lin and Hsu's (2011) scheme, computing $c_i G$ costs $m\,T_{EC\_MUL}$, and the CA further computes $M_{i,j}$, $F_{i,j}$, and $s_i$; each security class then derives its successors' encryption keys. The resulting totals are listed in Table 1.
In our proposed scheme, the CA's key generation cost and the per-class key derivation cost are also listed in Table 1; as for storage, each host keeps only its own secret key, the warrant $(T_b, T_e)$, and the public parameters $r$, $s$, and $R$.
Figures 2 and 3 plot the computation times of the four schemes for the key derivation and key generation phases, respectively. Once the number of security classes exceeds 1200, the key derivation times of our proposed scheme, Lin and Hsu's scheme, Chung et al.'s scheme, and Nikooghadam et al.'s scheme are 1.89, 2.24, 2.77, and 2.92, respectively, as plotted in Fig. 2. The proposed scheme therefore outperforms the other three schemes in both the key generation and the key derivation phases.

Conclusions
Nowadays, the internet environment is conducive to the adoption of mobile agents, since they use network resources efficiently and help improve organizational efficiency by reducing a variety of costs. Mobile agents have market potential because of their many applications; for example, they are important to e-commerce. However, the security problems and threats facing mobile agents remain unsolved. Thus, our primary tasks are to minimize security problems, accelerate system operation, and reduce the storage required by mobile agents, and a more complete security architecture for mobile agents is welcome.
We introduce a date-constrained hierarchical key management scheme in which a date constraint is imposed on each key: once a key passes its preset expiry date, its holder can no longer access information with it, which makes the key management system more secure. Moreover, elliptic curve cryptography reduces the storage space of the keys and the cost of key generation. In terms of security, generating keys with ECC also makes a mobile agent more secure: the ECDLP is hard, so ECC achieves considerable protection with comparatively short keys. Our proposed scheme also reduces key generation calculations, which lowers the system load. We analyzed four possible attacks in order to make the security of our proposed scheme verifiable. The results indicate that the scheme is usable in practice on the Internet and resists the attacks considered from malicious users, and that the confidential files accessed through a mobile agent platform stay encrypted under keys that only authorized classes can derive within the legal time interval.

Note to Table 1: Chung et al.'s scheme and Nikooghadam et al.'s scheme have the same computation complexity, $O(k^2)$ scalar multiplications on the elliptic curve $E$ (the elliptic curve analogue of modular exponentiation), whereas Lin and Hsu's scheme and our proposed scheme both require $O(k)$ scalar multiplications on $E$.

Fig. 2. (Color online) Key derivation phase.
Fig. 3. (Color online) Key generation phase.

Table 1. Computation complexities and storage requirements of the four schemes.