Comprehensive evaluation of key management hierarchies for outsourced data
Cybersecurity, Pub Date: 2019-02-19, DOI: 10.1186/s42400-019-0026-y
Naveen Kumar, Anish Mathuria

Key management is an essential component of a cryptographic access control system with a large number of resources. It manages the secret keys assigned to the system entities in such a way that only authorized users can access a resource. Read access control allows read access to a resource by authorized users and disallows others. An important objective of key management is to reduce the secret key storage at each authorized user. To this end, there exist two prominent types of key management hierarchy with single key storage per user, used for read access control in the data outsourcing scenario: user-based and resource-based. In this work, we analyze the two types of hierarchy with respect to static hierarchy characteristics and dynamic operations such as adding or revoking user authorization. Our analysis shows that resource-based hierarchies can be a better candidate, although they are not given equal emphasis in the literature. A new heuristic for minimizing the key management hierarchy is introduced that makes it practical to use even for a large number of users and resources. The performance of dynamic operations such as adding or revoking a user's read subscription is evaluated experimentally to support our analytical results.

Updated: 2019-02-19