A comment on the Chen-Chung scheme for hierarchical access control

Consider an information system in which users are organized in a hierarchical structure for access control. In such a system, there are a number of disjoint security classes and each user belongs to one of the security classes. Each security class is assigned a key, used for encryption, identification, etc. Among the security classes, there is a partial order, ≤, where SC1 ≤ SC2 represents that security class SC1 is subordinate to SC2, and thus a user in SC2 has the privilege to access information possessed by SC1. (In this case, we say that SC2 is a predecessor of SC1, or SC1 is a successor of SC2) Typically, it is desirable to allow the user in a superior class to derive the key of a subordinating class. In other words, a user in SC2 should be able to derive the key of SC1 if SC1 ≤ SC2. In this way, users in a superior security class don’t need to keep the keys of all subordinating classes, but can still access the information possessed by these classes. On the other hand, for the purpose of security, a user should never be able to derive the key of a security class that is not subordinate to his own class.