CN105871854B - Adaptive cloud access control method based on dynamic authorization mechanism - Google Patents


Info

Publication number: CN105871854B
Authority: CN (China)
Prior art keywords: user, cloud, service, credit worthiness (reputation), access
Legal status: Active
Application number: CN201610221444.7A
Other languages: Chinese (zh)
Other versions: CN105871854A (en)
Inventors: 陆佳炜, 吴斐斐, 徐俊, 肖刚, 高飞, 李�杰
Current assignee: Zhejiang Planer Technology Co Ltd
Original assignee: Zhejiang University of Technology ZJUT

Events
Application filed by Zhejiang University of Technology ZJUT
Priority to CN201610221444.7A
Publication of CN105871854A
Application granted
Publication of CN105871854B
Legal status: Active

Classifications

    • H — Electricity
    • H04 — Electric communication technique
    • H04L — Transmission of digital information, e.g. telegraphic communication
    • H04L63/00 — Network architectures or network communication protocols for network security
    • H04L63/10 — ... for controlling access to devices or network resources
    • H04L63/08 — ... for authentication of entities
    • H04L63/0815 — ... for authentication of entities providing single-sign-on or federations
    • H04L63/0823 — ... for authentication of entities using certificates
    • H04L63/0892 — ... for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
    • H04L67/00 — Network arrangements or protocols for supporting network services or applications
    • H04L67/01 — Protocols
    • H04L67/10 — Protocols in which an application is distributed across nodes in the network


Abstract

An adaptive cloud service access control method based on a dynamic authorization mechanism. Reputation modelling is first performed on user behaviour, and cloud access permissions are described hierarchically using the idea of inheritance. The cloud certification center grants different cloud user identity tokens according to the mapping between the user's history reputation and the user role tree building model, and recommends to the user the cloud services the user is allowed to access. By monitoring changes in user behaviour in real time, the cloud certification center dynamically adjusts the user's comprehensive reputation in order to judge the user's trustworthiness: if the user is trustworthy, a cloud service access token is granted and the cloud user obtains the service with that token; otherwise access is denied. The invention provides an adaptive cloud service access control method based on a dynamic authorization mechanism with higher security and reliability.

Description

Adaptive cloud access control method based on dynamic authorization mechanism
Technical field
The present invention relates to the field of cloud service access control, and in particular to a security mechanism for judging whether a given user in a cloud environment has the permission to perform a certain specific operation on a certain cloud service.
Background technique
Cloud computing is a novel computing model that emerged after distributed computing, grid computing and P2P computing. It distributes computing tasks over a resource pool made up of a large number of computers, so that application systems can obtain computing power, storage space and information services as needed; it has characteristics such as on-demand service, rapid elasticity, a virtualised resource pool and measured service.
With the rapid development of cloud computing, cloud services are becoming more and more abundant. According to their accessibility, cloud services can be divided into public clouds and private clouds. The flexibility of the public cloud lets it provide services that satisfy QoS for all users, but the public cloud cannot provide security protection and access control for resources. The private cloud has the characteristic of controllable security, but it cannot operate independently of other resources. The key to the successful operation of cloud computing technology lies in how to cope with the threat of user private data leakage and how to establish a reliable trust relationship between the cloud service provider and the user, so as to implement flexible cloud access control.
However, current traditional access control schemes often use mandatory access control, that is, the functions of a cloud service are mapped onto users; but because the responsibilities of users change frequently, the authorization relationship between users and services is not easy to establish and maintain, and there is the security risk caused by a user or a cloud service turning from trusted into untrusted. When the behaviour of a user changes, the scheme cannot adaptively select the corresponding service according to the user's demand. Aiming at the above problems, the present invention proposes an adaptive cloud service access control method based on a dynamic authorization mechanism. In a cloud computing environment, the idea of inheritance is used to manage the access permissions of users hierarchically, so as to simplify the mapping between user roles and access permissions, and reputation modelling is performed according to user behaviour, so as to realise dynamic trusted authorization of services and ensure the reliability of user access and the security of sensitive data.
Cloud access control refers to a security mechanism for judging whether a user or program has the permission to perform a certain specific operation on a certain cloud service. At present, academia has only just begun in-depth research on service access control strategies in cloud environments; existing cloud access control mainly comprises service allocation strategies based on user attributes, service allocation strategies based on user behaviour, service allocation strategies based on reputation, and so on. Document 1 (Wu Bin, Feng Dengguo. An attribute-based authorization delegation model in multi-domain environments [J]. Journal of Software, 2011, 22(7):1661-1675) proposes an attribute-based authorization delegation model, in which an attribute set acts as the representative of the entity being authorized, so as to guarantee that entities possessing the same attribute credential chain have consistent permissions. Document 2 (Zhou Jingcai, Zhang Huyin, Zha Wenliang et al. A resource allocation policy based on user behaviour characteristics in a cloud computing environment [J]. Journal of Computer Research and Development, 2014, 5(5):1108-1119) proposes a resource allocation strategy based on user behaviour characteristics in a cloud environment; its idea is to count the behavioural habits of users and build a user behaviour characteristic information table, so as to dynamically adjust the cloud computing resource allocation policy. Document 3 (Yang Shaoyu, Wang hereditary official, Guo Xiaofeng. A cloud service resource trust verification method based on a trust negotiation mechanism [J]. Computer Science, 2013, 40(7):107-112) proposes a cloud service resource trust verification method based on a trust negotiation mechanism, which establishes trust relationships between resources by way of attribute trust negotiation, combined with the trust negotiation mechanism.
In the related research of academia, the cloud service must negotiate a trust relationship with the user at the cloud access center in advance; when the trust level of the cloud service changes, the user cannot discover this in time and adjust dynamically, so there is a certain lag. Moreover, the cloud access center cannot dynamically monitor changes in the user's behaviour and adaptively adjust the user's access permissions.
Summary of the invention
In order to overcome the problems of traditional access control methods, such as tight coupling, a static nature and the inability to adaptively select application services according to user behaviour, the present invention provides an adaptive cloud service access control method based on a dynamic authorization mechanism that has higher security and reliability.
The technical solution adopted by the present invention to solve the technical problems is:
An adaptive cloud service access control method based on a dynamic authorization mechanism, the cloud access control method comprising the following steps:
1) Before a cloud service can be accessed, the administrator Mana configures the cloud service CS_x at the cloud certification center CCC: the access address add_x of the cloud service is added, the reputation threshold for permitted access is set, and services such as user authentication ser = {Login...} are provided;
2) The service registry adds a trusted authentication module TAM to each registered cloud service; the TAM intercepts the cloud user's service access requests and decides whether to permit the cloud user's access by verifying the cloud user's authentication information and the validity of the cloud service access token CSAT_u;
3) The cloud user CU issues a platform authentication request to CCC: user name N_u, login password C_u, verification code Id_u, user identity I_u;
4) The cloud certification center CCC encrypts the login password, E_kkk{C_u}, and requests the user information storage server DMM to verify the user information;
5) The DMM server returns a user information verification report and the user's reputation R_x; if the verification passes, the cloud user identity token CCCAT_u is generated, otherwise the user is prompted with a platform authentication error;
6) After authentication passes, CCC distributes the generated CCCAT_u to CU and stores it in the cookie of the user's browser; the user keeps the logged-in state according to the validity of CCCAT_u;
7) If the cloud user CU accesses CS_x, CCC distributes the generated CSAT_x to CU;
8) The cloud user accesses the service with the token, and the TAM in CS_x verifies the validity of CSAT_x. If verification fails, the cloud user's access is refused; otherwise the service resource cloudSer is provided;
9) The cloud service CS_x assesses the user's behaviour and feeds the assessment result R_user back to the cloud certification center, where it is stored in the trust library.
Further, the cloud user identity token CCCAT_u and the cloud service access token CSAT_x of the cloud access control method are designed as follows:
Each cloud user must have their identity verified before accessing the cloud certification center, and only after passing verification can services be obtained. In the initialization phase, the cloud certification center obtains the user's current history reputation from the reputation model RM and uses the user role tree building model MURBT to allocate the cloud service access permission set P_user according to the level the user currently occupies; the cloud certification center then generates the unique cloud user identity token CCCAT_u from P_user. The token is determined by the cloud user identity ID_u, the identity validity start time T_s, the identity validity period T_v and the user host identifier Host_x, and identifies each user accessing the cloud certification center, as shown in formula (1):
CCCAT_u = {ID_u, T_s, T_v, Host_x, P_user} (1)
After user information initialization, within the validity period of CCCAT_u, the cloud certification center parses the cloud user identity token and recommends the cloud services the cloud user is allowed to access; the user may then freely authenticate to those services. The cloud service authentication interface is called, and if user authentication succeeds a cloud service access token CSAT_x is generated, determined by the user's unique identity CCCAT_u and the user's user name N_x and password C_x in the cloud service CS_x, as shown in formulas (2)~(3):
CSAT_x = {CCCAT_u, CS_x, N_x, C_x} (3)
Meanwhile, the authenticated cloud service information is encrypted and deposited in the user directory information database, as shown in formula (4):
CCC → DMM: ID_u, CS_x, E_kkk{C_x}, N_x (4)
As shown in formulas (5)~(6):
CU → DMM: false || (true ∪ N_x ∪ C_x) (5)
CSAT_x = {CCCAT_u, CS_x, N_x, C_x, R_user} (6)
If the cloud user's authentication information for the cloud service has already been stored in the directory information base, the cloud certification center first obtains the cloud user's current comprehensive reputation R_user through RM and judges the cloud user's accessibility to the service according to MURBT: if the user's comprehensive reputation is greater than the access threshold of the cloud service, the relevant information is read from the user directory information database DMM and the cloud service access token CSAT_x is generated without the user entering authentication information again; otherwise the cloud user's access is refused.
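The nine steps above and the token design of formulas (1), (3), (4) and (6) can be exercised end to end with the following Python model. It is an added example, not code from the patent or its assignees: the patent does not say how CCCAT_u and CSAT_x are protected against tampering once they sit in a browser cookie, so this example assumes an HMAC over the token fields (CCC_KEY is a constructed key), carries the service password only as the encrypted E_kkk{C_x} of formula (4) rather than in clear, and uses the assumed name threshold_x for the per-service reputation threshold of step 1. The TAM check of step 8 is the interesting part for a defender: it verifies both signatures, the service binding CS_x, the validity window [T_s, T_s + T_v), the host binding Host_x and membership of CS_x in P_user, and the demo shows which check rejects an expired, re-bound or tampered token.

```python
"""Token issuance and TAM verification modelled on steps 1)-9) and formulas (1), (3), (4), (6)."""
import hashlib
import hmac
import json

# Constructed signing key of the cloud certification center. Assumption: the page does not say
# how tokens are protected; an HMAC over the token fields lets the TAM detect any modification.
CCC_KEY = b"constructed-ccc-signing-key"


def _sign(payload: dict) -> str:
    msg = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(CCC_KEY, msg, hashlib.sha256).hexdigest()


def _valid(token: dict) -> bool:
    return hmac.compare_digest(token["sig"], _sign(token["payload"]))


def issue_ccc_token(id_u: str, host_x: str, p_user: set, t_s: int, t_v: int) -> dict:
    """Formula (1): CCCAT_u = {ID_u, T_s, T_v, Host_x, P_user}, issued after platform authentication."""
    payload = {"ID_u": id_u, "T_s": t_s, "T_v": t_v, "Host_x": host_x, "P_user": sorted(p_user)}
    return {"payload": payload, "sig": _sign(payload)}


def issue_cs_token(ccc_token: dict, cs_x: str, n_x: str, c_x_enc: str, r_user: float) -> dict:
    """Formula (6): CSAT_x = {CCCAT_u, CS_x, N_x, C_x, R_user}.
    C_x is carried only as the ciphertext E_kkk{C_x} that formula (4) stores in DMM (design choice here)."""
    payload = {"CCCAT_u": ccc_token, "CS_x": cs_x, "N_x": n_x, "C_x": c_x_enc, "R_user": r_user}
    return {"payload": payload, "sig": _sign(payload)}


def ccc_silent_reissue(r_user: float, threshold_x: float) -> bool:
    """Access stage: CSAT_x is regenerated without re-authentication only when the user's
    comprehensive reputation exceeds the service's access threshold (threshold_x is an assumed name)."""
    return r_user > threshold_x


def tam_verify(cs_token: dict, cs_x: str, host_x: str, now: int):
    """Trusted Authentication Module check of step 8: returns (allowed, reason)."""
    if not _valid(cs_token):
        return False, "CSAT signature invalid"
    outer = cs_token["payload"]
    if outer["CS_x"] != cs_x:
        return False, "CSAT bound to another service"
    ccc_token = outer["CCCAT_u"]
    if not _valid(ccc_token):
        return False, "CCCAT signature invalid"
    ident = ccc_token["payload"]
    if not ident["T_s"] <= now < ident["T_s"] + ident["T_v"]:
        return False, "CCCAT outside its validity window"
    if ident["Host_x"] != host_x:
        return False, "CCCAT bound to another host"
    if cs_x not in ident["P_user"]:
        return False, "service not in P_user"
    return True, "ok"


def demo() -> dict:
    """Constructed walk-through: issue both tokens, then show which check rejects a bad presentation."""
    ccc = issue_ccc_token("u1001", "host-a", {"cs_storage", "cs_compute"}, t_s=1000, t_v=600)
    csat = issue_cs_token(ccc, "cs_storage", "alice", "E_kkk{C_x}-ciphertext-placeholder", 0.82)
    results = {
        "ok": tam_verify(csat, "cs_storage", "host-a", now=1200)[0],
        "expired": tam_verify(csat, "cs_storage", "host-a", now=1700)[0],
        "wrong_host": tam_verify(csat, "cs_storage", "host-b", now=1200)[0],
        "wrong_service": tam_verify(csat, "cs_compute", "host-a", now=1200)[0],
        "reissue": ccc_silent_reissue(0.82, 0.7),
    }
    # A client that edits P_user inside its cookie fails the outer signature check first.
    tampered = json.loads(json.dumps(csat))
    tampered["payload"]["CCCAT_u"]["payload"]["P_user"].append("cs_admin")
    results["tampered"] = tam_verify(tampered, "cs_storage", "host-a", now=1200)[0]
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:14s} -> {allowed}")
```

Because CSAT_x embeds the whole CCCAT_u, the outer HMAC also covers the identity token, so the TAM needs only the CCC's verification key and no call back to DMM on the hot path; the cost is that every CSAT_x is invalidated when CCCAT_u expires, which is exactly the behaviour step 6 asks for.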
Further, the reputation of a cloud user is quantitatively evaluated and calculated by the user reputation model RM, and the permissions of the user are described hierarchically by the user role tree building model MURBT, finally achieving the purpose of dynamic authorization of cloud services.
Further, the user reputation model comprises four parts: direct reputation, recommendation reputation, comprehensive reputation and history reputation. Direct reputation is the trust rating given to the cloud user on the basis of the historical experience of direct interaction between the cloud user and the cloud service, together with the cloud certification center's monitoring of changes in the cloud user's current behaviour; recommendation reputation refers to the historical access evaluations of the same user by other cloud services; comprehensive reputation refers to the comprehensive quantitative evaluation based on direct reputation and recommendation reputation; history reputation is the weighted sum of the cloud user's historical comprehensive reputations and represents the historical reputation status of the cloud user.
The entities in the reputation model are divided into four classes by role: the target entity CU, the entity whose reputation is obtained; the source service CS_o, the service that wants to obtain the reputation of other entities; the recommendation service CS_r, a service that feeds back trust information about the target entity to the source service; and the behaviour monitor BM, the entity that monitors changes in the user's behaviour in real time.
The calculation of direct reputation is based on the direct interaction of the target entity with the source service and the behaviour monitor; the main influencing factors are the number of service requests, the time interval between service requests and the history reputation of the service requests.
Let the satisfaction of the source service CS_o with the target entity CU at time t, and the satisfaction of the behaviour monitor BM with CU, be given. To give the greatest weight to the most recent reputation and avoid interference from reputation values far in the past, a time decay factor λ is introduced, so that the closer a reputation value lies to the current time, the larger its weight and the more credible it is. Let t be the time of an interaction between CU and CS_o within the time decay window win = [t_start, t_end] and t_current the current time; then the direct reputation is expressed as:
The calculation of recommendation reputation is based on the history trust evaluations of the same target entity CU by other recommendation services CS_r; the influencing factors are the credibility of the recommendation service itself and the credibility of the recommendation service's historical interaction with the target entity.
The evaluator is CS_o, the assessed object is CU and CS_r is a nominator of CS_o, where the first quantity is the recommendation trust of CS_r to CS_o at time t and the second is the direct trust from CU to CS_r at time t. Then the recommendation reputation is expressed as:
For the same assessed object there may be multiple nominators; if the given set is the nominator set of CS_o, then the merged recommendation reputation of the evaluator CS_o for the assessed object CU is:
The calculation of the comprehensive reputation depends on direct reputation and recommendation reputation; information entropy is used to automatically correct the weights α1, α2 of direct reputation and recommendation reputation, the smaller the information entropy, the lower the uncertainty. The information entropy formula is as follows:
For the direct reputation and the recommendation reputation, their entropies α1, α2 are calculated separately:
According to formula (13), the corresponding α_i is calculated, and it is easy to obtain:
The comprehensive reputation is then expressed as:
The calculation of history reputation depends on the comprehensive reputations of all previous interactions between the cloud user and cloud services; introducing the time decay factor λ, the history trust is expressed as:
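The reputation formulas themselves did not survive extraction on this page, so the following Python is an added example that instantiates the four components as the text describes them, not the patent's own equations: an exponential time decay exp(-λ·(t_current - t)) over the decay window for direct and history reputation, a trust-weighted merge over the nominator set for recommendation reputation, and entropy-derived weights α1, α2 for the comprehensive reputation in which the lower-entropy (less uncertain) component receives the larger weight, as the text states. Treating a reputation value in [0, 1] as a probability for the entropy is this example's assumption; the satisfaction and trust values are constructed.

```python
"""Reputation model RM: direct, recommendation, entropy-weighted comprehensive and history reputation."""
import math


def _decay(t: float, t_current: float, lam: float) -> float:
    """Time decay factor: an observation's weight shrinks with its age (assumed exponential form)."""
    return math.exp(-lam * (t_current - t))


def direct_reputation(interactions, t_current: float, lam: float) -> float:
    """Direct reputation of CU from the source service CS_o and the behaviour monitor BM.
    interactions: [(t, s_cso, s_bm)] within the decay window, satisfactions in [0, 1]."""
    num = den = 0.0
    for t, s_cso, s_bm in interactions:
        w = _decay(t, t_current, lam)
        num += w * (s_cso + s_bm) / 2.0
        den += w
    return num / den if den else 0.0


def recommendation_reputation(recommenders) -> float:
    """Merged recommendation reputation over the nominator set of CS_o.
    recommenders: [(rt, dt)] with rt = CS_o's recommendation trust in CS_r, dt = direct trust from CS_r's history with CU."""
    den = sum(rt for rt, _ in recommenders)
    return sum(rt * dt for rt, dt in recommenders) / den if den else 0.0


def binary_entropy(p: float) -> float:
    """Information entropy of a value in [0, 1] read as a probability; 0 at the certain extremes."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -(p * math.log2(p) + (1.0 - p) * math.log2(1.0 - p))


def entropy_weights(dr: float, rr: float):
    """alpha_1, alpha_2: the component with lower entropy (lower uncertainty) gets the larger weight."""
    c1, c2 = 1.0 - binary_entropy(dr), 1.0 - binary_entropy(rr)
    s = c1 + c2
    return (c1 / s, c2 / s) if s > 0 else (0.5, 0.5)


def comprehensive_reputation(dr: float, rr: float) -> float:
    a1, a2 = entropy_weights(dr, rr)
    return a1 * dr + a2 * rr


def history_reputation(history, t_current: float, lam: float) -> float:
    """Decay-weighted average of past comprehensive reputations. history: [(t, R_comprehensive)]."""
    num = den = 0.0
    for t, r in history:
        w = _decay(t, t_current, lam)
        num += w * r
        den += w
    return num / den if den else 0.0


if __name__ == "__main__":
    # Constructed sample: satisfaction dropped in the most recent interaction.
    dr = direct_reputation([(0, 0.9, 0.8), (5, 0.6, 0.5)], t_current=10, lam=0.1)
    rr = recommendation_reputation([(0.8, 0.9), (0.4, 0.3)])
    print("direct", round(dr, 3), "recommendation", round(rr, 3))
    print("comprehensive", round(comprehensive_reputation(dr, rr), 3))
    print("history", round(history_reputation([(0, 0.5), (10, 0.9)], 10, 0.1), 3))
```

The decay pulls the direct reputation below the plain mean of the two interactions, which is the property the text wants: a recent drop in behaviour is reflected sooner than old good behaviour would allow, so the access-stage threshold comparison reacts to it.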
In the user role tree building process, the user permissions of each organizational unit org are described hierarchically by way of inheritance, with the root node storing the public permissions; each descendant node of the organizational unit, besides inheriting all the permissions of its predecessor node, possesses its own peculiar permissions. The elements of the user role tree are defined as follows: U is the user set and P is the permission set; according to its permission features the permission set can be divided into P = <P_RoleTeam1, …, P_RoleTeamn>; P_former is the permissions possessed by the predecessor node and P_current the permissions possessed by the current node; P_user is the permission set possessed by the user, P_user = P'_RoleTeam1 ∪ P'_RoleTeam2 ∪ … ∪ P'_RoleTeamn, where RT is the permission distribution table.
In the cloud user identity authentication phase, the user role tree building model grants the cloud user the corresponding cloud service access permission set P_user according to the cloud user's history reputation; as shown in formula (1), the cloud certification center grants the cloud user identity token CCCAT_u according to the cloud user's login information and permission set, and recommends the cloud services the user is allowed to access by parsing CCCAT_u. In the cloud service access phase, according to formulas (2)~(6), the user role tree building model compares the cloud user's comprehensive reputation with the access threshold of the source service; if the user's comprehensive reputation is greater than the access threshold of the source service, the cloud certification center grants the user the cloud service access token CSAT_u.
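The role tree and the two decisions it feeds (P_user at authentication time, the threshold comparison at access time) are small enough to write out. The following Python is an added example, not the patent's model: the organizational unit, its permission names and the permission distribution table RT (minimum history reputation to role teams) are all constructed, and the patent does not specify how RT maps reputation levels to role teams, so that mapping is an assumption. What the code does show faithfully is the inheritance rule P_current = P_former ∪ own-permissions and the union P_user = P'_RoleTeam1 ∪ … ∪ P'_RoleTeamn over the teams granted for the user's level.

```python
"""User role tree building model MURBT: inheritance of permissions and the P_user / threshold decisions."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass
class RoleNode:
    name: str
    own: FrozenSet[str]                       # permissions peculiar to this node
    parent: Optional["RoleNode"] = None
    children: List["RoleNode"] = field(default_factory=list)

    def permissions(self) -> FrozenSet[str]:
        """P_current = P_former ∪ own: a descendant inherits every permission of its predecessor."""
        p_former = self.parent.permissions() if self.parent else frozenset()
        return p_former | self.own


def add_child(parent: RoleNode, name: str, own) -> RoleNode:
    node = RoleNode(name, frozenset(own), parent)
    parent.children.append(node)
    return node


def build_org_tree() -> Dict[str, RoleNode]:
    """Constructed organizational unit org; the root holds the public permissions."""
    root = RoleNode("org", frozenset({"catalog:read"}))
    staff = add_child(root, "staff", {"storage:read"})
    analyst = add_child(staff, "analyst", {"compute:submit"})
    auditor = add_child(staff, "auditor", {"log:read"})
    admin = add_child(analyst, "admin", {"storage:write", "iam:manage"})
    return {n.name: n for n in (root, staff, analyst, auditor, admin)}


# Constructed permission distribution table RT (assumption): minimum history reputation -> role teams.
RT: List[Tuple[float, Tuple[str, ...]]] = [
    (0.0, ("org",)),
    (0.4, ("staff",)),
    (0.7, ("analyst", "auditor")),
    (0.9, ("admin",)),
]


def role_teams_for(history_rep: float) -> Tuple[str, ...]:
    """Highest RT row whose minimum the user's history reputation reaches."""
    teams: Tuple[str, ...] = ("org",)
    for minimum, t in RT:
        if history_rep >= minimum:
            teams = t
    return teams


def p_user(tree: Dict[str, RoleNode], history_rep: float) -> FrozenSet[str]:
    """P_user = P'_RoleTeam1 ∪ ... ∪ P'_RoleTeamn over the role teams granted for the user's level."""
    result: FrozenSet[str] = frozenset()
    for team in role_teams_for(history_rep):
        result |= tree[team].permissions()
    return result


def may_access(comprehensive_rep: float, threshold_x: float) -> bool:
    """Access phase: the comprehensive reputation must be greater than the source service's threshold."""
    return comprehensive_rep > threshold_x


if __name__ == "__main__":
    tree = build_org_tree()
    for rep in (0.1, 0.5, 0.75, 0.95):
        print(rep, sorted(p_user(tree, rep)))
    print("access 0.8 vs 0.7:", may_access(0.8, 0.7), "| 0.7 vs 0.7:", may_access(0.7, 0.7))
```

Keeping the per-node permission set to its own additions and computing the inherited set on demand means a change at the root (say, revoking a public permission) propagates to every role team without editing the leaves, which is the maintenance problem the Background section raises about mapping service functions onto users one by one.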
The technical concept of the invention is as follows. An adaptive cloud service access control method based on a dynamic authorization mechanism is proposed: reputation modelling is first performed on user behaviour, and cloud access permissions are described hierarchically using the idea of inheritance; the cloud certification center grants different cloud user identity tokens according to the mapping between the user's history reputation and the user role tree building model, and recommends to the user the cloud services the user is allowed to access. By monitoring changes in user behaviour in real time, the cloud certification center dynamically adjusts the user's comprehensive reputation in order to judge the user's trustworthiness: if the user is trustworthy, a cloud service access token is granted and the cloud user obtains the service with that token; otherwise access is denied. A cloud service access environment of high reputation is thereby established, ensuring the security of sensitive data.
The reputation model performs reputation modelling on the direct reputation between the cloud user and the source service, the recommendation reputation of the user given by recommendation services and the history reputation of the cloud user, providing a more accurate basis for the dynamic authorization of the user. The user role tree building model uses the idea of inheritance to describe and manage the access permissions of cloud users hierarchically, associates the cloud user's history reputation with the access permissions of cloud services by way of a mapping, and grants cloud users different service access permission sets, finally achieving the purpose of dynamic authorization of cloud services.
A cloud access control trust framework based on a dynamic authorization mechanism is proposed; a trusted authentication module (Trusted Authentication Module, TAM) is introduced for each cloud service, and a feasible trust calculation is given, so as to ensure the reliability of user access and solve key problems such as the inability to authorize users adaptively and dynamically.
The framework comprises four entities that participate in the interaction: the cloud user (Cloud User, CU), the cloud service (Cloud Service, CS), the cloud certification center (Cloud Certification Center, CCC) and the data management module (Data Management Module, DMM); three phases: the cloud information initialization phase, the cloud user identity authentication phase and the cloud service access phase; and two models: the reputation model (Reputation Model, RM) and the user role tree building model (The Model of User Role Building Tree, MURBT).
The responsibilities of the main functional component CCC are divided into four parts: user role management, user authorization management, cloud service management and the reputation library that manages reputation values. DMM uses a directory-type database and a markup language to facilitate reading and modifying user information.
The life cycle of cloud access control can be divided into three phases. The first phase is the cloud information initialization phase, including the role management of users, the configuration of cloud services and the introduction of the trusted authentication module TAM. The second phase is the cloud user identity authentication phase: permission mapping is carried out with the user role tree building model, the cloud user identity token (CCC Access Token, CCCAT_u) is distributed according to the user's behaviour and history trust, and the cloud services the cloud user is allowed to access are recommended. The third phase is the cloud service access phase: the cloud certification center obtains the cloud user's current comprehensive reputation by monitoring changes in user behaviour in real time; if the cloud user's comprehensive reputation reaches the access threshold of the cloud service, the user is granted the cloud service access token (CS Access Token, CSAT_u), and the cloud user accesses the cloud service with the unique cloud service access token CSAT_u. After the access, the cloud service performs a trust evaluation of the user's behaviour, and the reputation value is stored in the trust library of the cloud certification center.
RM performs reputation modelling on the direct reputation between the cloud user and the source service, the recommendation reputation of the user given by recommendation services and the history reputation of the cloud user, providing a more accurate basis for the dynamic authorization of the user. MURBT uses the idea of inheritance to describe and manage the access permissions of cloud users hierarchically; in the cloud user identity authentication phase it associates the cloud user's history reputation with the access permissions of cloud services by way of a mapping and grants cloud users different service access permission sets. In the cloud service access phase, the cloud user's accessibility to a service is judged by comparing the user's comprehensive reputation with the access threshold of the cloud service.
Definition 1 (cloud service CS_x): an entity that completes a service request through a single service or a composite service.
Definition 2 (cloud user CU): an individual that uses a cloud service is called a cloud user.
Definition 3 (cloud user identity token CCCAT_u): the user credential for accessing the cloud certification center is called the cloud user identity token.
Definition 4 (cloud service access token CSAT_u): the user identity credential for accessing a cloud service is called the cloud service access token.
The beneficial effects of the present invention are mainly as follows: cloud access control is studied, and in a cloud computing environment the idea of inheritance is used to manage the access permissions of users hierarchically, so as to simplify the mapping between user roles and access permissions; reputation modelling is performed according to user behaviour, so as to realise dynamic trusted authorization of services and ensure the reliability of user access and the security of sensitive data.
Detailed description of the invention
Fig. 1 is a schematic diagram of the adaptive cloud service access control framework.
Fig. 2 is a schematic diagram of direct trust.
Fig. 3 is a schematic diagram of recommendation trust.
Fig. 4 is a schematic diagram of the user role tree building model.
Specific embodiment
The invention is further described below with reference to the accompanying drawings.
Referring to Fig. 1 to Fig. 4, an adaptive cloud service access control method based on a dynamic authorization mechanism, the cloud access control method comprising the following steps:
1) Before a cloud service can be accessed, the administrator Mana configures the cloud service CS_x at the cloud certification center CCC: the access address add_x of the cloud service is added, the reputation threshold for permitted access is set, and services such as user authentication ser = {Login...} are provided;
2) The service registry adds a trusted authentication module TAM to each registered cloud service; the TAM intercepts the cloud user's service access requests and decides whether to permit the cloud user's access by verifying the cloud user's authentication information and the validity of the cloud service access token CSAT_u;
3) The cloud user CU issues a platform authentication request to CCC: user name N_u, login password C_u, verification code Id_u, user identity I_u;
4) The cloud certification center CCC encrypts the login password, E_kkk{C_u}, and requests the user information storage server DMM to verify the user information;
5) The DMM server returns a user information verification report and the user's reputation R_x; if the verification passes, the cloud user identity token CCCAT_u is generated, otherwise the user is prompted with a platform authentication error;
6) After authentication passes, CCC distributes the generated CCCAT_u to CU and stores it in the cookie of the user's browser; the user keeps the logged-in state according to the validity of CCCAT_u;
7) If the cloud user CU accesses CS_x, CCC distributes the generated CSAT_x to CU;
8) The cloud user accesses the service with the token, and the TAM in CS_x verifies the validity of CSAT_x. If verification fails, the cloud user's access is refused; otherwise the service resource cloudSer is provided;
9) The cloud service CS_x assesses the user's behaviour and feeds the assessment result R_user back to the cloud certification center, where it is stored in the trust library.
As shown in Figure 1, proposing a kind of cloud access control trust framework based on dynamic authorization mechanism first, taken for each cloud Business introduces authentic authentication module (Trusted Authentication Module, TAM), and gives feasible trust and calculate, To ensure the reliability of user's access, solving user cannot the critical problem such as adaptive dynamic authorization.
The framework comprises four interacting entities: the cloud user (Cloud User, CU), the cloud service (Cloud Service, CS), the cloud certification center (Cloud Certification Center, CCC) and the data management module (Data Management Module, DMM). It runs in three phases: the cloud information initialization phase, the cloud user identity authentication phase and the cloud service access phase. It relies on two models: the reputation model (Reputation Model, RM) and the user role tree building model (The Model of User Role Building Tree, MURBT).
The responsibilities of the main functional component, the CCC, fall into four parts: user role management, user authorization management, cloud service management, and management of the reputation repository that stores credit worthiness values. The DMM uses a directory-type database and a markup language so that user information can be read and modified conveniently.
The life cycle of cloud access control is divided into three phases. The first phase is the cloud information initialization phase, which covers role management for users, configuration of cloud services and the introduction of the trusted authentication module TAM. The second phase is the cloud user identity authentication phase: permissions are mapped with the user role tree building model, a cloud user identity token (CCC Access Token, CCCAT_u) is issued according to the user's behaviour and history credit worthiness, and the cloud services the user is allowed to access are recommended to the user. The third phase is the cloud service access phase: the cloud certification center monitors changes in user behaviour in real time to obtain the user's current comprehensive credit worthiness; if that value reaches the access threshold of a cloud service, the user is granted a cloud service access token (CS Access Token, CSAT_u) and accesses the cloud service with this unique token. After the access, the cloud service performs a trust evaluation of the user's behaviour and stores the resulting credit worthiness in the trust repository of the cloud certification center.
The RM builds its reputation model from three inputs: the direct credit worthiness between the cloud user and the source service, the recommendation credit worthiness that recommendation services report for the user, and the user's history credit worthiness; together these give a more accurate basis for the dynamic authorization of the user. The MURBT describes and manages the access rights of cloud users hierarchically, using inheritance. In the cloud user identity authentication phase it maps the user's history credit worthiness to the access rights of cloud services and grants each cloud user a different service access permission set. In the cloud service access phase, the user's comprehensive credit worthiness is compared with the access threshold of the cloud service to decide whether the user may access that service.
Definition 1 (cloud service CS_x): an entity that completes a service request with a single service or a composite service.
Definition 2 (cloud user CU): an individual who uses cloud services.
Definition 3 (cloud user identity token CCCAT_u): the user credential used to access the cloud certification center.
Definition 4 (cloud service access token CSAT_u): the user identity credential used to access a cloud service.
Referring to Fig. 2 to Fig. 4, the adaptive cloud access control framework based on a dynamic authorization mechanism performs the following steps:
1) Before a cloud service can be accessed, the administrator Mana configures the cloud service CS_x at the cloud certification center CCC: the access address add_x of the cloud service is added, the reputation threshold required for access is set, and the user authentication service ser{Login...} is provided.
2) The service registry attaches a trusted authentication module TAM to each registered cloud service. The TAM intercepts the cloud user's service access request and checks the user's authentication information and the validity of the cloud service access token CSAT_u to decide whether the user may access the service.
3) CU → CCC: N_u, C_u, Id_u, I_u
The cloud user CU sends a platform authentication request to the CCC: user name N_u, login password C_u, verification code Id_u and user identity I_u.
4) CCC → DMM: N_u, E_kkk{C_u}, Id_u, I_u
The CCC encrypts the login password as E_kkk{C_u} and asks the user information storage server DMM to verify the user information.
5) DMM → CCC: false || (true ∪ R_x)
The DMM returns the verification result together with the user's credit worthiness R_x. If verification succeeds, the cloud user identity token CCCAT_u is generated; otherwise the user is shown a platform authentication error.
6) CCC → CU: CCCAT_u
After authentication succeeds, the CCC issues the generated CCCAT_u to the CU and stores it in a cookie of the user's browser; the user stays logged in for as long as CCCAT_u is valid.
7) If the cloud user CU accesses CS_x, the CCC generates CSAT_x and issues it to the CU.
8) The cloud user accesses the service with the token, and the TAM in CS_x verifies the validity of CSAT_x. If verification fails the access is refused; otherwise the service resource cloudSer is provided.
9) The cloud service CS_x evaluates the user's behaviour and feeds the evaluation result R_user back to the cloud certification center, where it is stored in the trust repository.
Further, the cloud user identity token CCCAT_u and the cloud service access token CSAT_x of the cloud access control method are designed as follows.
10) Design of CCCAT_u
Each cloud user must have its identity verified before accessing the cloud certification center, and only after the verification succeeds can it obtain services. In the initialization phase, the cloud certification center obtains the user's current history credit worthiness from the reputation model RM and uses the user role tree building model MURBT to assign the cloud service access permission set P_user according to the credit level the user currently holds. The cloud certification center then generates a unique cloud user identity token CCCAT_u from P_user. The token is determined by the cloud user identity ID_u, the start time of identity validity T_s, the identity validity period T_v and the user host identifier Host_x, and identifies each user that accesses the cloud certification center, as shown in formula (1):
CCCAT_u = {ID_u, T_s, T_v, Host_x, P_user}    (1)
11) Design of CSAT_x
After user information initialization, and within the validity period of CCCAT_u, the cloud certification center parses the cloud user identity token and recommends the cloud services the user is allowed to access; the user may then authenticate to any of these services. The cloud service authentication interface is called and, if the user authenticates successfully, a cloud service access token CSAT_x is generated. The token is determined by the user's unique identity CCCAT_u and by the user's user name N_x and password C_x in the cloud service CS_x, as shown in formulas (2) to (3):
CSAT_x = {CCCAT_u, CS_x, N_x, C_x}    (3)
At the same time, the authenticated cloud service information is encrypted and deposited in the user directory information database, as shown in formula (4):
CCC → DMM: ID_u, CS_x, E_kkk{C_x}, N_x    (4)
As shown in formulas (5) to (6), if the cloud user's authentication information for the cloud service is already stored in the directory information base, the cloud certification center first obtains the user's current comprehensive credit worthiness R_user through the RM and judges the user's accessibility to the service according to the MURBT. If the user's comprehensive credit worthiness is greater than the access threshold of the cloud service, the relevant information is read from the user directory information database DMM and the cloud service access token CSAT_x is generated without the user entering authentication information again. Otherwise the cloud user's access is refused.
CU → DMM: false || (true ∪ N_x ∪ C_x)    (5)
CSAT_x = {CCCAT_u, CS_x, N_x, C_x, R_user}    (6)
Further, in steps 10) and 11), the reputation model RM quantitatively evaluates and calculates the credit worthiness of cloud users, and the user role tree building model MURBT describes user permissions hierarchically; together they achieve the dynamic authorization of cloud services.
12) Reputation model
The core idea of the reputation model is to provide a security guarantee when a user accesses sensitive data under the cloud access control framework proposed by the invention. The reputation model is dynamic: as the number of accesses by a user grows, the user's credit value becomes more accurate.
The user reputation model has four parts: direct credit worthiness, recommendation credit worthiness, comprehensive credit worthiness and history credit worthiness. The direct credit worthiness is the credit rating derived from the historical experience of direct interaction between the cloud user and the cloud service, together with the cloud certification center's monitoring of changes in the user's current behaviour. The recommendation credit worthiness is the historical access evaluation of the same user by other cloud services. The comprehensive credit worthiness is the combined quantitative evaluation based on the direct and recommendation credit worthiness. The history credit worthiness is the weighted sum of the user's past comprehensive credit worthiness values and represents the user's historical reputation.
For ease of description, the invention divides the entities of the reputation model into four classes by role.
Target entity CU: the entity whose credit worthiness is obtained, for example a cloud user.
Source service CS_o: the service that wants to obtain another entity's credit worthiness, for example the service the cloud user currently accesses.
Recommendation service CS_r: a service that feeds trust information about the target entity back to the source service.
Behaviour monitor BM: the entity that monitors changes in user behaviour in real time, for example the cloud certification center.
A) Direct credit worthiness
As shown in Fig. 2, the direct credit worthiness is calculated from the direct interaction of the target entity with the source service and the behaviour monitor. The main influencing factors are the number of service requests, the time interval between service requests and the history credit worthiness of the service requests.
Let the source service CS_o have a satisfaction value for the target entity CU at time t, and let the behaviour monitor BM have a satisfaction value for CU. To reflect recent credit worthiness as much as possible and avoid interference from credit worthiness in the distant past, a time decay factor λ is introduced: the closer a credit worthiness value lies to the current time, the larger its weight and the more credible it is. t is a time at which CU and CS_o interacted within the time decay window win = [t_start, t_end], and t_current is the current time. The direct credit worthiness is then expressed as:
B) Recommendation credit worthiness
As shown in Fig. 3, the recommendation credit worthiness is calculated mainly from the historical trust evaluations of the same target entity CU by other recommendation services CS_r. The main influencing factors are the credibility of the recommendation service itself and the credibility of the recommendation service's historical interaction with the target entity.
The evaluator is CS_o, the evaluated object is CU, and CS_r is a recommender for CS_o; the two quantities involved are the recommendation trust that CS_r reports to CS_o at time t and the direct trust between CU and CS_r at time t. The recommendation credit worthiness is then expressed as:
For the same evaluated object there may be several recommenders. Let the set of recommenders of CS_o be given; the merged recommendation credit worthiness of the evaluator CS_o for the evaluated object CU is then:
C) Comprehensive credit worthiness
The comprehensive credit worthiness is calculated from the direct credit worthiness and the recommendation credit worthiness. To account for the effect of uncertainty on reputation, the invention uses information entropy to correct the weights α1 and α2 of the direct and recommendation credit worthiness automatically: the smaller the information entropy, the lower the uncertainty. The information entropy is calculated as follows:
The entropies of the direct credit worthiness and the recommendation credit worthiness are calculated separately to obtain α1 and α2.
Each α_i is obtained from formula (13), from which it follows that
The comprehensive credit worthiness is then expressed as:
D) History credit worthiness
The history credit worthiness is calculated from the comprehensive credit worthiness of all previous interactions between the cloud user and cloud services. It is calculated in the same way as the direct credit worthiness: to avoid interference from credit worthiness in the distant past, the time decay factor λ is introduced. The history credit worthiness is then expressed as:
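The patent's formulas for the four credit worthiness values are not reproduced on this page, so the following Python is an added example with assumed concrete forms, not the inventors' equations. It uses an exponential time decay exp(-λ·(t_current - t)) over the window win = [t_start, t_end] for the direct and history credit worthiness, a credibility-weighted mean over the recommender set for the recommendation credit worthiness, and weights α1, α2 derived from the binary entropy of each value for the comprehensive credit worthiness; the interaction log, recommender set and threshold passed to authorize() are constructed inputs.

```python
import math

def decay_weight(t, t_current, lam):
    """Assumed concrete decay exp(-lam * age); the patent only states that newer values weigh more."""
    return math.exp(-lam * (t_current - t))

def direct_credit(interactions, window, t_current, lam=0.1, beta=0.5):
    """Direct credit worthiness of CU as seen by CS_o.
    interactions: constructed list of (t, sat_cso, sat_bm), the satisfaction of the source
    service CS_o and of the behaviour monitor BM at time t. Assumed form: decay-weighted
    mean of beta*sat_cso + (1-beta)*sat_bm over interactions inside win = [t_start, t_end]."""
    t_start, t_end = window
    num = den = 0.0
    for t, sat_cso, sat_bm in interactions:
        if t_start <= t <= t_end:
            w = decay_weight(t, t_current, lam)
            num += w * (beta * sat_cso + (1.0 - beta) * sat_bm)
            den += w
    return num / den if den else 0.0

def recommendation_credit(recommenders):
    """Merged recommendation credit worthiness over CS_o's recommender set.
    recommenders: list of (trust_csr_cu, credibility_csr): CS_r's trust in CU, and the
    credibility CS_o assigns to CS_r. Assumed form: credibility-weighted mean, so a
    recommender that CS_o does not trust cannot move the result."""
    den = sum(cred for _, cred in recommenders)
    return sum(trust * cred for trust, cred in recommenders) / den if den else 0.0

def binary_entropy(p):
    """Entropy of a trust value in [0, 1]: 0.5 is maximally uncertain, 0 or 1 is certain."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -(p * math.log2(p) + (1.0 - p) * math.log2(1.0 - p))

def entropy_weights(values):
    """alpha_i proportional to (1 - H_i): smaller entropy, lower uncertainty, larger weight."""
    certainty = [1.0 - binary_entropy(v) for v in values]
    total = sum(certainty)
    if total == 0.0:  # every input is maximally uncertain: fall back to equal weights
        return [1.0 / len(values)] * len(values)
    return [c / total for c in certainty]

def comprehensive_credit(direct, recommend):
    """alpha_1 * direct + alpha_2 * recommend with entropy-corrected weights; returns (value, (a1, a2))."""
    a1, a2 = entropy_weights([direct, recommend])
    return a1 * direct + a2 * recommend, (a1, a2)

def history_credit(past, t_current, lam=0.1):
    """Decay-weighted mean of past comprehensive credit values; past is a list of (t, credit)."""
    num = den = 0.0
    for t, credit in past:
        w = decay_weight(t, t_current, lam)
        num += w * credit
        den += w
    return num / den if den else 0.0

def authorize(interactions, recommenders, past, threshold, t_current, window):
    """End-to-end evaluation for one access: returns (comprehensive, history, allowed)."""
    d = direct_credit(interactions, window, t_current)
    r = recommendation_credit(recommenders)
    comp, _ = comprehensive_credit(d, r)
    hist = history_credit(past + [(t_current, comp)], t_current)
    return comp, hist, comp >= threshold
```

The entropy step is what makes the weighting adaptive: a direct credit worthiness of 0.9 is far from 0.5 and therefore carries low entropy and a large α1, while a recommendation value sitting at 0.5 says nothing and receives a weight of zero rather than diluting the result.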
13) User role tree building model
As shown in Fig. 4, while the user role tree is built, the user permissions of each organizational unit org are described hierarchically by inheritance, and the root node stores the public permissions. Every descendant node of an organizational unit owns its own peculiar permissions in addition to all the permissions inherited from its predecessor node. The elements of the user role tree are defined as follows: U is the user set; P is the permission set, which is partitioned by permission feature into P = <P_RoleTeam1, ..., P_RoleTeamn>; P_former is the permission set owned by the predecessor node and P_current the permission set owned by the current node; P_user is the permission set owned by the user, P_user = P'_RoleTeam1 ∪ P'_RoleTeam2 ∪ ... ∪ P'_RoleTeamn, where RT is the permission allocation table.
In the cloud user identity authentication phase, the user role tree building model grants the cloud user the corresponding cloud service access permission set P_user according to the user's history credit worthiness. As shown in formula (1), the cloud certification center issues the cloud user identity token CCCAT_u from the user's login information and permission set, and by parsing CCCAT_u it recommends to the user the cloud services the user is allowed to access. In the cloud service access phase, according to formulas (2) to (6), the user role tree building model compares the user's comprehensive credit worthiness with the access threshold of the source service; if the user's comprehensive credit worthiness reaches the access threshold of the source service, the cloud certification center grants the user the cloud service access token CSAT_u.
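As an added example (not the patent's code), the following Python builds a small user role tree with inheritance, checks the invariant that every descendant node holds all permissions of its predecessor, and derives P_user from the user's role teams and history credit worthiness. The tree contents, the DEMO_RT table and the rule that RT maps each permission to a minimum history credit are assumptions: the patent says history credit worthiness selects P_user but does not give the rule.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class RoleNode:
    """One organizational unit org in the user role tree."""
    name: str
    own: set  # permissions peculiar to this node
    parent: Optional["RoleNode"] = None
    children: list = field(default_factory=list)

class RoleTree:
    """User role tree: the root holds the public permissions, descendants inherit and extend them."""
    def __init__(self, root_name, public_perms):
        self.root = RoleNode(root_name, set(public_perms))
        self.nodes = {root_name: self.root}

    def add(self, name, parent_name, own):
        node = RoleNode(name, set(own), parent=self.nodes[parent_name])
        node.parent.children.append(node)
        self.nodes[name] = node
        return node

    def permissions(self, name):
        """P_current = P_former plus the node's own permissions, resolved by walking up to the root."""
        perms, node = set(), self.nodes[name]
        while node is not None:
            perms |= node.own
            node = node.parent
        return perms

    def inheritance_holds(self):
        """The model's invariant: every descendant holds all permissions of its predecessor."""
        return all(self.permissions(n.parent.name) <= self.permissions(n.name)
                   for n in self.nodes.values() if n.parent is not None)

def user_permission_set(tree, role_teams, rt, history_credit):
    """P_user = P'_RoleTeam1 | ... | P'_RoleTeamn.
    Assumption: the allocation table rt maps each permission to the minimum history credit
    needed, and P'_RoleTeam_i is P_RoleTeam_i restricted to what the user's credit unlocks."""
    p_user = set()
    for team in role_teams:
        p_user |= {p for p in tree.permissions(team) if history_credit >= rt.get(p, 0.0)}
    return p_user

def build_demo_tree():
    """Constructed example tree; the permissions are names of cloud services a role may reach."""
    tree = RoleTree("org", {"CS_public"})
    tree.add("dev", "org", {"CS_build"})
    tree.add("dev_lead", "dev", {"CS_deploy"})
    tree.add("finance", "org", {"CS_ledger"})
    return tree

# Constructed allocation table RT: minimum history credit worthiness per permission.
DEMO_RT = {"CS_public": 0.0, "CS_build": 0.3, "CS_deploy": 0.7, "CS_ledger": 0.8}
```

A user in the dev_lead role team with a history credit of 0.5 receives only CS_public and CS_build; once the credit reaches 0.7 the inherited-and-extended set also unlocks CS_deploy, and a user in both dev and finance receives the union of the two branches, which is the P_user that goes into CCCAT_u.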

Claims (6)

1. An adaptive cloud service access control method based on a dynamic authorization mechanism, characterized in that the cloud service access control method comprises the following steps:
1) before a cloud service can be accessed, an administrator Mana configures the cloud service CS_x at the cloud certification center CCC, adds the access address add_x of the cloud service, sets the reputation threshold required for access and provides the user authentication service ser{Login...};
2) a service registry attaches a trusted authentication module TAM to each registered cloud service; the TAM intercepts the cloud user's service access request and verifies the user's authentication information and the validity of the cloud service access token CSAT_u to decide whether the cloud user may access the service;
3) the cloud user CU sends a platform authentication request to the CCC: user name N_u, login password C_u, verification code Id_u and user identity I_u;
4) the cloud certification center CCC encrypts the login password as E_kkk{C_u} and requests the user information storage server DMM to verify the user information;
5) the DMM server returns the user information verification result and the user's credit worthiness R_x; if verification succeeds, the cloud user identity token CCCAT_u is generated, otherwise the user is shown a platform authentication error;
6) after authentication succeeds, the CCC issues the generated CCCAT_u to the CU and stores it in a cookie of the user's browser; the user stays logged in for as long as CCCAT_u is valid;
7) if the cloud user CU accesses CS_x, the CCC generates CSAT_x and issues it to the CU;
8) the cloud user accesses the service with the token, and the TAM in CS_x verifies the validity of CSAT_x; if verification fails the cloud user's access is refused, otherwise the service resource cloudSer is provided;
9) the cloud service CS_x evaluates the user's behaviour and feeds the evaluation result R_user back to the cloud certification center, where it is stored in the trust repository.
2. The adaptive cloud service access control method based on a dynamic authorization mechanism according to claim 1, characterized in that the cloud user identity token CCCAT_u and the cloud service access token CSAT_x of the cloud service access control method are designed as follows:
each cloud user must have its identity verified before accessing the cloud certification center, and only after the verification succeeds can it obtain services; in the initialization phase, the cloud certification center obtains the user's current history credit worthiness from the reputation model RM, uses the user role tree building model MURBT to assign the cloud service access permission set P_user according to the credit level the user currently holds, and generates a unique cloud user identity token CCCAT_u from P_user; the token is determined by the cloud user identity ID_u, the start time of identity validity T_s, the identity validity period T_v and the user host identifier Host_x, and identifies each user that accesses the cloud certification center, as shown in formula (1):
CCCAT_u = {ID_u, T_s, T_v, Host_x, P_user}    (1)
after user information initialization, and within the validity period of CCCAT_u, the cloud certification center parses the cloud user identity token and recommends the cloud services the user is allowed to access; the user may authenticate to any of these services; the cloud service authentication interface is called and, if the user authenticates successfully, a cloud service access token CSAT_x is generated; the token is determined by the user's unique identity CCCAT_u and by the user's user name N_x and password C_x in the cloud service CS_x, as shown in formulas (2) to (3):
CSAT_x = {CCCAT_u, CS_x, N_x, C_x}    (3)
at the same time, the authenticated cloud service information is encrypted and deposited in the user directory information database, as shown in formula (4):
CCC → DMM: ID_u, CS_x, E_kkk{C_x}, N_x    (4)
as shown in formulas (5) to (6):
CU → DMM: false || (true ∪ N_x ∪ C_x)    (5)
CSAT_x = {CCCAT_u, CS_x, N_x, C_x, R_user}    (6)
if the cloud user's authentication information for the cloud service is already stored in the directory information base, the cloud certification center first obtains the user's current comprehensive credit worthiness R_user through the RM and judges the user's accessibility to the service according to the MURBT; if the user's comprehensive credit worthiness is greater than the access threshold of the cloud service, the relevant information is read from the user directory information database DMM and the cloud service access token CSAT_x is generated without the user entering authentication information again; otherwise the cloud user's access is refused.
3. The adaptive cloud service access control method based on a dynamic authorization mechanism according to claim 2, characterized in that the user reputation model RM quantitatively evaluates and calculates the credit worthiness of cloud users, and the user role tree building model MURBT describes user permissions hierarchically, so that dynamic authorization of cloud services is achieved.
4. The adaptive cloud service access control method based on a dynamic authorization mechanism according to claim 3, characterized in that the user reputation model comprises four parts: direct credit worthiness, recommendation credit worthiness, comprehensive credit worthiness and history credit worthiness; the direct credit worthiness is the credit rating derived from the historical experience of direct interaction between the cloud user and the cloud service together with the cloud certification center's monitoring of changes in the user's current behaviour; the recommendation credit worthiness is the historical access evaluation of the same user by other cloud services; the comprehensive credit worthiness is the combined quantitative evaluation based on the direct and recommendation credit worthiness; the history credit worthiness is the weighted sum of the user's past comprehensive credit worthiness values and represents the user's historical reputation.
5. The adaptive cloud service access control method based on a dynamic authorization mechanism according to claim 4, characterized in that the entities of the reputation model are divided into four classes by role: the target entity CU, the entity whose credit worthiness is obtained; the source service CS_o, the service that wants to obtain another entity's credit worthiness; the recommendation service CS_r, a service that feeds trust information about the target entity back to the source service; and the behaviour monitor BM, the entity that monitors changes in user behaviour in real time;
the direct credit worthiness is calculated from the direct interaction of the target entity with the source service and the behaviour monitor, and its main influencing factors are the number of service requests, the time interval between service requests and the history credit worthiness of the service requests;
let the source service CS_o have a satisfaction value for the target entity CU at time t, and let the behaviour monitor BM have a satisfaction value for CU; to reflect recent credit worthiness as much as possible and avoid interference from credit worthiness in the distant past, a time decay factor λ is introduced, so that the closer a credit worthiness value lies to the current time, the larger its weight and the more credible it is; t is a time at which CU and CS_o interacted within the time decay window win = [t_start, t_end] and t_current is the current time; the direct credit worthiness is then expressed as:
the recommendation credit worthiness is calculated from the historical trust evaluations of the same target entity CU by other recommendation services CS_r, and its influencing factors are the credibility of the recommendation service itself and the credibility of the recommendation service's historical interaction with the target entity;
the evaluator is CS_o, the evaluated object is CU and CS_r is a recommender for CS_o; the two quantities involved are the recommendation trust that CS_r reports to CS_o at time t and the direct trust between CU and CS_r at time t; the recommendation credit worthiness is then expressed as:
for the same evaluated object there may be several recommenders; let the set of recommenders of CS_o be given; the merged recommendation credit worthiness of the evaluator CS_o for the evaluated object CU is then:
the comprehensive credit worthiness is calculated from the direct credit worthiness and the recommendation credit worthiness; information entropy is used to correct the weights α1 and α2 of the direct and recommendation credit worthiness automatically, the smaller the information entropy the lower the uncertainty; the information entropy is calculated as follows:
the entropies of the direct credit worthiness and the recommendation credit worthiness are calculated separately to obtain α1 and α2;
each α_i is obtained from formula (13), from which it follows that
the comprehensive credit worthiness is then expressed as:
the history credit worthiness is calculated from the comprehensive credit worthiness of all previous interactions between the cloud user and cloud services, with the time decay factor λ introduced; the history credit worthiness is then expressed as:
6. The adaptive cloud service access control method based on a dynamic authorization mechanism according to any one of claims 2 to 5, characterized in that, while the user role tree is built, the user permissions of each organizational unit org are described hierarchically by inheritance and the root node stores the public permissions; every descendant node of an organizational unit owns its own peculiar permissions in addition to all the permissions inherited from its predecessor node; the elements of the user role tree are defined as follows: U is the user set; P is the permission set, which is partitioned by permission feature into P = <P_RoleTeam1, ..., P_RoleTeamn>; P_former is the permission set owned by the predecessor node and P_current the permission set owned by the current node; P_user is the permission set owned by the user, P_user = P'_RoleTeam1 ∪ P'_RoleTeam2 ∪ ... ∪ P'_RoleTeamn, where RT is the permission allocation table;
in the cloud user identity authentication phase, the user role tree building model grants the cloud user the corresponding cloud service access permission set P_user according to the user's history credit worthiness; as shown in formula (1), the cloud certification center issues the cloud user identity token CCCAT_u from the user's login information and permission set, and by parsing CCCAT_u it recommends to the user the cloud services the user is allowed to access; in the cloud service access phase, according to formulas (2) to (6), the user role tree building model compares the user's comprehensive credit worthiness with the access threshold of the source service, and if the user's comprehensive credit worthiness reaches the access threshold of the source service, the cloud certification center grants the user the cloud service access token CSAT_u.
CN201610221444.7A 2016-04-11 2016-04-11 Adaptive cloud access control method based on dynamic authorization mechanism Active CN105871854B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610221444.7A CN105871854B (en) 2016-04-11 2016-04-11 Adaptive cloud access control method based on dynamic authorization mechanism

Publications (2)

Publication Number Publication Date
CN105871854A CN105871854A (en) 2016-08-17
CN105871854B true CN105871854B (en) 2018-11-20

Family

ID=56636600

Country Status (1)

Country Link
CN (1) CN105871854B (en)

Families Citing this family (30)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106685933B (en) 2016-12-08 2020-06-19 腾讯科技(深圳)有限公司 Authorization policy recommendation and device
CN108234383B (en) * 2016-12-09 2021-01-08 中国电信股份有限公司 Information access method and security access server
CN106845946A (en) * 2017-02-08 2017-06-13 深圳市金政软件技术有限公司 A kind of financial data access analysis system and application method
US10693867B2 (en) 2017-03-01 2020-06-23 Futurewei Technologies, Inc. Apparatus and method for predictive token validation
CN106982136B (en) * 2017-03-07 2020-03-10 西安电子科技大学 Multi-domain layered multi-domain Internet of things platform and multi-domain management method
CN107122655B (en) * 2017-03-29 2020-01-03 西安电子科技大学 Trust management based mobile application security setting recommendation system
CN106961441B (en) * 2017-04-06 2020-05-22 中国民航大学 User dynamic access control method for Hadoop cloud platform
CN106997440A (en) * 2017-04-10 2017-08-01 中经汇通电子商务有限公司 A kind of role access control method
EP3474509B1 (en) * 2017-10-18 2021-10-06 ABB Schweiz AG Methods for controlling a device and control system
US10817619B1 (en) * 2017-12-05 2020-10-27 Jagannadha babu Kolli Method and system for securing data stored in a cloud-based software system
CN108090803A (en) * 2017-12-06 2018-05-29 上海电机学院 A kind of negotiation degree of belief computational methods
CN108460258A (en) * 2018-01-31 2018-08-28 中国电子科技集团公司第三十研究所 A kind of users to trust comprehensive estimation method
CN110365483B (en) * 2018-04-11 2022-06-14 中国移动通信集团广东有限公司 Cloud platform authentication method, client, middleware and system
CN110784433B (en) * 2018-07-31 2022-08-23 阿里巴巴集团控股有限公司 User access processing method, device and equipment
CN109495444B (en) * 2018-09-30 2022-02-22 北京工业职业技术学院 Encryption request processing method
CN109274683A (en) * 2018-10-30 2019-01-25 国网安徽省电力有限公司信息通信分公司 A kind of combined crosswise Verification System and its authentication method
CN109688119B (en) * 2018-12-14 2020-08-07 北京科技大学 Anonymous traceability identity authentication method in cloud computing
CN109743161B (en) * 2018-12-29 2022-04-26 上海掌门科技有限公司 Information encryption method, electronic device and computer readable medium
CN109886005B (en) * 2019-01-29 2022-11-08 南京邮电大学 Method and system for risk assessment of authorized user aiming at Web collaboration
CN110245925A (en) * 2019-05-20 2019-09-17 陈旭 Electric paying method, system, device and computer readable storage medium
CN110493301A (en) * 2019-06-19 2019-11-22 莫毓昌 The generic structure platform delivered for cloud combination and cloud user negotiation service
CN111177743B (en) * 2019-12-06 2022-02-22 西安交通大学 Credit big data oriented risk control method and system thereof
CN111107099B (en) * 2019-12-28 2021-12-03 北京工业大学 Self-adaptive access control method suitable for mixed cloud environment
CN112104625B (en) * 2020-09-03 2024-04-16 腾讯云计算(北京)有限责任公司 Process access control method and device
CN112311804B (en) * 2020-11-06 2021-08-24 东北大学 Multi-tenant service resource dynamic access authorization and authentication system and method
CN116491103A (en) * 2021-01-08 2023-07-25 Oppo广东移动通信有限公司 Access token processing method, equipment and cloud
CN112953920B (en) * 2021-02-01 2022-07-01 福建多多云科技有限公司 Monitoring management method based on cloud mobile phone
CN114650184B (en) * 2022-04-15 2023-05-26 四川中电启明星信息技术有限公司 Docker process security access control method based on trust degree
CN115622798A (en) * 2022-11-22 2023-01-17 国网湖北省电力有限公司营销服务中心(计量中心) User authority distribution method of power load management system
CN117278329B (en) * 2023-11-21 2024-01-16 大连凌一科技发展有限公司 Application resource dynamic control access method based on zero trust gateway

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1677455B1 (en) * 2003-10-22 2013-05-01 Huawei Technologies Co., Ltd. A method of analyzing the accessing process of the selected service in the wireless local area network
CN103179115A (en) * 2013-03-18 2013-06-26 中国科学院信息工程研究所 Cloud service accessing control method of cross-cloud application facing to cloud television terminal
CN103237019A (en) * 2013-04-03 2013-08-07 中国科学院合肥物质科学研究院 Cloud service accessing gateway system and cloud service accessing method
CN103236969A (en) * 2013-04-03 2013-08-07 中国科学院合肥物质科学研究院 Gateway system and gateway method for Cloud service accounting management
CN103532981A (en) * 2013-10-31 2014-01-22 中国科学院信息工程研究所 Identity escrow and authentication cloud resource access control system and method for multiple tenants

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20130046155A (en) * 2011-10-27 2013-05-07 인텔렉추얼디스커버리 주식회사 Access control system for cloud computing service

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right
Effective date of registration: 20190724
Address after: 310000 Room 2306, Starlight International Plaza, Changhe Street, Binjiang District, Hangzhou City, Zhejiang Province
Patentee after: HANGZHOU ZHIZHOU TECHNOLOGY CO., LTD.
Address before: No. 18 Chaowang Road, Zhaohui Sixth District, Hangzhou City, Zhejiang Province 310014
Patentee before: Zhejiang University of Technology
TR01 Transfer of patent right
Effective date of registration: 20190912
Address after: Room 510, Building 5, No. 17-1 Chuxin Road, Gongshu District, Hangzhou City, Zhejiang Province, 310000
Patentee after: Zhejiang Planer Technology Co., Ltd.
Address before: 310000 Room 2306, Starlight International Plaza, Changhe Street, Binjiang District, Hangzhou City, Zhejiang Province
Patentee before: HANGZHOU ZHIZHOU TECHNOLOGY CO., LTD.