CN110839030A - Authority transfer method in block chain access control - Google Patents

Authority transfer method in block chain access control Download PDF

Info

Publication number
CN110839030A
CN110839030A CN201911115968.8A CN201911115968A CN110839030A CN 110839030 A CN110839030 A CN 110839030A CN 201911115968 A CN201911115968 A CN 201911115968A CN 110839030 A CN110839030 A CN 110839030A
Authority
CN
China
Prior art keywords
authority
transfer
access control
rights
receiver
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201911115968.8A
Other languages
Chinese (zh)
Other versions
CN110839030B (en
Inventor
李茹
史锦山
张新
张晓东
张江徽
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Inner Mongolia University
Original Assignee
Inner Mongolia University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Inner Mongolia University filed Critical Inner Mongolia University
Priority to CN201911115968.8A priority Critical patent/CN110839030B/en
Publication of CN110839030A publication Critical patent/CN110839030A/en
Application granted granted Critical
Publication of CN110839030B publication Critical patent/CN110839030B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a permission transfer method in block chain access control, which abstracts the permission of resources into non-homogeneous general evidence and stores the non-homogeneous general evidence in a block chain in the block chain access control. When a resource visitor wants to transmit the own authority to another user, the authority transmission intelligent contract deployed on the block chain is used for transmitting the permit representing the authority to the other user, whether the user receiving the permit has the authority to receive or not is automatically verified by the intelligent contract, and the authority is prevented from being transmitted to an illegal user. The permission transfer method enables access control based on the block chain to be more flexible and safer.

Description

Authority transfer method in block chain access control
Technical Field
The invention relates to the field of access control based on a block chain, in particular to a method for transferring authority in block chain access control.
Background
The block chain is used as a distributed decentralized calculation and storage framework, and the problems caused by the design of an access control centralized decision mechanism are solved. The problems of the centralized decision mechanism are mainly reflected in single point failure and the safety problem of the central mechanism. After a researcher introduces a blockchain into access control, various access control models based on the blockchain are provided, and the blockchain is originally used as a point-to-point distributed book technology based on a cryptographic algorithm, so that the permission of resources is abstracted into non-homogeneous general evidence based on the blockchain in the access control, and the permission is granted through transaction transfer of the general evidence.
The method for mapping the authority into the evidence naturally conforms to the authority transfer function, and the authority can be flexibly transferred through the transaction or the intelligent contract in the block chain. But also brings potential safety hazard, and the authority owner may transfer the authority to an illegal user, thereby causing the problem of authority disclosure. At present, the existing permission transfer methods implemented through transactions on a block chain have serious potential safety hazards, and the permission constraints are not considered in the transfer methods, namely, a user receiving the permission is not subjected to the decision of an access control strategy and is directly endowed with the permission by a permission owner, so that the transfer of the permission can cause that the access permission of resources can be transferred to illegal users by legal users. How to ensure the security of the authority in the authority transfer process is a problem which must be solved by the access control based on the block chain at present
Disclosure of Invention
Aiming at the defects of the prior art, the invention provides a method for transferring the authority in the block chain access control, which not only improves the flexibility of the authority management in the access control, but also avoids the safety problem caused by the transfer of the authority among users.
The purpose of the invention is realized by the following technical scheme: a method for transferring authority in block chain access control adds an access control strategy of authority as another party on the basis of the authority transfer method that only a sender and a receiver of the authority are needed to participate originally, and the authority receiver must meet the access control strategy of the corresponding authority if the receiver of the authority wants to receive the corresponding authority. The new rights delivery scheme is implemented by intelligent contracts deployed on blockchains.
A workflow of rights transfer in blockchain access control:
when the authority is allowed to be transferred, when an authority owner A who owns the resource access authority wants to transfer the authority to a resource visitor B, the authority transfer messages meeting the requirement of the intelligent contract for authority transfer need to be agreed together under the condition of meeting the authority constraint.
The content of the rights transfer message is that rights owner a transfers rights to resource visitor B.
The rights transfer message is required to be validated to obtain a joint approval of the rights owner A, B and the access control contract for the resource.
If the authority transfer message is sent to the authority transfer intelligent contract in the block chain, the contract sends the transferred content to the access control contract of the resource
The access control contract S can acquire the information of the resource visitor B from the PIP and make a decision by combining the constraint and the attribute of the authority.
If the transfer is approved, the access control contract sends the approval information to the authority transfer contract, and then the authority transfer contract changes the owner of the authority from the authority owner A to the resource visitor B. Otherwise the rights transfer fails.
The authority transfer method in block chain access control comprises three implementation methods, the first method is to perform a complete authorization decision process on an authority receiver during each authority transfer, the authority transfer can only occur when the authority receiver is judged by an access control system to meet the use of the authority, and otherwise the authority transfer fails.
In the second method for transferring the authority in the access control based on the block chain, the authority is usually represented in a non-homogeneous evidence-based access control mode, and the expression of the authority transfer in the block chain is the evidence-based transfer. The first method of authority transfer requires a complete authorization decision process for an authority receiver, for example, in a complex environment such as the internet of things, an access control system has a large number of access policies, and policies corresponding to a certain authority often need to be searched and combined in the large number of access policies, and the search time increases with the increase of the number of access policies.
Therefore, the second method of authority transfer integrates the index of the access strategy corresponding to the authority into the authority pass certificate, and during each authority transfer, the corresponding access control strategy is directly found according to the access strategy index in the pass certificate, and then the authority receiver makes a decision, and the authority transfer can only occur when the authority receiver is judged by the access control system to meet the requirement of using the authority, otherwise, the authority transfer fails.
The third method of authority transfer in block chain access control directly integrates the access control strategy corresponding to the authority into the pass-certificate, so that when the authority is transferred, the access control strategy in the pass-certificate is directly read for decision making, whether the authority receiver has the authority to use the authority is judged, the authority transfer can only occur when the authority receiver is judged to meet the requirement of using the authority, otherwise, the authority transfer fails.
The three permission transfer methods have respective advantages and disadvantages, and applicable scenes are different. If the first method of rights transfer takes too long, the second method may be used. If the second method takes a long time, the third method may be used, but the storage overhead required by the three methods is sequentially increased, and different methods for transferring the rights need to be selected according to different applications.
In general, the beneficial effects of the invention are as follows:
the three permission transferring methods of the invention verify the permission receiver in the permission transferring process, judge whether the permission receiver has the permission to use the transferred permission, and only when the permission receiver is judged to meet the permission, the permission transfer can occur, otherwise the permission transfer fails. The invention avoids the possibility that the authority is obtained by an illegal user in the process of transmission, and solves an unauthorized access vulnerability in access control.
Drawings
FIG. 1 is a diagram illustrating a method of transferring permissions in blockchain access control according to the present invention;
FIG. 2 is a flowchart illustrating a method for transferring permissions in blockchain access control according to a first embodiment of the present invention;
FIG. 3 is a flowchart illustrating a method for transferring permissions in blockchain access control according to a second embodiment of the present invention;
fig. 4 is a flowchart illustrating a method for transferring permissions in blockchain access control according to a third embodiment of the present invention.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
As shown in fig. 1, fig. 1 is a schematic diagram of a block chain access control-based privilege delivery flow according to the present invention. The method uses an intelligent contract for transferring the rights. The transfer of the authority refers to a process of transferring the authority to the user B after the authority of a certain resource is acquired by the user a, and the term used in the application is explained as follows:
(1) the token is an entity representing access control authority in a block chain, and the token in the present invention refers to a non-homogeneous token.
(2) A Policy Enforcement Point (PEP) is an entity that performs access control in a specific application environment.
(3) Policy Information Point (PIP) refers to an entity that provides access control system Information through which attribute Information of a subject, a resource, and an environment can be acquired.
The rights transfer flow shown in fig. 1 completes the transfer of rights according to the following steps:
step 1: and the authority owner A and the resource visitor B, which have the access authority of the resource s, negotiate to decide to pass the authority permit of the resource s to the resource visitor B.
Step 2: the authority owner A sends the authority transfer message generated by the negotiation result to the intelligent contract of authority transfer in the block chain network, and the content of the authority transfer message is the authority T of the authority owner ASTo resource visitor B.
And 3, step 3: resource accessor B directionAuthority transfer intelligent contract sending confirmation receiving authorization token TSThe request of (1).
And 4, step 4: validation of rights delivery requires full agreement by A, B and the access control contract for resource s, so SCACInformation of the entitlement delivery message is to be sent to the SCT
And 5, step 5: SC (Single chip computer)ACThe access control policy in (1) requires a decision to be made whether to grant the passing of the authorization token, and therefore requires the verification of the authorization token TSAnd then obtaining relevant information of B from PIP to verify whether B is legal.
And 6, step 6: SC (Single chip computer)TMaking a decision according to the collected information and then returning the decision result to the SCAC
And 7, step 7: if yes, SCACGeneral certificate TSSending the information to B and informing A; if rejected, SCACThe rejection information is sent to B and informed to a.
Based on the above-mentioned permission transfer flow, various embodiments of permission transfer in block chain access control are proposed.
Referring to fig. 2, fig. 2 is a flowchart illustrating a method for transferring permissions in blockchain access control according to a first embodiment of the present invention.
While a logical order is shown in the flow chart, in some cases, the steps shown or described may be performed in an order different than that shown.
The first embodiment of the authority transfer method in block chain access control comprises the following steps:
and after the authority transfer parties determine to transfer the authority, the authority sender sends an authority transfer message to the authority transfer intelligent contract in the block chain.
After receiving the authority transfer message, the authority transfer contract first verifies whether the message is correct, then sends the transferred message and the information of the authority receiver to the access control intelligent contract, and the access control contract judges whether the authority receiver has the authority to use the authority according to the access control strategy of the authority.
If the authority receiver has the right to use, the authority transfer contract date changes the owner of the authority from the authority sender to the authority receiver, records the content of the authority transfer in the block chain, and returns the result.
If the authority receiver does not have the authority of using the authority, the authority transfer fails, and a failure result is returned.
Referring to fig. 3, fig. 3 is a flowchart illustrating a method for transferring permissions in blockchain access control according to a second embodiment of the present invention. The second embodiment of the method for transferring rights differs from the first embodiment of the method for controlling block chain access in that:
(1) and the authority pass certificate is integrated with an index of the authority corresponding to the access control strategy.
(2) After receiving the authority transfer message, the authority transfer contract firstly verifies whether the message is correct, then extracts the index of the access control strategy corresponding to the authority from the authority pass certificate, and then sends the index information and the information of the authority receiver to the access control intelligent contract.
(3) And combining the received strategy indexes into a complete access control strategy corresponding to the authority, and then judging an authority receiver to judge whether the authority receiver can use the authority.
Referring to fig. 4, fig. 4 is a flowchart illustrating a method for transferring permissions in blockchain access control according to a third embodiment of the present invention. The third embodiment of the rights transfer method differs from the previous two embodiments in that:
(1) the access control strategy corresponding to the authority is directly integrated into the pass certificate, so that after the authority transfer contract receives the authority transfer message, the access control strategy in the pass certificate can be directly extracted to judge whether the authority receiver has the right to use the authority.
(2) No information needs to be passed to the access control contract arbitration and therefore the time taken for transfer is shorter, but the storage cost of the voucher is higher.
It will be understood by those skilled in the art that the foregoing is only a preferred embodiment of the present invention, and is not intended to limit the invention, and although the invention has been described in detail with reference to the foregoing examples, it will be apparent to those skilled in the art that various changes in the form and details of the embodiments may be made and equivalents may be substituted for elements thereof. All modifications, equivalents and the like which come within the spirit and principle of the invention are intended to be included within the scope of the invention.

Claims (6)

1. A method for transferring permissions in blockchain access control, comprising: the method uses the authority granted in the block chain access control of the intelligent contract transfer, the authority transfer intelligent contract can detect whether the authority receiver is qualified to use the authority, if the detection is passed, the owner of the authority is changed from the authority sender to the authority receiver by the intelligent contract, otherwise, the transfer is failed.
2. As claimed in claim 1, a method for transferring rights in blockchain access control comprises the following steps: step 1: the authority owner A and the resource visitor B, which have the access authority of the resource s, negotiate to decide to transmit the authority permit of the resource s to the resource visitor B; step 2: the authority owner A sends the authority transfer message generated by the negotiation result to the intelligent contract of authority transfer in the block chain network, and the content of the authority transfer message is the authority T of the authority owner ASPassed to resource accessor B; and 3, step 3: resource accessor B sends confirmation receiving authorization token T to authority transfer intelligent contractSA request for (2); and 4, step 4: validation of rights delivery requires full agreement by A, B and the access control contract for resource s, so SCACInformation of the entitlement delivery message is to be sent to the SCT(ii) a And 5, step 5: SC (Single chip computer)ACThe access control policy in (1) requires a decision to be made whether to grant the passing of the authorization token, and therefore requires the verification of the authorization token TSWhether the attribute and the constraint of the system are legal or not, then obtaining related information of the B from the PIP and verifying whether the B is legal or not; and 6, step 6: SC (Single chip computer)TMaking a decision according to the collected information and then returning the decision result to the SCAC(ii) a And 7, step 7: if yes, SCACGeneral certificate TSIs sent toB and informing A; if rejected, SCACThe rejection information is sent to B and informed to a.
3. The method is characterized in that the permission comprises data reading, data writing, data creating, data deleting, operation on Internet of things equipment and the like, and a certain permission can be granted to a subject through fine-grained selection.
4. A first method for transferring rights, as claimed in claim 1, is characterized in that, in each transfer of rights, a complete authorization decision process is performed on the rights receiver, and the transfer of rights can only take place if the rights receiver is judged by the access control system to be satisfactory for using the rights, otherwise the transfer of rights fails.
5. The first authority transferring method as claimed in claim 1, wherein the method integrates the index of the access policy corresponding to the authority into the authority pass certificate, and during each authority transfer, the corresponding access control policy is directly found according to the access policy index in the pass certificate, and then the authority receiver makes a decision, and the authority transfer can occur only when the authority receiver is judged by the access control system to satisfy the use of the authority, otherwise, the authority transfer fails.
6. The first authority transferring method as claimed in claim 1, wherein the method integrates the access control policy corresponding to the authority directly into the pass certificate, so that when the authority is transferred, the access control policy in the pass certificate is directly read to make a decision, and whether the authority receiver has the right to use the authority is judged, and the authority transfer can occur only when the authority receiver is judged to satisfy the use of the authority, otherwise, the authority transfer fails.
CN201911115968.8A 2019-11-15 2019-11-15 Authority transfer method in block chain access control Active CN110839030B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911115968.8A CN110839030B (en) 2019-11-15 2019-11-15 Authority transfer method in block chain access control

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911115968.8A CN110839030B (en) 2019-11-15 2019-11-15 Authority transfer method in block chain access control

Publications (2)

Publication Number Publication Date
CN110839030A true CN110839030A (en) 2020-02-25
CN110839030B CN110839030B (en) 2021-11-19

Family

ID=69576392

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911115968.8A Active CN110839030B (en) 2019-11-15 2019-11-15 Authority transfer method in block chain access control

Country Status (1)

Country Link
CN (1) CN110839030B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111478890A (en) * 2020-03-30 2020-07-31 中国科学院计算技术研究所 Network service access control method and system based on intelligent contract
CN111641586A (en) * 2020-04-24 2020-09-08 杭州溪塔科技有限公司 Account authority management method and system based on block chain

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170244864A1 (en) * 2016-02-22 2017-08-24 Fuji Xerox Co., Ltd. Information processing apparatus, for issuing temporary identification information to user and for obtaining authorization information from service providing apparatus
CN107682331A (en) * 2017-09-28 2018-02-09 复旦大学 Internet of Things identity identifying method based on block chain
CN108632035A (en) * 2018-05-17 2018-10-09 湖北工业大学 A kind of Oblivious Transfer system and method with access control
CN108764898A (en) * 2018-04-03 2018-11-06 武汉龙津科技有限公司 A kind of logical method and system for demonstrate,proving design and its operating right management
CN109117668A (en) * 2018-08-10 2019-01-01 广东工业大学 A kind of identification authorization safety access method based on block chain building
CN110097467A (en) * 2019-05-05 2019-08-06 华中科技大学 A kind of side chain test method for intelligent contract safety and stability
CN110519066A (en) * 2019-09-29 2019-11-29 广东电网有限责任公司 A kind of Internet of Things secret protection access control method based on block chain technology

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170244864A1 (en) * 2016-02-22 2017-08-24 Fuji Xerox Co., Ltd. Information processing apparatus, for issuing temporary identification information to user and for obtaining authorization information from service providing apparatus
CN107682331A (en) * 2017-09-28 2018-02-09 复旦大学 Internet of Things identity identifying method based on block chain
CN108764898A (en) * 2018-04-03 2018-11-06 武汉龙津科技有限公司 A kind of logical method and system for demonstrate,proving design and its operating right management
CN108632035A (en) * 2018-05-17 2018-10-09 湖北工业大学 A kind of Oblivious Transfer system and method with access control
CN109117668A (en) * 2018-08-10 2019-01-01 广东工业大学 A kind of identification authorization safety access method based on block chain building
CN110097467A (en) * 2019-05-05 2019-08-06 华中科技大学 A kind of side chain test method for intelligent contract safety and stability
CN110519066A (en) * 2019-09-29 2019-11-29 广东电网有限责任公司 A kind of Internet of Things secret protection access control method based on block chain technology

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
史锦山: "物联网下的区块链访问控制综述", 《软件学报》 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111478890A (en) * 2020-03-30 2020-07-31 中国科学院计算技术研究所 Network service access control method and system based on intelligent contract
CN111641586A (en) * 2020-04-24 2020-09-08 杭州溪塔科技有限公司 Account authority management method and system based on block chain

Also Published As

Publication number Publication date
CN110839030B (en) 2021-11-19

Similar Documents

Publication Publication Date Title
US10454927B2 (en) Systems and methods for managing relationships among digital identities
US8601535B2 (en) Mobile authorization using policy based access control
US9021113B2 (en) Inter-service sharing of content between users from different social networks
US7386513B2 (en) Networked services licensing system and method
CN101415001B (en) Composite application using security annotations
US9769137B2 (en) Extensible mechanism for securing objects using claims
US8417964B2 (en) Software module management device and program
US20150026080A1 (en) Methods and apparatus for title protocol, authentication, and sharing
TW200836085A (en) Reputation-based authorization decisions
WO2007115468A1 (en) A method and system for information security authentication
CN109388957B (en) Block chain-based information transfer method, device, medium and electronic equipment
US10726141B2 (en) Dynamically constructed capability for enforcing object access order
CN110839030B (en) Authority transfer method in block chain access control
JP2002351661A (en) Method and system for architecting secure solution
JP2023527811A (en) Method, apparatus, and computer readable medium for authentication and authorization of networked data transactions
US20140013447A1 (en) Method for User Access Control in a Multitenant Data Management System
CN110138767A (en) Processing method, device, equipment and the storage medium of transactions requests
di Vimercati et al. Empowering owners with control in digital data markets
CN102972005B (en) Pay authentication method
EP1505530A1 (en) Networked services licensing system and method
Ibrahim et al. Towards Collaborative Security Approaches Based on the European Digital Sovereignty Ecosystem
CN116244725A (en) File processing method and device based on block chain, equipment and file contribution system
CN108108310A (en) A kind of data processing method, device and server
CN110807189A (en) Authority segmentation method in block chain access control
CN116415307B (en) Distributed trusted data service system and method

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant