CN113612724B - Internet of things access control method and device based on capability - Google Patents

Internet of things access control method and device based on capability Download PDF

Info

Publication number
CN113612724B
CN113612724B CN202110649002.3A CN202110649002A CN113612724B CN 113612724 B CN113612724 B CN 113612724B CN 202110649002 A CN202110649002 A CN 202110649002A CN 113612724 B CN113612724 B CN 113612724B
Authority
CN
China
Prior art keywords
user
capability
token
capacity
tree
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110649002.3A
Other languages
Chinese (zh)
Other versions
CN113612724A (en
Inventor
殷丽华
李超
李凡
罗天杰
罗熙
孙哲
王滨
王星
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangzhou University
Original Assignee
Guangzhou University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Guangzhou University filed Critical Guangzhou University
Priority to CN202110649002.3A priority Critical patent/CN113612724B/en
Publication of CN113612724A publication Critical patent/CN113612724A/en
Application granted granted Critical
Publication of CN113612724B publication Critical patent/CN113612724B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/64Protecting data integrity, e.g. using checksums, certificates or signatures
    • GPHYSICS
    • G16INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16YINFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
    • G16Y30/00IoT infrastructure
    • G16Y30/10Security thereof
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L9/3213Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a method and a device for controlling access to the Internet of things based on capability, wherein the method comprises the following steps: generating an initial capacity token corresponding to the authority of the first user through a strategy decision point, and sending the initial capacity token to the first user; receiving a first resource request sent by a first user and a signed initial capacity token, and sending a resource object corresponding to the first resource request to the first user after the first resource request and the signed initial capacity token are verified to be legal; establishing a time capacity tree, and sending an initial capacity token of a first user to a second user to enable the second user to have the capacity of the first user; and updating the time capacity tree according to the capacity token sent by the second user, receiving a third resource request sent by the first user, issuing the capacity corresponding to the third resource request to the first user, and recording the time at the moment into the time node sequence of the time capacity tree. The embodiment of the invention can reduce the calculation amount of the verification capability token of the resource server and effectively improve the safety of the access control of the Internet of things.

Description

Internet of things access control method and device based on capability
Technical Field
The invention relates to the technical field of Internet of things, in particular to a method and a device for access control of the Internet of things based on capability.
Background
An access control technology, that is, a technology for managing whether a user has access right to a resource, is regarded and developed by people as a crucial member of a computer system security mechanism at the beginning of birth of a computer. The development process of the method spans the whole computer development history, and Access Control Lists (ACL), role-based access control models (RBAC), attribute-based access control models (ABAC), capability-based access control models (CapBAC) and the like which can be applied to different scenes are generated.
As a new technology, the Internet of things brings convenience to our life, and meanwhile, the incompleteness of the safety mechanism of the Internet of things brings many potential safety hazards to people. Different from computer system vulnerabilities or webpage-side vulnerabilities, the vulnerabilities of the internet of things bring privacy disclosure risks, and meanwhile, the vulnerabilities of the internet of things can be directly related to all internet of things equipment around people, and therefore the vulnerabilities of the life and property safety of people are directly threatened. Most of the vulnerabilities of the internet of things are caused by access control mechanisms. The existing access control method of the internet of things needs to verify signatures of the whole capability propagation chain one by one, so that the calculated amount is large.
Disclosure of Invention
The invention provides a method and a device for controlling access to the Internet of things based on the capability, and aims to solve the technical problem that the existing method for controlling access to the Internet of things needs to verify signatures of the whole capability propagation chain one by one, so that the calculated amount is large.
The first embodiment of the invention provides a capability-based access control method for the Internet of things, which comprises the following steps:
after a first user obtains an access control authority, generating an initial capacity token corresponding to the authority of the first user through a policy decision point, sending the initial capacity token to the first user, enabling the first user to receive the initial capacity token, and encrypting the initial capacity token through a digital signature;
receiving a first resource request sent by the first user and the signed initial capability token, verifying whether the initial capability token is legal or not, and if so, sending a resource object corresponding to the first resource request to the first user;
establishing a time capacity tree, storing the time capacity tree into a time capacity tree library of the first user by adopting a child brother method, encrypting by using a resource-source public key, sending an initial capacity token of the first user to a second user, verifying a digital signature of the capacity token of the second user, and enabling the second user to have the capacity of the first user after verifying that the digital signature of the capacity token is legal;
updating the time capacity tree according to the capacity token sent by the second user, receiving a third resource request sent by the first user, if the node of the time capacity tree corresponding to the third resource request is in the first user and the time capacity tree is in the capacity effective time period, issuing the capacity corresponding to the third resource request to the first user, and recording the time at the moment into the time node sequence of the time capacity tree.
Further, before the first user obtains the access control right, the method further includes:
receiving first authority information sent by a first user, verifying whether the first authority information accords with an access control strategy, and if so, granting access control authority to the first user.
Further, the verifying whether the initial capability token is legal specifically includes:
and decrypting the initial capacity token to obtain the public key of the first user, and verifying whether the initial capacity token of the first user is legal or not according to the public key.
Further, the updating the time capability tree according to the capability token sent by the second user specifically includes:
and receiving the capability token sent by the second user, carrying out validity verification on the digital signature in the capability token, issuing the corresponding capability of the capability token to the second user after the verification is passed, and updating the time capability tree.
Further, the time capability tree includes a capability tree name, capability tree nodes, and node relationships.
A second embodiment of the present invention provides a capability-based access control device for an internet of things, including:
the system comprises a capacity token sending module, a capacity token sending module and a capacity token sending module, wherein the capacity token sending module is used for generating an initial capacity token corresponding to the authority of a first user through a strategy decision point after the first user obtains an access control authority, sending the initial capacity token to the first user, enabling the first user to receive the initial capacity token, and encrypting the initial capacity token through a digital signature;
a resource object sending module, configured to receive a first resource request sent by the first user and the signed initial capability token, verify whether the initial capability token is legal, and if so, send a resource object corresponding to the first resource request to the first user;
the digital signature verification module is used for establishing a time capacity tree, storing the time capacity tree into a time capacity tree library of the first user by adopting a child brother method, encrypting the time capacity tree by using a resource-source public key, sending an initial capacity token of the first user to a second user, verifying a digital signature of the capacity token of the second user, and enabling the second user to have the capacity of the first user after verifying that the digital signature of the capacity token is legal;
and the capacity issuing module is used for updating the time capacity tree according to the capacity token sent by the second user, receiving a third resource request sent by the first user, issuing the capacity corresponding to the third resource request to the first user if the node of the time capacity tree corresponding to the third resource request is in the first user and the time capacity tree is in a capacity effective time period, and recording the time at the moment into the time node sequence of the time capacity tree.
Further, before the first user obtains the access control right, the method further includes:
receiving first authority information sent by a first user, verifying whether the first authority information accords with an access control strategy, and if so, granting access control authority to the first user.
Further, the verifying whether the initial capability token is legal specifically includes:
and decrypting the initial capacity token to obtain the public key of the first user, and verifying whether the initial capacity token of the first user is legal or not according to the public key.
Further, the updating the time capability tree according to the capability token sent by the second user specifically includes:
and receiving the capability token sent by the second user, carrying out validity verification on the digital signature in the capability token, issuing the corresponding capability of the capability token to the second user after the verification is passed, and updating the time capability tree.
A third embodiment of the present invention provides a computer-readable storage medium, where the computer-readable storage medium includes a stored computer program, where when the computer program runs, the apparatus where the computer-readable storage medium is located is controlled to execute a method for controlling access to an internet of things based on capabilities as described above.
In the embodiment of the invention, when each user distributes the capacity token, a part of known capacity transmission chains are stored in the capacity token in a capacity tree form and distributed to new users, the capacity trees existing in the tokens used by the users who finally visit the resource manager are combined by the resource manager and combined with the original life cycle of the capacity token to form a complete capacity tree by combining the access time of nodes, and the complete capacity tree is utilized to finish the target effects of reducing the calculation amount, recording the complete capacity flow direction and the like.
Furthermore, the embodiment of the invention maintains the time capability tree at the resource server end, the verification is carried out only when a new capability tree node requires access, and the repeated verification is not needed after the verification is successful, so that the verification times under the control scene of the internet of things can be effectively reduced, the calculation amount of the resource server verification capability token can be reduced, and the access control effect of the internet of things can be improved; the embodiment of the invention can effectively increase the security of the access control of the Internet of things by improving the structure and the transmission mode of the time capability tree.
Drawings
Fig. 1 is a schematic flowchart of a method for controlling access to an internet of things based on capabilities according to an embodiment of the present invention;
FIG. 2 is a schematic diagram illustrating the capability tree delivery principle provided by an embodiment of the present invention;
FIG. 3 is a schematic diagram of a complete capability tree composition principle provided by an embodiment of the present invention;
fig. 4 is another schematic flow chart of a method for controlling access to the internet of things based on capabilities according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of an access control device of the internet of things according to an embodiment of the present invention;
fig. 6 is a schematic structural diagram of a capability-based access control device of the internet of things according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
In the description of the present application, it is to be understood that the terms "first", "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implying any number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include one or more of that feature. In the description of the present application, "a plurality" means two or more unless otherwise specified.
In the description of the present application, it is to be noted that, unless otherwise explicitly specified or limited, the terms "mounted," "connected," and "connected" are to be construed broadly, e.g., as meaning either a fixed connection, a removable connection, or an integral connection; can be mechanically or electrically connected; they may be connected directly or indirectly through intervening media, or they may be interconnected between two elements. The specific meaning of the above terms in the present application can be understood in a specific case by those of ordinary skill in the art.
Referring to fig. 1 to 4, in a first embodiment of the present invention, a first embodiment of the present invention provides a method for controlling access to an internet of things based on capabilities shown in fig. 1, including:
s1, after the first user obtains the access control authority, generating an initial capacity token corresponding to the authority of the first user through a strategy decision point, sending the initial capacity token to the first user, enabling the first user to receive the initial capacity token, and encrypting the initial capacity token through a digital signature;
s2, receiving a first resource request sent by a first user and the signed initial capacity token, verifying whether the initial capacity token is legal, and if so, sending a resource object corresponding to the first resource request to the first user;
s3, establishing a time capacity tree, storing the time capacity tree into a time capacity tree library of a first user by adopting a child brother method, encrypting by using a resource-side public key, sending an initial capacity token of the first user to a second user, verifying a digital signature of the capacity token of the second user, and enabling the second user to have the capacity of the first user after verifying that the digital signature of the capacity token is legal;
and S4, updating the time capacity tree according to the capacity token sent by the second user, receiving a third resource request sent by the first user, if the node of the time capacity tree corresponding to the third resource request is in the first user and the time capacity tree is in the capacity effective time period, issuing the capacity corresponding to the third resource request to the first user, and recording the time at the moment into the time node sequence of the time capacity tree.
In the embodiment of the invention, when each user distributes the capacity token, a part of known capacity transmission chains are stored in the capacity token in a capacity tree form and distributed to new users, the capacity trees existing in the tokens used by the users who finally visit the resource manager are combined by the resource manager and combined with the original life cycle of the capacity token to form a complete capacity tree by combining the access time of nodes, and the complete capacity tree is utilized to finish the target effects of reducing the calculation amount, recording the complete capacity flow direction and the like.
Furthermore, the embodiment of the invention maintains the time capability tree at the resource server end, the verification is carried out only when a new capability tree node requires access, and the repeated verification is not needed after the verification is successful, so that the verification times under the control scene of the internet of things can be effectively reduced, the calculation amount of the resource server verification capability token can be reduced, and the access control effect of the internet of things can be improved; the embodiment of the invention can effectively increase the security of the access control of the Internet of things by improving the structure and the transmission mode of the time capability tree.
Referring to FIG. 2, during the capability transfer process of the capability tree, the embodiment of the present invention replaces the corresponding node in the temporal capability tree with the first letter of each user's name. Wherein, Alice is an initial user having read (read) and write (write) rights to the resource File, and the embodiment of the present invention uses R and W to represent the two rights. Alice wants to perform capability transfer on other users, after taking the initial capability token omega 0 from the IoT cloud platform at t0, Alice has the capability of reading and writing the resource File, and then Alice transfers the reading and writing capability to Bob at t1, wherein the transfer mode is to generate a new capability token omega 1 and send the new capability token to Bob. In the newly generated capability token Ω 1, Alice needs to add information such as resource ID, operation, authorized person ID, parent token, time capability tree, and Alice's own signature thereto. Here, the parent token field does not refer to the ID of the capability token Ω 0, but the full capability token Ω 0. The capability tree in the omega 1 is divided into two according to different authorities, so that the known capability tree of Alice and the newly added node Bob form the capability tree, and the capability tree and the capability issuing time and the failure time corresponding to the node form a time capability tree together. At time t2, Alice transfers the reading capability to Candy, where all operations are the same as before, but the capability tree is changed, and on the basis of the capability tree transferred by Alice to Bob, Candy nodes and corresponding time information are added, and at the same time, Ω 2 only stores the capability tree of read, but not the write capability tree. Each node only receives the capability tree where the capability of the node is located, so that the capacity token volume can be reduced on one hand, and the privacy protection effect is achieved to a certain extent on the other hand. At time t3, Bob wants to pass read capabilities to David, at which time Bob does not know that Alice has passed the token to Candy, and then only adds a new node David based on the read capability tree that Bob has obtained itself. At time t4, Bob wants to pass to Edward part write capability, which is the ability to write to the File resource part, which is a write capability of smaller granularity, denoted as write-, and which needs to be defined in advance at the resource manager, otherwise the resource manager cannot recognize it. Edward then gets only the write-capability tree in the omega 2 token, which adds Edward as a new node on top of the write-capability tree passed by Alice to Bob, named as the write-capability tree.
As a specific implementation manner of the embodiment of the present invention, before the first user acquires the access control right, the method further includes:
and receiving first permission information sent by the first user, verifying whether the first permission information accords with an access control strategy, and if so, granting the access control permission to the first user.
As a specific implementation manner of the embodiment of the present invention, verifying whether the initial capability token is legal specifically includes:
and decrypting the initial capacity token to obtain a public key of the first user, and verifying whether the initial capacity token of the first user is legal or not according to the public key.
According to the embodiment of the invention, before the first user performs access control on the Internet of things, the resource server is enabled to have the public key of the first user through registration, the public key is obtained after the initial capacity token is decrypted, whether the initial capacity token of the first user is legal or not is verified according to the public key, and the reliability of verifying the initial token can be effectively improved.
As a specific implementation manner of the embodiment of the present invention, the updating the time capability tree according to the capability token sent by the second user specifically includes:
and receiving the capability token sent by the second user, carrying out validity verification on the digital signature in the capability token, issuing the corresponding capability of the capability token to the second user after the verification is passed, and updating the time capability tree.
According to the embodiment of the invention, the time tree is maintained at the resource server, after a new time capability tree is established, the verification is carried out when the node of the time capability tree requires access, and after the verification is successful, the repeated verification is not needed, so that the verification times under the control scene of the Internet of things can be effectively reduced, the calculation amount of the resource server verification capability token can be reduced, and the access control effect of the Internet of things is improved.
As a specific implementation of the embodiment of the present invention, the time capability tree includes a capability tree name, capability tree nodes, and node relationships.
In one embodiment, the capability tree is composed of a capability tree name, nodes and node relationships. Where the capability tree name is an identification of a particular capability for a particular resource, the nodes and node relationships represent the user and their relationship in the capability tree. To save resource resources, most of the time, the capability tree can only be built and stored for fast verification of the capability token. And when the accident tracing positioning and the capability orientation change are required, taking out the capability tree from the resource end and using the capability tree for the next calculation.
Referring to fig. 3, in the process of combining the capability trees, the resource manager stores the capability trees included in the individual tokens, and combines the time capability trees of the same capability of the same resource to obtain a complete capability tree; and simultaneously recording the time of each access of the user at the corresponding node. The arrows in fig. 3 indicate the corresponding capability trees received by the resource manager and their order, and the right indicates the final capability tree. It should be noted that, at this time, only the token that requires the resource manager to verify is collected by the resource manager, and if no access is made to the resource after the node takes the capability token at this time, the finally generated capability tree does not include its branch, but its existence can be captured from other capability trees.
Please refer to fig. 4, which is another flowchart illustrating a method for controlling access to an internet of things based on capabilities according to an embodiment of the present invention.
The embodiment of the invention has the following beneficial effects:
according to the embodiment of the invention, the time capability tree is maintained at the resource server, the verification is carried out only when a new capability tree node requires access, and repeated verification is not needed after the verification is successful, so that the verification times under the control scene of the Internet of things can be effectively reduced, and the resource consumption caused by repeated decryption verification for many times can be reduced; according to the embodiment of the invention, by designing the storage mode and the encryption mode of the capacity tree in the token, a new user can only obtain one pointer, and the capacity node of the next user is added at the position pointed by the pointer, so that the complete capacity tree cannot be known, and the hop count of the capacity chain where the new user is located and the reverse analysis capacity chain are difficult to guess, thereby not only realizing the security monitoring of the Capbase AC, but also protecting the privacy of the user; according to the embodiment of the invention, the capability tree is added in the capability token structure of the original Capbase AC by modifying the capability token structure, the capability tree is continuously grown in the capability transmission process, and finally the capturing and combining of the capability tree are completed at the resource server, so that a complete capability tree is obtained to represent the complete capability flow direction in the Capbase AC, and the security of the access control of the Internet of things is improved.
Referring to fig. 5, a third embodiment of the present invention, in which the access control server is the above backend server, as the issuer of the initial capability, Alice is the owner of the album cloud, and Bob is the friend of Alice, and Alice wants Bob print a photo. The specific process of application is as follows:
1) three users who need to access the photo album cloud resources, as represented by Alice, Bob and printer in the example, only Alice has to register at the access control server in advance, the registration information is shared with the photo album cloud, and Bob and printer need to prove their identities;
2) after receiving the initial token transmitted by the access control server, Alice has the capability of reading, downloading, uploading and deleting all photos in the photo album cloud;
3) alice wants to ask Bob to help her print a photo, and then gives Bob the right to read and download the photo through the capability token;
4) bob can not know whether the Bob is the only person authorized by Alice from the information of the token;
5) bob gives the reading right of the photo to a printer through the capability token, and the printer has the reading capability on the photo in the photo album cloud, so that the photo is printed successfully;
6) the next day, Alice needs Bob to help. After Bob proves identity to the resource manager, the printer manager finds that Bob already exists in the capability tree stored by the printer manager, and then does not decrypt and verify the capability token presented by Bob any more, and directly allows Bob to print the photo.
Referring to fig. 6, a third embodiment of the present invention provides a capability-based access control device for internet of things, including:
the capability token sending module 10 is configured to generate an initial capability token corresponding to the authority of the first user through a policy decision point after the first user obtains the access control authority, send the initial capability token to the first user, enable the first user to receive the initial capability token, and encrypt the initial capability token through a digital signature;
the resource object sending module 20 is configured to receive a first resource request sent by a first user and a signed initial capability token, verify whether the initial capability token is legal, and send a resource object corresponding to the first resource request to the first user if the initial capability token is legal;
the digital signature verification module 30 is configured to establish a time capability tree, store the time capability tree into a time capability tree library of a first user by using a child brother method, encrypt the time capability tree by using a resource-source public key, send an initial capability token of the first user to a second user, verify a digital signature of a capability token of the second user, and enable the second user to have the capability of the first user after verifying that the digital signature of the capability token is legal;
and the capacity issuing module 40 is configured to update the time capacity tree according to the capacity token sent by the second user, receive a third resource request sent by the first user, issue, if a node of the time capacity tree corresponding to the third resource request is in the first user and the time capacity tree is within the capacity validation time period, a capacity corresponding to the third resource request to the first user, and record the time at this time in the time node sequence of the time capacity tree.
In the embodiment of the invention, when each user distributes the capacity token, a part of known capacity transmission chains are stored in the capacity token in a capacity tree form and distributed to new users, the capacity trees existing in the tokens used by the users who finally visit the resource manager are combined by the resource manager and combined with the original life cycle of the capacity token to form a complete capacity tree by combining the access time of nodes, and the complete capacity tree is utilized to finish the target effects of reducing the calculation amount, recording the complete capacity flow direction and the like.
Furthermore, the embodiment of the invention maintains the time capability tree at the resource server end, the verification is carried out only when a new capability tree node requires access, and the repeated verification is not needed after the verification is successful, so that the verification times under the control scene of the internet of things can be effectively reduced, the calculation amount of the resource server verification capability token can be reduced, and the access control effect of the internet of things can be improved; the embodiment of the invention can effectively increase the security of the access control of the Internet of things by improving the structure and the transmission mode of the time capability tree.
Referring to FIG. 2, during the capability transfer process of the capability tree, the embodiment of the present invention replaces the corresponding node in the temporal capability tree with the first letter of each user's name. Wherein, Alice is an initial user having read (read) and write (write) rights to the resource File, and the embodiment of the present invention uses R and W to represent the two rights. Alice wants to perform capability transfer on other users, after taking the initial capability token omega 0 from the IoT cloud platform at t0, Alice has the capability of reading and writing the resource File, and then Alice transfers the reading and writing capability to Bob at t1, wherein the transfer mode is to generate a new capability token omega 1 and send the new capability token to Bob. In the newly generated capability token Ω 1, Alice needs to add information such as resource ID, operation, authorized person ID, parent token, time capability tree, and Alice's own signature thereto. Here, the parent token field does not refer to the ID of the capability token Ω 0, but the full capability token Ω 0. The capability tree in the omega 1 is divided into two according to different authorities, so that the known capability tree of Alice and the newly added node Bob form the capability tree, and the capability tree and the capability issuing time and the failure time corresponding to the node form a time capability tree together. At time t2, Alice transfers the reading capability to Candy, where all operations are the same as before, but the capability tree is changed, and on the basis of the capability tree transferred by Alice to Bob, Candy nodes and corresponding time information are added, and at the same time, Ω 2 only stores the capability tree of read, but not the write capability tree. Each node only receives the capability tree where the capability of the node is located, so that the capacity token volume can be reduced on one hand, and the privacy protection effect is achieved to a certain extent on the other hand. At time t3, Bob wants to pass read capabilities to David, at which time Bob does not know that Alice has passed the token to Candy, and then only adds a new node David based on the read capability tree that Bob has obtained itself. At time t4, Bob wants to pass to Edward part write capability, which is the ability to write to the File resource part, which is a write capability of smaller granularity, denoted as write-, and which needs to be defined in advance at the resource manager, otherwise the resource manager cannot recognize it. Edward then gets only the write-capability tree in the omega 2 token, which adds Edward as a new node on top of the write-capability tree passed by Alice to Bob, named as the write-capability tree.
As a specific implementation manner of the embodiment of the present invention, before the first user acquires the access control right, the method further includes:
and receiving first permission information sent by the first user, verifying whether the first permission information accords with an access control strategy, and if so, granting the access control permission to the first user.
As a specific implementation manner of the embodiment of the present invention, verifying whether the initial capability token is legal specifically includes:
and decrypting the initial capacity token to obtain a public key of the first user, and verifying whether the initial capacity token of the first user is legal or not according to the public key.
According to the embodiment of the invention, before the first user performs access control on the Internet of things, the resource server is enabled to have the public key of the first user through registration, the public key is obtained after the initial capacity token is decrypted, whether the initial capacity token of the first user is legal or not is verified according to the public key, and the reliability of verifying the initial token can be effectively improved.
As a specific implementation manner of the embodiment of the present invention, the updating the time capability tree according to the capability token sent by the second user specifically includes:
and receiving the capability token sent by the second user, carrying out validity verification on the digital signature in the capability token, issuing the corresponding capability of the capability token to the second user after the verification is passed, and updating the time capability tree.
According to the embodiment of the invention, the time tree is maintained at the resource server, after a new time capability tree is established, the verification is carried out when the node of the time capability tree requires access, and after the verification is successful, the repeated verification is not needed, so that the verification times under the control scene of the Internet of things can be effectively reduced, the calculation amount of the resource server verification capability token can be reduced, and the access control effect of the Internet of things is improved.
As a specific implementation of the embodiment of the present invention, the time capability tree includes a capability tree name, capability tree nodes, and node relationships.
In one embodiment, the capability tree is composed of a capability tree name, nodes and node relationships. Where the capability tree name is an identification of a particular capability for a particular resource, the nodes and node relationships represent the user and their relationship in the capability tree. To save resource resources, most of the time, the capability tree can only be built and stored for fast verification of the capability token. And when the accident tracing positioning and the capability orientation change are required, taking out the capability tree from the resource end and using the capability tree for the next calculation.
Referring to fig. 3, in the process of combining the capability trees, the resource manager stores the capability trees included in the individual tokens, and combines the time capability trees of the same capability of the same resource to obtain a complete capability tree; and simultaneously recording the time of each access of the user at the corresponding node. The arrows in fig. 3 indicate the corresponding capability trees received by the resource manager and their order, and the right indicates the final capability tree. It should be noted that, at this time, only the token that requires the resource manager to verify is collected by the resource manager, and if no access is made to the resource after the node takes the capability token at this time, the finally generated capability tree does not include its branch, but its existence can be captured from other capability trees.
The embodiment of the invention has the following beneficial effects:
according to the embodiment of the invention, the time capability tree is maintained at the resource server, the verification is carried out only when a new capability tree node requires access, and repeated verification is not needed after the verification is successful, so that the verification times under the control scene of the Internet of things can be effectively reduced, and the resource consumption caused by repeated decryption verification for many times can be reduced; according to the embodiment of the invention, by designing the storage mode and the encryption mode of the capacity tree in the token, a new user can only obtain one pointer, and the capacity node of the next user is added at the position pointed by the pointer, so that the complete capacity tree cannot be known, and the hop count of the capacity chain where the new user is located and the reverse analysis capacity chain are difficult to guess, thereby not only realizing the security monitoring of the Capbase AC, but also protecting the privacy of the user; according to the embodiment of the invention, the capability tree is added in the capability token structure of the original Capbase AC by modifying the capability token structure, the capability tree is continuously grown in the capability transmission process, and finally the capturing and combining of the capability tree are completed at the resource server, so that a complete capability tree is obtained to represent the complete capability flow direction in the Capbase AC, and the security of the access control of the Internet of things is improved.
A third embodiment of the present invention provides a computer-readable storage medium, where the computer-readable storage medium includes a stored computer program, and when the computer program runs, the apparatus where the computer-readable storage medium is located is controlled to execute the method for controlling access to the internet of things based on capabilities.
The invention provides a method and a device for controlling access to the Internet of things based on energy, and aims to solve the technical problems of large calculated amount and large potential safety hazard in the existing method for controlling access to the Internet of things.
The foregoing is a preferred embodiment of the present invention, and it should be noted that it would be apparent to those skilled in the art that various modifications and enhancements can be made without departing from the principles of the invention, and such modifications and enhancements are also considered to be within the scope of the invention.

Claims (9)

1. A method for controlling access to the Internet of things based on capability is characterized by comprising the following steps:
after a first user obtains an access control authority, generating an initial capacity token corresponding to the authority of the first user through a policy decision point, sending the initial capacity token to the first user, enabling the first user to receive the initial capacity token, and encrypting the initial capacity token through a digital signature;
receiving a first resource request sent by the first user and the signed initial capability token, verifying whether the initial capability token is legal or not, and if so, sending a resource object corresponding to the first resource request to the first user;
establishing a time capacity tree, storing the time capacity tree into a time capacity tree library of the first user by adopting a child brother method, encrypting by using a resource-source public key, sending an initial capacity token of the first user to a second user, verifying a digital signature of the capacity token of the second user, and enabling the second user to have the capacity of the first user after verifying that the digital signature of the capacity token is legal; the establishing of the time capability tree specifically comprises the following steps: storing the capability trees contained in the individual tokens through a resource server, combining the time capability trees of the same capability of the same resource, and recording the time of each access of a user at a corresponding node of the resource server to obtain a complete time capability tree, wherein the time capability tree is maintained at a resource server end and consists of a capability tree name, nodes and a node relation;
updating the time capacity tree according to the capacity token sent by the second user, receiving a third resource request sent by the first user, if the node of the time capacity tree corresponding to the third resource request is in the first user and the time capacity tree is in the capacity effective time period, issuing the capacity corresponding to the third resource request to the first user, and recording the time at the moment into the time node sequence of the time capacity tree.
2. The method for controlling access to the internet of things based on the capability of claim 1, further comprising, before the first user obtains the access control right:
receiving first authority information sent by a first user, verifying whether the first authority information accords with an access control strategy, and if so, granting access control authority to the first user.
3. The method for controlling access to the internet of things based on the capability of claim 1, wherein the verifying whether the initial capability token is legal includes:
and decrypting the initial capacity token to obtain the public key of the first user, and verifying whether the initial capacity token of the first user is legal or not according to the public key.
4. The method for controlling access to the internet of things based on capabilities of claim 1, wherein the updating the temporal capability tree according to the capability token sent by the second user specifically comprises:
and receiving the capability token sent by the second user, carrying out validity verification on the digital signature in the capability token, issuing the corresponding capability of the capability token to the second user after the verification is passed, and updating the time capability tree.
5. An internet of things access control device based on capability, comprising:
the system comprises a capacity token sending module, a capacity token sending module and a capacity token sending module, wherein the capacity token sending module is used for generating an initial capacity token corresponding to the authority of a first user through a strategy decision point after the first user obtains an access control authority, sending the initial capacity token to the first user, enabling the first user to receive the initial capacity token, and encrypting the initial capacity token through a digital signature;
a resource object sending module, configured to receive a first resource request sent by the first user and the signed initial capability token, verify whether the initial capability token is legal, and if so, send a resource object corresponding to the first resource request to the first user;
the digital signature verification module is used for establishing a time capacity tree, storing the time capacity tree into a time capacity tree library of the first user by adopting a child brother method, encrypting the time capacity tree by using a resource-source public key, sending an initial capacity token of the first user to a second user, verifying a digital signature of the capacity token of the second user, and enabling the second user to have the capacity of the first user after verifying that the digital signature of the capacity token is legal; the establishing of the time capability tree specifically comprises the following steps: storing the capability trees contained in the individual tokens through a resource server, combining the time capability trees of the same capability of the same resource, and recording the time of each access of a user at a corresponding node of the resource server to obtain a complete time capability tree, wherein the time capability tree is maintained at a resource server end and consists of a capability tree name, nodes and a node relation;
and the capacity issuing module is used for updating the time capacity tree according to the capacity token sent by the second user, receiving a third resource request sent by the first user, issuing the capacity corresponding to the third resource request to the first user if the node of the time capacity tree corresponding to the third resource request is in the first user and the time capacity tree is in a capacity effective time period, and recording the time at the moment into the time node sequence of the time capacity tree.
6. The access control device of the internet of things based on the capability of claim 5, further comprising, before the first user obtains the access control right:
receiving first authority information sent by a first user, verifying whether the first authority information accords with an access control strategy, and if so, granting access control authority to the first user.
7. The access control device of the internet of things based on the capability as claimed in claim 5, wherein the verifying whether the initial capability token is legal is specifically:
and decrypting the initial capacity token to obtain the public key of the first user, and verifying whether the initial capacity token of the first user is legal or not according to the public key.
8. The access control device of the internet of things based on the capability as claimed in claim 5, wherein the updating the temporal capability tree according to the capability token sent by the second user specifically comprises:
and receiving the capability token sent by the second user, carrying out validity verification on the digital signature in the capability token, issuing the corresponding capability of the capability token to the second user after the verification is passed, and updating the time capability tree.
9. A computer-readable storage medium, comprising a stored computer program, wherein when the computer program runs, the computer-readable storage medium is controlled by a device to execute a method for controlling access to the internet of things based on capabilities according to any one of claims 1 to 4.
CN202110649002.3A 2021-06-10 2021-06-10 Internet of things access control method and device based on capability Active CN113612724B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110649002.3A CN113612724B (en) 2021-06-10 2021-06-10 Internet of things access control method and device based on capability

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110649002.3A CN113612724B (en) 2021-06-10 2021-06-10 Internet of things access control method and device based on capability

Publications (2)

Publication Number Publication Date
CN113612724A CN113612724A (en) 2021-11-05
CN113612724B true CN113612724B (en) 2022-01-25

Family

ID=78336498

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110649002.3A Active CN113612724B (en) 2021-06-10 2021-06-10 Internet of things access control method and device based on capability

Country Status (1)

Country Link
CN (1) CN113612724B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102724647A (en) * 2012-06-06 2012-10-10 电子科技大学 Method and system for access capability authorization
CN111669386A (en) * 2020-05-29 2020-09-15 武汉理工大学 Access control method and device based on token and supporting object attribute
CN111935131A (en) * 2020-08-06 2020-11-13 中国工程物理研究院计算机应用研究所 SaaS resource access control method based on resource authority tree
CN112784283A (en) * 2019-11-08 2021-05-11 华为技术有限公司 Capability management method and computer equipment

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7774601B2 (en) * 2004-04-06 2010-08-10 Bea Systems, Inc. Method for delegated administration

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102724647A (en) * 2012-06-06 2012-10-10 电子科技大学 Method and system for access capability authorization
CN112784283A (en) * 2019-11-08 2021-05-11 华为技术有限公司 Capability management method and computer equipment
CN111669386A (en) * 2020-05-29 2020-09-15 武汉理工大学 Access control method and device based on token and supporting object attribute
CN111935131A (en) * 2020-08-06 2020-11-13 中国工程物理研究院计算机应用研究所 SaaS resource access control method based on resource authority tree

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Capability-based Access Control Delegation Model;Bayu Anggorojati, Parikshit Narendra Mahalle, Neeli Rashmi Prasa;《IEEE》;20121231;第1-5页 *
Capability-Based Access Control for the;Yuta Nakamura, Yuanyu Zhang, Masahiro Sasabe and Shoji Kasahara;《IEEE》;20200227;第1-6页 *
物联网环境下的访问控制技术探析;罗洪等;《西南民族大学学报(自然科学版)》;20161125(第06期);第1-6页 *

Also Published As

Publication number Publication date
CN113612724A (en) 2021-11-05

Similar Documents

Publication Publication Date Title
US9674156B2 (en) Event-triggered release through third party of pre-encrypted digital data from data owner to data assignee
KR101238490B1 (en) Binding content licenses to portable storage devices
US8181266B2 (en) Method for moving a rights object between devices and a method and device for using a content object based on the moving method and device
KR20210040078A (en) Systems and methods for safe storage services
US8572372B2 (en) Method for selectively enabling access to file systems of mobile terminals
US20040255137A1 (en) Defending the name space
JP5180203B2 (en) System and method for controlling information supplied from a memory device
CN109067528A (en) Crypto-operation, method, cryptographic service platform and the equipment for creating working key
US20070124313A1 (en) Method and apparatus for secure digital content distribution
KR20230041971A (en) Method, apparatus and computer readable medium for secure data transfer over a distributed computer network
CN114175580B (en) Enhanced secure encryption and decryption system
JP2009543211A (en) Content management system and method using a generic management structure
JP5178716B2 (en) Content management system and method using certificate revocation list
JP2004110197A (en) Information processing method and method of managing access authority for use at center system
JP2009543208A (en) Content management system and method using certificate chain
CN117097526A (en) Block chain-based data security sharing method and device
CN113612724B (en) Internet of things access control method and device based on capability
JP4972165B2 (en) Control system and method using identity objects
CN116263834A (en) Multi-issuer anonymous credentials for licensed blockchains
Piechotta et al. A secure dynamic collaboration environment in a cloud context
CN113505098A (en) File sharing system, method and storage medium
Jacobino et al. TrustVault: A privacy-first data wallet for the European Blockchain Services Infrastructure
Abedin et al. An advance cryptographic solutions in cloud computing security
Mounnan et al. Efficient distributed access control using blockchain for big data in clouds
Fiore Providing trust to multi-cloud storage platforms through the blockchain

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant