CN100542092C - Distributed access control method in multistage securities - Google Patents


Info

Publication number
CN100542092C
Authority
CN
China
Prior art keywords
user
role
territory
certificate
resource
Prior art date
Legal status
Expired - Fee Related
Application number
CNB2006101163016A
Other languages
Chinese (zh)
Other versions
CN1960255A (en)
Inventor
杨树堂
陆松年
李建华
雷融
陈恭亮
李骏
Current Assignee
Shanghai Jiaotong University
Original Assignee
Shanghai Jiaotong University
Priority date
2006-09-21
Filing date
2006-09-21
Publication date
2009-09-16
Application filed by Shanghai Jiaotong University: 2006-09-21
Publication of CN1960255A: 2007-05-09
Application granted; publication of CN100542092C: 2009-09-16
Expired - Fee Related (termination for non-payment of annual fee): 2018-09-21

Abstract

The present invention relates to a distributed access control method with multi-level security in the field of network security technology. PKI technology provides identity authentication and information encryption; resource descriptors constrain resource access under relatively decentralized conditions; a logging module records user access information and system security information. A user logs into a trust domain with his own identity certificate and, once trusted by the authentication server, establishes a mutually authenticated connection with it. After the identity is confirmed the user can submit an access request for a resource. The final decision for that request is made by a decision function over three kinds of attribute certificate: the user-role attribute certificate, the domain policy attribute certificate and the inter-domain policy attribute certificate. Important system log entries are written to a database at the same time for later inspection. The invention logs the accesses occurring in the system in real time, which makes the security of the system easy to analyse.

Description

Distributed access control method in multistage securities
Technical field
The present invention relates to a control method in the field of network security technology, specifically a distributed access control method with multi-level security.
Background
With the rapid development and wide use of the Internet and distributed object technology, more and more distributed systems have appeared. Driven by e-commerce and supply-chain technology, collaboration between systems has also become common, which makes distributed systems ever larger and more complex. Who is allowed to use an entity in a distributed system, how it may be used, and who defines the usage rules: this is the access control problem in distributed systems. For a distributed system to be fully and safely effective, and for systems to cooperate securely, an efficient access control method is the first step towards such applications.
Access control means that a subject, according to some control policy or authority, is granted different kinds of access to an object or its resources. Traditional access control models, such as the discretionary access control (DAC) model, the mandatory access control (MAC) model and the more recently proposed role-based access control (RBAC) model, mainly operate in systems with centralized security control.
The corresponding problems in the distributed case:
Distributed multi-level secure access control must, building on the original centralized access control, consider the following points:
(1) how to perform identity verification and secure interoperation between multiple domains;
(2) how to implement mutual access to resources effectively.
A search of the prior art found no literature identical or similar to the subject of the present invention.
Summary of the invention
The objective of the invention is to overcome the deficiencies of the prior art by providing a distributed access control method with multi-level security. It makes full use of the methods of centralized secure access control systems, takes into account the difference between the same trust domain and different trust domains in a distributed environment, proposes a framework for distributed secure access control as a whole, gives concrete implementation steps under that framework, including the private, inherited and mapped conversion of the roles used in it, and a model for establishing the corresponding security log.
The invention is achieved through the following technical solution. PKI technology provides identity authentication and information encryption; RBAC and PMI technology constrain the user-role-permission relationship; resource descriptors constrain resource access under relatively decentralized conditions; a logging module records user access information and system security information. For the multiple trust domains of practical application, a user logs into a trust domain with his own identity certificate and, once trusted by the authentication server, establishes a mutually authenticated connection with it. After the identity is confirmed the user can submit an access request for a resource. The final decision for that request is made by the decision function of three kinds of attribute certificate (the user-role attribute certificate, the domain policy attribute certificate and the inter-domain policy attribute certificate). Important system log entries are written to a database at the same time for later inspection.
The method comprises the following concrete steps:
1. The system's bidirectional authentication mechanism lets the requester and the responder each confirm the other's identity. The authentication server verifies the signature and validity period of the user's certificate and whether it has been revoked. If the certificate is valid, information such as the certificate serial number and user name is extracted from it and the next step is entered; otherwise the connection is dropped. Whether or not verification passes, the system log module writes the access request and the decision to the database. Information exchanged by the two parties after verification is encrypted.
2. To access a resource in the local domain, a user object is created from the serial number of the public-key certificate, a session ID is generated, and the LDAP server is queried: the user-role certificate store is searched to obtain all roles of this user, then the next step is entered. To access a resource in another domain, the user must present his own user-role attribute certificate; the domain security manager checks whether the attribute certificate is valid and refuses the request if it is not. The domain security manager then obtains the inter-domain policy certificate between the user's home domain and the accessed domain. If there is no interoperation relationship between the two domains the request is refused; otherwise role mapping is performed, mapping the home-domain role to a role of the other domain.
3. The domain security manager checks the user object, returns to the user the roles assigned to him, and creates a session object for the user.
4. From the roles returned by the domain security manager, the user selects the roles he needs and sends the selection back to the domain security manager.
5. The domain security manager accesses the domain policy attribute certificate, obtains all sub-roles of the roles the user asked for, and constructs a role object. The system checks the role object against the role constraints and checks the session object, so that after a role is added to the session object two mutually exclusive roles can never be active at the same time. If there is no mutually exclusive role, the role is added to the session object and the next step is entered; otherwise the request is refused.
6. The domain security manager constructs a permission object. Combining the role object with the permission object yields all permissions of the user. The system performs a constraint check on the permission object to obtain all legal permissions of this user.
7. The set of legal permissions the user is authorized for is compared with the set of permissions requested. If the former contains the latter, access to the resource is allowed; otherwise it is refused. When the access has finished, the session is closed and system resources are released.
In the whole access control procedure shown above, the inter-domain role mapping relation should still be given a certain restriction: the permissions of a role mapped into this domain from another domain are confined to a certain range, that is, Privilege(role mapped into this domain) < Privilege(this domain's own user using the role). The same idea is applied in the improved RBAC model: a sub-role does not fully inherit all permissions of its parent role but inherits them only partially, which lets the parent role hold private permissions of its own. Correspondingly, in distributed access control a role mapped in from another domain does not fully inherit the permissions of the role it is mapped to in the accessed domain, but only partially, which protects the resource information of the accessed domain.
The effect of the invention is significant. A distributed secure access control system designed with this method merges the currently popular PKI, PMI and RBAC technologies with high-performance LDAP servers, and presents to the user one access procedure for a distributed secure access control system. At the same time, by adding the domain policy attribute certificate and the inter-domain policy attribute certificate, the original secure access control method of a centralized domain is carried over, through role mapping, into the distributed access control system.
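The decision function of steps 2 to 7, together with the mapping restriction and the private-permission rule of the improved RBAC model stated in the paragraph above (and again in deployment step 2 of the embodiment), as an added example; this is not the patent's code. The domain policies, role certificates and inter-domain mapping table are constructed stand-ins for the LDAP-backed certificate stores named in the description. Two modelling choices are this example's assumptions, not the patent's statements: a sub-role inherits the non-private permissions of its parent (parent private permissions stop at the parent), and a role's own private permissions are exactly the part withheld from a subject whose role was mapped in from another domain, which is what makes Privilege(mapped role) strictly smaller than Privilege(role used locally).

```python
from dataclasses import dataclass
from itertools import combinations


@dataclass
class DomainPolicy:
    """Stand-in for one domain's policy attribute certificate (constructed data)."""
    name: str
    perms: dict     # role -> inheritable permissions
    private: dict   # role -> private permissions: not inherited, not granted across domains
    parent: dict    # sub-role -> parent it inherits from (assumed direction of inheritance)
    mutex: set      # frozenset({a, b}) pairs that may not be active in one session

    def lineage(self, role):
        """The role followed by every ancestor it inherits from."""
        chain = []
        while role is not None:
            if role in chain:
                raise ValueError(f"cycle in role hierarchy at {role!r}")
            chain.append(role)
            role = self.parent.get(role)
        return chain

    def effective(self, role, local):
        """Permissions an activated role grants.  Inheritable permissions flow
        down from every ancestor; private ones never do.  The role's own private
        permissions go only to a subject of this domain (local=True), never to a
        subject mapped in from another domain."""
        granted = set()
        for r in self.lineage(role):
            granted |= self.perms.get(r, set())
        if local:
            granted |= self.private.get(role, set())
        return granted


@dataclass
class Request:
    user: str
    home: str      # domain that issued the user's certificates
    target: str    # domain that holds the resource
    chosen: list   # roles picked in step 4, named in the home domain
    needed: set    # permissions the resource descriptor demands


def decide(req, domains, role_certs, inter_domain, log):
    """Steps 2-7: returns (allowed, reason) and appends one audit record to
    `log` on every path, accept or refuse."""
    def finish(ok, why, granted=()):
        log.append({"user": req.user, "home": req.home, "target": req.target,
                    "chosen": list(req.chosen), "needed": sorted(req.needed),
                    "granted": sorted(granted), "allowed": ok, "reason": why})
        return ok, why

    target = domains[req.target]
    # step 2: the home domain's user-role certificate store says which roles are held
    held = role_certs.get((req.home, req.user), set())
    if not set(req.chosen) <= held:
        return finish(False, "role not held by user")
    local = req.home == req.target
    if local:
        roles = list(req.chosen)
    else:  # cross-domain: an inter-domain policy certificate must exist and map every role
        mapping = inter_domain.get((req.home, req.target))
        if mapping is None:
            return finish(False, "no interoperation relationship between domains")
        missing = [r for r in req.chosen if r not in mapping]
        if missing:
            return finish(False, f"no mapping for roles {missing}")
        roles = [mapping[r] for r in req.chosen]
    # step 5: expand the hierarchy, then refuse mutually exclusive roles in one session
    active = {a for r in roles for a in target.lineage(r)}
    for a, b in combinations(sorted(active), 2):
        if frozenset((a, b)) in target.mutex:
            return finish(False, f"mutually exclusive roles {a!r} and {b!r}")
    # step 6: the permission object is the union over the activated roles
    granted = set()
    for r in roles:
        granted |= target.effective(r, local)
    # step 7: the authorized set must cover the requested set
    if req.needed <= granted:
        return finish(True, "authorized", granted)
    return finish(False, f"missing {sorted(req.needed - granted)}", granted)


# Constructed stand-ins for the certificate stores of two trust domains.
DOMAINS = {
    "dom-A": DomainPolicy(
        name="dom-A",
        perms={"staff": {"read:report"}, "auditor": {"read:ledger"},
               "cashier": {"post:payment"}},
        private={"auditor": {"export:ledger"}},
        parent={"auditor": "staff", "cashier": "staff"},
        mutex={frozenset({"auditor", "cashier"})},
    ),
    "dom-B": DomainPolicy(
        name="dom-B",
        perms={"guest": {"read:catalog"}, "partner": {"read:orders"}},
        private={"partner": {"write:orders"}},
        parent={"partner": "guest"},
        mutex=set(),
    ),
}
ROLE_CERTS = {("dom-A", "alice"): {"auditor", "cashier"}, ("dom-B", "carol"): {"partner"}}
# (home, target) -> home role -> target role; an absent key means no interoperation
INTER_DOMAIN = {("dom-A", "dom-B"): {"auditor": "partner", "staff": "guest"}}
```

A call such as `decide(Request("alice", "dom-A", "dom-B", ["auditor"], {"write:orders"}), DOMAINS, ROLE_CERTS, INTER_DOMAIN, [])` is refused: the mapped role `partner` carries `read:orders` and the inherited `read:catalog`, but its private `write:orders` stays with dom-B's own users. The same user activating `auditor` and `cashier` together in dom-A is refused by the mutual-exclusion check before any permission is computed.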
Description of drawings
Fig. 1 is a schematic diagram of the improved RBAC model structure in the system of the invention.
Fig. 2 is a schematic diagram of the inter-domain mapping constraint process of RBAC+PMI in the system of the invention.
Embodiment
The embodiment uses the following hardware environment. Server: Tomcat 5.0 or above, with a Java environment that supports JAAS. Client hardware: Windows 2000/XP, Pentium 2400 MHz or above, 256 MB of memory, and a network connection to the server. Client software: the IE browser.
Deployment:
1. In each trust domain, build the trust domain's authentication server, deployed on Tomcat, and deploy an LDAP server in each trust domain holding the following databases:
A. user identity information database (PKI certificate information table, etc.)
B. attribute certificate database (PMI certificate information table, intra-domain policy mapping table, inter-domain policy mapping table, role certificate table, role mapping table, etc.)
C. resource information database (the configurable resource information of this trust domain and the corresponding permissions it offers)
2. Configure the mutual authentication trust relationship for the authentication servers and deploy the trust management module of each trust domain, covering the constraint mechanism within the trust domain and the mapping relationship constraints between different trust domains. Prepare the identity certificate of each trust domain, the attribute certificate application and management modules, and the corresponding policy customization and management modules. When each trust domain is built, each defines its own roles and their corresponding permissions. Complex systems need role inheritance relationships such as sub-roles. Bearing in mind the strictness required of distributed multi-level secure access control, this scheme proposes an improved RBAC model: on the basis of the original RBAC model, private permissions are added to the parent role, and this part of its permissions may not be inherited by its sub-roles. The same method is applied to role mapping between different trust domains, that is, the permissions of a role mapped into a domain should be less than the permissions of using that role directly in the domain. The benefit is that the trust domain's resources are well protected from being damaged or accessed without authorization by entities of outside trust domains, while trusted entities from outside the domain are still allowed, to a certain extent, to access resources in it. The improved RBAC model is shown in Fig. 1.
3. Start the LDAP and Tomcat servers. A user in each trust domain loads his own legal identity certificate into IE and connects to the authentication server of his trust domain.
Path: IE -> Tools -> Internet Options -> Content -> Certificates, add the X.509 certificate.
Once trusted by the trust domain's authentication server, the user is given a session ID by that server and has the right to access the resources of this trust domain, or the resources of other trust domains through role mapping. When a subject accesses resources outside its domain and selects the roles that can be mapped, the result of that selection is subject to the joint judgement of the policies of this trust domain and of the mapped trust domain, and mutually exclusive roles cannot be selected, as shown in Fig. 2.
Compared with the security label schemes used in small distributed systems, the invention can be applied well in large-scale distributed systems. The bidirectional authentication mechanism establishes the user's identity reliably, guaranteeing that it cannot be forged, and provides encryption for the exchanged information, guaranteeing that it cannot be eavesdropped. The wide use of attribute certificates and RBAC separates permissions from identity, which makes management by policy administrators easier. The inter-domain mapping mechanism both facilitates distributed access and imposes certain constraints on role mapping, guaranteeing access security.
With the method above, distributed resource access control is provided well, domain administrators can manage and deploy conveniently, and large-scale concurrent use by many users is supported safely and efficiently.
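The checks of the bidirectional authentication step (step 1 of the method; claim 2) on the server side, with the rule that the request and its verdict are logged whether or not the checks pass, as an added example; this is not the patent's code. The certificate is a constructed record rather than an X.509 object, and its CA signature is an HMAC over the certificate body: `CA_KEY`, `sign` and `_tbs` are this example's stand-ins for the domain CA's key and for X.509 signature verification, chosen so the example runs with the standard library alone. The revocation list is a constructed set of serial numbers and the log is an in-memory SQLite table standing in for the log database of the description.

```python
import hashlib
import hmac
import json
import sqlite3
from datetime import datetime, timezone

# Assumption: stands in for the trust domain CA's signing key.
CA_KEY = b"constructed-ca-key"


def _tbs(cert):
    """Canonical 'to be signed' bytes: every field except the signature."""
    body = {k: v for k, v in cert.items() if k != "signature"}
    return json.dumps(body, sort_keys=True).encode()


def sign(cert):
    """Issue a certificate: attach the CA signature (HMAC stand-in for X.509)."""
    cert = dict(cert)
    cert["signature"] = hmac.new(CA_KEY, _tbs(cert), hashlib.sha256).hexdigest()
    return cert


def open_log(path=":memory:"):
    """The system log module's table: one row per authentication attempt."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS auth_log "
               "(ts TEXT, serial TEXT, subject TEXT, outcome TEXT, detail TEXT)")
    return db


def verify_identity(cert, crl, db, now=None):
    """Step 1 on the server side.  Returns (True, {serial, user}) or
    (False, reason) and writes an audit row on every path, as claim 2 requires.
    `now` may be an ISO-8601 string or an aware datetime; default is the clock."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    now = now or datetime.now(timezone.utc)
    serial = str(cert.get("serial", ""))
    subject = str(cert.get("subject", ""))

    def record(outcome, detail):
        db.execute("INSERT INTO auth_log VALUES (?, ?, ?, ?, ?)",
                   (now.isoformat(), serial, subject, outcome, detail))
        db.commit()

    def reject(reason):
        record("reject", reason)
        return False, reason

    # 1. signature first: no other field is trusted until the CA signature checks out
    expected = hmac.new(CA_KEY, _tbs(cert), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(cert.get("signature", ""))):
        return reject("bad signature")
    # 2. validity period (fail closed on a missing, malformed or naive timestamp)
    try:
        not_before = datetime.fromisoformat(cert["not_before"])
        not_after = datetime.fromisoformat(cert["not_after"])
        in_window = not_before <= now <= not_after
    except (KeyError, ValueError, TypeError):
        return reject("malformed validity period")
    if not in_window:
        return reject("outside validity period")
    # 3. revocation, by serial number against the domain's CRL
    if serial in crl:
        return reject("revoked")
    record("accept", "identity established")
    return True, {"serial": serial, "user": subject}


def log_rows(db):
    """Audit rows in insertion order: (serial, subject, outcome, detail)."""
    return db.execute("SELECT serial, subject, outcome, detail "
                      "FROM auth_log ORDER BY rowid").fetchall()
```

The order of the checks matters: the validity period and serial number are read from the certificate itself, so they are only meaningful after the signature has been verified, and a tampered subject or date fails at the signature step before either is consulted. Each `reject` path, like the accept path, leaves a row in `auth_log`, so a burst of bad-signature or revoked-certificate attempts is visible in the log even though no session was ever opened.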

Claims (7)

1. A distributed access control method with multi-level security, characterized in that: public key infrastructure technology provides identity authentication and information encryption; role-based access control technology and privilege management infrastructure technology constrain the user-role-permission relationship; resource descriptors constrain resource access under relatively decentralized conditions; a logging module records user access information and system security information; for the multiple trust domains of practical application, a user logs into a trust domain with his own identity certificate and, once trusted by the authentication server, establishes a mutually authenticated connection with the authentication server; after the identity is confirmed the user can submit an access request for a resource; the final decision for that request is made by the decision function of three kinds of attribute certificate, namely the user-role attribute certificate, the domain policy attribute certificate and the inter-domain policy attribute certificate; important system log entries are written to a database at the same time for later inspection; the method specifically comprises the following steps:
(1) the system's bidirectional authentication mechanism lets the requester and the responder each confirm the other's identity, and the authentication server verifies the signature and validity period of the user's identity certificate and whether it has been revoked;
(2) the user accesses a resource, which comprises the user accessing a resource in the local domain and the user accessing a resource in another domain;
(3) the domain security manager checks the user object, returns to the user the roles assigned to him, and creates a session object for the user;
(4) from the roles returned by the domain security manager, the user selects the roles he needs and sends the selection back to the domain security manager;
(5) the domain security manager accesses the domain policy attribute certificate, obtains all sub-roles of the roles the user asked for, and constructs a role object;
(6) the domain security manager constructs a permission object;
(7) the set of legal permissions the user is authorized for is compared with the set of permissions requested; if the former contains the latter, access to the resource is allowed, otherwise it is refused.
2. The distributed access control method with multi-level security according to claim 1, characterized in that, in said identity authentication, if the identity certificate is valid, the certificate serial number and user name are extracted from the identity certificate and the next step is entered, otherwise the connection is dropped; whether or not verification passes, the system log module writes the access request and the decision to the database; and information exchanged by the two parties after verification is encrypted.
3. The distributed access control method with multi-level security according to claim 1, characterized in that, for said user accessing a resource in the local domain, a user object is created from the serial number of the public-key certificate, a session ID is generated, and the LDAP server is queried, searching the user-role certificate store to obtain all roles of the user.
4. The distributed access control method with multi-level security according to claim 1, characterized in that said user accessing a resource in another domain must present his own user-role attribute certificate; the domain security manager checks whether the attribute certificate is valid and refuses the request if it is not.
5. The distributed access control method with multi-level security according to claim 1, characterized in that said domain security manager obtains the inter-domain policy attribute certificate between the user's home domain and the accessed domain; if there is no interoperation relationship between the two domains the user's request is refused, otherwise role mapping is performed, mapping the home-domain role to a role of the other domain.
6. The distributed access control method with multi-level security according to claim 1, characterized in that, for said role object, the system checks the role object against the role constraints and checks the session object, so that after a role is added to the session object two mutually exclusive roles cannot be active at the same time; if there is no mutually exclusive role, the role is added to the session object and the next step is entered, otherwise the user's request is refused.
7. The distributed access control method with multi-level security according to claim 1, characterized in that said constructing a permission object means: combining the role object with the permission object yields all permissions of the user, and the system performs a constraint check on the permission object to obtain all legal permissions of this user.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CNB2006101163016A | 2006-09-21 | 2006-09-21 | Distributed access control method in multistage securities

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CNB2006101163016A | 2006-09-21 | 2006-09-21 | Distributed access control method in multistage securities

Publications (2)

Publication Number | Publication Date
CN1960255A | 2007-05-09
CN100542092C (granted) | 2009-09-16

Family

ID=38071760

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
CNB2006101163016A (CN100542092C, Expired - Fee Related) | Distributed access control method in multistage securities | 2006-09-21 | 2006-09-21

Country Status (1)

Country | Link
CN | CN100542092C

Families Citing this family (21)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN101039186B * | 2007-05-08 | 2010-08-04 | 中国科学院软件研究所 | Method for auditing safely system log
CN101232424B * | 2008-03-04 | 2010-06-30 | 中国移动通信集团设计院有限公司 | Access method, access system, trust service center, network trust platform
CN101296230B * | 2008-06-17 | 2011-05-11 | 浙江大学 | Web service security control mechanism based on PKI and PMI
CN101335626B * | 2008-08-06 | 2011-05-18 | 中国网通集团宽带业务应用国家工程实验室有限公司 | Multi-stage authentication method and multi-stage authentication system
CN101453388B * | 2008-12-30 | 2011-02-09 | 公安部第三研究所 | Inspection method for Internet service operation field terminal safety
US8898318B2 * | 2010-06-03 | 2014-11-25 | Microsoft Corporation | Distributed services authorization management
CN101888341B * | 2010-07-20 | 2013-02-27 | 上海交通大学 | Calculable creditworthiness-based access control method under distributed environment of multiple trusting domains
CN101997876B * | 2010-11-05 | 2014-08-27 | 重庆大学 | Attribute-based access control model and cross domain access method thereof
CN102654864A * | 2011-03-02 | 2012-09-05 | 华北计算机系统工程研究所 | Independent transparent security audit protection method facing real-time database
CN102857488B * | 2012-05-10 | 2015-06-10 | 中国人民解放军理工大学 | Network access control model as well as method and terminal thereof
CN103699828A * | 2013-12-25 | 2014-04-02 | 柳州市欧博科技有限公司 | Information security management method
CN104506480B * | 2014-06-27 | 2018-11-23 | 深圳市永达电子信息股份有限公司 | The cross-domain access control method and system combined based on label with audit
CA2996296C * | 2015-08-21 | 2023-04-18 | Veridium Ip Limited | System and method for biometric protocol standards
US11329980B2 | 2015-08-21 | 2022-05-10 | Veridium Ip Limited | System and method for biometric protocol standards
CN105743885B * | 2016-01-22 | 2019-09-27 | 山东大学(威海) | Data file receiving/transmission method and device based on multistage server client mode
CN107204978B * | 2017-05-24 | 2019-10-15 | 北京邮电大学 | A kind of access control method and device based on multi-tenant cloud environment
CN110414257A * | 2018-04-26 | 2019-11-05 | 中移(苏州)软件技术有限公司 | A kind of data access method and server
CN110753044A * | 2019-10-12 | 2020-02-04 | 山东英信计算机技术有限公司 | Identity authentication method, system, electronic equipment and storage medium
CN111241519B * | 2020-01-19 | 2022-07-26 | 北京工业大学 | Certificate-based access control system and method
CN112532591B * | 2020-11-06 | 2022-03-11 | 西安电子科技大学 | Cross-domain access control method, system, storage medium, computer equipment and terminal
CN112953920B * | 2021-02-01 | 2022-07-01 | 福建多多云科技有限公司 | Monitoring management method based on cloud mobile phone

Non-Patent Citations (2)

Title
Access control in distributed environments. 卜宏 et al. 计算机应用研究 (Application Research of Computers), No. 8, 2004 *
A distributed RBAC model framework for grid environments. 徐松 et al. 计算机工程 (Computer Engineering), Vol. 32, No. 6, 2006 *

Also Published As

Publication number Publication date
CN1960255A (en) 2007-05-09

Similar Documents

Publication Title
CN100542092C (en) Distributed access control method in multistage securities
CN110598394B (en) Authority verification method and device and storage medium
CN101399671B (en) Cross-domain authentication method and system thereof
US9825938B2 (en) System and method for managing certificate based secure network access with a certificate having a buffer period prior to expiration
CN100469000C (en) System and method for creating a secure network using identity credentials of batches of devices
CN102597981B (en) Modular device authentication framework
CN112580102A (en) Multi-dimensional digital identity authentication system based on block chain
CN101741860B (en) Computer remote security control method
CN107483491A (en) The access control method of distributed storage under a kind of cloud environment
CN109728903B (en) Block chain weak center password authorization method using attribute password
JP2006053923A5 (en)
CN101321064A (en) Information system access control method and apparatus based on digital certificate technique
CN103152179A (en) Uniform identity authentication method suitable for multiple application systems
CN104767731A (en) Identity authentication protection method of Restful mobile transaction system
CN1731723A (en) Electron/handset token dynamic password identification system
CN109962890A (en) A kind of the authentication service device and node access, user authen method of block chain
KR100561629B1 (en) Integrated Security Information Management System and Its Method
CN101686127A (en) Novel USBKey secure calling method and USBKey device
CN106921678A (en) A kind of unified safety authentication platform of the carrier-borne information system of integrated isomery
CN105518689A (en) Method and system related to authentication of users for accessing data networks
CN106789059A (en) A kind of long-range two-way access control system and method based on trust computing
US20170104748A1 (en) System and method for managing network access with a certificate having soft expiration
CN104506480A (en) Cross-domain access control method and system based on marking and auditing combination
CN114567491A (en) Medical record sharing method and system based on zero trust principle and block chain technology
Weerasinghe et al. Security framework for mobile banking

Legal Events

Code | Title | Description
C06 | Publication |
PB01 | Publication |
C10 | Entry into substantive examination |
SE01 | Entry into force of request for substantive examination |
C14 | Grant of patent or utility model |
GR01 | Patent grant |
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 2009-09-16; Termination date: 2018-09-21