CN101039322A - Dynamic access control method of pervasive computing - Google Patents

Info

Publication number
CN101039322A
Authority
CN
China
Prior art keywords
trust
role
trust value
access control
context
Prior art date
Legal status
Pending
Application number
CN 200710051922
Other languages
Chinese (zh)
Inventor
郭亚军
王玉林
陈丽华
刘庆华
李洪力
Current Assignee
Huazhong Normal University
Original Assignee
Huazhong Normal University
Priority date
Filing date
Publication date
Application filed by Huazhong Normal University
Priority to CN 200710051922
Publication of CN101039322A
Legal status: Pending

Landscapes

  • Storage Device Security (AREA)

Abstract

The present invention discloses an access control method for pervasive computing environments. The method achieves dynamic access control by combining a hierarchical trust model with role-based access control. The hierarchical trust model has two layers: the lower-layer trust value determines role assignment, and the upper-layer trust value determines role activation and permission activation. The upper-layer trust value depends on the application context; different upper-layer trust values activate different roles and permissions, so the service obtained differs. The method is mainly applied to solving the authorization problem in pervasive computing environments, and can also be used to control access to application resources in other dynamic environments.

Description

A dynamic access control method for pervasive computing
Technical field
The present invention relates to a dynamic access control method, mainly used to solve the authorization problem in pervasive computing environments.
Background art
Pervasive computing is the fusion of information space and physical space. In this fused space, people can obtain digital services transparently, anytime and anywhere. However, the ubiquity and mobility of such an environment bring new security problems. Because the cooperating subjects cannot be known in advance, traditional access control techniques designed for static networks or closed systems cannot be applied to pervasive computing environments.
A principal feature of pervasive computing is the rich interaction interface between users and resources: multiple multimedia input/output modes can be used to take part in the operation, management and maintenance of the smart space. Because of the nature of these interaction modes, it is difficult for a smart space to prevent a user from "seeing" and "hearing" information and resources in the space that the user has no right to access. User interaction must therefore be considered when designing the access control mechanism, and a suitable access control policy must be enforced to prevent unauthorized use of resources. The access control mechanism should take into account the characteristics of both information space and physical space, and access control decisions here may also depend on time or other special circumstances. In addition, access control should be transparent to some degree: its introduction should not demand too much of the user's attention.
Researchers have done much work in the access control field, but it concentrates mainly on access control based on user identity, or on using implicit trust to delegate access.
Traditional access control comprises discretionary access control (DAC) and mandatory access control (MAC). These methods grant permissions to users, or revoke them, directly; when the number of users is large and the relationships are complex, matching subjects to objects and granting and managing permissions become complicated and difficult. The role-based access control model (RBAC) introduces roles between users and permissions, which remedies some shortcomings of the traditional methods. Its core idea is to associate access permissions with roles and to link users to access permissions by assigning them suitable roles. Permissions are granted to roles, not to users. When a role is assigned to a user, the user holds the permissions that role contains. The access control process is thus divided into two parts: access permissions are associated with roles, and roles are associated with users, which achieves a logical separation of users from access permissions. However, authorization decisions in role-based access control are based on the identity of the entity and do not take context information into account.
GRBAC (Generalized Role Based Access Control) extends the role-based access control model. It introduces object roles and environment roles, which make it easier to define rich, easily understood security policies. However, they require a more complex system configuration to support the extended roles.
Trust management provides a more flexible access control method, using delegation of trust to address the trust problem of certificates. It manages security by delegating privileges through certificates: an unknown user is authorized through delegation from the certificate of an already authorized user, each certificate delegates certain permissions, and these certificates form a delegation chain. It handles the distributed authorization problem that traditional access control cannot, but this capability-style system does not truly solve distributed authorization, because it does not address why trust should be granted. Some researchers have made useful explorations of access control for pervasive computing and related fields, but they do not consider how to control access by unknown subjects, do not consider the characteristics of information space and physical space together, and suffer from problems such as an overly complex authorization process.
Summary of the invention
The object of the invention is to overcome the above deficiencies by proposing a dynamic access control security solution suited to pervasive computing environments. The method takes full account of the characteristics of information space and physical space; the user's access rights change dynamically with the application context, and the access process is transparent to the user.
To achieve this object, the invention provides a dynamic access control method based on a hierarchical trust model. The hierarchical trust model has two layers: the lower layer is the basic trust layer and the upper layer is the application trust layer. The trust value of the basic trust layer depends on the attributes of the entity, and the trust value of the application trust layer is determined by the application context.
The technical solution of the invention is:
A security solution method for access control in a pervasive computing environment, comprising the following steps:
Step 1: the hierarchical trust model is combined with role-based access control to realize dynamic authorization for pervasive computing. The hierarchical trust model has two layers: the lower layer is the basic trust layer and the upper layer is the application trust layer. The trust value of the basic trust layer depends on the attributes of the entity, and the trust value of the application trust layer is determined by the application context.
After step 1, the method further comprises:
Step 2: the service requester requests the required service from the service provider;
Step 3: the service provider receives the request message and, according to the trust policy of the requested service, evaluates the service requester's basic trust value; if it reaches the specified trust threshold, step 4 is executed; otherwise trust negotiation is required, which is based on the attributes held by both parties. If the negotiation fails, the service request fails;
Step 4: the set of roles assigned to the service requester is determined from the role assignment policy and the basic trust value;
Step 5: the requester's application trust value T_C1 is evaluated from the user-related context: the user's characteristics, location, time, nearby persons and current interpersonal relationships;
Step 6: the application trust value T_C2 is evaluated from the computational context (network connectivity, communication cost, communication bandwidth and nearby resources) and the physical context (illumination, noise level, traffic conditions and temperature);
Step 7: the activated role is determined from the application trust value T_C1;
Step 8: the activated permission is determined from the application trust value T_C2.
After step 8, the method further comprises:
Step 9: when the user-related context changes, the application trust value T_C1 is re-evaluated;
Step 10: when the computational or physical context changes, the application trust value T_C2 is re-evaluated.
After step 8, the method further comprises:
Step 11: when an application trust value changes, the user's access rights change accordingly.
As the above technical solution shows, the invention has the following beneficial effects:
1. Basic trust is established from entity attributes, enabling authorization of unknown entities;
2. Roles and permissions are activated by application trust values, realizing dynamic access control for pervasive computing;
3. Authorization decisions are simplified, and the security of pervasive computing applications is ensured.
The technical solution of the invention is described in further detail below with reference to the drawings and embodiments.
Description of the drawings
Fig. 1 is a schematic diagram of how the basic trust value is formed through negotiation;
Fig. 2 is a schematic diagram of user role assignment;
Fig. 3 is a schematic diagram of the user's role hierarchy;
Fig. 4 is a schematic diagram of role activation;
Fig. 5 is a schematic diagram of a role's permission hierarchy;
Fig. 6 is a schematic diagram of permission activation;
Fig. 7 is an implementation flow chart of the pervasive computing dynamic access control method of the invention.
Embodiment
The invention realizes dynamic access control by extending the role-based access control model with the hierarchical trust model.
The service provider evaluates the service requester's basic trust value T_a.
The formation of trust value T_a is shown in Fig. 1. The service requester initiates a service request (10); the service provider, according to the trust policy of the accessed service, requires the service requester to provide certain attributes (11); the service requester shows these attributes (12), or, to protect its own sensitive attributes, requires the service provider to show certain attributes first (13), and once its own attribute access policy is satisfied, the service requester provides the attributes to the other party (14).
Based on the subject's trust value T_a, the subject is assigned a set of roles.
User role assignment is shown in Fig. 2: according to the user's trust value T_a and the role assignment policy, the user is assigned a set of roles.
The relation between roles is shown in Fig. 3, where r_0, r_1, r_2, r_3 denote roles and null denotes no role. The relation between roles is a partial order.
According to the trust policy, the trust value T_C1 of the user's context (the user's characteristics, location, time, nearby persons, current interpersonal relationships, etc.) is evaluated and decides role activation; see Fig. 4.
Each role has its own permission set; see Fig. 5, where p_0, p_1, p_2, p_3, p_4 denote permissions and null denotes no permission. The relation between permissions is a partial order.
According to the trust policy, the application trust value T_C2 related to the system and environment is evaluated and decides which permission is activated; see Fig. 6.
The complete implementation flow is shown in Fig. 7. The service requester requests the required service (101); the service provider receives the request message and, according to the trust policy of the requested service, evaluates the service requester's basic trust value (102) and judges whether the security policy is satisfied (103); if it is, role assignment is carried out (104); the application trust value T_C1 is evaluated from the user-related context (105); the activated role is determined from T_C1 (106); the application trust value T_C2 is evaluated from the computational context and the physical context (107); and the activated permission is determined from T_C2 (108). When the user-related context changes, the application trust value T_C1 is re-evaluated (110); when the computational or physical context changes, the application trust value T_C2 is re-evaluated (111), and the subsequent steps of the flow change accordingly.
The operation of the dynamic access control method is illustrated below with a pervasive computing scenario:
Scenario: Professor Bob walks into his own office and uses his mobile device, over a wireless connection to the printer, to request that a file be printed. If the printer is idle, it can provide the service to the professor; if the printer is busy, the professor's print request cannot be satisfied. When Professor Bob is outside the office, he cannot use his mobile device over the wireless connection to "order" the printer inside the office to print a file for him.
Operating process:
Step 1: when Professor Bob requests service with the wireless device, the wireless device and the service provider carry out trust negotiation;
Step 2: according to the basic trust value T_a resulting from the negotiation, Bob is assigned a subset of roles, such as "professor", "personnel" and "student";
Step 3: if the security policy defines that the "professor" role is activated when the application trust value T_C1 is "in" (the application trust value assessment policy being that T_C1 is "in" when the visitor is inside the office), then the "professor" role is activated in that case;
Step 4: each role (such as "professor", "personnel" and "student") has its own permission set (such as the permissions "print" and "cannot print");
Step 5: the application trust value T_C2 adjusts the active permission;
Step 6: for example, the assessment policy for the printer resource's application trust value is that T_C2 is high when the printer is idle and low when it is busy;
Step 7: suppose that when T_C2 is high the active permission of the "professor" role is "print", and when T_C2 is low the active permission of the "professor" role becomes "cannot print";
Step 8: when Professor Bob walks into the office, the "professor" role is activated. Suppose the permission set of the "professor" role is "print" and "cannot print"; when the printer is idle, the "print" permission of the "professor" role is activated and Bob can obtain the print service;
Step 9: when the printer is busy, the "cannot print" permission of the "professor" role is activated and Bob cannot obtain the print service;
Step 10: if Bob walks out of the office, the "student" role is activated; the "student" role has no "print" permission, so Bob cannot obtain the print service.
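The printer scenario above can be traced in code. The following Python sketch is an added example, not code from the patent: the numeric trust scale, the threshold, the attribute names, the "out" label for T_C1 and the "personnel" permission set are all assumptions made for illustration. It shows the basic trust layer fixing the assigned roles once, and the application trust values re-selecting the active role and permission on every context change.

```python
from dataclasses import dataclass

# All policy values below are constructed for this example; the patent gives none.
BASIC_TRUST_THRESHOLD = 60
ATTRIBUTE_WEIGHTS = {            # hypothetical attributes shown during negotiation
    "staff_credential": 50,
    "registered_device": 30,
    "department_member": 20,
}
ROLE_ASSIGNMENT = {"professor": 90, "personnel": 70, "student": 60}  # minimum T_a
ROLE_ACTIVATION = {"in": "professor", "out": "student"}  # "out" label is assumed
ROLE_PERMISSIONS = {             # per role: T_C2 value -> activated permission
    "professor": {"high": "print", "low": "cannot print"},
    "personnel": {"high": "print", "low": "cannot print"},  # assumed
    "student": {},               # the "student" role has no "print" permission
}
DENY = "cannot print"


@dataclass(frozen=True)
class Context:
    inside_office: bool   # user-related context, feeds T_C1
    printer_idle: bool    # computational context, feeds T_C2


def basic_trust(attributes):
    """Basic trust layer: T_a from the attributes the requester disclosed."""
    return sum(ATTRIBUTE_WEIGHTS.get(a, 0) for a in set(attributes))


def assign_roles(t_a):
    """Threshold check, then role assignment; an empty set means the request fails."""
    if t_a < BASIC_TRUST_THRESHOLD:
        return frozenset()
    return frozenset(r for r, need in ROLE_ASSIGNMENT.items() if t_a >= need)


def eval_t_c1(ctx):
    return "in" if ctx.inside_office else "out"


def eval_t_c2(ctx):
    return "high" if ctx.printer_idle else "low"


class Session:
    """Roles are assigned once from T_a; activation follows the context."""

    def __init__(self, attributes):
        self.t_a = basic_trust(attributes)
        self.roles = assign_roles(self.t_a)
        self.active_role = None
        self.active_permission = DENY

    def update(self, ctx):
        """Re-evaluate T_C1 and T_C2 on a context change; True if printing is allowed."""
        candidate = ROLE_ACTIVATION.get(eval_t_c1(ctx))
        # Activation can only pick a role that was assigned: context alone
        # never grants more than the basic trust layer allowed.
        self.active_role = candidate if candidate in self.roles else None
        permissions = ROLE_PERMISSIONS.get(self.active_role, {})
        self.active_permission = permissions.get(eval_t_c2(ctx), DENY)  # fail closed
        return self.active_permission == "print"


if __name__ == "__main__":
    bob = Session(["staff_credential", "registered_device", "department_member"])
    for ctx in (Context(True, True), Context(True, False), Context(False, True)):
        print(ctx, bob.update(ctx), bob.active_role, bob.active_permission)
```

A requester whose basic trust value is too low for the "professor" role is denied even while standing inside the office with the printer idle, because role activation is restricted to the roles assigned from T_a.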

Claims (4)

1. A security solution method for access control in a pervasive computing environment, characterized by comprising the following steps:
Step 1: the hierarchical trust model is combined with role-based access control to realize dynamic authorization for pervasive computing. The hierarchical trust model has two layers: the lower layer is the basic trust layer and the upper layer is the application trust layer. The trust value of the basic trust layer depends on the attributes of the entity, and the trust value of the application trust layer is determined by the application context.
2. The method according to claim 1, characterized by further comprising, after step 1:
Step 2: the service requester requests the required service from the service provider;
Step 3: the service provider receives the request message and, according to the trust policy of the requested service, evaluates the service requester's basic trust value; if it reaches the specified trust threshold, step 4 is executed; otherwise trust negotiation is required, which is based on the attributes held by both parties; if the negotiation fails, the service request fails;
Step 4: the set of roles assigned to the service requester is determined from the role assignment policy and the basic trust value;
Step 5: the requester's application trust value T_C1 is evaluated from the user-related context: the user's characteristics, location, time, nearby persons and current interpersonal relationships;
Step 6: the application trust value T_C2 is evaluated from the computational context (network connectivity, communication cost, communication bandwidth and nearby resources) and the physical context (illumination, noise level, traffic conditions and temperature);
Step 7: the activated role is determined from the application trust value T_C1;
Step 8: the activation of permissions is determined from the application trust value T_C2.
3. The method according to claim 2, characterized by further comprising, after step 8:
Step 9: when the user-related context changes, the application trust value T_C1 is re-evaluated;
Step 10: when the computational or physical context changes, the application trust value T_C2 is re-evaluated.
4. The method according to claim 3, characterized by further comprising, after step 10:
Step 11: when an application trust value changes, the user's access rights change accordingly.
CN 200710051922 2007-04-20 2007-04-20 Dynamic access control method of pervasive computing Pending CN101039322A (en)


Publications (1)

Publication Number Publication Date
CN101039322A true CN101039322A (en) 2007-09-19

Family

ID=38889954



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Open date: 20070919