CN101039322A - Dynamic access control method of pervasive computing - Google Patents
- Publication number: CN101039322A
- Application number: CN 200710051922
- Authority: CN (China)
- Prior art keywords: trust, role, trust value, access control, context
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Landscapes: Storage Device Security (AREA)
Abstract
The present invention discloses an access control method for pervasive computing environments. The method realizes dynamic access control by combining a hierarchical trust model with a role-based access control model. The hierarchical trust model is a two-layer structure, in which the bottom-layer trust value determines role assignment and the upper-layer trust value determines role activation and permission activation. The upper-layer trust value depends on the application context; different upper-layer trust values correspond to different activated roles and permissions, so the service obtained differs. The method is mainly applied to solving the authorization problem in pervasive computing environments, and can also be used to control access to application resources in other dynamic environments.
Description
Technical field
The present invention relates to a dynamic access control method, mainly used to solve the authorization problem in pervasive computing environments.
Background
Pervasive computing is the fusion of information space and physical space; in this fused space, people can obtain digital services transparently, anytime and anywhere. However, such a ubiquitous and mobile environment brings new security problems. Because the subjects that cooperate with one another cannot be known in advance, traditional access control techniques designed for static networks or closed systems cannot be used in pervasive computing environments.
A principal characteristic of pervasive computing is that the interaction interface between users and resources is rich: multiple multimedia input/output modes can be used, and users take part in the operation, management and maintenance of the smart space. Because of the nature of these interaction modes, it is difficult for a smart space to prevent a user from "seeing" and "hearing" information in the space, and resources, that the user has no right to access. Therefore user interaction must be considered when designing the access control mechanism, and a suitable access control policy must be enforced to prevent unauthorized use of resources. The access control mechanism should consider the characteristics of both information space and physical space, and access control decisions may also depend on time or other special circumstances. In addition, access control should be transparent to a certain extent: its introduction should not demand too much of the user's attention.
Researchers have done much work in the access control field, but it mainly concentrates on access control based on user identity, or uses implicit trust to delegate access.
Traditional access control includes discretionary access control (DAC) and mandatory access control (MAC). These methods grant or revoke permissions directly for users, but when the number of users is large and the relationships are complex, matching subjects to objects and granting and managing permissions becomes complicated and difficult. The role-based access control model (RBAC) introduces roles between users and permissions, which remedies some defects of the traditional methods. Its core idea is to associate access permissions with roles and, by assigning suitable roles to users, to associate users with access permissions. Permissions are granted to roles rather than to users. When a role is assigned to a user, that user has the permissions the role contains. The whole access control process is thus divided into two parts: access permissions are associated with roles, and roles are in turn associated with users, which achieves the logical separation of users and access permissions. However, authorization decisions in role-based access control are based on the identity of the entity and do not take context information into account.
GRBAC (Generalized Role Based Access Control) extends the role-based access control model. It introduces object roles and environment roles, which make it easier to define rich, easily understood security policies. However, supporting the extended roles requires a more complex system configuration.
Trust management uses delegation to solve the trust problem of certificates and provides a more flexible access control method. It uses certificates to delegate privileges for security management: an unknown user is authorized through the certificates of already-authorized users, each certificate delegates some permissions, and these certificates form a delegation chain. It solves the distributed authorization problem that traditional access control cannot handle, but such a capability-style system does not really address the nature of distributed authorization, because it does not answer why trust should be given. Some researchers have made useful explorations of access control for pervasive computing and related fields, but they have not considered how to control access by unknown subjects, have not considered the characteristics of information space and physical space together, and suffer from problems such as overly complex authorization processes.
Summary of the invention
The object of the invention is to overcome the above deficiencies by proposing a dynamic access control security method suited to pervasive computing environments. The method takes full account of the characteristics of information space and physical space; a user's access permissions change dynamically with the application context, and the access process is transparent to the user.
To achieve this object, the invention provides a dynamic access control method based on a hierarchical trust model. The hierarchical trust model is a two-layer structure: the bottom layer is the basic trust layer and the upper layer is the application trust layer. The trust value of the basic trust layer depends on the attributes of the entity, and the trust value of the application trust layer is determined by the application context.
The technical scheme of the invention is:
An access control security method for a pervasive computing environment, comprising the following steps:
After said step 1, the method further comprises:
Step 2: the service requester requests the required service from the service provider;
Step 3: the service provider receives the request message and, according to the trust policy of the requested service, evaluates the service requester's basic trust value; if it reaches the specified trust threshold, step 4 is executed; otherwise trust negotiation is required, based on the attributes both parties hold. If the negotiation fails, the service request fails;
Step 4: the set of roles assigned to the service requester is determined according to the role assignment policy and the basic trust value;
Step 5: according to the user-related context (the user's characteristics, location, time, nearby people and current interpersonal relationships), the requester's application trust value T_C1 is evaluated;
Step 6: according to the computational context (network connectivity, communication cost, communication bandwidth and nearby resources) and the physical context (illumination, noise level, traffic conditions and temperature), the application trust value T_C2 is evaluated;
Step 7: the activated roles are determined according to the application trust value T_C1;
Step 8: the activated permissions are determined according to the application trust value T_C2.
After said step 8, the method further comprises:
Step 9: when the user-related context changes, the application trust value T_C1 is re-evaluated.
After said step 8, the method further comprises:
As the above technical scheme shows, the invention has the following beneficial effects:
1. Basic trust is established from entity attributes, enabling authorization of unknown entities;
2. Roles and permissions are activated by application trust values, realizing dynamic access control for pervasive computing;
3. Authorization decisions are simplified, ensuring the security of pervasive computing applications.
The technical scheme of the invention is described in further detail below with reference to the drawings and embodiments.
Description of the drawings
Fig. 1 is a schematic diagram of the negotiation process that forms the basic trust value;
Fig. 2 is a schematic diagram of user role assignment;
Fig. 3 is a schematic diagram of a user's role hierarchy;
Fig. 4 is a schematic diagram of role activation;
Fig. 5 is a schematic diagram of a role's permission hierarchy;
Fig. 6 is a schematic diagram of permission activation;
Fig. 7 is the implementation flow chart of the pervasive computing dynamic access control method of the invention.
Embodiment
The invention realizes dynamic access control by extending the role-based access control model with the hierarchical trust model.
The service provider evaluates the service requester's basic trust value T_a.
The formation of trust value T_a is shown in Fig. 1. The service requester initiates a service request 10; the service provider, according to the trust policy of the accessed service, requires the service requester to provide certain attributes 11; the service requester presents these attributes 12, or, in order to protect its own sensitive attributes, requires the service provider to present certain attributes 13 before it does so; once its own attribute access policy is satisfied, the service requester provides the attributes to the other party 14.
Based on the subject's trust value T_a, the subject is assigned a set of roles.
User role assignment is shown in Fig. 2: according to the user's trust value T_a and the role assignment policy, the user is assigned a set of roles.
The relationship between roles is shown in Fig. 3, where r_0, r_1, r_2, r_3 denote roles and null denotes no role. The relationship between roles is a partial order.
According to the trust policy, the trust value T_C1 of the user's context (the user's characteristics, location, time, nearby people, current interpersonal relationships, etc.) is evaluated, and it decides role activation; see Fig. 4.
Each role has its own permission set, shown in Fig. 5, where p_0, p_1, p_2, p_3, p_4 denote permissions and null denotes no permission. The relationship between permissions is a partial order.
According to the trust policy, the application trust value T_C2 related to the system and the environment is evaluated, and it decides which permissions are activated; see Fig. 6.
The complete implementation flow is shown in Fig. 7. The service requester requests the required service 101; the service provider receives the request message and, according to the trust policy of the requested service, evaluates the service requester's basic trust value 102; it determines whether the security policy is satisfied 103 and, if so, performs role assignment 104; according to the user-related context, it evaluates the application trust value T_C1 105; according to the application trust value T_C1, it determines the activated roles 106; according to the computational context and the physical context, it evaluates the application trust value T_C2 107; according to the application trust value T_C2, it determines the activated permissions 108. When the user-related context changes, the application trust value T_C1 is re-evaluated 110; when the computational or physical context changes, the application trust value T_C2 is re-evaluated 111, and the subsequent steps of the flow change accordingly.
The operating process of the dynamic access control method is described below using a pervasive computing scenario:
Scenario: Professor Bob walks into his own office and uses his mobile device, over a wireless connection to the printer, to request that a file be printed. If the printer is idle, it provides the service to the professor; if the printer is busy, the professor's print request cannot be satisfied. When Professor Bob is outside the office, he cannot use his mobile device over the wireless connection to "order" the printer inside the office to print a file for him.
Operating process:
Step 2: according to the basic trust value T_a resulting from negotiation, Bob is assigned a subset of roles, such as "professor", "personnel" and "student";
Step 3: the security policy defines that the "professor" role is activated when the application trust value T_C1 is "in" (the application trust value evaluation policy is that T_C1 takes the value "in" when the visitor is inside the office);
Step 4: each role (such as "professor", "personnel" and "student") has its own permission set (such as the permissions "print" and "cannot print");
Step 5: the application trust value T_C2 adjusts the active permissions;
Step 6: for example, the evaluation policy for the application trust value of the printer resource is that T_C2 is high when the printer is idle and low when it is busy;
Step 7: suppose that when T_C2 is high, the active permission of the "professor" role is "print", and when T_C2 is low, the active permission of the "professor" role changes to "cannot print";
Step 8: when Professor Bob walks into the office, the "professor" role is activated. Suppose the permission set of the "professor" role is "print" and "cannot print"; when the printer is idle, the "professor" role's permission "print" is activated and Bob can obtain the print service;
Step 9: when the printer is busy, the "professor" role's permission "cannot print" is activated and Bob cannot obtain the print service.
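The operating process above, written out as an added Python example (not part of the patent text). The patent does not specify how trust values are computed, so the attribute names, numeric weights, thresholds, the "out" level for T_C1 and all function names are constructed assumptions; only the "in" and high/low levels, the roles and the two permissions come from the scenario.

```python
"""Two-layer trust + RBAC decision flow for the printer scenario.
Attribute names, weights and thresholds are constructed for illustration."""
from dataclasses import dataclass

# Basic trust layer: T_a depends on entity attributes (assumed weights).
ATTRIBUTE_WEIGHTS = {"university_cert": 0.5, "faculty_cert": 0.3,
                     "device_registered": 0.2}
TRUST_THRESHOLD = 0.6  # trust policy of the print service (assumed)

# Role assignment policy: minimum T_a needed for each role (assumed values).
ROLE_ASSIGNMENT = {"student": 0.6, "personnel": 0.7, "professor": 0.9}
# Role activation policy: T_C1 level that activates a role.
ROLE_ACTIVATION = {"professor": "in"}
# Permission activation policy: role -> {T_C2 level -> active permission}.
PERMISSION_ACTIVATION = {"professor": {"high": "print", "low": "cannot_print"}}


def basic_trust(attributes):
    """T_a: sum of the weights of the attributes shown during negotiation."""
    return round(sum(ATTRIBUTE_WEIGHTS.get(a, 0.0) for a in attributes), 2)


def assign_roles(t_a):
    """Below the threshold after negotiation the request fails; otherwise
    the role assignment policy yields a set of roles."""
    if t_a < TRUST_THRESHOLD:
        raise PermissionError("trust negotiation failed: request refused")
    return {r for r, need in ROLE_ASSIGNMENT.items() if t_a >= need}


def eval_t_c1(user_ctx):
    """User-related context -> T_C1 ("in" only inside the office)."""
    return "in" if user_ctx.get("location") == "office" else "out"


def eval_t_c2(env_ctx):
    """Computational/physical context -> T_C2; unknown state counts as low."""
    return "high" if env_ctx.get("printer_state") == "idle" else "low"


@dataclass
class Session:
    assigned_roles: set

    def decide(self, user_ctx, env_ctx):
        """Re-evaluated on every request, so a context change (user walks
        out, printer becomes busy) changes the result immediately."""
        t_c1, t_c2 = eval_t_c1(user_ctx), eval_t_c2(env_ctx)
        active_roles = {r for r in self.assigned_roles
                        if ROLE_ACTIVATION.get(r) == t_c1}
        active_perms = {PERMISSION_ACTIVATION[r][t_c2] for r in active_roles}
        return active_roles, active_perms

    def may_print(self, user_ctx, env_ctx):
        _, perms = self.decide(user_ctx, env_ctx)
        return "print" in perms  # default deny when no role is active


def open_session(attributes):
    """Basic trust evaluation followed by role assignment."""
    return Session(assign_roles(basic_trust(attributes)))


if __name__ == "__main__":
    bob = open_session(["university_cert", "faculty_cert", "device_registered"])
    for loc, state in [("office", "idle"), ("office", "busy"), ("corridor", "idle")]:
        print(loc, state, bob.may_print({"location": loc}, {"printer_state": state}))
```

Both context evaluators fail closed: a missing location or printer state yields "out" or "low", so an incomplete context never activates the "print" permission.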
Claims (4)
1. A security method for access control in a pervasive computing environment, characterized by comprising the following steps:
Step 1: a hierarchical trust model is combined with role-based access control to realize dynamic authorization for pervasive computing; the hierarchical trust model is a two-layer structure in which the bottom layer is the basic trust layer and the upper layer is the application trust layer; the trust value of the basic trust layer depends on the attributes of the entity, and the trust value of the application trust layer is determined by the application context.
2. The method according to claim 1, characterized in that after said step 1 it further comprises:
Step 2: the service requester requests the required service from the service provider;
Step 3: the service provider receives the request message and, according to the trust policy of the requested service, evaluates the service requester's basic trust value; if it reaches the specified trust threshold, step 4 is executed; otherwise trust negotiation is required, based on the attributes both parties hold; if the negotiation fails, the service request fails;
Step 4: the set of roles assigned to the service requester is determined according to the role assignment policy and the basic trust value;
Step 5: according to the user-related context (the user's characteristics, location, time, nearby people and current interpersonal relationships), the requester's application trust value T_C1 is evaluated;
Step 6: according to the computational context (network connectivity, communication cost, communication bandwidth and nearby resources) and the physical context (illumination, noise level, traffic conditions and temperature), the application trust value T_C2 is evaluated;
Step 7: the activated roles are determined according to the application trust value T_C1;
Step 8: the activation of permissions is determined according to the application trust value T_C2.
3. The method according to claim 2, characterized in that after said step 8 it further comprises:
Step 9: when the user-related context changes, the application trust value T_C1 is re-evaluated;
Step 10: when the computational and physical context changes, the application trust value T_C2 is re-evaluated.
4. The method according to claim 3, characterized in that after said step 10 it further comprises:
Step 11: when an application trust value changes, the user's access permissions change accordingly.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN 200710051922 CN101039322A (en) | 2007-04-20 | 2007-04-20 | Dynamic access control method of pervasive computing |
Publications (1)
Publication Number | Publication Date |
---|---|
CN101039322A true CN101039322A (en) | 2007-09-19 |
Family
ID=38889954
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN 200710051922 Pending CN101039322A (en) | 2007-04-20 | 2007-04-20 | Dynamic access control method of pervasive computing |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101039322A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C02 | Deemed withdrawal of patent application after publication (patent law 2001) | ||
WD01 | Invention patent application deemed withdrawn after publication |
Open date: 20070919 |