CN102081712B - Role dynamic transition method supporting difference measurement - Google Patents

Role dynamic transition method supporting difference measurement

Info

Publication number
CN102081712B
Authority
CN
China
Prior art keywords
role
authentication
sub
user
powers
Prior art date
Legal status
Expired - Fee Related
Application number
CN201110008407A
Other languages
Chinese (zh)
Other versions
CN102081712A (en)
Inventor
廖湘科
李姗姗
李文博
何连跃
吴庆波
陈松政
魏立峰
王蕾
彭绍亮
Current Assignee
National University of Defense Technology
Original Assignee
National University of Defense Technology
Application filed by National University of Defense Technology
Priority to CN201110008407A
Publication of CN102081712A
Application granted
Publication of CN102081712B

Abstract

The invention discloses a role dynamic transition method supporting difference measurement, which reduces the risk of role transition without adding to the user's workload or reducing the flexibility of applications. The technical scheme comprises the following steps: designing an authentication-trustworthiness-based pluggable authentication module (AT-PAM) using the idea of authentication credibility reasoning; having the AT-PAM derive the user's credibility from the user's login mode; measuring the role difference degree with the analytic hierarchy process (AHP); and comparing the role difference degree with the role transition threshold under the current user credibility to decide whether the role transition may be performed. The method keeps control over applications while improving their flexibility, solves the problems caused when authentication and access control are independent of each other, and guarantees the safety of the system while preserving its flexibility.

Description

A role dynamic transition method supporting difference measurement
Technical field
The present invention relates to a role dynamic transition method in an operating system, in particular for systems with a large number of roles and complex applications.
Background technology
Access control is an important class of technology in the information security field. Its role is to authenticate the subject (user or process) requesting access and to restrict the subject's access rights to objects (files or the system) within a legal scope. Research shows that 80% of attacks and intrusions come from inside the organization, that is, from illegal use and unauthorized access by legitimate users. Access control can stop this destruction from the inside to the greatest extent: through the control of the authorization system it ensures that a user obtains only the minimum authority needed to access resources, and avoids unauthorized access. With the development and spread of Internet technology, the importance of access control is increasingly recognized; combined with other information security technologies such as passwords, identification, auditing, network isolation, access agents and anti-virus, it serves to build information systems that support multiple security services and have strong security mechanisms.
Many access control models have been proposed for different security policies, such as discretionary access control (DAC), mandatory access control (MAC) and role-based access control (RBAC). Pure discretionary and mandatory access control policies involve a large workload and are not easy to manage, whereas role-based access control (RBAC) is safe, highly flexible and close to the real world; it attracted wide attention as soon as it was proposed, has been applied in many fields and is comparatively mature.
Following the principle of least privilege, in existing RBAC-based operating systems most applications bind the user to a least-privilege role at the start, regardless of which kind of authentication was passed. The role's authority determines the user's authority, so when the user needs to perform some restricted operation, the user must log in again regardless of whether authentication was performed before. Repeated logins increase the user's workload and reduce application flexibility.
Role dynamic transition is a good way to address the above problem, but it changes the original role transition mode and brings a series of new problems. According to whether the user perceives the transition, role transitions can be divided into explicit and implicit transitions, and each type has its own difficulties. In an explicit transition, the user must be offered a role selection interface, and such an interface cannot be popped up for remote users. In an implicit transition, if a new process is created, it is difficult to restore the state of the interrupted original process, and at present there is no suitable method for local role dynamic transition in an operating system.
In current secure operating systems, with the rising speed of computers and the spread of networked parallel computing, more and more old authentication mechanisms become weak and fragile; at the same time, for convenient user management, the authentication process of applications sometimes needs to be changed. The authentication mechanism of traditional applications is very inconvenient here. Pluggable Authentication Modules (PAM), announced in Unified Login With Pluggable Authentication Modules (V. Samar, R. Schemers, http://www.opengroup.org/tech/rfc/mirror-rfc/rfc86.0.txt, October 1995), solves this problem. PAM consists of three parts: the PAM engine (the PAM library in /lib, comprising the PAM API and PAM SPI), authentication modules and configuration files. If an application uses PAM, then when it needs to authenticate a user it loads the configuration file named after the application and reads the authentication modules that file specifies. The /etc/pam.d directory stores the configuration files of all PAM applications; each application (precisely, each service) has its own configuration file. A configuration file consists of rules, and each rule comprises four fields: module type (the type of PAM module; the four existing types are auth, account, session and password), control flag (the action PAM should take on the module's result; the four possible values are required, requisite, optional and sufficient), module path (the absolute path name of the PAM module) and arguments (flags or options of the module).
An application need only hand the authentication process to PAM; PAM authenticates the user and returns the result to the application, and the application does not know how PAM actually authenticated the user.
A user who successfully passes the system's authentication mechanism is considered a "trusted" user. However, a hacker may obtain a user's credentials by cheating through many channels, or bypass the authentication module to log into the system, and such a hacker is obviously not a "trusted" user. Moreover, trust is not a rational absolute but an embodiment of experience: it has concrete content and should also be divided into degrees.
To address how to reflect the strength of the authentication mechanism a user passed, the National University of Defense Technology proposed an authentication credibility inference model, which borrows the idea of uncertain reasoning in expert systems and uses credibility to measure these uncertain factors.
Definition 1: Credibility represents the subjective degree to which a thing or phenomenon x is believed in the system, denoted t(x), t(x) ∈ [0, 1]. t(x) = 0 means completely untrusted and t(x) = 1 completely trusted.
Definition 2: Authentication credibility represents the credibility obtained after the authentication system authenticates user u, denoted $t_{au}(u)$, $t_{au}(u) \in [0,1]$. E is the precondition of conclusion H, namely that the user has passed the authentication mechanism:
$$t_{au}(u) = p(H \mid E)$$
The precondition is independent with respect to the conclusion H (the user is trusted) and the opposite conclusion (the user is untrusted).
Definition 3: The credibility enhancement factor represents the relative degree by which the credibility is enhanced when the user satisfies the precondition of an authentication mechanism, denoted TEF(H, E), where E is the authentication mechanism the user satisfies and H is the conclusion that the user is trusted:
$$\mathrm{TEF}(H,E)=\begin{cases}\dfrac{p(H\mid E)-p(H)}{1-p(H)} & p(H)<1\\[4pt] 0 & p(H)=1\end{cases}\qquad(1)$$
p(H) denotes the user's initial credibility, i.e. the credibility of the user without authentication by any mechanism. The derivation formula for the user's credibility under authentication mechanism E is:
$$p(H\mid E)=\mathrm{TEF}(H,E)+\bigl(1-\mathrm{TEF}(H,E)\bigr)\,p(H)\qquad(2)$$
On the basis that the authentication mechanism is trusted, the degree by which the credibility increases on successful system authentication is equivalent to the degree by which the authentication credibility weakens on authentication failure. Therefore only the case in which the precondition is satisfied and the credibility increases needs to be considered. For different authentication mechanisms there are two derivation methods: single authentication mechanism and multiple authentication mechanisms. A single authentication mechanism means the user passes the authentication of only one mechanism; multiple authentication mechanisms mean the user passes the authentication of two or more mechanisms.
The derivation formula for a single authentication mechanism is obtained from (2), where $E_1$ denotes one authentication mechanism and $p(H \mid E_1)$ the user's credibility after passing authentication mechanism $E_1$. p(H) and TEF(H, $E_1$) are a priori values set by the system administrator:
$$p(H\mid E_1)=\mathrm{TEF}(H,E_1)+\bigl(1-\mathrm{TEF}(H,E_1)\bigr)\,p(H)\qquad(3)$$
The rule for multiple authentication mechanisms is obtained by derivation on the basis of single authentication, where $E_1 E_2 \ldots E_s$ denote s different authentication mechanisms and $p(H \mid E_1 E_2 \ldots E_s)$ denotes the user's credibility after authentication by mechanisms $E_1 E_2 \ldots E_s$:
(Formula (4) appears only as an image in the source and is not reproduced here.)
If user authentication information is associated with role transition, the security of the system can be guaranteed while increasing application flexibility, but no open literature addresses this at present.
Summary of the invention
The technical problem the present invention solves is: the explicit role transition mode increases the user's burden and reduces application flexibility; the implicit role transition can complete a role transition without the user noticing, but may give an illegal user an opportunity and cause system privileges to get out of control. A role dynamic transition method supporting difference measurement is provided that reduces the risk of role transition without increasing the user's burden or reducing application flexibility.
The operating system divides all privileged operations into capabilities, each representing one privilege. Suppose the system has n capabilities, denoted $C_0, C_1, \ldots, C_n$; the complete set of capabilities is $\Sigma = \{C_0, C_1, \ldots, C_n\}$. Because the functions different capabilities perform in the system differ, and their status differs, the capabilities are divided into different types according to their status in the system and given different weights.
The technical scheme of the present invention is: associate the user authentication credibility with role transition; on the basis of the PAM authentication framework, introduce the idea of authentication credibility reasoning to design AT-PAM and determine the authentication credibility. Different authentication credibilities are assigned according to the login mode the user adopts; role weights are obtained by analyzing the difference of capabilities between roles, giving the difference degree between roles; combining the user authentication credibility with the difference degree between roles yields the transition threshold. Comparison with the transition threshold decides whether a role transition is allowed. The concrete steps are:
Step 1: associate the user authentication credibility with role transition and, on the basis of the PAM authentication framework, design AT-PAM using the idea of authentication credibility reasoning, as follows:
1.1 Modify the PAM configuration file: according to the number s of kinds of authentication mechanism, append s lines at the end of the configuration file:
authentication mechanism name $E_1$, TEF(H, $E_1$), p(H);
...
authentication mechanism name $E_s$, TEF(H, $E_s$), p(H);
where TEF(H, $E_r$) (1 ≤ r ≤ s) is the credibility enhancement factor, representing the degree by which the user's credibility increases after authentication by mechanism $E_r$.
1.2 Keep the basic PAM structure unchanged and add an authentication credibility derivation module to the PAM engine; this module performs the derivation of the authentication credibility.
Step 2: AT-PAM derives the user's authentication credibility according to the user's login mode. During user login AT-PAM reads the configuration file. For a single authentication mechanism it obtains the mechanism name $E_1$, the credibility enhancement factor TEF(H, $E_1$) and the user's initial credibility p(H); the authentication credibility derivation module substitutes TEF(H, $E_1$) and p(H) into formula (3) to obtain the user's authentication credibility $p(H \mid E_1)$ after authentication by mechanism $E_1$. For multiple authentication mechanisms it reads the mechanism names $E_1 E_2 \ldots E_s$, the credibility enhancement factors TEF(H, $E_1$), TEF(H, $E_2$), ..., TEF(H, $E_s$) and the user's initial credibility p(H), substitutes them into formula (4) and obtains the authentication credibility $p(H \mid E_1 E_2 \ldots E_s)$ of the user after authentication by these mechanisms. After authentication passes, the authentication credibility $p(H \mid E_1)$ or $p(H \mid E_1 E_2 \ldots E_s)$ is written into the user's shell process: a credibility flag of floating-point type is added to the process's task_struct structure, and the larger the flag, the more trusted the user identity. This yields the user's set of authentication credibilities
(set notation shown only as an image in the source)
where $t_{au_i}(U)$ denotes the authentication credibility of user U after authentication by mechanism $au_i$.
Step 3: measure the difference degree between roles. To reflect the difference between roles, the role difference degree is measured with the analytic hierarchy process (AHP) published in The Analytic Hierarchy Process (Saaty T. L., New York: McGraw-Hill Inc., 1980). The role difference degree refers to the difference between the capabilities the roles have, denoted $D(R_1, R_2)$, where $R_1$, $R_2$ are two different roles of the user. For an operating system containing k roles and n kinds of capability, the measurement steps are:
3.1 Analyze the internal relation of the roles and construct the hierarchical structure. Because the difference between roles is caused by their different capability composition, the problem of finding the difference between roles is divided into two layers: the capability layer and the role layer. According to the different functions of the capabilities, divide the capabilities into m classes $T_1, T_2, \ldots, T_j, \ldots, T_m$ (0 < m ≤ n), and denote (with the symbol shown only as an image in the source) the number of capabilities of class $T_j$ (0 < j ≤ m) in role $R_l$ (0 < l ≤ k).
3.2 For the capability classes of the capability layer, construct the pairwise comparison matrix V of the capability classes according to the importance of their function in the operating system. The rows and columns of V each represent the m capability classes, and element $a_{ij}$ (0 < i ≤ m, 0 < j ≤ m) is the comparison of the importance of the two capability classes $T_i$ and $T_j$, obtained from the scale table published in The Analytic Hierarchy Process (Saaty T. L., 1980):
1 means $T_i$ and $T_j$ are equally important; 3 means $T_i$ is slightly more important than $T_j$; 5 means $T_i$ is obviously more important than $T_j$; 7 means $T_i$ is strongly more important than $T_j$; 9 means $T_i$ is extremely more important than $T_j$; 2, 4, 6 and 8 are intermediate values between the adjacent judgements above.
3.3 Carry out a consistency check on the pairwise comparison matrix of the capability classes. When matrix V passes the consistency check, a pairwise comparison matrix that is not perfectly consistent can be accepted. Whether the pairwise comparison matrix is consistent is judged by the random consistency ratio CR = CI/RI. When CR < 0.1 the pairwise comparison matrix is considered to have satisfactory consistency; when CR > 0.1 the comparison weights of the classes must be readjusted so that the pairwise comparison matrix of the capability classes reaches satisfactory consistency, where
(the definition of CI appears only as an image in the source)
$\lambda_{max}(V)$ is the largest eigenvalue of matrix V and m is the number of capability classes. RI is the mean random consistency index published in The Analytic Hierarchy Process (Saaty T. L., 1980); the larger m, the larger its value.
The judgement matrix consistency adjustment method based on the analytic hierarchy process (Yan Shihua et al., Armament Automation, 2008) is adopted to correct the consistency of a capability-class pairwise comparison matrix that does not satisfy consistency. The steps are:
3.3.1 Divide the element $a_{ij}$ of the m × m matrix by $\bar a_{ij}$, where, for 1 < i ≤ m, i ≤ j ≤ m,
$$\bar a_{ij}=\frac{1}{n}\sum_{k=1}^{n} a_{ik}\,a_{kj},$$
and let the variable $b_{ij} = a_{ij}/\bar a_{ij}$.
3.3.2 If $b_{ij} < 1$ and $a_{ij} \neq 9$, or $b_{ij} > 1$ and $a_{ij} \neq 1/9$, calculate the deviation distance
$$d_{ij}=\frac{1}{\left|1-a_{ij}/\bar a_{ij}\right|}.$$
3.3.3 Compare all the deviation distances obtained, find the maximum $d_{max}$, record the row and column indices i and j of the element of $d_{max}$, and replace element $a_{ij}$ with the number in the 1 to 9 scale defined in AHP closest to $a_{ij}/b_{ij}$.
3.3.4 Obtain $\lambda_{max}(V)$ with the power method (Li Xiaohong et al., Computing Methods, p. 127, Chinese Aero-Space University Press, 2006) and check the consistency of the adjusted matrix; if it is inconsistent, go to 3.3.1.
3.4 According to the pairwise comparison matrix V constructed in 3.3, calculate the eigenvector of V for $\lambda_{max}(V)$; after normalization this gives the weights $W_v$ of the capability classes.
3.5 For class $T_j$, construct the pairwise comparison matrix between roles $R_o$ and $R_p$ (0 < o ≤ k, 0 < p ≤ k)
$$B_j=\begin{pmatrix} a'_{oo} & a'_{op}\\ a'_{po} & a'_{pp}\end{pmatrix},$$
where $a'_{oo}$ and $a'_{pp}$ are 1 and $a'_{po}$ is the inverse of $a'_{op}$. According to the difference between the numbers of class-$T_j$ capabilities of roles $R_o$ and $R_p$ (their counts appear only as images in the source) and the total number $CN_j$ of capabilities in class $T_j$, $a'_{op}$ is obtained by formula (5) (shown only as an image in the source); $a'_{op}$ decides the difference degree between roles $R_o$ and $R_p$ for class $T_j$. Computing the eigenvector of $B_j$ for its largest eigenvalue and normalizing gives the role difference weights $W_j = (b_{jo}, b_{jp})$ for class $T_j$. From the weights of the capability classes and the role difference weights of each class, the difference degree between roles is obtained. The difference degree between roles $R_o$ and $R_p$ is computed as:
$$D(R_o,R_p)=\sum_{n=1}^{m} W_v\times\left|b_{pn}-b_{on}\right|\qquad(6)$$
Step 4: combine the user's authentication credibility with the role difference degree; compare the role difference degree with the role transition threshold under the current user's credibility and decide whether the role transition may take place, as follows:
4.1 Determine the role transition threshold by the following method:
4.1.1 The maximum difference between two roles is taken as the theoretical maximum difference degree between roles; the maximum difference is that the capabilities of the two roles are completely different, denoted $D_{max}$. 0 is chosen as the minimum role difference degree, so the range of the role difference degree is 0 to $D_{max}$.
4.1.2 From the user's initial credibility p(H), the range of the user authentication credibility is p(H) to 1. Let p(H) correspond to 0 in the role difference degree and 1 correspond to $D_{max}$; with the user authentication credibility as the abscissa and the role difference degree as the ordinate, the linear function is
$$y=\frac{D_{max}}{1-p(H)}\,x-\frac{p(H)\,D_{max}}{1-p(H)}.$$
Substituting each authentication credibility in the user's set of authentication credibilities (shown only as an image in the source) for x in this function, the value y obtained is the role transition threshold $t_{ac}(U)$ corresponding to that authentication credibility.
4.2 Compare the difference degree between roles $R_o$ and $R_p$ with the transition threshold $t_{ac}(U)$: if the difference degree between the roles is less than the threshold $t_{ac}(U)$, the transition from role $R_o$ to role $R_p$ is allowed; if the difference degree between the roles is greater than the threshold $t_{ac}(U)$, the transition from role $R_o$ to role $R_p$ is not allowed.
The present invention achieves the following beneficial effects:
(1) In an implicit role transition, the range of the role transition is limited without the user noticing. Control over applications is kept while their flexibility is increased. The superiority of the RBAC96 (Role-Based Access Control 96) model (Sandhu R. S., Role-Based Access Control Models, IEEE Computer, 1996) in rights management is retained, and at the same time the constraint of the transition condition better satisfies actual needs and solves the problems that exist when authentication and access control are independent of each other. It provides further security assurance for the system and prevents important privileges in the system from getting out of control through role transition.
(2) After roles are added or deleted, the role transition threshold need not be re-divided and no manual intervention is needed.
(3) Combining the user authentication credibility, the difference between user roles is measured, which better describes the difference between roles. Associating the user's credibility with the role difference limits the range of role transition and guarantees the security of the system while keeping its flexibility.
Description of drawings
Fig. 1 is the explicit transition flow chart published in the background art;
Fig. 2 is the implicit transition flow chart published in the background art;
Fig. 3 is the PAM authentication framework published in the background art;
Fig. 4 is the overall flow chart of the present invention;
Fig. 5 is the flow chart of the AHP method in step 3 of the present invention;
Fig. 6 is the weight correspondence table for comparing two factors defined in The Analytic Hierarchy Process (Saaty T. L., 1980);
Fig. 7 is the schematic diagram of the pairwise comparison matrix of the capability classes in step 3.2 of the present invention;
Fig. 8 is the table of RI values in the consistency check published in The Analytic Hierarchy Process (Saaty T. L., 1980);
Fig. 9 is the table of the different authentication modes in CentOS 5.4 and their corresponding credibility factors on successful authentication;
Fig. 10 is the table of the comparison weight of each capability class in step 3.2 and the number of capabilities it contains, in CentOS 5.4;
Fig. 11 is the pairwise comparison matrix of the capability classes in step 3.2 in CentOS 5.4;
Fig. 12 is the capability list contained in each role in step 3.3 in CentOS 5.4;
Fig. 13 is the table of capability counts of the capability classes of each role in step 3.3 in CentOS 5.4;
Fig. 14 is the correspondence diagram between user authentication credibility and role difference in step 4 in CentOS 5.4.
Embodiment
Fig. 1 describes the flow of a traditional explicit role transition: when the current role lacks authority, a role transition window pops up and the user selects the corresponding role to switch to; if the user cancels, no role transition is performed.
Fig. 2 describes the flow of a traditional implicit role transition: when the current role lacks authority, if the user is associated with a role that has this authority, the transition to that role is performed automatically; if no such role is associated, the role transition fails.
Fig. 3 describes the PAM authentication framework, which consists of three parts: the PAM engine (the PAM library in /lib, comprising the PAM API and PAM SPI), authentication modules and configuration files.
Fig. 4 shows the overall flow chart of the present invention, which comprises the following steps:
Step 1: on the basis of the PAM authentication framework, design AT-PAM using the idea of authentication credibility reasoning;
Step 2: determine the user's authentication credibility. The user is authenticated through AT-PAM and, according to the login mode the user adopts, AT-PAM generates the corresponding user authentication credibility information.
Step 3: measure the difference degree between roles;
Step 4: determine the role transition threshold under the current user's authentication credibility, compare the difference degree between roles obtained in step 3 with the transition threshold, and allow the transition only if the difference degree is less than the threshold.
Fig. 5 representes the flow process of the tolerance role difference of the present invention's the 3rd step AHP method, and metrology step is: suppose that operating system has k role now, exists n kind powers and functions.
1) analyze role's internal relation, the synthem aggregated(particle) structure, because different powers and functions constitute and have caused role's difference between the role, therefore, with asking difference problem between the role to be divided into powers and functions and the role is two-layer; According to the difference in functionality of powers and functions, powers and functions are divided into m class T<sub >1</sub>, T<sub >2</sub>... T<sub >j</sub>..., T<sub >m</sub>(0<m≤n), and use<img file="GDA00001765722500101.GIF" he="55" img-content="drawing" img-format="GIF" inline="yes" orientation="portrait" wi="88" />Expression role R<sub >l</sub>(0<type T among the l≤k)<sub >j</sub>(0<the powers and functions number of j≤m).
2) to all kinds of powers and functions of powers and functions layer, according to the significance level of its function in operating system, construct the paired comparator matrix V of all kinds of powers and functions, the row and column of matrix has been represented m class powers and functions, wherein element a respectively Ij(0<i≤m, 0<j≤m) is two types of powers and functions T iAnd T j, the comparison of significance level, the scale table of being announced by The Analytic Hierarchy Processz1 (Saaty T L.New York:J McGraw Hill:Inc.1980.) (as shown in Figure 6) obtains, 1 expression T iAnd T jHas equal importance; 3 expression T iCompare T jImportant slightly; 5 expression T iCompare T jObviously important; 7 expression T iCompare T jImportant strongly; 9 expression T iCompare T jExtremely important; The intermediate value that the above-mentioned adjacent significance level of 2,4,6,8 expressions is judged.
3) the paired comparator matrix of all kinds of powers and functions is carried out consistency check.When matrix V during, can accept not to be on all four paired comparator matrix through consistency check.Foundation Consistency Ratio CR=CI/RI at random judges whether paired comparator matrix is consistent.When CR < 0.1 the time, thinks that paired comparator matrix has satisfied consistance.As CR>0.1 the time, must readjust all types of relatively weights and make the paired comparator matrix of all types of powers and functions reach satisfied consistance, wherein
Figure GDA00001765722500102
λ Max(V) eigenvalue of maximum of representing matrix V, m representes the kind of powers and functions.RI is the mean random coincident indicator that The Analytic Hierarchy Processz1 (Saaty T L.New York:J McGraw Hill:Inc.1980.) announces, m is big more, and desired value is big more.
4) according to 3) the middle paired comparator matrix V that constructs, calculate λ Max(V) proper vector of V the time obtains the shared weights W of all kinds of powers and functions after the unitization v
5) Compare the roles pairwise: for each class of capabilities, construct the pairwise comparison matrix between roles and compute, at the role layer, the difference weights between roles for that class. For class T_j, construct the pairwise comparison matrix between roles R_o and R_p (0<o≤k, 0<p≤k):

$$B_j = \begin{pmatrix} a'_{oo} & a'_{op} \\ a'_{po} & a'_{pp} \end{pmatrix}$$

where the difference degree between R_o and R_p for class T_j is determined by formula (5) from the difference between the numbers of class-T_j capabilities held by R_o and R_p, i.e. (formula image GDA00001765722500112) and (formula image GDA00001765722500113), and the total number CN_j of class-T_j capabilities. Compute the eigenvector of B_j for its maximum eigenvalue; after normalisation it gives the role difference weights W_j = (b_jo, b_jp) for class T_j. From the class weights and the per-class role difference weights, the difference degree between the roles is obtained.

Fig. 7 is the pairwise comparison matrix published in The Analytic Hierarchy Process (Saaty T L. 1980); a pairwise comparison matrix is used mainly to express the degree of difference between two factors. The rows and columns of the matrix represent the m capability classes, and element a_ij is the comparison of the importance of the two classes T_i and T_j.
Fig. 8 is the table of RI values used in the consistency check, published in The Analytic Hierarchy Process (Saaty T L. 1980); the higher the matrix dimension m, the larger RI. The present invention can be implemented on several operating systems (for example RedHat, CentOS and KylinOS). Taking CentOS 5.4 as an example, on a DELL OPTIPLEX 960 hardware platform with an Intel Pentium Dual-Core 2.66 GHz CPU, 3 GB of memory and a 500 GB hard disk, the process of the present invention is:
CentOS 5.4 is a current mainstream operating system, in which role capabilities and user capabilities are passed to the user's shell process through the PAM mechanism at login. If the privileges of the current role are insufficient, the user needs to change role. The system currently supports 31 capabilities, represented by a 64-bit integer in which each bit represents one capability; further capabilities can be added as needed to refine the access control granularity. Three currently mainstream authentication modes are set up in the CentOS 5.4 operating system, namely password authentication, UKey authentication and fingerprint authentication; the credibility enhancement factor corresponding to each mode is shown in Figure 9 and is 0.2, 0.4 and 0.6 respectively, and the system default initial user credibility is P(H) = 0.5.
Step 1: modify the configuration file under /etc/pam.d to configure the credibility enhancement factor of each authentication mechanism and the initial credibility of the user. The configuration information can be represented as (auth_passwd, 0.2, 0.5), where auth_passwd means that the user authenticates by password, 0.2 is the credibility enhancement factor and 0.5 is the user's initial credibility.
Step 2: after password authentication, substitute the credibility enhancement factor 0.2 for TEF(H, E) in formula (3) and the user's initial credibility 0.5 for P(H) in formula (3); the resulting authentication credibility 0.6 is written into the task_struct structure of the user's shell process. Similarly, if the user passes each of the other two authentication mechanisms, formula (3) gives a user credibility of 0.7 and 0.8 respectively. If the user passes all three authentication mechanisms, substitute 0.6, 0.7 and 0.8 for p(H|E_1), p(H|E_2) and p(H|E_3) in formula (4), substitute 0.4, 0.3 and 0.2 for (formula image GDA00001765722500121) and (formula image GDA00001765722500122) in formula (4), and substitute 1 − p(H) for (formula image GDA00001765722500123); the resulting user credibility is 0.94.
Step 3: five roles are set by default in the CentOS 5.4 operating system: the security administrator S (security admin), the audit administrator A (audit admin), the system administrator R (system admin), the network administrator N (net admin) and the default role D (default role). The difference degree between the roles is computed with the difference degree computation method of the third step of the present invention.
1) According to their different functions, the capabilities are divided into five classes: general management, network management, system management, security management and audit management capabilities. Figure 10 gives the number of capabilities contained in each class: 13 general management capabilities, 4 network management capabilities, 11 system management capabilities, 1 security management capability and 2 audit management capabilities.
2) Construct the pairwise comparison matrix of the capability classes according to the different importance of the classes, as in Figure 11: a_12 = 1 means the audit class and the security class have the same importance, and a_15 = 5 means the audit class is obviously more important than the general class.
3) Carry out the consistency check; the check condition is satisfied. Find the eigenvector for the maximum eigenvalue of the pairwise comparison matrix of the classes; after normalisation, the weight vector giving the proportion of each of the five classes is W_v = (0.28894, 0.28894, 0.28894, 0.0802, 0.053).
4) At the role layer, a role's capabilities in the system are represented in hexadecimal as C_s(R) = <C_i(R), C_p(R), C_e(R)>. Figure 12 gives the capabilities of the roles in the system; each bit of the hexadecimal value represents one capability, 1 meaning the role has that capability and 0 meaning it does not. Because the system decides the effective capability set C_e(R) of the initial process from the role's inheritable capability set C_i(R), the role's capabilities refer to the inheritable capability set C_i(R). Analysing the roles' capabilities gives, for each class, the number of capabilities a role contains, as in Figure 13, which shows for the five default roles in the system the number of capabilities of each class. Taking the default role and the system administrator as an example, the difference degree of the two roles for each class is obtained by formula (5) from the difference between the numbers of capabilities of each class held by the two roles, giving the comparison matrices

$$\begin{pmatrix} 1 & 9 \\ 1/9 & 1 \end{pmatrix},\ \begin{pmatrix} 1 & 9 \\ 1/9 & 1 \end{pmatrix},\ \begin{pmatrix} 1 & 9 \\ 1/9 & 1 \end{pmatrix},\ \begin{pmatrix} 1 & 1 \\ 1 & 1 \end{pmatrix},\ \begin{pmatrix} 1 & 1 \\ 1 & 1 \end{pmatrix}$$

from which the role difference weights for each class are computed as (0.1, 0.9), (0.1, 0.9), (0.1, 0.9), (0.5, 0.5), (0.5, 0.5). Substituting the class weights obtained in 3) and the per-class role difference weights into formula (6) gives the difference degree between the two roles D(R, D) = 0.34.
5) Determine the range of the role difference degree. When the difference between two roles is maximal, the pairwise comparison matrix of the roles for every class can be expressed as

$$\begin{pmatrix} 1 & 9 \\ 1/9 & 1 \end{pmatrix},$$

and the difference weights between the roles for each class at this maximal difference are (0.1, 0.9), (0.1, 0.9), (0.1, 0.9), (0.1, 0.9). The maximum role difference between two roles is therefore D_max = 0.8.
Step 4: from the difference degree range (0~0.8) and the user's initial credibility 0.5, the linear function y = 1.6x − 0.8 is obtained. Substituting the different authentication credibilities (0.6, 0.7, 0.8, 0.94) into the linear function gives the role transition threshold under each authentication credibility, as in Figure 14: when the user authenticates by password, the role transition threshold is 0.15; by smart card, 0.30; by fingerprint reader, 0.45; and by all three mechanisms, 0.7.
The range of roles a user may transition to depends only on the initial role; no matter how many times the role is transitioned, that range does not change.
6) Finally, the role difference degree is compared with the transition threshold: if the role difference degree is less than the transition threshold, the transition is allowed; otherwise it is refused.
The present invention can be used not only for role transition under a single authentication mechanism but also extends to role transition under multiple authentication mechanisms. It can combine the multiple authentication mechanisms a user has passed to obtain a corresponding authentication credibility and perform the role transition on that basis, and it can also be applied to other composite and complex authentication systems.
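As an added, runnable illustration of the measurement and decision steps above (example code written for this page, not the patent's own code and not the CentOS or PAM implementation), the following Python reproduces the worked numbers from the page's own inputs: formula (3) as stated in claim 1, the class weights W_v, the five 2×2 role comparison matrices and the linear threshold function y = 1.6x − 0.8. Several points are assumptions, marked in the code: formulas (4), (5) and (6) exist only as images on the page, so the multi-mechanism credibility 0.94 is not recomputed, and the difference degree is taken to be the class-weighted absolute gap between the per-class role weights, a reading that reproduces the page's D(R, D) = 0.34 and D_max = 0.8; the class order (audit, security, system, network, general) and the assignment of the three [1 9; 1/9 1] matrices to the system, network and general classes are assumed; the RI values are Saaty's standard table because Figure 8 is not reproduced; and the 5×5 class matrix V_EXAMPLE is constructed only to exercise the consistency check, since Figure 11 is not reproduced either.

```python
"""Added example (not the patent's own code): AHP role-difference measurement
and credibility-driven role transition check, using the page's worked numbers.
Formulas (4), (5) and (6) are images on the page; assumptions are marked."""

# Saaty's mean random consistency index RI by matrix dimension. Assumed
# standard values: the page refers to Figure 8 but does not reproduce it.
RI = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45}


def principal_eigen(matrix, max_iter=1000, tol=1e-12):
    """Power method (claim 2.4): return (lambda_max, weight vector summing to 1)."""
    n = len(matrix)
    w = [1.0 / n] * n
    lam = float(n)
    for _ in range(max_iter):
        v = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
        lam = sum(v)                 # for w summing to 1, sum(A w) -> lambda_max
        new_w = [x / lam for x in v]
        converged = max(abs(a - b) for a, b in zip(new_w, w)) < tol
        w = new_w
        if converged:
            break
    return lam, w


def consistency_ratio(matrix):
    """CR = CI / RI with CI = (lambda_max - m) / (m - 1); CR < 0.1 is acceptable."""
    m = len(matrix)
    if m <= 2:
        return 0.0                   # a 2x2 reciprocal matrix is always consistent
    lam, _ = principal_eigen(matrix)
    return ((lam - m) / (m - 1)) / RI[m]


def single_auth_confidence(tef, p_h):
    """Formula (3) as stated in claim 1: p(H|E) = TEF(H,E) + (1 - TEF(H,E)) p(H)."""
    return tef + (1.0 - tef) * p_h


def role_difference(class_weights, role_matrices):
    """D(Ro, Rp) = sum_j Wv[j] * |b_jo - b_jp|.

    Assumed form of formula (6): the per-class role weights (b_jo, b_jp) are the
    normalised principal eigenvector of the 2x2 role matrix B_j, and their gap
    is weighted by the class weight. Reproduces the page's 0.34 and 0.8.
    """
    total = 0.0
    for wv, b_j in zip(class_weights, role_matrices):
        _, (b_o, b_p) = principal_eigen(b_j)
        total += wv * abs(b_o - b_p)
    return total


def transition_threshold(confidence, p_h, d_max):
    """Linear map of credibility to threshold: p(H) -> 0 and 1 -> D_max.

    With p(H) = 0.5 and D_max = 0.8 this is the page's y = 1.6x - 0.8."""
    return d_max / (1.0 - p_h) * (confidence - p_h)


def may_transition(difference, threshold):
    """Step 6: the role change is allowed only if the difference is below the threshold."""
    return difference < threshold


# Class weights Wv from the page's worked example (step 3). The class order
# audit, security, system, network, general is an assumption.
WV_PAGE = (0.28894, 0.28894, 0.28894, 0.0802, 0.053)
SAME = [[1, 1], [1, 1]]
NINE = [[1, 9], [1 / 9, 1]]
# Default role vs system administrator: the page gives three [1 9; 1/9 1] and
# two [1 1; 1 1] matrices; assigning the differing classes to system, network
# and general (assumption) reproduces D(R, D) = 0.34.
DEFAULT_VS_SYSADMIN = [SAME, SAME, NINE, NINE, NINE]
ALL_DIFFERENT = [NINE] * 5          # every class maximally different: D_max

# Constructed 5x5 class comparison matrix (Figure 11 is not reproduced):
# audit, security and system equally important, network and general less so.
V_EXAMPLE = [
    [1, 1, 1, 3, 5],
    [1, 1, 1, 3, 5],
    [1, 1, 1, 3, 5],
    [1 / 3, 1 / 3, 1 / 3, 1, 2],
    [1 / 5, 1 / 5, 1 / 5, 1 / 2, 1],
]


def demo(p_h=0.5):
    """Evaluate the default -> system admin transition under each login mode."""
    d = role_difference(WV_PAGE, DEFAULT_VS_SYSADMIN)
    d_max = role_difference(WV_PAGE, ALL_DIFFERENT)
    decisions = {}
    # Enhancement factors from Figure 9: password 0.2, UKey 0.4, fingerprint 0.6.
    for mode, tef in (("password", 0.2), ("ukey", 0.4), ("fingerprint", 0.6)):
        conf = single_auth_confidence(tef, p_h)
        thr = transition_threshold(conf, p_h, d_max)
        decisions[mode] = (round(conf, 2), round(thr, 3), may_transition(d, thr))
    return round(d, 2), round(d_max, 2), decisions


if __name__ == "__main__":
    print("CR of constructed class matrix: %.4f" % consistency_ratio(V_EXAMPLE))
    print(demo())
```

Running the block evaluates the default role to system administrator transition (D ≈ 0.34): it is refused after password-only login, whose threshold from the function is 0.16, and permitted once the credibility reaches 0.94 (threshold 0.704). The thresholds here are the exact values of the linear function; the tabulated thresholds in Figure 14 on the page differ slightly from them.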

Claims (2)

1. A role dynamic transition method supporting difference measurement, characterised in that it comprises the following steps:
In the first step, the user authentication credibility is associated with role transition: on the basis of the PAM authentication framework, an AT-PAM is designed using the idea of authentication credibility reasoning, by the following method:
1.1 modify the PAM configuration file, adding the following lines at the end of the configuration file:
authentication mechanism name E_1, TEF(H, E_1), p(H);
authentication mechanism name E_s, TEF(H, E_s), p(H);
where TEF(H, E_r) is the credibility enhancement factor, expressing the increase in credibility after the user is authenticated by mechanism E_r, H denotes the conclusion that the user is credible, p(H) is the user's credibility when no authentication has been passed, and 1≤r≤s;
1.2 keep the original PAM structure unchanged and add an authentication credibility derivation module to the PAM engine; the authentication credibility derivation is performed by this module;
In the second step, AT-PAM derives the user's authentication credibility according to the user's different login methods: during user login, AT-PAM reads the configuration file; for a single authentication mechanism it obtains the authentication mechanism name E_1, the credibility enhancement factor TEF(H, E_1) and the user's initial credibility p(H), and the authentication credibility derivation module substitutes TEF(H, E_1) and p(H) into the formula p(H|E_1) = TEF(H, E_1) + (1 − TEF(H, E_1)) p(H), obtaining the user's authentication credibility p(H|E_1) after authentication by mechanism E_1; for multiple authentication mechanisms, after reading the configuration file it obtains the authentication mechanism names E_1 E_2 … E_s, the credibility enhancement factors TEF(H, E_1), TEF(H, E_2), …, TEF(H, E_s) and the user's initial credibility p(H), and substitutes them into the formula
Figure FDA00001765722400011
to compute the user's authentication credibility p(H|E_1 E_2 … E_s) after authentication by these mechanisms, in which the remaining symbol (not reproduced) denotes the conclusion that the user is not credible; the authentication credibility p(H|E_1) or p(H|E_1 E_2 … E_s) is written into the user's shell process by adding a credibility flag to the process task_struct structure; the credibility flag is a floating-point value, and the larger it is, the more credible the user identity; this produces the user's authentication credibility set
Figure FDA00001765722400013
whose elements denote the authentication credibility of user U after authentication by mechanism au_i;
In the third step, the analytic hierarchy process (AHP) is adopted to measure the role difference degree; the role difference degree refers to the difference between the capabilities held by roles and is denoted D(R_1, R_2), where R_1 and R_2 are two different roles of the user. For an operating system containing k roles and n kinds of capabilities, the measurement steps are:
3.1 analyse the internal relations of the roles and build a hierarchical structure that divides the problem of finding the difference between roles into two layers, the capability layer and the role layer; according to their different functions, the capabilities are divided into m classes T_1, T_2, …, T_j, …, T_m, 0<m≤n, and
Figure FDA00001765722400021
denotes the number of class-T_j capabilities in role R_l, 0<l≤k, 0<j≤m;
3.2 for each class of capabilities at the capability layer, construct the pairwise comparison matrix V of the classes according to the importance of their function in the operating system; the rows and columns of V represent the m classes, and element a_ij is the comparison of the importance of the two classes T_i and T_j, obtained from the scale table published in The Analytic Hierarchy Process: 1 means T_i and T_j are equally important; 3 means T_i is slightly more important than T_j; 5 means T_i is obviously more important than T_j; 7 means T_i is strongly more important than T_j; 9 means T_i is extremely more important than T_j; 2, 4, 6 and 8 are intermediate values between the adjacent judgments above; 0<i≤m, 0<j≤m;
3.3 judge whether the pairwise comparison matrix is consistent by the random consistency ratio CR = CI/RI: when CR < 0.1, the pairwise comparison matrix is considered to have satisfactory consistency; when CR > 0.1, adjust the relative weights of the classes until the pairwise comparison matrix of the classes reaches satisfactory consistency; where
Figure FDA00001765722400022
λ_max(V) is the maximum eigenvalue of matrix V and m is the number of capability classes; RI is the mean random consistency index published in The Analytic Hierarchy Process; the larger m, the larger its expected value;
3.4 from the pairwise comparison matrix V, compute the eigenvector of V for λ_max(V); after normalisation it gives the weight vector W_v of the capability classes;
3.5 for class T_j, construct the pairwise comparison matrix between roles R_o and R_p (formula image FDA00001765722400023), where a'_oo and a'_pp are 1, a'_po is the reciprocal of a'_op, 0<o≤k, 0<p≤k; according to the difference between the numbers of class-T_j capabilities held by roles R_o and R_p, i.e. (formula image FDA00001765722400024) and (formula image FDA00001765722400025), and the total number CN_j of class-T_j capabilities, a'_op is obtained by formula (5), and a'_op determines the difference degree between roles R_o and R_p for class T_j:
Figure FDA00001765722400031
compute the eigenvector of B_j for its maximum eigenvalue; after normalisation it gives the role difference weights W_j = (b_jo, b_jp) for class T_j; from the class weights and the per-class role difference weights, the difference degree between the roles is obtained, the formula for the difference degree between roles R_o and R_p being:
Figure FDA00001765722400032
In the fourth step, the user's authentication credibility is combined with the role difference degree: the role difference degree is compared with the role transition threshold under the current user credibility to judge whether the role transition can take place, by the following method:
4.1 determine the role transition threshold by the following method:
4.1.1 the maximum difference between two roles is taken as the theoretical maximum difference degree between roles; the maximum difference is the case in which the capabilities of the two roles are completely different, denoted D_max; 0 is chosen as the minimum role difference degree, so that the range of the role difference degree is 0~D_max;
4.1.2 from the user's initial credibility p(H), determine that the range of the user authentication credibility is p(H)~1; map p(H) to the role difference degree 0 and 1 to the role difference degree D_max; with the user authentication credibility as abscissa and the role difference degree as ordinate, obtain the linear function
Figure FDA00001765722400033
substituting each authentication credibility of the user's authentication credibility set
Figure FDA00001765722400034
for x in this function, the value y obtained is the role transition threshold t_ac(U) corresponding to that authentication credibility;
4.2 compare the difference degree between roles R_o and R_p with the transition threshold t_ac(U): if the difference degree between the roles is less than the threshold t_ac(U), the transition of role R_o to role R_p is allowed; if the difference degree between the roles is greater than the threshold t_ac(U), the transition from role R_o to role R_p is not allowed.
2. The role dynamic transition method supporting difference measurement as claimed in claim 1, characterised in that a pairwise comparison matrix of capability classes that does not satisfy consistency is corrected using the judgment matrix consistency adjustment method of the analytic hierarchy process, by the following steps:
2.1 divide the element a_ij of the m × m matrix by (formula image FDA00001765722400041), 1<i≤m, i≤j≤m, (formula image FDA00001765722400042), and let the variable (formula image FDA00001765722400043);
2.2 if b_ij < 1 and a_ij ≠ 9, or b_ij > 1 and a_ij ≠ 1/9, compute the deviation distance d_ij,
Figure FDA00001765722400044
2.3 compare all the deviation distances obtained, find the maximum d_max, record the row and column indices i and j of the element with d_max, and replace element a_ij by the number in the 1~9 scale defined in AHP that is closest to a_ij/b_ij;
2.4 obtain λ_max(V) by the power method and check the consistency of the adjusted matrix; if it is inconsistent, go to 2.1.
CN201110008407A 2011-01-14 2011-01-14 Role dynamic transition method supporting difference measurement Expired - Fee Related CN102081712B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110008407A CN102081712B (en) 2011-01-14 2011-01-14 Role dynamic transition method supporting difference measurement

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201110008407A CN102081712B (en) 2011-01-14 2011-01-14 Role dynamic transition method supporting difference measurement

Publications (2)

Publication Number Publication Date
CN102081712A CN102081712A (en) 2011-06-01
CN102081712B true CN102081712B (en) 2012-10-24

Family

ID=44087671

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201110008407A Expired - Fee Related CN102081712B (en) 2011-01-14 2011-01-14 Role dynamic transition method supporting difference measurement

Country Status (1)

Country Link
CN (1) CN102081712B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102222191A (en) * 2011-06-16 2011-10-19 中国人民解放军国防科学技术大学 Loose coupling role authorized-type implementation access control method and system thereof
CN103986694B (en) * 2014-04-23 2017-02-15 清华大学 Control method of multi-replication consistency in distributed computer data storing system
CN105611243A (en) * 2015-12-23 2016-05-25 福建星网锐捷安防科技有限公司 Security monitoring system and managing method of security monitoring system
CN109063495B (en) * 2018-07-24 2021-12-10 中国人民解放军陆军工程大学 Access control risk analysis method based on spatial weighting

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101039322A (en) * 2007-04-20 2007-09-19 华中师范大学 Dynamic access control method of pervasive computing

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE10023827A1 (en) * 2000-05-15 2001-12-06 Siemens Ag Licensing and access authorization

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
顾韵华 et al. Role access control model based on authentication credibility. 微电子学与计算机 (Microelectronics & Computer). 2009, Vol. 26, No. 07, full text. *

Also Published As

Publication number Publication date
CN102081712A (en) 2011-06-01


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20121024

Termination date: 20180114