CN103338194A - Credibility based cross- security domain access control system and method - Google Patents
- Publication number
- CN103338194A
- Authority
- CN
- China
- Prior art keywords
- security domain
- user
- credit worthiness
- server
- stride
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Claims (13)
- 1. A cross-security-domain access control system based on trust evaluation, characterized in that the system comprises a cross-domain access proxy, an authorization policy server, an intra-domain trust server and an inter-domain trust server; the cross-domain access proxy receives cross-domain shared-resource access request information and forwards it to the authorization policy server for a decision; the intra-domain trust server and the inter-domain trust server respectively store and update the trust values of users of the local security domain and of users from other security domains.
- 2. The system of claim 1, characterized in that the cross-domain shared-resource access request information received by the cross-domain access proxy, whether sent by a user of the local security domain or by a user of another security domain, comprises a user ID, a user password and information on the resource to be accessed across security domains.
- 3. The system of claim 1, characterized in that the cross-domain access proxy receives the cross-domain shared-resource access request information sent by a user of the local security domain and forwards it to the authorization policy server; the authorization policy server queries the trust value of that user stored in the intra-domain trust server according to the request information, and makes a decision according to a configured secure access policy.
- 4. The system of claim 3, characterized in that the secure access policy is configured either online or by editing an access-rule file offline and importing it into the authorization policy server.
- 5. The system of claim 1, characterized in that the cross-domain access proxy receives the cross-domain shared-resource access request information sent by a user of another security domain and forwards it to the authorization policy server; the authorization policy server updates the trust value of that foreign user in the local security domain according to the trust value of the security domain the user belongs to and the user's own trust value, performs role evaluation, and provides or refuses the cross-domain shared-resource access service according to the evaluation result.
- 6. The system of claim 5, characterized in that the authorization policy server updates the foreign user's trust value by weighted multiplication of the trust value of the security domain the user belongs to and the trust value of that user in the local security domain.
- 7. The system of claim 1, characterized in that the intra-domain trust server stores and updates the trust values of users of the local security domain, and revises a user's trust value according to the historical record of that user's shared-resource accesses within the security domain and across security domains.
- 8. The system of claim 1, characterized in that the inter-domain trust server stores and updates the trust values of users from other security domains; each security domain maintains a global trust value in the inter-domain trust server, and the global trust value represents the overall trustworthiness of that security domain.
- 9. A cross-security-domain access control method based on trust evaluation, characterized in that the method comprises the following steps:
  - Step 1: audit the shared-resource access request within the security domain;
  - Step 2: accept the cross-domain shared-resource access request and provide the cross-domain shared-resource access service.
- 10. The method of claim 9, characterized in that step 1 comprises:
  - Step 1-1: user X in security domain A provides a user ID, a user password and information on the resource to be accessed across security domains, and sends the cross-domain shared-resource access request information to the cross-domain access proxy of the local security domain;
  - Step 1-2: the cross-domain access proxy in security domain A forwards the request information sent by user X to the authorization policy server in security domain A;
  - Step 1-3: the authorization policy server in security domain A makes a decision on user X's cross-domain shared-resource access request;
  - Step 1-4: the cross-domain access proxy in security domain A notifies user X of the result of the request; if the request passes, step 2 is executed.
- 11. The method of claim 10, characterized in that step 1-3 comprises:
  - Step 1-3-1: the authorization policy server in security domain A queries the trust record of user X in the intra-domain trust server of security domain A according to the cross-domain shared-resource access request information;
  - Step 1-3-2: the authorization policy server in security domain A judges whether the trust value of user X is higher than the shared-resource secure access threshold preset in the secure access policy of security domain A; if so, it determines the role of user X according to user X's trust value and issues a user certificate; if not, it refuses user X's cross-domain shared-resource access request;
  - Step 1-3-3: the authorization policy server in security domain A returns the decision to the cross-domain access proxy in security domain A.
- 12. The method of claim 9, characterized in that step 2 comprises:
  - Step 2-1: the cross-domain access request of user X in security domain A is sent to security domain B over a network channel;
  - Step 2-2: the cross-domain access proxy in security domain B receives user X's cross-domain shared-resource access request information and forwards it to the authorization policy server in security domain B;
  - Step 2-3: the authorization policy server in security domain B makes a decision on the cross-domain shared-resource access request information;
  - Step 2-4: the authorization policy server in security domain B returns the decision to the cross-domain access proxy in security domain B;
  - Step 2-5: the cross-domain access proxy in security domain B notifies user Y in security domain B to provide the requested cross-domain shared-resource access service to user X in security domain A; after the service finishes, user X and user Y evaluate each other;
  - Step 2-6: user X's evaluation of user Y is submitted to the intra-domain trust server in security domain B, which updates user Y's trust value by weighted multiplication of user X's evaluation of user Y and the trust value of user Y recorded in the intra-domain trust server of security domain B;
  - Step 2-7: user Y's evaluation of user X is sent back to the intra-domain trust server in security domain A, which updates user X's trust value by weighted multiplication of user Y's evaluation of user X and the trust value of user X recorded in the intra-domain trust server of security domain A.
- 13. The method of claim 12, characterized in that step 2-3 comprises:
  - Step 2-3-1: the authorization policy server in security domain B verifies user X's user certificate by looking it up in a certificate mapping table; if no certificate mapping relation can be obtained from the certificate mapping table, it refuses user X's cross-domain shared-resource access request;
  - Step 2-3-2: after user X's user certificate passes verification, the authorization policy server in security domain B queries the trust value of user X in security domain A that is independently recorded in the inter-domain trust server;
  - Step 2-3-3: the authorization policy server in security domain B calculates the final trust value of user X in security domain B by weighted multiplication of user X's trust value in security domain A and the trust value of user X recorded in the intra-domain trust server of security domain A;
  - Step 2-3-4: the authorization policy server in security domain B performs role evaluation according to the final trust value of user X in security domain B: A) if the final trust value of user X in security domain B is lower than the shared-resource secure access threshold preset in the secure access policy of security domain B, the authorization policy server in security domain B refuses user X's cross-domain shared-resource access request; B) if the final trust value of user X in security domain B is higher than the shared-resource secure access threshold preset in the secure access policy of security domain B and also satisfies the shared-resource full access threshold preset in the secure access policy, the authorization policy server in security domain B allows user X to access the shared resource across security domains with the role originally applied for; if the full access threshold is not satisfied, user X is assigned a new role in security domain B and secure access to the shared resource is carried out.
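As an added example, not code from the patent or from its assignees, the following Python models the domain-B decision of steps 2-3-1 to 2-3-4 (certificate mapping check, weighted-multiplication trust combination, threshold and role evaluation) and the post-service trust update of steps 2-6 and 2-7. The certificate mapping table, trust values, thresholds, role names and the concrete form chosen for the weighted multiplication are constructed assumptions; the claims do not fix them.

```python
"""Domain-B side of the cross-domain decision (steps 2-3-1 to 2-3-4) and the
post-service trust update (steps 2-6 / 2-7), modelled in plain Python.
Trust values, thresholds, role names and the concrete form of the 'weighted
multiplication' are constructed assumptions, not values taken from the patent."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed role bands used when domain B re-assigns a role (step 2-3-4, case B,
# "full access threshold not satisfied"); the claims name no concrete roles.
ROLE_BANDS = [(0.8, "read_write"), (0.0, "read_only")]


@dataclass(frozen=True)
class Policy:
    access_threshold: float       # shared-resource secure access threshold (2-3-4 A)
    full_access_threshold: float  # shared-resource full access threshold (2-3-4 B)
    w_domain: float = 0.5         # assumed weight of the inter-domain record
    w_user: float = 0.5           # assumed weight of A's intra-domain record


@dataclass(frozen=True)
class Decision:
    granted: bool
    role: Optional[str]
    final_trust: float
    reason: str


def weighted_product(a: float, b: float, w_a: float, w_b: float) -> float:
    """Assumed reading of the claims' weighted multiplication: a weighted
    geometric combination, so two values in [0, 1] stay in [0, 1]."""
    return round((a ** w_a) * (b ** w_b), 6)


def role_for(trust: float) -> str:
    """Pick the highest role band whose floor the trust value reaches."""
    for floor, role in ROLE_BANDS:
        if trust >= floor:
            return role
    return ROLE_BANDS[-1][1]


def decide(policy: Policy,
           cert_mapping: Dict[str, Tuple[str, str]],          # cert id -> (home domain, user)
           inter_domain_trust: Dict[Tuple[str, str], float],  # (home domain, user) -> trust
           home_intra_trust: Dict[str, float],                # A's intra-domain record of user
           cert_id: str, home_domain: str, user: str, requested_role: str) -> Decision:
    # Step 2-3-1: the certificate must map to exactly the identity claimed in the request.
    if cert_mapping.get(cert_id) != (home_domain, user):
        return Decision(False, None, 0.0, "no certificate mapping relation")
    # Step 2-3-2: trust of the user in their home domain as B's inter-domain server records it.
    t_inter = inter_domain_trust.get((home_domain, user))
    # Step 2-3-3: combine it with the home domain's own intra-domain record of the user.
    t_home = home_intra_trust.get(user)
    if t_inter is None or t_home is None:
        return Decision(False, None, 0.0, "trust record missing")  # fail closed
    final = weighted_product(t_inter, t_home, policy.w_domain, policy.w_user)
    # Step 2-3-4 A: below the secure access threshold, refuse.
    if final < policy.access_threshold:
        return Decision(False, None, final, "below secure access threshold")
    # Step 2-3-4 B: full access threshold met, keep the role originally applied for.
    if final >= policy.full_access_threshold:
        return Decision(True, requested_role, final, "full access: original role kept")
    # Otherwise domain B assigns the user a new role of its own choosing.
    return Decision(True, role_for(final), final, "re-assigned role in domain B")


def update_trust(current: float, rating: float, w_hist: float = 0.7,
                 w_rating: float = 0.3) -> float:
    """Steps 2-6 / 2-7: fold a peer's post-service rating into the stored trust
    value by weighted multiplication (weights are assumed)."""
    return weighted_product(current, rating, w_hist, w_rating)


if __name__ == "__main__":
    # Constructed sample: X's certificate resolves, trust 0.81 (inter) and 0.64 (A) give 0.72.
    print(decide(Policy(0.6, 0.85), {"cert-X-001": ("A", "X")}, {("A", "X"): 0.81},
                 {"X": 0.64}, "cert-X-001", "A", "X", "read_write"))
```

Because the decision fails closed on a missing mapping or trust record, a request from an unknown certificate or an unrecorded user never reaches the threshold comparison.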
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310236492.XA CN103338194B (en) | 2013-03-06 | 2013-06-14 | A kind of based on credit worthiness assessment across security domain access control system and method |
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310071327 | 2013-03-06 | ||
CN2013100713273 | 2013-03-06 | ||
CN201310071327.3 | 2013-03-06 | ||
CN201310236492.XA CN103338194B (en) | 2013-03-06 | 2013-06-14 | A kind of based on credit worthiness assessment across security domain access control system and method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103338194A true CN103338194A (en) | 2013-10-02 |
CN103338194B CN103338194B (en) | 2016-04-20 |
Family
ID=49246291
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201310236492.XA Active CN103338194B (en) | 2013-03-06 | 2013-06-14 | A kind of based on credit worthiness assessment across security domain access control system and method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103338194B (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1805336A (en) * | 2005-01-12 | 2006-07-19 | 北京航空航天大学 | Single entering method and system facing ASP mode |
US20060168022A1 (en) * | 2004-12-09 | 2006-07-27 | Microsoft Corporation | Method and system for processing a communication based on trust that the communication is not unwanted as assigned by a sending domain |
CN101453476A (en) * | 2009-01-06 | 2009-06-10 | 中国人民解放军信息工程大学 | Cross domain authentication method and system |
- 2013-06-14 CN CN201310236492.XA patent/CN103338194B/en active Active
Cited By (16)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104871509A (en) * | 2012-10-23 | 2015-08-26 | 诺基亚技术有限公司 | Method and apparatus for managing access rights |
CN104780159A (en) * | 2015-03-23 | 2015-07-15 | 中国科学院信息工程研究所 | Access control method based on dynamic trust thresholds |
CN106302334B (en) * | 2015-05-22 | 2020-06-12 | 中兴通讯股份有限公司 | Access role obtaining method, device and system |
CN106302334A (en) * | 2015-05-22 | 2017-01-04 | 中兴通讯股份有限公司 | Access role acquisition methods, Apparatus and system |
CN105610780A (en) * | 2015-10-22 | 2016-05-25 | 东北师范大学 | Interoperation platform among clouds used for education mechanism and method thereof |
CN105610780B (en) * | 2015-10-22 | 2018-12-11 | 东北师范大学 | Interoperable platform and method between a kind of Yun Yuyun for educational institution |
CN105282160A (en) * | 2015-10-23 | 2016-01-27 | 绵阳师范学院 | Credibility-based dynamic access control method |
CN105282160B (en) * | 2015-10-23 | 2018-09-25 | 绵阳师范学院 | Dynamic accesses control method based on prestige |
CN108259363B (en) * | 2016-12-29 | 2021-08-27 | 中国移动通信集团公司 | Method and device for controlling stepped service flow |
CN108259363A (en) * | 2016-12-29 | 2018-07-06 | 中国移动通信集团公司 | A kind of method and device of staged service traffics control |
CN110086779A (en) * | 2019-03-26 | 2019-08-02 | 中国人民武装警察部队工程大学 | A kind of communication security method of discrimination of multi-area optical network crosstalk attack |
CN110086779B (en) * | 2019-03-26 | 2021-05-04 | 中国人民武装警察部队工程大学 | Communication safety discrimination method for multi-domain optical network crosstalk attack |
CN111181979A (en) * | 2019-12-31 | 2020-05-19 | 奇安信科技集团股份有限公司 | Access control method, device, computer equipment and computer readable storage medium |
CN111181979B (en) * | 2019-12-31 | 2022-06-07 | 奇安信科技集团股份有限公司 | Access control method, device, computer equipment and computer readable storage medium |
CN115189906A (en) * | 2022-05-24 | 2022-10-14 | 湖南师范大学 | Multi-domain safety management method of network management system |
CN115189906B (en) * | 2022-05-24 | 2023-07-07 | 湖南师范大学 | Multi-domain security management method for network management system |
Also Published As
Publication number | Publication date |
---|---|
CN103338194B (en) | 2016-04-20 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | ASS | Succession or assignment of patent right | Owner name: CHINA ELECTRIC POWER RESEARCH INSTITUTE YINCHUAN P; Free format text: FORMER OWNER: STATE GRID CORPORATION OF CHINA; Effective date: 20140208; Owner name: STATE GRID CORPORATION OF CHINA; Free format text: FORMER OWNER: CHINA ELECTRIC POWER RESEARCH INSTITUTE; Effective date: 20140208 |
| | COR | Change of bibliographic data | Free format text: CORRECT: ADDRESS; FROM: 100192 HAIDIAN, BEIJING TO: 100031 XICHENG, BEIJING |
| | TA01 | Transfer of patent application right | Effective date of registration: 20140208; Address after: 100031 Xicheng District West Chang'an Avenue, No. 86, Beijing; Applicant after: State Grid Corporation of China; Applicant after: China Electric Power Research Institute; Applicant after: Yinchuan Power Supply Company, State Grid Ningxia Electric Power Co., Ltd.; Address before: 100192 Beijing city Haidian District Qinghe small Camp Road No. 15; Applicant before: China Electric Power Research Institute; Applicant before: State Grid Corporation of China |
| | TA01 | Transfer of patent application right | |
| | C14 | Grant of patent or utility model | |
| | GR01 | Patent grant | |