CN104811454A - Access control method based on threshold cryptography - Google Patents
Access control method based on threshold cryptography Download PDFInfo
- Publication number
- CN104811454A CN104811454A CN201510236907.2A CN201510236907A CN104811454A CN 104811454 A CN104811454 A CN 104811454A CN 201510236907 A CN201510236907 A CN 201510236907A CN 104811454 A CN104811454 A CN 104811454A
- Authority
- CN
- China
- Prior art keywords
- service
- access control
- background
- security strategy
- security
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
Abstract
The invention relates to an access control method based on threshold cryptography. The access control method comprises the following steps of: defining security policies and necessary conditions in strategy service, distributing the security strategies, secret key fragments and metadata on a security event channel, requesting to access to composite service by a user and obtaining access permission. According to the access control method, the threshold cryptography is applied to access control in SOA (Service-Oriented Architecture) multi-domain environment, the threshold cryptography and a heterogeneous senior background are combined, so as to generate an access control policy, the background condition in the SOA multi-domain environment is applied to the access control, and the safety and accuracy of an access control decision process are increased.
Description
Technical field
The present invention relates to a kind of control method, be specifically related to a kind of access control method based on threshold cryptography theory.
Background technology
In SOA multi-domain environment, usually can provide value added service with the form of composite services, and each Component service participating in composite services is often distributed in different Autonomy secure domains, there is autonomous control ability in each territory to its service.Multiple self-control territory may be structured on the platform of isomery simultaneously, and these platforms may adopt different security mechanisms.In addition, according to the functional requirement of requestor, discovery and the combination of service may dynamically complete, and the state of service also may change dynamically within a period of time.This makes SOA multi-domain environment have the autonomy of height, professional platform independence, the features such as dynamic.Traditional RBAC access control method, often only describes the characteristic of access main body, and lacks the characteristic of access object and consider, constraint granularity is comparatively thick, and extensibility is strong, well can not adapt to the demand of access control under distributed environment.Therefore, under a kind of distributed SOA multi-domain environment, fine-grained access control and efficient key management can be provided, and the seamless access control method of flexible access control policy just becomes necessary.But there is no outstanding case in existing method.
Summary of the invention
In order to overcome above-mentioned the deficiencies in the prior art, the invention provides a kind of access control method based on threshold cryptography theory, taking following technical scheme:
A kind of access control method based on threshold cryptography theory of the present invention, said method comprising the steps of:
Step 1: security strategy and necessary condition are defined in policy service;
Step 2: the distribution of security strategy, key fragments and metadata on security incident channel;
Step 3: the composite services of user's request access, and gain access.
Described step 1 specifically comprises the following steps:
Step 1-1: determine security strategy, described security strategy is made up of multiple security strategy layer;
Step 1-2: specify according to security strategy and meet the necessary condition that reaches needed for corresponding senior background and the identity of authorized object or role;
Step 1-3: the primitive provided in Utilization strategies service, is defined in security strategy and necessary condition in policy service.
Described necessary condition be composition respective combination service each Component service ready or allow accessed time the required state reached.
Described step 2 specifically comprises the following steps:
Step 2-1: according to described security strategy layer, policy service uses the mutation RSA Algorithm based on Shamir threshold cryptography mechanism, generates the metadata of trigger condition when some key fragments and this key fragments of application;
Step 2-2: Event Service utilizes Observer Pattern, Establishment strategy service and respective background serve between based on the security incident channel of SSL; Wherein background service comprises background management and each Component service agency;
Step 2-3: based on the end to end connection of SSL on the security incident channel that policy service is provided by Event Service, security strategy layer is sent to the background management that background service provides, the communication process on this security incident channel is by RSA Algorithm asymmetric encryption;
Step 2-4: policy service by Event Service end to end connection based on SSL on security incident channel is provided, the metadata of trigger condition when key fragments and this key fragments of application is distributed to corresponding assembly service broker, and now in composite services, encryption layer is formed;
Step 2-5: if there is multiple security strategy layer, performs step 2-1 to step 2-4, repeatedly until all security strategy layers all form respective encrypted layer.
In described step 2-4, key fragments and metadata adopt AES-128 algorithm symmetric cryptography, unified in its key platform, communication data on security incident channel group key symmetric cryptography corresponding to this security incident channel, and this group key transmits after RSA Algorithm asymmetric encryption between policy service and background service and each Component service agency.
Described step 3 comprises the following steps:
Step 3-1: user's request access composite services;
Step 3-2: background service monitoring assembly service place security incident channel, if background condition conforms to the metadata of trigger condition during application key fragments, then corresponding assembly service broker contributes the key fragments held; When background service receives the key fragments meeting the definition of certain security strategy layer, then respective encrypted layer is removed;
Step 3-3: if all encryption layers are successfully removed, user can obtain the access rights of respective combination service.
Compared with prior art, beneficial effect of the present invention is:
1) in the access control being applied in SOA multi-domain environment by threshold cryptography theory, the theoretical and senior background of isomery of conbined usage threshold cryptography produces access control policy, the background in SOA multi-domain environment has been applied in access control;
2) seamless access control method complete under providing a kind of SOA multi-domain environment, while easy to implement, improves the fail safe of access control decision process;
3) fine-grained access control and efficient key management can be provided, access control can be carried out in any granularity;
4) support flexible access control policy, support multi-layer security, in most complex scenarios with still can efficient operation when increasing cipher key size;
5) trust is distributed in whole SOA multi-domain environment, improves the accuracy of access control policy.
Accompanying drawing explanation
Fig. 1 is the access control method flow chart based on threshold cryptography theory provided by the invention;
Fig. 2 is access control schematic diagram in the embodiment of the present invention.
Embodiment
Below in conjunction with accompanying drawing, the present invention is described in further detail.
A kind of access control method based on threshold cryptography theory of the present invention, said method comprising the steps of:
Step 1: security strategy and necessary condition are defined in policy service;
Step 2: the distribution of security strategy, key fragments and metadata on security incident channel;
Step 3: the composite services of user's request access, and gain access.
Described step 1 specifically comprises the following steps:
Step 1-1: determine security strategy, described security strategy is made up of multiple security strategy layer;
Step 1-2: specify according to security strategy and meet the necessary condition that reaches needed for corresponding senior background and the identity of authorized object or role;
Step 1-3: the primitive provided in Utilization strategies service, is defined in security strategy and necessary condition in policy service.
Described necessary condition be composition respective combination service each Component service ready or allow accessed time the required state reached.
Described step 2 specifically comprises the following steps:
Step 2-1: according to described security strategy layer, policy service uses the mutation RSA Algorithm based on Shamir threshold cryptography mechanism, generates the metadata of trigger condition when some key fragments and this key fragments of application;
Step 2-2: Event Service utilizes Observer Pattern, Establishment strategy service and respective background serve between based on the security incident channel of SSL; Wherein background service comprises background management and each Component service agency;
Step 2-3: based on the end to end connection of SSL on the security incident channel that policy service is provided by Event Service, security strategy layer is sent to the background management that background service provides, the communication process on this security incident channel is by RSA Algorithm asymmetric encryption;
Step 2-4: policy service by Event Service end to end connection based on SSL on security incident channel is provided, the metadata of trigger condition when key fragments and this key fragments of application is distributed to corresponding assembly service broker, and now in composite services, encryption layer is formed;
Step 2-5: if there is multiple security strategy layer, performs step 2-1 to step 2-4, repeatedly until all security strategy layers all form respective encrypted layer.
In described step 2-4, key fragments and metadata adopt AES-128 algorithm symmetric cryptography, unified in its key platform, communication data on security incident channel group key symmetric cryptography corresponding to this security incident channel, and this group key transmits after RSA Algorithm asymmetric encryption between policy service and background service and each Component service agency.
Described step 3 comprises the following steps:
Step 3-1: user's request access composite services;
Step 3-2: background service monitoring assembly service place security incident channel, if background condition conforms to the metadata of trigger condition during application key fragments, then corresponding assembly service broker contributes the key fragments held; When background service receives the key fragments meeting the definition of certain security strategy layer, then respective encrypted layer is removed;
Step 3-3: if all encryption layers are successfully removed, user can obtain the access rights of respective combination service.
Principle of the present invention is: in order to seamless access complete under realizing distributed SOA multi-domain environment controls, and invention introduces the idea of being encrypted by composite services secret sharing scheme (threshold cryptography is theoretical).This mechanism is based on the thought sharing same key between different entities.A key will be divided into different key fragments.Produce a key, one group specifies several destination entity in advance and must mutually cooperate.The RSA cryptographic algorithms of mutation have employed the thought of threshold cryptography theory.For the secret sharing scheme based on polynomial interpolation.Suppose that key d is a numeral, d be divided into some key fragments d
i, choose a random k-1 order polynomial:
f(x)=a
0+a
1x+...+a
k-1x
k-1
Wherein a
0=d, the coefficient providing any subset k, the f (x) in (i, f (i)) and can make f (0) obtain for d by interpolation method.But only know that k-1 is calculate d not.
Suppose, for certain composite services S, to serve S1, Component service S2 at corresponding assembly, under the condition that Component service S3 is ready, and user identity R can access for during engineers and technicians E or senior executive M.So safety officer should adopt two-layer encipherment protection, the background information whether corresponding Component service of ground floor is ready, the identity information of second layer corresponding requests person.Meanwhile, ground floor needs all to meet, and the second layer needs part to meet.
For ground floor encryption layer:
After determining security strategy, security strategy is defined in policy service by the Interaction function that safety officer need be provided by policy service.Now, policy service by RSA Threshold Signature mechanism according to described security strategy, can generate corresponding key d and key fragments d1 thereof, d2, d3.
After this, key fragments and described trigger condition by security policy distribution to corresponding background management c1, can be distributed to Component service S1, the service broker b1 that S2, S3 are corresponding, b2, b3 by policy service.Described service broker is generally small, dedicated computer.Described key fragments needs by AES-128 algorithm symmetric cryptography before sending.The channel that described process of transmitting adopts must by a group key symmetric cryptography, and this group key can be distributed with its public key encryption respectively after Channel subscription person mutually certification.
If there is access request, then first checks each Component service information, work as S1, when the whether ready background information of S2, S3 satisfies condition, then corresponding service broker b1, b2, b3 can contribute its key fragments d1 held, d2, d3, so ground floor encryption layer is removed, otherwise, denied access.
The decrypting process of second layer encryption layer is see ground floor.
After two-layer encryption layer is all removed, visitor can access composite services S.
Finally should be noted that: above embodiment is only in order to illustrate that technical scheme of the present invention is not intended to limit; those of ordinary skill in the field still can modify to the specific embodiment of the present invention with reference to above-described embodiment or equivalent replacement; these do not depart from any amendment of spirit and scope of the invention or equivalent replacement, are all applying within the claims of the present invention awaited the reply.
Claims (6)
1. based on an access control method for threshold cryptography theory, it is characterized in that: said method comprising the steps of:
Step 1: security strategy and necessary condition are defined in policy service;
Step 2: the distribution of security strategy, key fragments and metadata on security incident channel;
Step 3: the composite services of user's request access, and gain access.
2. the access control method based on threshold cryptography theory according to claim 1, is characterized in that: described step 1 specifically comprises the following steps:
Step 1-1: determine security strategy, described security strategy is made up of multiple security strategy layer;
Step 1-2: specify according to security strategy and meet the necessary condition that reaches needed for corresponding senior background and the identity of authorized object or role;
Step 1-3: the primitive provided in Utilization strategies service, is defined in security strategy and necessary condition in policy service.
3. the access control method based on threshold cryptography theory according to claim 2, is characterized in that: described necessary condition be composition respective combination service each Component service ready or allow accessed time the required state reached.
4. the access control method based on threshold cryptography theory according to claim 1, is characterized in that: described step 2 specifically comprises the following steps:
Step 2-1: according to described security strategy layer, policy service uses the mutation RSA Algorithm based on Shamir threshold cryptography mechanism, generates the metadata of trigger condition when some key fragments and this key fragments of application;
Step 2-2: Event Service utilizes Observer Pattern, Establishment strategy service and respective background serve between based on the security incident channel of SSL; Wherein background service comprises background management and each Component service agency;
Step 2-3: based on the end to end connection of SSL on the security incident channel that policy service is provided by Event Service, security strategy layer is sent to the background management that background service provides, the communication process on this security incident channel is by RSA Algorithm asymmetric encryption;
Step 2-4: policy service by Event Service end to end connection based on SSL on security incident channel is provided, the metadata of trigger condition when key fragments and this key fragments of application is distributed to corresponding assembly service broker, and now in composite services, encryption layer is formed;
Step 2-5: if there is multiple security strategy layer, performs step 2-1 to step 2-4, repeatedly until all security strategy layers all form respective encrypted layer.
5. the access control method based on threshold cryptography theory according to claim 4, it is characterized in that: in described step 2-4, key fragments and metadata adopt AES-128 algorithm symmetric cryptography, unified in its key platform, communication data on security incident channel group key symmetric cryptography corresponding to this security incident channel, and this group key transmits after RSA Algorithm asymmetric encryption between policy service and background service and each Component service agency.
6. the access control method based on threshold cryptography theory according to claim 1, is characterized in that: described step 3 comprises the following steps:
Step 3-1: user's request access composite services;
Step 3-2: background service monitoring assembly service place security incident channel, if background condition conforms to the metadata of trigger condition during application key fragments, then corresponding assembly service broker contributes the key fragments held; When background service receives the key fragments meeting the definition of certain security strategy layer, then respective encrypted layer is removed;
Step 3-3: if all encryption layers are successfully removed, user can obtain the access rights of respective combination service.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510236907.2A CN104811454B (en) | 2015-05-11 | 2015-05-11 | A kind of access control method theoretical based on threshold cryptography |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510236907.2A CN104811454B (en) | 2015-05-11 | 2015-05-11 | A kind of access control method theoretical based on threshold cryptography |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN104811454A true CN104811454A (en) | 2015-07-29 |
| CN104811454B CN104811454B (en) | 2018-01-19 |
Family
ID=53695947
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201510236907.2A Active CN104811454B (en) | 2015-05-11 | 2015-05-11 | A kind of access control method theoretical based on threshold cryptography |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN104811454B (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106548345A (en) * | 2016-12-07 | 2017-03-29 | 北京信任度科技有限公司 | The method and system of block chain private key protection are realized based on Secret splitting |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101692207A (en) * | 2009-09-17 | 2010-04-07 | 上海第二工业大学 | Method for achieving system application integration based on SOA architecture |
| CN101816006A (en) * | 2007-09-12 | 2010-08-25 | 国际商业机器公司 | Security policy validation for web services |
| CN102012989A (en) * | 2010-12-07 | 2011-04-13 | 江苏风云网络服务有限公司 | Threshold and key-based authorization method in software as a service (SaaS) |
| CN102694867A (en) * | 2012-06-06 | 2012-09-26 | 江苏大学 | Attribution-based cross-security domain access control method and system in SOA (Service Oriented Architecture) |
| CN104520805A (en) * | 2012-08-29 | 2015-04-15 | 赛门铁克公司 | Secure app ecosystem with key and data exchange according to enterprise information control policy |
-
2015
- 2015-05-11 CN CN201510236907.2A patent/CN104811454B/en active Active
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101816006A (en) * | 2007-09-12 | 2010-08-25 | 国际商业机器公司 | Security policy validation for web services |
| CN101692207A (en) * | 2009-09-17 | 2010-04-07 | 上海第二工业大学 | Method for achieving system application integration based on SOA architecture |
| CN102012989A (en) * | 2010-12-07 | 2011-04-13 | 江苏风云网络服务有限公司 | Threshold and key-based authorization method in software as a service (SaaS) |
| CN102694867A (en) * | 2012-06-06 | 2012-09-26 | 江苏大学 | Attribution-based cross-security domain access control method and system in SOA (Service Oriented Architecture) |
| CN104520805A (en) * | 2012-08-29 | 2015-04-15 | 赛门铁克公司 | Secure app ecosystem with key and data exchange according to enterprise information control policy |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106548345A (en) * | 2016-12-07 | 2017-03-29 | 北京信任度科技有限公司 | The method and system of block chain private key protection are realized based on Secret splitting |
| CN106548345B (en) * | 2016-12-07 | 2020-08-21 | 北京信任度科技有限公司 | Method and system for realizing block chain private key protection based on key partitioning |
Also Published As
| Publication number | Publication date |
|---|---|
| CN104811454B (en) | 2018-01-19 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Riad et al. | A dynamic and hierarchical access control for IoT in multi-authority cloud storage | |
| WO2016106752A1 (en) | Shared data access control method, device and system | |
| CN106059763B (en) | The properties base multi-mechanism hierarchical Ciphertext policy weight encryption method of cloud environment | |
| CN104935590A (en) | HDFS access control method based on role and user trust value | |
| Majumder et al. | Taxonomy and classification of access control models for cloud environments | |
| Liu et al. | Hierarchical attribute-based access control with authentication for outsourced data in cloud computing | |
| Shabir et al. | Analysis of classical encryption techniques in cloud computing | |
| CN108632030A (en) | A kind of fine-grained access control method efficient and safe based on CP-ABE | |
| CN103227789B (en) | The fine-grained access control method of lightweight under a kind of cloud environment | |
| CN108111540A (en) | The hierarchical access control system and method for data sharing are supported in a kind of cloud storage | |
| Yan et al. | Controlling cloud data access based on reputation | |
| WO2017061950A1 (en) | Data security system and method for operation thereof | |
| CN101707524B (en) | Method for encrypting public key broadcasts with hierarchical relationship | |
| Sethia et al. | CP-ABE for selective access with scalable revocation: A case study for mobile-based healthfolder. | |
| CN108429749B (en) | Outsourcing mandatory access control method based on hierarchical attribute encryption | |
| Athena et al. | An identity attribute–based encryption using elliptic curve digital signature for patient health record maintenance | |
| Zhang et al. | A dynamic cryptographic access control scheme in cloud storage services | |
| Li et al. | A novel cyberspace-oriented access control model | |
| Yan et al. | Traceable and weighted attribute-based encryption scheme in the cloud environment | |
| Wu et al. | A fine-grained cross-domain access control mechanism for social internet of things | |
| CN113055164A (en) | Cipher text strategy attribute encryption algorithm based on state cipher | |
| CN104811454A (en) | Access control method based on threshold cryptography | |
| CN111698085A (en) | CP-ABE decryption outsourcing | |
| CN110098926A (en) | One attribute cancelling method | |
| Charanya et al. | A Review on Access Control Issues in Ehealth Application in Cloud Computing |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| CB02 | Change of applicant information |
Address after: 100192 Beijing city Haidian District Qinghe small Camp Road No. 15 Applicant after: China Electric Power Research Institute Applicant after: GLOBAL ENERGY INTERCONNECTION RESEARCH INSTITUTE Applicant after: State Grid Corporation of China Applicant after: State Grid Anhui Electric Power Company Address before: 100192 Beijing city Haidian District Qinghe small Camp Road No. 15 Applicant before: China Electric Power Research Institute Applicant before: State Grid Smart Grid Institute Applicant before: State Grid Corporation of China Applicant before: State Grid Anhui Electric Power Company |
|
| CB02 | Change of applicant information | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |