CN104811454B - A kind of access control method theoretical based on threshold cryptography - Google Patents
A kind of access control method theoretical based on threshold cryptography Download PDFInfo
- Publication number
- CN104811454B CN104811454B CN201510236907.2A CN201510236907A CN104811454B CN 104811454 B CN104811454 B CN 104811454B CN 201510236907 A CN201510236907 A CN 201510236907A CN 104811454 B CN104811454 B CN 104811454B
- Authority
- CN
- China
- Prior art keywords
- service
- security strategy
- access control
- security
- background
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 29
- 239000012634 fragment Substances 0.000 claims abstract description 34
- 239000002131 composite material Substances 0.000 claims abstract description 13
- 230000006854 communication Effects 0.000 claims description 6
- 230000007246 mechanism Effects 0.000 claims description 6
- 230000035772 mutation Effects 0.000 claims description 4
- 238000004891 communication Methods 0.000 claims description 3
- 239000000203 mixture Substances 0.000 claims description 3
- 238000012544 monitoring process Methods 0.000 claims description 3
- 230000008569 process Effects 0.000 abstract description 3
- 238000006467 substitution reaction Methods 0.000 description 2
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000005540 biological transmission Effects 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 230000007812 deficiency Effects 0.000 description 1
- 238000010586 diagram Methods 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
Abstract
A kind of access control method theoretical based on threshold cryptography of the present invention, comprises the following steps:Security strategy and necessary condition are defined in policy service;The distribution of security strategy, key fragments and metadata on security incident channel;User asks to access composite services, and gain access.The present invention applies threshold cryptography theory in the access control in SOA multi-domain environments, threshold cryptography theory and the advanced background of isomery has been used in combination to produce access control policy, background in SOA multi-domain environments has been applied in access control, and has improved the security and accuracy of access control decision process.
Description
Technical field
The present invention relates to a kind of control method, and in particular to a kind of access control method theoretical based on threshold cryptography.
Background technology
In SOA multi-domain environments, it will usually value-added service is provided in the form of composite services, and participates in each of composite services
Component service is often distributed in different Autonomy secure domains, and each domain services it control ability of autonomy.Multiple self-controls simultaneously
Domain may be built on the platform of isomery, and these platforms may use different security mechanisms.In addition, the function according to requestor
Demand, the discovery and combination of service are probably what is be dynamically completed, and the state of service be able to may also dynamically change within a period of time
Become.This causes SOA multi-domain environments to have the features such as the autonomy of height, professional platform independence, dynamic.Traditional RBAC access controls
Method, the characteristic for accessing main body is often only described, and the characteristic to accessing object lacks consideration, constraint granularity is thicker, can expand
Malleability is not strong, it is impossible to well adapts to the demand of access control under distributed environment.Therefore, a kind of distributed SOA multi-domain environments
Under, it is possible to provide fine-grained access control and efficient key management, and the seamless access control of the access control policy of elasticity
Method processed just becomes necessary.But outstanding case is there is no in existing method.
The content of the invention
In order to overcome the above-mentioned deficiencies of the prior art, the present invention provides a kind of access control side theoretical based on threshold cryptography
Method, adopt the following technical scheme that:
A kind of access control method theoretical based on threshold cryptography of the present invention, the described method comprises the following steps:
Step 1:Security strategy and necessary condition are defined in policy service;
Step 2:The distribution of security strategy, key fragments and metadata on security incident channel;
Step 3:User asks to access composite services, and gain access.
The step 1 specifically includes following steps:
Step 1-1:Security strategy is determined, the security strategy is made up of multiple security strategy layers;
Step 1-2:The necessary condition for meeting to reach needed for corresponding advanced background is specified according to security strategy and has been authorized
The identity of object or role;
Step 1-3:The primitive provided in Utilization strategies service, security strategy and necessary condition are defined on policy service
In.
The necessary condition is ready or required when allowing accessed reach for each Component service of composition respective combination service
The state arrived.
The step 2 specifically includes following steps:
Step 2-1:According to the security strategy layer, policy service uses the mutation based on Shamir threshold cryptography mechanism
RSA Algorithm, the metadata of trigger condition when generating some key fragments and the application key fragments;
Step 2-2:Event Service utilizes Observer Pattern, and SSL is based between establishment strategy service and respective background service
Security incident channel;Wherein background service includes background management and each component service broker;
Step 2-3:End-to-end company based on SSL on the security incident channel that policy service is provided by Event Service
Connect, security strategy layer is sent to the background management provided to background service, the communication process on the security incident channel is calculated by RSA
Method asymmetric encryption;
Step 2-4:Policy service provides the end to end connection based on SSL on security incident channel by Event Service,
The metadata of trigger condition when key fragments and the application key fragments is distributed to corresponding assembly service broker, now combination clothes
Encryption layer is formed in business;
Step 2-5:If there are multiple security strategy layers, step 2-1 to step 2-4 is performed repeatedly, until all security strategies
Layer all forms respective encrypted layer.
In the step 2-4, key fragments and metadata use AES-128 algorithm symmetric cryptographies, are united in its key platform
One, communication data on the security incident channel group key symmetric cryptography corresponding to the security incident channel, and the group key passes through
Transmitted after RSA Algorithm asymmetric encryption between policy service and background service and each component service broker.
The step 3 comprises the following steps:
Step 3-1:User asks to access composite services;
Step 3-2:Security incident channel where the service of background service monitoring assembly, if background condition is same to apply key fragments
When trigger condition metadata be consistent, then corresponding assembly service broker contributes the key fragments held;When background service receives
Meet the key fragments that certain security strategy layer defines, then respective encrypted layer is removed;
Step 3-3:If all encryption layers are successfully removed, user can obtain the access rights of respective combination service.
Compared with prior art, the beneficial effects of the present invention are:
1) threshold cryptography theory is applied in the access control in SOA multi-domain environments, threshold cryptography reason has been used in combination
By access control policy is produced with the advanced background of isomery, the background in SOA multi-domain environments access control has been applied to
In;
2) complete seamless access control method under a kind of SOA multi-domain environments is provided, easy to implement while, is improved
The security of access control decision process;
3) fine-grained access control and efficient key management can be provided so that access control can be in any granularity
Carry out;
4) access control policy of elasticity is supported, supports multi-layer security, in most complex scenarios and increase cipher key size still
Can be with efficient operation;
5) trust is distributed in whole SOA multi-domain environments, improves the accuracy of access control policy.
Brief description of the drawings
Fig. 1 is the access control method flow chart theoretical based on threshold cryptography provided by the invention;
Fig. 2 is access control schematic diagram in the embodiment of the present invention.
Embodiment
The present invention is described in further detail below in conjunction with the accompanying drawings.
A kind of access control method theoretical based on threshold cryptography of the present invention, the described method comprises the following steps:
Step 1:Security strategy and necessary condition are defined in policy service;
Step 2:The distribution of security strategy, key fragments and metadata on security incident channel;
Step 3:User asks to access composite services, and gain access.
The step 1 specifically includes following steps:
Step 1-1:Security strategy is determined, the security strategy is made up of multiple security strategy layers;
Step 1-2:The necessary condition for meeting to reach needed for corresponding advanced background is specified according to security strategy and has been authorized
The identity of object or role;
Step 1-3:The primitive provided in Utilization strategies service, security strategy and necessary condition are defined on policy service
In.
The necessary condition is ready or required when allowing accessed reach for each Component service of composition respective combination service
The state arrived.
The step 2 specifically includes following steps:
Step 2-1:According to the security strategy layer, policy service uses the mutation based on Shamir threshold cryptography mechanism
RSA Algorithm, the metadata of trigger condition when generating some key fragments and the application key fragments;
Step 2-2:Event Service utilizes Observer Pattern, and SSL is based between establishment strategy service and respective background service
Security incident channel;Wherein background service includes background management and each component service broker;
Step 2-3:End-to-end company based on SSL on the security incident channel that policy service is provided by Event Service
Connect, security strategy layer is sent to the background management provided to background service, the communication process on the security incident channel is calculated by RSA
Method asymmetric encryption;
Step 2-4:Policy service provides the end to end connection based on SSL on security incident channel by Event Service,
The metadata of trigger condition when key fragments and the application key fragments is distributed to corresponding assembly service broker, now combination clothes
Encryption layer is formed in business;
Step 2-5:If there are multiple security strategy layers, step 2-1 to step 2-4 is performed repeatedly, until all security strategies
Layer all forms respective encrypted layer.
In the step 2-4, key fragments and metadata use AES-128 algorithm symmetric cryptographies, are united in its key platform
One, communication data on the security incident channel group key symmetric cryptography corresponding to the security incident channel, and the group key passes through
Transmitted after RSA Algorithm asymmetric encryption between policy service and background service and each component service broker.
The step 3 comprises the following steps:
Step 3-1:User asks to access composite services;
Step 3-2:Security incident channel where the service of background service monitoring assembly, if background condition is same to apply key fragments
When trigger condition metadata be consistent, then corresponding assembly service broker contributes the key fragments held;When background service receives
Meet the key fragments that certain security strategy layer defines, then respective encrypted layer is removed;
Step 3-3:If all encryption layers are successfully removed, user can obtain the access rights of respective combination service.
The present invention principle be:In order to realize, complete seamless access control, the present invention draw under distributed SOA multi-domain environments
Enter the idea of composite services secret sharing scheme (threshold cryptography is theoretical) encryption.The mechanism is based between different entities altogether
Enjoy the thought of same key.One key will be divided into different key fragments.A key is produced, one group refers in advance
Having determined several destination entities must cooperate.The RSA cryptographic algorithms of mutation employ the theoretical thought of threshold cryptography.With based on more
Exemplified by the secret sharing scheme of item formula interpolation method.Assuming that key d is a numeral, d is divided into some key fragments di, choose
One random k-1 order polynomial:
F (x)=a0+a1x+...+ak-1xk-1
Wherein a0=d, provides any subset k in (i, f (i)), and f (x) coefficient by interpolation method and can make f (0)
Obtained for d.But just know that k-1 are not enough to calculate d.
Assuming that for certain composite services S, it is necessary to service S1 in corresponding assembly, Component service S2, Component service S3 are ready
Under the conditions of, and can access when user identity R is engineers and technicians E or senior executive M.So safety officer
Two layers of encipherment protection should be used, first layer corresponds to the whether ready background information of Component service, second layer corresponding requests person's
Identity information.Meanwhile first layer need to all meet, the second layer needs part to meet.
By taking first layer encryption layer as an example:
After security strategy is determined, the Interaction function that safety officer need to be provided by policy service determines security strategy
Justice is in policy service.Now, policy service can be close corresponding to generation by RSA Threshold Signatures mechanism according to the security strategy
Key d and its key fragments d1, d2, d3.
Hereafter, policy service can by security policy distribution to corresponding background manage c1, by key fragments and it is described touch
Clockwork spring part is distributed to service broker b1, b2, b3 corresponding to Component service S1, S2, S3.The service broker is usually small, dedicated
Computer.The key fragments are needed by AES-128 algorithm symmetric cryptographies before sending.The channel that the transmission process uses must be by
One group key symmetric cryptography, the group key can be distributed with its public key encryption respectively after Channel subscription person is mutually authenticated.
If there is access request, each component information on services is first checked, works as S1, S2, S3 whether ready background information meets
During condition, then corresponding service broker b1, b2, b3 can contribute its key fragments d1, d2, d3 for holding, then first layer adds
Close layer is removed, otherwise, denied access.
The decrypting process of second layer encryption layer is referring to first layer.
After two layers of encryption layer is removed, visitor may have access to composite services S.
Finally it should be noted that:The above embodiments are merely illustrative of the technical scheme of the present invention and are not intended to be limiting thereof, institute
The those of ordinary skill in category field with reference to above-described embodiment still can to the present invention embodiment modify or
Equivalent substitution, these are applying for this pending hair without departing from any modification of spirit and scope of the invention or equivalent substitution
Within bright claims.
Claims (5)
- A kind of 1. access control method theoretical based on threshold cryptography, it is characterised in that:It the described method comprises the following steps:Step 1:Security strategy and necessary condition are defined in policy service;Step 2:The distribution of security strategy, key fragments and metadata on security incident channel;Step 3:User asks to access composite services, and gain access;The step 2 specifically includes following steps:Step 2-1:According to the security strategy layer, policy service is calculated with the mutation RSA based on Shamir threshold cryptography mechanism Method, the metadata of trigger condition when generating some key fragments and the application key fragments;Step 2-2:Event Service utilizes Observer Pattern, the peace based on SSL between establishment strategy service and respective background service Total event channel;Wherein background service includes background management and each component service broker;Step 2-3:End to end connection based on SSL on the security incident channel that policy service is provided by Event Service, will Security strategy layer sends the background management provided to background service, and the communication process on the security incident channel is non-by RSA Algorithm Symmetric cryptography;Step 2-4:Policy service provides the end to end connection based on SSL on security incident channel by Event Service, will be close The metadata of trigger condition is distributed to corresponding assembly service broker when key fragment and the application key fragments, now in composite services Encryption layer is formed;Step 2-5:If there are multiple security strategy layers, step 2-1 to step 2-4 is performed repeatedly, until all security strategy layers are all Form respective encrypted layer.
- 2. the access control method theoretical based on threshold cryptography according to claim 1, it is characterised in that:The step 1 Specifically include following steps:Step 1-1:Security strategy is determined, the security strategy is made up of multiple security strategy layers;Step 1-2:The necessary condition that reaches needed for meeting corresponding advanced background and authorized object are specified according to security strategy Identity or role;Step 1-3:The primitive provided in Utilization strategies service, security strategy and necessary condition are defined in policy service.
- 3. the access control method theoretical based on threshold cryptography according to claim 2, it is characterised in that:The necessary bar Part is each Component service of composition respective combination service is ready or the required state reached when allowing accessed.
- 4. the access control method theoretical based on threshold cryptography according to claim 1, it is characterised in that:The step 2- In 4, key fragments and metadata use AES-128 algorithm symmetric cryptographies, unify in its key platform, on security incident channel Communication data group key symmetric cryptography corresponding to the security incident channel, and the group key is after RSA Algorithm asymmetric encryption Transmitted between policy service and background service and each component service broker.
- 5. the access control method theoretical based on threshold cryptography according to claim 1, it is characterised in that:The step 3 Comprise the following steps:Step 3-1:User asks to access composite services;Step 3-2:Security incident channel where the service of background service monitoring assembly, if background condition touches when applying key fragments together The metadata of clockwork spring part is consistent, then corresponding assembly service broker contributes the key fragments held;When background service is received in compliance with The key fragments that certain security strategy layer defines, then respective encrypted layer be removed;Step 3-3:If all encryption layers are successfully removed, user can obtain the access rights of respective combination service.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510236907.2A CN104811454B (en) | 2015-05-11 | 2015-05-11 | A kind of access control method theoretical based on threshold cryptography |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510236907.2A CN104811454B (en) | 2015-05-11 | 2015-05-11 | A kind of access control method theoretical based on threshold cryptography |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN104811454A CN104811454A (en) | 2015-07-29 |
| CN104811454B true CN104811454B (en) | 2018-01-19 |
Family
ID=53695947
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201510236907.2A Active CN104811454B (en) | 2015-05-11 | 2015-05-11 | A kind of access control method theoretical based on threshold cryptography |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN104811454B (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106548345B (en) * | 2016-12-07 | 2020-08-21 | 北京信任度科技有限公司 | Method and system for realizing block chain private key protection based on key partitioning |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101692207A (en) * | 2009-09-17 | 2010-04-07 | 上海第二工业大学 | Method for achieving system application integration based on SOA architecture |
| CN101816006A (en) * | 2007-09-12 | 2010-08-25 | 国际商业机器公司 | Security policy validation for web services |
| CN102012989A (en) * | 2010-12-07 | 2011-04-13 | 江苏风云网络服务有限公司 | Threshold and key-based authorization method in software as a service (SaaS) |
| CN102694867A (en) * | 2012-06-06 | 2012-09-26 | 江苏大学 | Attribution-based cross-security domain access control method and system in SOA (Service Oriented Architecture) |
| CN104520805A (en) * | 2012-08-29 | 2015-04-15 | 赛门铁克公司 | Secure app ecosystem with key and data exchange according to enterprise information control policy |
-
2015
- 2015-05-11 CN CN201510236907.2A patent/CN104811454B/en active Active
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101816006A (en) * | 2007-09-12 | 2010-08-25 | 国际商业机器公司 | Security policy validation for web services |
| CN101692207A (en) * | 2009-09-17 | 2010-04-07 | 上海第二工业大学 | Method for achieving system application integration based on SOA architecture |
| CN102012989A (en) * | 2010-12-07 | 2011-04-13 | 江苏风云网络服务有限公司 | Threshold and key-based authorization method in software as a service (SaaS) |
| CN102694867A (en) * | 2012-06-06 | 2012-09-26 | 江苏大学 | Attribution-based cross-security domain access control method and system in SOA (Service Oriented Architecture) |
| CN104520805A (en) * | 2012-08-29 | 2015-04-15 | 赛门铁克公司 | Secure app ecosystem with key and data exchange according to enterprise information control policy |
Also Published As
| Publication number | Publication date |
|---|---|
| CN104811454A (en) | 2015-07-29 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN109768987B (en) | Block chain-based data file safe and private storage and sharing method | |
| US10803194B2 (en) | System and a method for management of confidential data | |
| Riad et al. | A dynamic and hierarchical access control for IoT in multi-authority cloud storage | |
| Kumar et al. | Secure storage and access of data in cloud computing | |
| Barua et al. | ESPAC: Enabling Security and Patient-centric Access Control for eHealth in cloud computing | |
| US8059818B2 (en) | Accessing protected data on network storage from multiple devices | |
| CN113553574A (en) | Internet of things trusted data management method based on block chain technology | |
| CN104063334A (en) | Encryption method and system based on data attributions | |
| CN103391192A (en) | Cross-safety-domain access control system and method based on privacy protection | |
| Sumathi et al. | A group-key-based sensitive attribute protection in cloud storage using modified random Fibonacci cryptography | |
| CN114239046A (en) | Data sharing method | |
| Athena et al. | An identity attribute–based encryption using elliptic curve digital signature for patient health record maintenance | |
| CN101707524A (en) | Method for encrypting public key broadcasts with hierarchical relationship | |
| CN115426136A (en) | Cross-domain access control method and system based on block chain | |
| Liu et al. | A blockchain-based secure cloud files sharing scheme with fine-grained access control | |
| CN106992978A (en) | Network safety managing method and server | |
| CN114826702A (en) | Database access password encryption method and device and computer equipment | |
| Yan et al. | Traceable and weighted attribute-based encryption scheme in the cloud environment | |
| Moghaddam et al. | A reliable data protection model based on re-encryption concepts in cloud environments | |
| CN104811454B (en) | A kind of access control method theoretical based on threshold cryptography | |
| CN114244567B (en) | CP-ABE method for supporting circuit structure in cloud environment | |
| Wu et al. | A trusted and efficient cloud computing service with personal health record | |
| Fu et al. | Secure storage of data in cloud computing | |
| CN111698085A (en) | CP-ABE decryption outsourcing | |
| Tu et al. | An efficient attribute-based access control system with break-glass capability for cloud-assisted industrial control system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| CB02 | Change of applicant information | ||
| CB02 | Change of applicant information |
Address after: 100192 Beijing city Haidian District Qinghe small Camp Road No. 15 Applicant after: China Electric Power Research Institute Applicant after: GLOBAL ENERGY INTERCONNECTION RESEARCH INSTITUTE Applicant after: State Grid Corporation of China Applicant after: State Grid Anhui Electric Power Company Address before: 100192 Beijing city Haidian District Qinghe small Camp Road No. 15 Applicant before: China Electric Power Research Institute Applicant before: State Grid Smart Grid Institute Applicant before: State Grid Corporation of China Applicant before: State Grid Anhui Electric Power Company |
|
| GR01 | Patent grant | ||
| GR01 | Patent grant |