CN105471868A - Cross-domain fine-grained control system of Internet of things under social network environment - Google Patents
Publication number: CN105471868A (application CN201510819929.1A)
Authority: CN (China)
Prior art keywords: user, server, domain, access, random number
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/10: Network architectures or network communication protocols for network security, for controlling access to devices or network resources
- G06Q50/01: Information and communication technology specially adapted for business processes of specific business sectors; social networking
- H04L63/0823: Network security, authentication of entities using certificates
- H04L63/102: Network security, controlling access to devices or network resources; entity profiles
Abstract
The invention provides a cross-domain fine-grained control system of the Internet of things in a social network environment. The system comprises an authentication and authorization module, a user login module, a cross-domain security authentication module and a cross-domain fine-grained access control module. The authentication and authorization module provides reliable user access on a network that is open; the user login module provides security for a user's data access; the cross-domain security authentication module provides security for the user's cross-domain data access; the cross-domain fine-grained access control module refines the security levels within a domain and between domains. The time overhead of security service selection is evaluated by simulating an increase in the number of selected services; the overhead grows as the number of nodes and domains in the network grows, and the system is feasible and effective in terms of time overhead. Taking into account secure information transmission and access of the Internet of things under a social network environment, cross-domain fine-grained access control of Internet of things nodes is guaranteed.
Description
Technical Field
The invention relates to the technical field of Internet of things, in particular to a cross-domain fine-grained control system of the Internet of things in a social network environment.
Background
The integration of the internet of things and social networks is one of the important trends in the development of network technologies in the future. On the basis that the Internet of things connects objects with objects, the objects are connected with people to form a huge and complex social network with all objects connected, so that nodes of the Internet of things can feel social characteristics, and a more flexible and efficient network system is formed.
Many existing systems assume the internet of things in a social network environment as a sensor network system in a single field, and provide a uniform access method and security service for all nodes in the system. However, in many application scenarios, the internet of things system in the social network environment is controlled by different departments, and network nodes belonging to different domains share sensor data through standard protocols. Meanwhile, various types of data generated by the nodes of the internet of things tend to belong to different security levels and can only be accessed by specific users. Therefore, access control of the internet of things system in a social network environment is very important. In summary, how to realize secure cross-domain fine-grained access is one of the problems that needs to be solved urgently by an internet of things system in a social network environment.
In fact, there have been many studies on cross-domain security, such as a cross-domain access control system based on attribute-based access control, in which a security domain including subject, object, authority, and environment attributes is added as a basis for decision making. This solves the cross-domain access control problem and improves the scalability and variability of the system to some extent. However, none of these existing systems take into account the openness, complexity and dynamics of the network in the social networking environment, and these characteristics increase the security risk, so that these systems do not fully meet the practical requirements.
Disclosure of Invention
To address the defects of the prior art, the invention provides a cross-domain fine-grained control system of the Internet of things in a social network environment that meets practical security requirements while taking into account the openness, complexity and dynamics of the network in the social network environment.
In order to achieve the purpose, the invention is realized by the following technical scheme.
A cross-domain fine-grained control system of an Internet of things in a social network environment comprises an authentication and authorization module, a user login module, a cross-domain security authentication module and a cross-domain fine-grained access control module; wherein,
the authentication and authorization module provides reliable user access on the premise that the network is open;
the user login module provides security for a user to access data;
the cross-domain security authentication module provides security for users to access data in a cross-domain manner;
the cross-domain fine-grained access control module is used for refining the security level of users in the domain and between the domains.
Preferably, the authentication and authorization module adopts a trust model based on the X.509 certificate distribution method; this trust model is a layered tree structure within one domain and a mesh structure across multiple domains.
Preferably, the trust model based on the X.509 certificate distribution method includes a root in each domain, denoted CA_x, where the subscript x is a natural number; the root CA_x serves as a base station or a sink node.
Preferably, the trust model based on the X.509 certificate distribution method further includes at least one sub-layer in each domain, denoted CA_xn, where the subscript n is a natural number.
Preferably, the user login module adopts the following protocol:
Step S1: when the user U logs in, the user login module generates a random number RN_1, then encrypts the user password P, the personal identification number ID_U and the random number RN_1 with the public key PK_AS of the access server AS (the server that stores the user's data), obtaining a ciphertext a, and sends the ciphertext a to AS;
Step S2: when the access server AS receives the request from user U, it decrypts the ciphertext a with its private key SK_AS to obtain the personal identification number ID_U, the user password P and the random number RN_1 of user U, and verifies the identity of user U; after verification succeeds, AS generates a random number RN_2, encrypts RN_2 together with ID_U using the decrypted RN_1 as a symmetric key, and sends the resulting ciphertext b to user U;
Step S3: after receiving the ciphertext b from the access server AS, user U decrypts it with the random number RN_1 and obtains the random number RN_2, which is the session key K_u,AS used by user U when accessing AS.
Preferably, the cross-domain security authentication module adopts the following protocol:
Step a1: user U sends an access request to the access server AS_h of its own domain, requesting access to a server S in another domain; here K_u,AS is the session key obtained at the end of the protocol adopted by the user login module; N_U is a random number generated by user U to ensure the freshness of the request; the time information T_U and the random number R_U are two additional elements used to resist replay attacks; h() denotes the hash value of the time information T_U and the random number R_U; ID_S denotes the identifier of server S; the relationship between user U and server S is that server S is the object user U wishes to access;
Step a2: the access server AS_h decrypts the information received from user U and, from ID_S, determines which domain the server S that user U wants to access belongs to; AS_h then generates a random number N_hv and computes S_hv from it; finally AS_h sends its own identifier ID_ASh together with S_hv to the access server AS_v of the domain to which server S belongs; here S_hv denotes the value computed from the random number N_hv, and P is the password exchanged between user U and the root CA_ASh;
Step a3: the access server AS_v of the domain to which server S belongs generates a random number N_vh and computes S_vh from it; at the same time, following the Diffie-Hellman key exchange protocol, it computes K_vh, which acts as the temporary session key negotiated between AS_v and AS_h; AS_v encrypts its public key certificate chain and the digital signature h(S_vh, S_hv) with the temporary session key K_vh and sends the resulting ciphertext c together with S_vh to the access server AS_h; here S_vh denotes the value computed from the random number N_vh, and K_hv denotes the same temporary session key between AS_v and AS_h as computed on the side of AS_h;
Step a4: after receiving the ciphertext c, AS_h obtains S_vh, computes K_hv and K_vh by the method of step a3, and decrypts c to obtain the certificate chain of AS_v and the digital signature with which it verifies the identity of AS_v; after verifying the identity of AS_v, AS_h sends AS_v information encrypted under K_hv; the information encrypted under K_hv comprises: the certificate chain of AS_h, a digital signature, the identity information of user U and server S, a random number sk serving as the session key between user U and server S, and a certificate;
Step a5: AS_v authenticates AS_h by the method of step a4 and then sends server S information encrypted under K_S,AS, where K_S,AS is the symmetric key exchanged between server S and the access server AS_v; the information encrypted under K_S,AS comprises: the identity information of user U and server S, the random number sk serving as the session key between user U and server S, the time information T_U and the random number R_U, a certificate, and a random number N_v generated by v, where v is the root server of the domain in which the server to be accessed by user U is located;
Step a6: after receiving the information, server S decrypts it with the symmetric key K_S,AS and then sends the certificate to user U; at the same time server S encrypts its personal information with the random number sk and sends it to user U;
Step a7, U → S: N_S + 1: user U first decrypts with the random number N_U, then obtains the address of server S by decrypting with the random number sk; user U then sends N_S + 1 to server S as a response message, thereby certifying the identity of server S; finally, user U accesses the data on server S with the session key K_U,S, i.e. the random number sk; here N_S denotes a random number generated by server S.
Preferably, the cross-domain fine-grained access control module comprises a user allocation unit, a right allocation unit, an authorization unit, an obligation unit and a condition unit; wherein:
the user allocation unit and the right allocation unit are respectively used for correctly allocating user roles and user operation authorities;
the authorization unit, the obligation unit and the condition unit are used for correctly removing the user roles and the user operation rights that were previously allocated to the user.
Preferably, the user role comprises an original right and a valid right of the user, wherein:
the original rights are all rights assigned to the user role;
the valid rights are rights of the user role under the restrictions of the authorization unit, the obligation unit and the condition unit.
Preferably, user roles having the same original rights can have different valid rights in different domains.
Preferably, a layered role model is adopted during cross-domain user role mapping; the hierarchical role model is based on inheritance, i.e., a parent role has all the rights of a child role.
Compared with the prior art, the invention has the following beneficial effects:
1. The invention evaluates the time overhead of security service selection by simulating an increase in the number of selected services; the time overhead grows as the number of nodes and domains in the network grows;
2. The method is feasible and effective in terms of time overhead, and guarantees cross-domain fine-grained access control of Internet of things nodes while taking into account secure information transmission and access of the Internet of things in the social network environment.
Drawings
Other features, objects and advantages of the invention will become more apparent upon reading of the detailed description of non-limiting embodiments with reference to the following drawings:
FIG. 1 is a trust model of a certificate authority module;
FIG. 2 is a role-based access control model;
FIG. 3 is a cross-domain role mapping model;
fig. 4 is a diagram illustrating access response time.
Detailed Description
The following examples illustrate the invention in detail: the embodiment is implemented on the premise of the technical scheme of the invention, and a detailed implementation mode and a specific operation process are given. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the inventive concept, which falls within the scope of the present invention.
Examples
The embodiment provides a cross-domain fine-grained control system of an Internet of things in a social network environment, which comprises an authentication and authorization module, a user login module, a cross-domain security authentication module and a cross-domain fine-grained access control module; wherein,
the authentication and authorization module provides reliable user access on the premise that the network is open;
the user login module provides security for a user to access data;
the cross-domain security authentication module provides security for users to access data in a cross-domain manner;
the cross-domain fine-grained access control module is used for refining the security level of users in the domain and between the domains.
Further, the authentication and authorization module adopts a trust model based on the X.509 certificate distribution method; this trust model is a layered tree structure within one domain and a mesh structure across multiple domains.
Further, the trust model based on the X.509 certificate distribution method comprises a root in each domain, denoted CA_x, where the subscript x is a natural number; the root CA_x serves as a base station or sink node.
Further, the trust model based on the X.509 certificate distribution method also comprises at least one sub-layer in each domain, denoted CA_xn, where the subscript n is a natural number.
Further, the user login module adopts the following protocol:
Step S1: when the user U logs in, the user login module generates a random number RN_1, then encrypts the user password P, the personal identification number ID_U and the random number RN_1 with the public key PK_AS of the access server AS (the server that stores user U's data), obtaining a ciphertext a, and sends the ciphertext a to AS;
Step S2: when the access server AS receives the request from user U, it decrypts the ciphertext a with its private key SK_AS to obtain the personal identification number ID_U, the user password P and the random number RN_1 of user U, and verifies the identity of user U; after verification succeeds, AS generates a random number RN_2, encrypts RN_2 together with ID_U using the decrypted RN_1 as a symmetric key, and sends the resulting ciphertext b to user U;
Step S3: after receiving the ciphertext b from the access server AS, user U decrypts it with the random number RN_1 and obtains the random number RN_2, which is the session key K_u,AS used by user U when accessing AS.
Further, the cross-domain security authentication module adopts the following protocol:
Step a1: user U sends an access request to the access server AS_h of its own domain, requesting access to a server S in another domain; here K_u,AS is the session key obtained at the end of the protocol adopted by the user login module; N_U is a random number generated by user U to ensure the freshness of the request; the time information T_U and the random number R_U are two additional elements used to resist replay attacks; h() denotes the hash value of the time information T_U and the random number R_U; ID_S denotes the identifier of server S;
Step a2: the access server AS_h decrypts the information received from user U and, from ID_S, determines which domain the server S that user U wants to access belongs to; AS_h then generates a random number N_hv and computes S_hv from it; finally AS_h sends its own identifier ID_ASh together with S_hv to the access server AS_v of the domain to which server S belongs; here S_hv denotes the value computed from the random number N_hv, and P is the password assigned to the user by the root CA_x;
Step a3: the access server AS_v of the domain to which server S belongs generates a random number N_vh and computes S_vh from it; at the same time, following the Diffie-Hellman key exchange protocol, it computes K_vh, which acts as the temporary session key negotiated between AS_v and AS_h; AS_v encrypts its public key certificate chain and the digital signature h(S_vh, S_hv) with the temporary session key K_vh and sends the resulting ciphertext c together with S_vh to the access server AS_h; here S_vh denotes the value computed from the random number N_vh, and K_hv denotes the same temporary session key between AS_v and AS_h as computed on the side of AS_h;
Step a4: after receiving the ciphertext c, AS_h obtains S_vh, computes K_hv and K_vh by the method of step a3, and decrypts c to obtain the certificate chain of AS_v and the digital signature with which it verifies the identity of AS_v; after verifying the identity of AS_v, AS_h sends AS_v information encrypted under K_hv; the information encrypted under K_hv comprises: the certificate chain of AS_h, a digital signature, the identity information of user U and server S, a random number sk serving as the session key between user U and server S, and a certificate;
Step a5: AS_v authenticates AS_h by the method of step a4 and then sends server S information encrypted under K_S,AS, where K_S,AS is the symmetric key exchanged between server S and the access server AS_v; the information encrypted under K_S,AS comprises: the identity information of user U and server S, the random number sk serving as the session key between user U and server S, the time information T_U and the random number R_U, a certificate, and a random number N_v generated by v, where v denotes the root server of the domain in which the server to be accessed by user U is located;
Step a6: after receiving the information, server S decrypts it with the symmetric key K_S,AS and then sends the certificate to user U; at the same time server S encrypts its personal information with the random number sk and sends it to user U;
Step a7, U → S: N_S + 1: user U first decrypts with the random number N_U, then obtains the address of server S by decrypting with the random number sk; user U then sends N_S + 1 to server S as a response message, thereby certifying the identity of server S; finally, user U accesses the data on server S with the session key K_U,S, i.e. the random number sk; here N_S denotes a random number generated by server S.
Further, the cross-domain fine-grained access control module comprises a user allocation unit, an entitlement allocation unit, an authorization unit, an obligation unit and a condition unit; wherein:
the user allocation unit and the right allocation unit are respectively used for correctly allocating user roles and user operation authorities;
the authorization unit, the obligation unit and the condition unit are used for correctly removing the user roles and the user operation rights that were previously allocated to the user.
Further, the user role comprises an original right and an effective right of the user, wherein:
the original rights are all rights assigned to the user role;
the valid rights are rights of the user role under the restrictions of the authorization unit, the obligation unit and the condition unit.
Further, user roles having the same original rights can have different valid rights in different domains.
Furthermore, a layered role model is adopted when the cross-domain user role is mapped; the hierarchical role model is based on inheritance, i.e., a parent role has all the rights of a child role.
The present embodiment is further described below with reference to the accompanying drawings.
The embodiment comprises an authentication and authorization module, a user login module, a cross-domain security authentication module and a cross-domain fine-grained access control module. The symbols used hereinafter are as described in table 1.
TABLE 1
A. Trusted authentication authorization module
In order to realize trusted authentication and authorization, the module uses a trust model based on the X.509 certificate distribution method, as shown in fig. 1.
The trust model is a layered tree structure within one domain and a mesh structure across multiple domains. In FIG. 1, each CA_x is a root CA that serves as the trust anchor of its domain.
For a wireless sensor network with distributed storage of data, like domain 1 in fig. 1, a two-layer tree structure is used. The highest layer, CA_1, i.e. the root CA, is designed as the base station; it issues data certificates and distributes keys to the second-level CAs, e.g. CA_11 in domain 1. The second-layer CAs are designed as the places where sensed data is stored, and they in turn issue data certificates and keys to the data servers and users. In this model, a data server is a node used to store data.
For a wireless sensor network that stores data centrally, only a single-layer structure is used, like domain 2 in fig. 1. The root CA, i.e. CA_2, is designed as the base station or sink node and issues data certificates and keys directly to the data servers and users, while the servers store the data.
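The following is an added example, not code from the patent, of how an access server would validate a certificate chain under this trust model: a tree inside each domain, cross-certificates between root CAs across domains, and (as the cross-domain module describes later) a search for a trusted CA that is cross-certified with the root of the presented chain before that root's key is used to verify the chain. The CA names CA_1, CA_11, CA_2, CA_3, the server names, the hop bound and the HMAC stand-in for X.509 signatures are assumptions made so the example runs with the standard library only; a real deployment verifies RSA or ECDSA signatures with the issuer's public key.

```python
import hashlib
import hmac
import secrets
from collections import deque
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


def _tbs(subject: str, issuer: str, subject_key: bytes) -> bytes:
    """The to-be-signed part of a certificate."""
    return b"|".join([subject.encode(), issuer.encode(), subject_key])


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    subject_key: bytes  # key the certificate binds to the subject
    sig: bytes          # issuer's signature over _tbs(subject, issuer, subject_key)


class CA:
    """A CA node: a domain root CA_x (base station or sink node) or a sub-layer CA_xn."""

    def __init__(self, name: str):
        self.name = name
        self.key = secrets.token_bytes(32)

    def issue(self, subject: str, subject_key: bytes) -> Cert:
        # Stand-in for an X.509 signature: HMAC-SHA256 under the issuer's key, so the
        # example needs only the standard library. With RSA or ECDSA the verifier
        # would hold the issuer's public key instead of this secret.
        sig = hmac.new(self.key, _tbs(subject, self.name, subject_key), hashlib.sha256).digest()
        return Cert(subject, self.name, subject_key, sig)


def verify_cert(cert: Cert, issuer_key: bytes) -> bool:
    want = hmac.new(issuer_key, _tbs(cert.subject, cert.issuer, cert.subject_key),
                    hashlib.sha256).digest()
    return hmac.compare_digest(want, cert.sig)


def reachable_roots(anchor: str, anchor_key: bytes, cross_certs: Iterable[Cert],
                    max_hops: int) -> Dict[str, bytes]:
    """Root CAs (with their keys) reachable from the local trust anchor through
    verified cross-certificates. max_hops bounds transitive trust in the mesh."""
    trusted = {anchor: anchor_key}
    todo = deque([(anchor, 0)])
    pool = list(cross_certs)
    while todo:
        name, hops = todo.popleft()
        if hops >= max_hops:
            continue
        for cc in pool:
            if cc.issuer == name and cc.subject not in trusted and verify_cert(cc, trusted[name]):
                trusted[cc.subject] = cc.subject_key
                todo.append((cc.subject, hops + 1))
    return trusted


def validate_chain(anchor: str, anchor_key: bytes, cross_certs: Iterable[Cert],
                   chain: List[Cert], max_hops: int = 1) -> Optional[bytes]:
    """Return the leaf's key if chain[0] is issued by a reachable root and each
    certificate is signed by the key the previous one vouched for; else None."""
    if not chain:
        return None
    roots = reachable_roots(anchor, anchor_key, cross_certs, max_hops)
    signer, key = chain[0].issuer, roots.get(chain[0].issuer)
    if key is None:
        return None
    for cert in chain:
        if cert.issuer != signer or not verify_cert(cert, key):
            return None
        signer, key = cert.subject, cert.subject_key
    return key


def scenario() -> dict:
    """Constructed setup (all names are assumptions): domain 1 is a two-layer tree
    (CA_1 -> CA_11 -> data server DS_1), domain 2 a single layer (CA_2 -> server S),
    and domain 3 (CA_3 -> S_3) is cross-certified only by CA_2."""
    ca1, ca11, ca2, ca3 = CA("CA_1"), CA("CA_11"), CA("CA_2"), CA("CA_3")
    keys = {n: secrets.token_bytes(32) for n in ("DS_1", "S", "S_3")}
    chains = {
        "DS_1": [ca1.issue("CA_11", ca11.key), ca11.issue("DS_1", keys["DS_1"])],
        "S": [ca2.issue("S", keys["S"])],
        "S_3": [ca3.issue("S_3", keys["S_3"])],
    }
    cross = [ca1.issue("CA_2", ca2.key), ca2.issue("CA_1", ca1.key), ca2.issue("CA_3", ca3.key)]
    # A forged certificate: the subject key was swapped but the old signature kept.
    forged = Cert("S", "CA_2", secrets.token_bytes(32), chains["S"][0].sig)
    return {"CA_1": ca1, "CA_2": ca2, "keys": keys, "chains": chains,
            "cross": cross, "forged": forged}
```

The hop bound is the check a practitioner would want in the mesh: every cross-certificate extends the set of roots an access server will accept, so transitive trust through several domains should be an explicit policy decision rather than the default.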
B. User login module
In this embodiment, when a user needs to access data and logs in to the wireless sensor network with a password, the user login module is started; the protocol used by this module is as follows.
Step S1:
When user U logs in, he generates a random number RN_1, then encrypts the user password P, the personal identification number ID_U and the random number RN_1 with the public key PK_AS of the access server AS, obtaining the ciphertext a, and sends a to the access server AS that stores user U's data.
Step S2:
When the access server AS receives the request from user U, it decrypts the ciphertext a with its private key SK_AS to obtain the personal identification number ID_U, the user password P and the random number RN_1 of user U, and verifies the identity of user U. After verification succeeds, AS generates a random number RN_2, encrypts RN_2 together with ID_U using the decrypted RN_1 as a symmetric key, and sends the resulting ciphertext b to user U.
Step S3: After receiving the ciphertext b from the access server AS, user U decrypts it with RN_1 and obtains RN_2, which is the session key K_u,AS used by user U when accessing the access server AS. Since only the holder of SK_AS can recover RN_1 from the ciphertext a, a ciphertext b that decrypts under RN_1 to the expected ID_U also tells user U that the reply came from AS.
C. Cross-domain security authentication module
Step a 1:
user U sends access request to access server AS in user U domainhTo request access to the server S in the other domain. Ku,ASIs the session key RN finally obtained in the protocol adopted by the user login module2。NUIs a random number generated by the user U to ensure the freshness of the request, time information TUAnd a random number RUAre two additional elements used to resist replay attacks.
Step a 2:
access server AShDecrypt the information obtained from user U and pass the IDSIt is verified to which domain the server S the user U wants to access belongs. Then access the server AShGenerating a random number NhvAnd calculateLast access server AShIdentify itself with IDAShAnd ShvAccess server AS sent to the domain to which server S belongsv。
Step a 3:
access server ASvGenerating a random number NvhAnd calculateMeanwhile, according to a Diffie-Hellman key exchange protocol, the method calculates
KvhActing AS an Access Server ASvAnd access server AShThe temporary session key in question. Access server ASvBy KvhEncrypting the public key certificate chain and the digital signature h (S)vh,Shv) And the ciphertext c sum obtained therebySvhSent to the access server ASv。
Step a 4:
access server AShAfter receiving the ciphertext c, obtaining SvhAnd calculating K by the method in step 3hvAnd KvhThereby decrypting to obtain the access server ASvAnd a digital signature for verifying identity. Verifies the access server ASvAfter the identity of (2), access to the server AShSent to the access server ASvBy KhvEncrypted information. This information includes accessServer AShAuthentication chain, digital signature, identity information of the user U and the server S, random number sk as a session key between the user U and the server S, and certificate
When an AS needs to verify a chain of intra-domain certificates from another access server, he looks for CAs that can be trusted and cross-certified with the root CA to which the chain of intra-domain certificates belongs. Then, a chain of trust may be established and the AS may verify the chain of certificates with the public key of the root CA within the domain.
Step a 5:
access server ASvAuthentication of an Access Server AS by the method in step a4hThen sent to the server S via KS,ASEncrypting the resulting information (key d), where KS,ASIs S and AS in the last stagevThe symmetric key exchanged between. This information (key d) includes identity information of the user U and the server S, a random number sk serving as a session key between the user U and the server S, and time information TUAnd a random number RUCertificate and certificateA random number Nv generated by v.
Step a 6:
after the server S receives the secret key d, it passes KS,ASDecrypting the received information and thereafter sending the certificateAnd the server S encrypts personal information by using the random number sk and sends the personal information to the user U.
Step a7: U → S: N_S + 1
The user U decrypts with the random number N_U and then obtains the address of the server S by decrypting with the random number sk. The user U then sends N_S + 1 to the server S as a response message and confirms its identity. Finally, the user U accesses the data on the server S, i.e. the random number sk, through the session key K_U,S.
D. Cross-domain fine-grained access control module
This module implements access control on the basis of RBAC. It has five control units: a user allocation unit, a rights allocation unit, an authorization unit, an obligation unit and a condition unit. The user allocation unit and the rights allocation unit handle correct allocation (of user roles, and of the operation rights of those roles), while the other three units handle correct removal.
In the user allocation unit, the system assigns roles to the user. The original rights are the rights owned by the role assigned to the user. A valid right is a right that remains after the restrictions of the authorization unit, the obligation unit and the condition unit. A principal with the same original rights may therefore have different valid rights in different application scenarios. The role-based usage control model is shown in FIG. 2.
When cross-domain roles are mapped, the model adopts a layered role model. This hierarchical role model is based on inheritance, i.e. a parent role has all the rights of a child role. The cross-domain role mapping is shown in FIG. 3.
In FIG. 3, the "Secondary Administrator" role in domain B is mapped to the "Advanced User" role in domain A. This means that a user in domain B who is assigned the "Secondary Administrator" role has, when accessing domain A across domains, all the rights that an "Advanced User" in domain A has. In addition, role mapping is transferred up the hierarchy: as FIG. 3 shows, when "Secondary Administrator" maps to "Advanced User", the parent node of "Secondary Administrator" in domain B can also map to "Advanced User" according to the hierarchical structure of roles.
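As an added illustration (not code from the patent), the layered role model, the transfer of a cross-domain role mapping up the hierarchy, and the restriction of original rights to valid rights by the authorization, obligation and condition units, in Python; the domains, rights, users and unit predicates are constructed for the example.

```python
# Added illustration of the layered role model, cross-domain role mapping and the
# three restricting units described above; not the patent's code. Domains, rights,
# users and unit predicates are constructed for the example.
from __future__ import annotations


class Domain:
    """A domain's role hierarchy: a parent role owns every right of its children."""

    def __init__(self, children: dict[str, list[str]], rights: dict[str, set[str]]):
        self.children, self.rights = children, rights  # role -> child roles; role -> direct rights

    def original_rights(self, role: str) -> set[str]:
        """Rights owned by `role`, including everything inherited from its descendants."""
        owned = set(self.rights.get(role, ()))
        for child in self.children.get(role, ()):
            owned |= self.original_rights(child)
        return owned


def mapped_role(src: Domain, mapping: dict[str, str], role: str) -> str | None:
    """Resolve a source-domain role to a target-domain role (None if unmapped)."""
    # A role without an explicit entry takes a child role's mapping, since it already
    # holds all of that child's rights: the mapping is transferred up the hierarchy (FIG. 3).
    if role in mapping:
        return mapping[role]
    for child in src.children.get(role, ()):
        target = mapped_role(src, mapping, child)
        if target is not None:
            return target
    return None


def valid_rights(user: str, role: str, src: Domain, dst: Domain, mapping: dict[str, str],
                 authorized, obligation_met, condition_holds, ctx: dict) -> set[str]:
    """Original rights of the mapped role, cut down by the three control units."""
    # authorized(user, right), obligation_met(user) and condition_holds(ctx) are
    # hypothetical stand-ins for the authorization, obligation and condition units.
    target = mapped_role(src, mapping, role)
    if target is None or not obligation_met(user) or not condition_holds(ctx):
        return set()
    return {r for r in dst.original_rights(target) if authorized(user, r)}


# Constructed FIG. 3 scenario: B's "Secondary Administrator" maps to A's "Advanced User".
DOMAIN_A = Domain({"Advanced User": ["Ordinary User"]},
                  {"Advanced User": {"write"}, "Ordinary User": {"read"}})
DOMAIN_B = Domain({"Administrator": ["Secondary Administrator"]},
                  {"Administrator": {"manage"}, "Secondary Administrator": {"audit"}})
MAPPING = {"Secondary Administrator": "Advanced User"}
ACCEPTED_TERMS = {"alice", "guest"}   # obligation unit: subject accepted domain A's terms


def cross_domain_rights(user: str, role: str, network: str) -> set[str]:
    """Rights a domain-B subject holding `role` has in domain A when coming from `network`."""
    return valid_rights(user, role, DOMAIN_B, DOMAIN_A, MAPPING,
                        authorized=lambda u, r: not (u == "guest" and r == "write"),
                        obligation_met=lambda u: u in ACCEPTED_TERMS,
                        condition_holds=lambda c: c["network"] == "internal",
                        ctx={"network": network})
```

The "Administrator" role has no mapping entry of its own, yet resolves to "Advanced User" through its child, which is the transfer of mapping the text describes.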
The present embodiment evaluates the time overhead of security service selection by simulating an increase in the number of selected services. As shown in fig. 4, as the number of nodes and domains in the network increases, the time overhead increases.
The experimental results prove the feasibility of the embodiment in time overhead and the feasibility and effectiveness of the invention. In summary, according to the embodiment, on the basis of considering safe information transmission and access of the internet of things in the social network environment, cross-domain fine-grained access control of the nodes of the internet of things is ensured.
In this embodiment:
CA: certificate authority (Certificate Authority);
X.509: the digital certificate standard established by the International Telecommunication Union;
Diffie-Hellman: a method for establishing a shared secret over an insecure network;
RBAC: role-based access control (Role-Based Access Control).
The foregoing description of specific embodiments of the present invention has been presented. It is to be understood that the present invention is not limited to the specific embodiments described above, and that various changes and modifications may be made by one skilled in the art within the scope of the appended claims without departing from the spirit of the invention.
Claims (10)
1. A cross-domain fine-grained control system of an Internet of things in a social network environment is characterized by comprising: the system comprises an authentication authorization module, a user login module, a cross-domain security authentication module and a cross-domain fine-grained access control module; wherein,
the authentication and authorization module provides the reliability of accessing the user on the premise that the network is opened;
the user login module provides security for a user to access data;
the cross-domain security authentication module provides security for users to access data in a cross-domain manner;
the cross-domain fine-grained access control module is used for refining the security level of the user in the domain and between the domains.
2. The cross-domain fine-grained control system of the internet of things in the social network environment according to claim 1, characterized in that the authentication and authorization module adopts a trust model of the certificate distribution method based on X.509, and this trust model has a layered tree structure within one domain and a mesh structure across a plurality of domains.
3. The cross-domain fine-grained control system of the internet of things in the social network environment of claim 2, wherein the trust model of the certificate distribution method based on X.509 comprises a root in each domain, the root being denoted CA_x, where the subscript x is a natural number, and the root CA_x serves as a base station or sink node.
4. The cross-domain fine-grained control system of the internet of things in the social network environment according to claim 3, wherein the trust model of the certificate distribution method based on X.509 further comprises at least one sub-layer in each domain, the sub-layer being denoted CA_xn, where the subscript n is a natural number.
5. The cross-domain fine-grained control system of the internet of things in the social network environment of claim 1, wherein the user login module adopts the following protocol:
in step S1,
when the user U logs in, the user login module generates a random number RN_1; the user login module then encrypts the user password P, the personal identification number ID_U and the random number RN_1 with the public key PK_AS to obtain a ciphertext a, and sends the ciphertext a to the access server AS on which the user U's data is stored;
in step S2,
when the access server AS receives the request sent by the user U, it decrypts the ciphertext a with its private key SK_AS to obtain the personal identification number ID_U, the user password P and the random number RN_1 of the user U, and verifies the personal identity information of the user U; after verification, the access server AS generates a random number RN_2, then encrypts the random number RN_2 and the personal identification number ID_U using the decrypted random number RN_1 as a symmetric key, and sends the resulting ciphertext b to the user U;
in step S3, after receiving the ciphertext b from the access server AS, the user U decrypts it with the random number RN_1 to obtain the random number RN_2, i.e. the session key K_U,AS used by the user U when accessing the access server AS.
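Steps S1 to S3 of claim 5 as an added example in Python, not the patent's code; it assumes RSA-OAEP for the public-key step, AES-GCM keyed with RN_1 for the reply b, JSON-encoded messages and a constructed user store, and needs the `cryptography` package.

```python
# Added illustration of steps S1-S3 above, not the patent's code. Assumes RSA-OAEP for
# the public-key step, AES-GCM keyed with RN_1 for the reply, and JSON messages
# (all constructed choices). Needs the `cryptography` package.
from __future__ import annotations

import json
import os

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)


class AccessServer:
    """The AS: holds SK_AS and the user store, and performs step S2."""

    def __init__(self, users: dict[str, str]):
        self._sk = rsa.generate_private_key(public_exponent=65537, key_size=2048)
        self.pk = self._sk.public_key()        # PK_AS, published to users
        self._users = users                     # ID_U -> password P (constructed store)
        self.sessions: dict[str, bytes] = {}    # ID_U -> K_U,AS after a successful S2

    def step2(self, a: bytes) -> bytes | None:
        """Decrypt a with SK_AS, verify (ID_U, P), then reply b = Enc_RN1(RN_2, ID_U)."""
        req = json.loads(self._sk.decrypt(a, OAEP))
        if self._users.get(req["ID_U"]) != req["P"]:
            return None                         # identity check failed: no ciphertext b
        rn1 = bytes.fromhex(req["RN1"])
        rn2 = os.urandom(32)                    # RN_2, which becomes K_U,AS
        self.sessions[req["ID_U"]] = rn2
        nonce = os.urandom(12)
        reply = json.dumps({"RN2": rn2.hex(), "ID_U": req["ID_U"]}).encode()
        return nonce + AESGCM(rn1).encrypt(nonce, reply, None)


def step1(pk, id_u: str, password: str) -> tuple[bytes, bytes]:
    """User side: fresh RN_1 and the ciphertext a = Enc_PK_AS(P, ID_U, RN_1)."""
    rn1 = os.urandom(32)                        # RN_1 doubles as the AES-GCM key for b
    a = pk.encrypt(json.dumps({"P": password, "ID_U": id_u, "RN1": rn1.hex()}).encode(), OAEP)
    return rn1, a


def step3(rn1: bytes, id_u: str, b: bytes) -> bytes:
    """User side: recover RN_2 = K_U,AS from b, rejecting a reply not bound to this ID_U."""
    nonce, ct = b[:12], b[12:]
    reply = json.loads(AESGCM(rn1).decrypt(nonce, ct, None))   # InvalidTag if b was altered
    if reply["ID_U"] != id_u:
        raise ValueError("reply is not bound to this user")
    return bytes.fromhex(reply["RN2"])


def login(server: AccessServer, id_u: str, password: str) -> bytes | None:
    """Run S1-S3 end to end; returns K_U,AS, or None when the AS rejects the credentials."""
    rn1, a = step1(server.pk, id_u, password)
    b = server.step2(a)
    return None if b is None else step3(rn1, id_u, b)
```

Because b is authenticated under RN_1, which only the user and the AS know, a modified or replayed b fails to decrypt, and the ID_U echoed in b lets the user check that the reply belongs to its own request.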
6. The cross-domain fine-grained control system of the internet of things in the social network environment of claim 1, wherein the cross-domain security authentication module adopts the following protocol:
in step a1,
the user U sends an access request to the access server AS_h in the user U's own domain, requesting access to a server S in another domain; wherein K_U,AS is the session key finally obtained in the protocol adopted by the user login module; N_U is a random number generated by the user U to ensure the freshness of the request; the time information T_U and the random number R_U are two additional elements used to resist replay attacks; h() represents the hash value of the time information T_U and the random number R_U; ID_S is the identifier of the server S; the server S is the object the user U wants to access;
in step a2,
the access server AS_h decrypts the information obtained from the user U and verifies, through ID_S, to which domain the server S that the user U wants to access belongs; the access server AS_h then generates a random number N_hv and computes S_hv; finally, the access server AS_h identifies itself with ID_ASh and sends S_hv to the access server AS_v of the domain to which the server S belongs; wherein S_hv represents the result computed from the random number N_hv; P is a password generated by the user U and exchanged with the root CA_ASh;
in step a3,
the access server AS_v to which the server S belongs generates a random number N_vh and computes S_vh; at the same time, according to the Diffie-Hellman key exchange protocol, it computes K_vh;
wherein K_vh acts as the temporary session key between the access server AS_v and the access server AS_h; the access server AS_v encrypts, with the temporary session key K_vh, the public key certificate chain and the digital signature h(S_vh, S_hv), and sends the resulting ciphertext c and S_vh to the access server AS_h; wherein S_vh represents the result computed from the random number N_vh; K_hv represents the temporary session key between the access server AS_v and the access server AS_h;
in step a4,
after receiving the ciphertext c, the access server AS_h obtains S_vh and computes K_hv and K_vh by the method of step a3, thereby decrypting c to obtain the certificate chain and digital signature of the access server AS_v and verifying its identity; having verified the identity of the access server AS_v, the access server AS_h sends the access server AS_v information encrypted with K_hv; the information encrypted with K_hv includes: the authentication chain of the access server AS_h, a digital signature, the identity information of the user U and the server S, the random number sk serving as the session key between the user U and the server S, and the certificate;
in step a5,
the access server AS_v authenticates the access server AS_h by the method of step a4, then sends to the server S the secret d encrypted with K_S,AS, where K_S,AS is the symmetric key exchanged between the server S and the access server AS_v; the secret d comprises: the identity information of the user U and the server S, the random number sk serving as the session key between the user U and the server S, the time information T_U and the random number R_U, two certificates, and a random number N_v generated by v, where v represents the root server v of the domain in which the server to be accessed by the user U is located;
in step a6,
after receiving d, the server S decrypts the received information with the symmetric key K_S,AS and then sends the certificate to the user U; at the same time, the server S encrypts its personal information with the random number sk and sends it to the user U;
in step a7, U → S: N_S + 1:
the user U decrypts with the random number N_U, then obtains the address of the server S by decrypting with the random number sk; the user U then sends N_S + 1 to the server S as a response message and certifies the identity of the server S; finally, the user U accesses the data on the server S, i.e. the random number sk, through the session key K_U,S; where N_S represents a random number generated by the server S.
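Steps a2 to a4 (as described above and in claim 6) as an added example in Python, not the patent's code. It assumes classic Diffie-Hellman for S_hv, S_vh and the shared key, reduces the digital signature over h(S_vh, S_hv) to that hash carried inside the authenticated ciphertext c, models the root-CA trust check of the certificate chain as membership in a set of trusted roots, uses a toy 127-bit prime, and needs the `cryptography` package.

```python
# Added illustration of steps a2-a4 (description and claim 6), not the patent's code.
# Assumes classic Diffie-Hellman: S_hv = g^N_hv mod p, S_vh = g^N_vh mod p, and
# K_vh = K_hv = SHA-256 of the shared value; the digital signature over h(S_vh, S_hv)
# is reduced to that hash carried inside the AES-GCM ciphertext c. The group is a toy
# 127-bit prime for illustration only. Needs the `cryptography` package.
from __future__ import annotations

import hashlib
import json
import os

from cryptography.hazmat.primitives.ciphers.aead import AESGCM

P = 2**127 - 1   # toy Mersenne prime (constructed); real deployments use a standard group
G = 3


def hash_pair(s_vh: int, s_hv: int) -> str:
    """h(S_vh, S_hv): binds both public values so neither can be swapped in transit."""
    return hashlib.sha256(f"{s_vh}:{s_hv}".encode()).hexdigest()


def temp_key(peer_public: int, own_secret: int) -> bytes:
    """Temporary session key (K_vh on AS_v, K_hv on AS_h) from the DH shared value."""
    return hashlib.sha256(pow(peer_public, own_secret, P).to_bytes(16, "big")).digest()


class AccessServer:
    def __init__(self, id_as: str, cert_chain: list[str]):
        self.id_as, self.cert_chain = id_as, cert_chain          # chain ends at the domain root CA
        self.secret = int.from_bytes(os.urandom(16), "big") % (P - 2) + 2   # N_hv or N_vh
        self.public = pow(G, self.secret, P)                                 # S_hv or S_vh

    def step_a2(self) -> tuple[str, int]:
        """AS_h identifies itself with ID_ASh and sends S_hv."""
        return self.id_as, self.public

    def step_a3(self, s_hv: int) -> tuple[bytes, int]:
        """AS_v derives K_vh and sends c = Enc_Kvh(chain, h(S_vh, S_hv)) together with S_vh."""
        k_vh = temp_key(s_hv, self.secret)
        payload = json.dumps({"chain": self.cert_chain, "sig": hash_pair(self.public, s_hv)})
        nonce = os.urandom(12)
        return nonce + AESGCM(k_vh).encrypt(nonce, payload.encode(), None), self.public

    def step_a4(self, c: bytes, s_vh: int, trusted_roots: set[str]) -> list[str] | None:
        """AS_h derives K_hv, decrypts c, checks the binding hash and the chain's root CA."""
        k_hv = temp_key(s_vh, self.secret)
        msg = json.loads(AESGCM(k_hv).decrypt(c[:12], c[12:], None))   # InvalidTag if keys differ
        if msg["sig"] != hash_pair(s_vh, self.public) or msg["chain"][-1] not in trusted_roots:
            return None                                       # untrusted root or tampered values
        return msg["chain"]


def run_exchange(trusted_roots: set[str]) -> list[str] | None:
    """Whole a2-a4 exchange with constructed identities; returns AS_v's verified chain or None."""
    as_h = AccessServer("AS_h", ["AS_h", "CA_h"])
    as_v = AccessServer("AS_v", ["AS_v", "CA_v1", "CA_v"])
    _id_ash, s_hv = as_h.step_a2()
    c, s_vh = as_v.step_a3(s_hv)
    return as_h.step_a4(c, s_vh, trusted_roots)
```

If AS_h does not trust (or is not cross-certified with) the root CA at the end of AS_v's chain, the exchange is rejected before any user data is forwarded in step a4.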
7. The cross-domain fine-grained control system of the internet of things in the social network environment of claim 1, wherein the cross-domain fine-grained access control module comprises a user allocation unit, an entitlement allocation unit, an authorization unit, an obligation unit and a condition unit; wherein:
the user allocation unit and the right allocation unit are respectively used for correctly allocating user roles and user operation authorities;
the authorization unit, the obligation unit and the condition unit are used for correctly removing user roles and user operation rights previously allocated to the user.
8. The cross-domain fine-grained control system of the internet of things in a social network environment according to claim 1, wherein the user role comprises an original right and an effective right of a user, wherein:
the original rights are all rights assigned to the user role;
the valid rights are rights of the user role under the restrictions of the authorization unit, the obligation unit and the condition unit.
9. The cross-domain fine-grained control system for the internet of things in the social network environment of claim 8, wherein user roles having the same original rights can have different effective rights in different domains.
10. The cross-domain fine-grained control system of the internet of things in the social network environment of claim 9, wherein a layered role model is adopted during cross-domain user role mapping; the hierarchical role model is based on inheritance, i.e., a parent role has all the rights of a child role.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510819929.1A CN105471868A (en) | 2015-11-23 | 2015-11-23 | Cross-domain fine-grained control system of Internet of things under social network environment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510819929.1A CN105471868A (en) | 2015-11-23 | 2015-11-23 | Cross-domain fine-grained control system of Internet of things under social network environment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN105471868A true CN105471868A (en) | 2016-04-06 |
Family
ID=55609138
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510819929.1A Pending CN105471868A (en) | 2015-11-23 | 2015-11-23 | Cross-domain fine-grained control system of Internet of things under social network environment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105471868A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108737370A (en) * | 2018-04-05 | 2018-11-02 | 西安电子科技大学 | A kind of cross-domain Verification System of Internet of Things based on block chain and method |
- 2015-11-23: CN CN201510819929.1A patent/CN105471868A/en, active, Pending
Non-Patent Citations (1)
Title |
---|
JUN WU et al.: "A Fine-Grained Cross-Domain Access Control Mechanism for Social Internet of Things", 《UBIQUITOUS INTELLIGENCE AND COMPUTING, 2014 IEEE 11TH INTL CONF ON AND IEEE 11TH INTL CONF ON AND AUTONOMIC AND TRUSTED COMPUTING, AND IEEE 14TH INTL CONF ON SCALABLE COMPUTING AND COMMUNICATIONS AND ITS ASSOCIATED WORKSHOPS (UTC-ATC-SCALCOM)》 * |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108737370A (en) * | 2018-04-05 | 2018-11-02 | 西安电子科技大学 | A kind of cross-domain Verification System of Internet of Things based on block chain and method |
CN108737370B (en) * | 2018-04-05 | 2020-10-16 | 西安电子科技大学 | Block chain-based Internet of things cross-domain authentication system and method |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN103780618B (en) | A kind of based on across the isomery territory authentication accessing mandate bill and session cipher negotiating method | |
CN109687976A (en) | Fleet's establishment and management method and system based on block chain and PKI authentication mechanism | |
CN112528250B (en) | System and method for realizing data privacy and digital identity through block chain | |
CN109040045A (en) | A kind of cloud storage access control method based on the encryption of ciphertext policy ABE base | |
CN107852404A (en) | Secret communication is mutually authenticated | |
CN109728903B (en) | Block chain weak center password authorization method using attribute password | |
CN103401839B (en) | A kind of many authorization center encryption method based on attribute protection | |
JPH06223041A (en) | Rarge-area environment user certification system | |
CN103856477A (en) | Trusted computing system, corresponding attestation method and corresponding devices | |
US8806206B2 (en) | Cooperation method and system of hardware secure units, and application device | |
CN101989984A (en) | Electronic document safe sharing system and method thereof | |
CN104219055A (en) | NFC (near field communication)-based point-to-point trusted authentication method | |
GB2385955A (en) | Key certification using certificate chains | |
CN103684798B (en) | Authentication method used in distributed user service | |
CN108683501A (en) | Based on quantum communication network using timestamp as the multiple identity authorization system and method for random number | |
CN107465681A (en) | Cloud computing big data method for secret protection | |
CN107332858A (en) | Cloud date storage method | |
CN108833373A (en) | The instant messaging and anonymous access method of facing relation secret protection social networks | |
CN115883102B (en) | Cross-domain identity authentication method and system based on identity credibility and electronic equipment | |
Han et al. | Anonymous single sign-on with proxy re-verification | |
CN111447058B (en) | Book resource access control method based on Chinese remainder theorem | |
CN108712259A (en) | Identity-based acts on behalf of the efficient auditing method of cloud storage for uploading data | |
CN111917543A (en) | User access cloud platform security access authentication system and application method thereof | |
Feiri et al. | Efficient and secure storage of private keys for pseudonymous vehicular communication | |
CN114254284A (en) | Digital certificate generation and identity authentication method and quantum CA authentication center and system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20160406 |