Background technology
The classical access control model expresses the access relationship between participants through a triple of subject, object and permission. There are three types of classical access control models in the access control field: Discretionary Access Control (DAC), Mandatory Access Control (MAC) and the more widely adopted Role-Based Access Control (RBAC). Each has its own applicable scenarios, advantages and disadvantages. In earlier security systems, the form of this triple could express access authorization scenarios well. But with the spread of the Internet to more types of devices and the development of the Internet of Things, network relationships are gradually developing towards discretization and individuation. For example, in today's social software and the various Internet products derived from it, there is no clear boundary between subject and object, and they are presented more like a networked structure. At the same time, distributed and P2P communication modes are increasing, so a new kind of access control model with adaptability, compatibility and scalability is needed.
Scholars at home and abroad have also proposed, for access control in social networks, the idea of unifying subject-to-subject and subject-to-object access control. The research focus of access control is shifting towards dynamism and autonomy, and scholars want to find an access control between individuals that can adapt to a network structure. But their models still suffer from the influence of traditional access control models. For example, when discussing how U2U (User to User) and U2R (User to Resource) accesses are handled, they still treat subject and object differently; when making access decisions with a logical language they still lean towards a static or one-to-one mode; and when handling accesses that contain a path, they use traversal only to find nodes, which easily produces security problems. Or they take only the propagation property into account but are confined to imitating attribute-based access control, summarizing the complex Internet communication environment into a number of static attributes.
In order to adapt to diversified and complex network application scenarios, scholars at home and abroad have proposed some new access control models for certain shortcomings of conventional models. They either carry out corresponding optimization on classical models, or propose access control models better suited to particular properties of the Internet. The present invention is primarily concerned with recent research by domestic scholars on access control models suited to distributed networks or to networks with complex propagation relationships:
Analysis of access control characteristics in big data / networks
Li Hao et al., based on the new features of big data and its applications, analyzed and summarized five problems that big data access control urgently needs to solve: the authorization management problem, the fine-grained access control problem, the access control policy specification problem, the individual privacy protection problem, and the implementation problem of access control in distributed architectures. They also refined the characteristics of an access control model adapted to the big data environment: diversified judgment bases, fuzzy (or uncertain) judgment results, and the fusion of multiple access control technologies.
Old Yao female et al. briefly analyzed the characteristics and architectural framework of big data and concluded the principles that access control should satisfy under a big data environment, namely autonomy, dynamism, fine granularity and cross-domain authorization. By comparatively analyzing the applicability of the access control models DAC, MAC, RBAC and ABAC under a big data environment, it can be seen that in big data and in today's open networks, autonomous and dynamic authorization is the more popular access control model.
Novel access control models proposed for the existing network environment
Liu Sha and Tan Liang consider that the access control model in the Hadoop cloud platform has an obvious shortcoming: it considers only the authenticity of the user's identity at authorization time, does not account for the credibility of the user's later behavior, and no longer supervises a permission once it has been granted. They propose a trust-based LT model suitable for the Hadoop cloud platform, which sets a trust value for each user and updates it in real time from the user's behavior records in the cluster, thereby meeting the demand for dynamic access control in open networks.
Xiong Jun provides a multi-strategy access control model, gives an operator-based policy specification method and a detailed XML-based policy description specification, and classifies policies in order to describe them further. For policy adjustment, the addition, cancellation and change of policies are discussed in detail. For policy selection and decision problems, fuzzy processing and analysis of roles, permissions and security policies introduce a fuzzy algorithm to judge the user's access rights; this is in fact an attempt to combine different lines of thinking in access control.
Vishwamitra notes that in a network environment where information is transmitted through multiple layers, users cannot exercise proper access control over information related to themselves. An access control model named PMAC is proposed, which separates some attributes that identify the user, such as facial characteristics and physical traits, from sharable data; in access control, this category of information is treated differently according to relation lists and delegation strategies, and users can ensure that certain crucial private information is not leaked by generating strategies.
Research status of access control models based on networks / relational networks
Li Fenghua et al. propose a cyberspace-oriented access control model, denoted CoAC. The model covers elements such as the access request entity, generalized tense, access point, access device, network, resource, network interaction graph and resource propagation chain, and can effectively prevent the security problems caused by the separation of data ownership from administrative rights and by secondary and repeated forwarding of information.
Cheng et al. propose an access control model based on the relationships between users. They consider the user-to-user relationship to be the cornerstone of OSNs (Online Social Networks), and on this basis propose a novel access control model that defines relationships in social networks in a standardized way, uses them to connect users, and specifies the rules for a legal path; finally they use a DFS-like path search algorithm, calculate its complexity and demonstrate its correctness.
Bruns et al. describe an access control model based on user relationships using Hybrid Logic. Cai Hongyun et al. extend this model with the measurement and transmission of relationship strength.
Carminati et al., likewise addressing the information security problems brought to today's social networks by resources shared in large quantities, propose Rule-Based Access Control. They specify access rules based on the form and depth of relationships, the degree of trust that existing relationships bring, and so on, and match certificates that certify the relationship between subjects in order to limit information propagation.
Hu et al. and Liu Na discuss the problems of multiparty access control in OSNs (Online Social Networks) and propose the model MPAC (Multiparty Access Control). Taking access to information between users on Facebook as the example scenario, they apply Answer Set Programming (ASP) to elaborate how their model solves the problem of managing shared information on an OSN.
Ma, addressing the network characteristics of social networks, proposes a new model RuleSN suited to cloud computing environments. The model uses a logical language similar to those of Hu and Cheng, and has good expressivity for the many User to User (U2U), User to Resource (U2R) and Resource to Resource (R2R) relationships in social networks and for the specific attributes of users and resources.
It can be seen from the above that, as Internet access control scenarios keep changing, conventional models can no longer adapt well in authorization management, policy description, privacy protection and so on. Some researchers attempt to supplement traditional access control in certain details, or pile up more and more decision conditions so that experimental results better fit a certain type of access scenario. But the distributed, rapidly changing and diversified composition of subjects and objects in network structures requires access control to be innovated at the model level. Researchers have started from social networks, using their rich node association data to establish access control suited to relational networks. The thinking and construction methods of these models are very novel, but they still treat users and resources with a certain discrimination. And in the definition of policy, for accesses with a path (indirect accesses) only objective conditions between the deciding nodes are used, such as the relationship strength or distance between nodes, while the autonomy and scalability of the model are ignored, which has a certain impact on protecting user privacy.
Invention content
In view of the shortcomings in the problems above, the present invention provides a certificate-based access control model in a network structure and an access method.
To achieve the above object, the present invention provides a certificate-based access control model in a network structure, including: a starting point, a terminal and a node network;
the starting point is the node that initiates the access request, the terminal is the node being accessed, and the node network is a network-like topological structure formed by multiple nodes connected through pending-authorization lists;
the starting point initiates an access request to the terminal; the terminal generates a pending authorization certificate and sends it to the starting point, and the starting point accesses the terminal using the authorization certificate; the pending authorization certificate includes starting point information, the requested permission and the request time, together with the pending-authorization list that the starting point must satisfy to obtain the requested permission;
the starting point enters the certificate traversal flow starting from the terminal's pending-authorization list and traverses the node network in a depth-first manner; in the certificate traversal flow, after each node has traversed its own pending-authorization list, it enters the rule determination flow and gives the node's final return value according to the access control policy it adopts; after backtracking is complete, the pending authorization certificate is returned to the starting point, and whether authorization succeeds is judged according to the terminal's logical expression; if it succeeds, the pending authorization certificate becomes an authorization certificate for the starting point to use for the corresponding operation; if it fails, this access is denied.
As a further improvement of the present invention, the node network includes multiple layers of nodes;
the one or more nodes in the pending-authorization list of a lower-layer node are its upper-layer nodes.
As a further improvement of the present invention, the logical expression connects the pending-authorization list and the rules through logical operators.
The present invention also provides an access method for the certificate-based access control model in a network structure, including:
Step 1, the starting point initiates an access request to the terminal;
Step 2, the terminal generates a pending authorization certificate and sends it to the starting point; the pending authorization certificate includes starting point information, the requested permission and the request time, together with the pending-authorization list that the starting point must satisfy to obtain the requested permission;
Step 3, the starting point enters the certificate traversal flow and traverses the node network in a depth-first manner;
Step 4, in the certificate traversal flow, after each node has traversed its own pending-authorization list, it enters the rule determination flow and gives the node's final return value according to the access control policy it adopts;
Step 5, after backtracking is complete, the pending authorization certificate is returned to the starting point, and whether authorization succeeds is judged according to the terminal's logical expression; if it succeeds, the pending authorization certificate becomes an authorization certificate for the starting point to use for the corresponding operation; if it fails, this access is denied;
Step 6, the starting point accesses the terminal using the authorization certificate.
As a further improvement of the present invention, the certificate traversal flow includes:
Step a, judge whether the current node's pending-authorization list for the original request is empty; if it is empty, jump to step e;
Step b, judge whether the node in the pending-authorization list already exists in the authorized-node list; if it does, read that node's return value directly from the authorized-node list; if it does not, enter step c;
Step c, pass the certificate to the node in the pending-authorization list, and have that node call the certificate traversal flow to obtain its return value;
Step d, repeat steps b and c for the next item of the pending-authorization list until the return values of all nodes in the pending-authorization list have been obtained;
Step e, enter the rule determination flow and obtain the return value of each rule part according to the authorization rules used by the node itself;
Step f, read the logical expression; the logical expression computes the node's return value by logical calculation from the return values of the rule parts and all the return values of the pending-authorization list; this return value serves as the return value of the whole flow and is recorded in the authorized-node list.
As a further improvement of the present invention, the rule determination flow includes basic information rules and pending-authorization-list rules;
the basic information rules make decisions on the various information of the node in the manner of attribute-based access control (ABAC), including: restrictions on the starting point, restrictions on the requested permission, restrictions on the terminal, restrictions on time, and checks on the parent node;
the pending-authorization-list rules judge the performance of the pending-authorization list.
Compared with the prior art, the beneficial effects of the present invention are:
The present invention provides a certificate-based access control model in a network structure, in which subjects and objects are all regarded as nodes and each node is connected with the others through a node linked list serving as a bridge, forming a network-like topological structure; novel authorization modes such as certificate transmission and indirect access rules then act together in the access control decision according to a prescribed logical expression. Compared with existing models, whose permission management relies more on rules set by the system, the present invention lets each node manage permissions more autonomously and dynamically without depending on or affecting the whole system; meanwhile, authorization decisions use the topological structure of the node network, so the model can fully take into account the privacy of each node even when facing complex information propagation.
Specific implementation mode
In order to make the object, technical scheme and advantages of the embodiments of the present invention clearer, the technical scheme in the embodiments of the present invention is described clearly and completely below in conjunction with the drawings of the embodiments. Obviously, the described embodiments are only a part of the embodiments of the present invention, not all of them. Based on the embodiments of the present invention, all other embodiments obtained by those of ordinary skill in the art without creative work shall fall within the protection scope of the present invention.
Traditional access control models express the access and authorization relationship between subject and object through a triple of subject, object and access rights. But as mobile networks gradually develop towards distribution, there are complex propagation relationships among network information, nodes are associated with each other, and there is no clear boundary between subject and object. In order to adapt research at the access control model level to such a network environment, the present invention proposes a novel access control model in which subjects and objects are all regarded as nodes and each node is connected with the others through a node association list serving as a bridge, forming a network-like topological structure. Further, novel authorization modes such as certificate transmission and indirect access rules act together in the access control decision according to a prescribed logical expression. Compared with existing models, whose permission management relies more on fixed rules, this design lets each node manage permissions more autonomously and dynamically without depending on or affecting the whole system. Meanwhile, authorization decisions use the topological structure of the node network, so the model can fully take into account the privacy of each node even when facing complex information propagation.
The present invention is described in further detail below in conjunction with the accompanying drawings:
Inspired by the widely used OAuth technology, the present invention proposes a certificate-based access control model in a network structure that breaks the subject-object relationship: all participants (including accessing subjects and accessed resources) are regarded as nodes. An access request made by a node is realized by completing a certificate required by the accessed node. To complete this kind of authorization certificate, the nodes related to the accessed node must be traversed carefully and decisions made according to their different access control policies, after which authorization is finally granted. From this new perspective the present invention attempts to interpret access control in all kinds of complex Internet environments; while it can cover classical access control models, it can also make up for their deficiencies and provide room for extension for the complex access scenarios that will arise as network environments develop, so that access control not only has higher applicability and scalability in new network environments but also retains compatibility with conventional models. At the same time, in accesses containing a path, it can give nodes a higher degree of freedom without affecting their privacy protection.
As shown in Figure 1, the present invention provides a certificate-based access control model in a network structure, including: a starting point 1, a terminal 2 and a node network 3;
the starting point 1 is the node that initiates the access request, the terminal 2 is the node being accessed, and the node network 3 is a network-like topological structure formed by multiple nodes connected through pending-authorization lists;
the starting point 1 initiates an access request to the terminal 2; the terminal 2 generates a pending authorization certificate and sends it to the starting point 1, and the starting point 1 accesses the terminal 2 using the authorization certificate; the pending authorization certificate includes starting point information, the requested permission and the request time, together with the pending-authorization list that the starting point must satisfy to obtain the requested permission;
the starting point 1 enters the certificate traversal flow starting from the pending-authorization list of the terminal 2 and traverses the node network 3 in a depth-first manner; in the certificate traversal flow, after each node has traversed its own pending-authorization list, it enters the rule determination flow and gives the node's final return value according to the access control policy it adopts; after backtracking is complete, the pending authorization certificate is returned to the starting point, and whether authorization succeeds is judged according to the terminal's logical expression; if it succeeds, the pending authorization certificate becomes an authorization certificate for the starting point to use for the corresponding operation; if it fails, this access is denied.
The present invention also provides an access method for the certificate-based access control model in a network structure, including:
Step 1, the starting point initiates an access request to the terminal;
Step 2, the terminal generates a pending authorization certificate and sends it to the starting point; the pending authorization certificate includes starting point information, the requested permission and the request time, together with the pending-authorization list that the starting point must satisfy to obtain the requested permission;
Step 3, the starting point enters the certificate traversal flow and traverses the node network in a depth-first manner;
Step 4, in the certificate traversal flow, after each node has traversed its own pending-authorization list, it enters the rule determination flow and gives the node's final return value according to the access control policy it adopts;
Step 5, after backtracking is complete, the pending authorization certificate is returned to the starting point, and whether authorization succeeds is judged according to the terminal's logical expression; if it succeeds, the pending authorization certificate becomes an authorization certificate for the starting point to use for the corresponding operation; if it fails, this access is denied;
Step 6, the starting point accesses the terminal using the authorization certificate.
Further, the certificate traversal flow includes:
Step a, judge whether the current node's pending-authorization list for the original request is empty; if it is empty, jump to step e;
Step b, judge whether the node in the pending-authorization list already exists in the authorized-node list; if it does, read that node's return value directly from the authorized-node list; if it does not, enter step c;
Step c, pass the certificate to the node in the pending-authorization list, and have that node call the certificate traversal flow to obtain its return value;
Step d, repeat steps b and c for the next item of the pending-authorization list until the return values of all nodes in the pending-authorization list have been obtained;
Step e, enter the rule determination flow and obtain the return value of each rule part according to the authorization rules used by the node itself;
Step f, read the logical expression; the logical expression computes the node's return value by logical calculation from the return values of the rule parts and all the return values of the pending-authorization list; this return value serves as the return value of the whole flow and is recorded in the authorized-node list.
Further, the rule determination flow includes basic information rules and pending-authorization-list rules;
the basic information rules make decisions on the various information of the node in the manner of attribute-based access control (ABAC), including: restrictions on the starting point, restrictions on the requested permission, restrictions on the terminal, restrictions on time, and checks on the parent node;
the pending-authorization-list rules judge the performance of the pending-authorization list.
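The following Python is an added illustration, not code from the patent, of the access method (steps 1 to 6) together with the certificate traversal flow (steps a to f) and the rule determination flow described above: a pending certificate is issued by the terminal, passed depth-first along each node's pending-authorization list, evaluated by ABAC-style basic information rules and a per-node logical expression, and every node's return value is recorded in an authorized-node list so a node shared by several lists is evaluated once. The node names, rules, time values and the handling of a cycle in the pending lists are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed illustration of the patent's traversal flow (steps a-f) and access
# method (steps 1-6); node names, rules and cycle handling are assumptions.


@dataclass
class Certificate:
    """Pending authorization certificate issued by the terminal (step 2)."""
    origin: str                      # starting point information
    permission: str                  # requested permission
    request_time: int                # request time, here an hour of day (constructed)
    terminal: str                    # node being accessed
    authorized_nodes: Dict[str, bool] = field(default_factory=dict)  # step b/f record
    granted: bool = False            # True only when the terminal's expression passes


# A rule sees the certificate and the parent node that passed it on, which covers
# the basic information rules: origin, permission, time, terminal, parent check.
Rule = Callable[[Certificate, Optional[str]], bool]
# The logical expression combines rule results with pending-list return values.
Expression = Callable[[Dict[str, bool], Dict[str, bool]], bool]


@dataclass
class Node:
    name: str
    pending: List[str]               # pending-authorization list
    rules: Dict[str, Rule]
    expression: Expression
    visits: int = 0                  # instrumentation: how often the node was entered


class NodeNetwork:
    def __init__(self, nodes: List[Node]) -> None:
        self.nodes = {n.name: n for n in nodes}
        self._on_stack: set = set()

    def traverse(self, name: str, cert: Certificate, parent: Optional[str]) -> bool:
        """Certificate traversal flow for one node; returns the node's value."""
        node = self.nodes[name]
        node.visits += 1
        # Assumption: a node already on the DFS stack (a cycle in the pending lists)
        # counts as not yet authorized instead of recursing forever.
        if name in self._on_stack:
            return False
        self._on_stack.add(name)
        pending_results: Dict[str, bool] = {}
        # Steps a-d: an empty pending list falls straight through to the rules.
        for item in node.pending:
            if item in cert.authorized_nodes:            # step b: reuse recorded value
                pending_results[item] = cert.authorized_nodes[item]
            else:                                        # step c: hand the certificate on
                pending_results[item] = self.traverse(item, cert, name)
        # Step e: rule determination flow over the node's own rules.
        rule_results = {rn: rule(cert, parent) for rn, rule in node.rules.items()}
        # Step f: the logical expression yields the node's return value, recorded
        # in the authorized-node list so other nodes can read it without a re-visit.
        value = node.expression(rule_results, pending_results)
        cert.authorized_nodes[name] = value
        self._on_stack.discard(name)
        return value

    def authorize(self, origin: str, terminal: str, permission: str,
                  request_time: int) -> Certificate:
        """Steps 1-5: issue a pending certificate, traverse from the terminal,
        and let the terminal's return value decide whether it becomes granted."""
        cert = Certificate(origin, permission, request_time, terminal)
        self._on_stack = set()
        cert.granted = self.traverse(terminal, cert, None)
        return cert


def all_of(rules: Dict[str, bool], pending: Dict[str, bool]) -> bool:
    """Default logical expression: every rule and every pending node must pass."""
    return all(rules.values()) and all(pending.values())


def build_network() -> NodeNetwork:
    """Constructed network modelled on the page's login example: the account
    node depends on the verification-code node, and the resource terminal
    accepts either the account node or a separate audit node."""
    captcha = Node("captcha", [],
                   {"not_blocked": lambda c, p: c.origin not in {"eve"}}, all_of)
    account = Node("account", ["captcha"],
                   {"known_user": lambda c, p: c.origin in {"alice", "bob"}}, all_of)
    audit = Node("audit", ["captcha"],
                 {"parent_is_resource": lambda c, p: p == "resource",   # parent check
                  "office_hours": lambda c, p: 9 <= c.request_time <= 17}, all_of)
    resource = Node("resource", ["account", "audit"],
                    {"permission_ok": lambda c, p: c.permission in {"read", "write"}},
                    # rules AND (account OR audit): operators beyond plain conjunction
                    lambda r, pend: all(r.values()) and (pend["account"] or pend["audit"]))
    return NodeNetwork([captcha, account, audit, resource])


if __name__ == "__main__":
    cert = build_network().authorize("alice", "resource", "read", 10)
    print("granted:", cert.granted, "node values:", cert.authorized_nodes)
```

The `visits` counter shows the effect of step b: the captcha node is entered once even though both the account and audit nodes list it.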
Specifically:
One, the construction process of the certificate-based access control model in a network structure provided by the present invention:
Building on predecessors' exploration of access control models in distributed, interactive and complex networks, the present invention wants to construct a network model in which all access control participants (including the subjects and objects of traditional access control models) are nodes; how authorization is then completed in such a structure is the content the present invention will introduce. The present invention refers to the construction process of RBAC, mainly comprising the basic ideas for constructing the model and an introduction to the model's components.
1, construction idea:
1), OAuth
In the existing Internet application environment, attempts to solve the problem of "accepting requests between dispersed nodes in a network" can already be seen. Consider the following example:
Suppose you register your basic information, work, hobbies and other information on a social networking site. When you browse an online shopping site (such as Taobao), a recruitment site or a game site, you can choose to log in with your existing social networking account so that the site can conveniently make personalized recommendations. With a traditional access control scheme, you would need to hand the social networking site's user name and password to the shopping site; by logging in, the shopping site obtains your basic information from the social networking site and ultimately forms personalized recommendations.
This traditional mode causes the following problems:
1. When the shopping site obtains the user's basic information, it records the user's user name and password, which is a serious security hazard;
2. Once the shopping site has the user name and password, it can obtain other unnecessary information on the site, such as work and hobbies. The user cannot limit the range of information obtained or the period for which it is used;
3. If the user no longer wants the shopping site to obtain information, the only option is to change the password, but this in turn affects other sites, such as the recruitment site and the game site;
4. Among the many sites the user has authorized, if even one leaks the user's information, it will cause great trouble for the user.
To solve this problem, scholars proposed an authorization standard named OAuth, which has been widely applied. The specific OAuth standard is described in detail in RFC documents; the present invention only borrows its idea as an introduction. The basic idea of OAuth involves three participants: a third-party application (hereinafter "application"), a user, and the owner of the user's resources (hereinafter "resource"). As shown in Figure 3, the OAuth flow is:
1. The user wishes the application to obtain part of the permissions on the resource, and makes a request to the application;
2. The application applies to the resource, on behalf of the user, for the corresponding permission on the resource;
3. The resource, according to the application's request, generates a certificate to be confirmed that contains the authorization information, and presents it to the user;
4. If the user agrees after understanding the authorized content, a complete certificate is generated;
5. The resource provides the certificate to the application, which uses it to access the authorized part of the information.
Briefly, through this protocol the application completes an indirect access to the resource via the user. But in this scenario the user is the initiator of the access, the whole flow is user-initiated, and the resource side also needs to communicate directly with the user. The scenario the present invention wishes to discuss is one in which the application dominates the start of the flow, and during authorization the resource side does not take part in the authorization process but only judges whether the access request is executed; authorization decision and authorization execution are separated into two parts, which makes the model more efficient.
2), expansion of indirect access in range
A core module of the OAuth flow mentioned above is the certificate (access token). Before the application finally obtains the certificate, the resource side generates a certificate containing the permission information the application wants to request; the certificate may also include other information, such as the certificate's validity period, usage limits, and control rules that other access controls may involve. The resource side then gives the certificate to the user for authorization, and finally a certificate resembling a "pass" is generated. Afterwards the application can directly use the certificate to complete operations within the authorized scope. The present invention borrows this idea and extracts the scenario of indirect access among multiple targets, as shown in Figure 4.
In this scenario, the request is initiated by the application, which obtains a certificate that needs the user's authorization; the resource no longer takes part in the decision and only performs the operation of allowing or denying access, and whether the decision and authorization can be completed depends on whether the user agrees to grant the certificate in step 3. Such a structure achieves the separation of the decision layer from the execution layer, while extending beyond the situation with only three participants, since in practical applications some requests may require multi-party verification before they take effect.
3), expansion of indirect access in depth
After solving the expansion in range, the following situation also needs to be considered: a user is only willing to authorize after another user has authorized the certificate, for example in a workflow that requires successive approvals. So access scenarios with a "path" feature must be taken into account, that is, adding depth to the authorization chain on the basis of range.
The scenario shown in Figure 5 embodies the depth problem in the authorization chain: if user 1 indicates that the certificate must first be authorized by user A before he is willing to authorize it, this scenario arises. The scenario is very common in the Internet environment; for example, accessing a page that requires login means passing two nodes, account-password authorization and verification code authentication. Under normal conditions, in order to prevent malicious logins (such as continuously trying passwords), account-password authorization can only proceed after verification code authentication has been completed. So a user who wants to complete account-password authorization must first obtain the authorization of the verification code node.
The steps shown in Figure 5 give a way of solving this scenario: when a node obtains the certificate but another node must first complete authorization before the authorization step can continue, the node sends the certificate to the node that needs to authorize, waits to receive the authorization certificate returned after that authorization is completed, and then continues its own authorization operation. Here the present invention considers why the step of sending the certificate differs from the scenario described in Figure 4, where the certificate is given back to the request initiator so that it can send it to user A. First, in the Figure 4 scenario the empty certificate is returned to the initiator for it to complete only in order to distinguish the authorization process from the execution process, whereas in this example such a return has no actual meaning within the authorization flow itself. Second, as the certificate authorization path becomes ever more complex, such operations would greatly reduce the efficiency of the whole authorization, so the intermediate node is allowed to send the certificate to the next-layer node itself, saving unnecessary operations.
4) Indirect access in a relational network
With the above extensions in depth and range, it naturally follows that the structure between nodes may be more complex still, for instance when a node requires the authorization of several interdependent nodes before it authorizes, so that the authorization relationships between nodes form a two-dimensional structure. How is indirect access completed in such a structure? In order to make the transition from OAuth to the model designed by the present invention, the invention describes it on the basis of the architecture above, and uses "node" in place of "user" for the participants of the model, which better embodies the essence of a network structure. Figure 6 explains how this model solves the problem.
It should be noted that the node network is not a physically existing network but a data structure generated during the authorization flow. From the start, every node that the certificate passes through holds a waiting-for-grant list, which contains the authorizations of other nodes that are required before this node authorizes. If each participant is a "vertex" in the network, then the waiting-for-grant lists of these vertices are its "edges", and together they constitute this data structure.
An indirect access structure of such complexity may not be applicable in existing OAuth or access control models, but in the networked world and even in real life such authorization is typical. It is expected that with the rapid development of technologies such as the Internet of Things, access authorization scenarios with such complex relationships between nodes will become more and more common, so the present invention proposes this model in an attempt to offer a way of solving access control under complex indirect access scenarios. The following sections focus on how the authorization process of access control is completed by certificate transmission in a network under this kind of data structure.
2, Model composition
Table 1 lists the main components of the model and their code names; the code names are mostly used when these components are referred to below:
Table 1
This table completely describes the elements that the framework of the whole model is built from and mainly contains. Unlike traditional access control models, this structure separates the decision in the access control model from the execution of the operation. A node that holds information, such as a database server or a PC, only needs to judge authorization directly according to whether the request carries a complete certificate; it needs no complex decision process. The decision process is instead completed in the node network by the starting point carrying the certificate to be authorized. This separation greatly improves the efficiency of access control and is better suited to distributed networks.
Two, the authorization process of the invention is:
In combination with the access control model shown in Figure 1, after the decision layer and execution layer have been separated, the concrete decision for a request is entirely completed by the authorization flow in the node network. This chapter introduces, from three aspects, how the authorization flow makes a decision on an access request, and the strategies used in each process.
1, Authorization flow
As shown in Figure 2, in this model a complete authorization flow proceeds according to the following steps:
1) a node wishes to obtain part of the permissions of another node and initiates a request;
2) the accessed node (terminal) generates a certificate to be authorized (T'), which contains the information necessary for the flow, such as information about the starting point, the permission applied for, the application time and other information commonly related to access control; and, for the starting point and the permission it applies for, provides the waiting-for-grant list required to obtain that permission (L_{v,authority});
3) the starting point obtains this certificate to be authorized (T'), enters the certificate traversal flow from L(1), and begins traversing the node network (N) in a depth-first manner;
4) in the certificate traversal flow, after each node has finished traversing its own L, it enters the rule determination flow and, according to the access control policy it adopts (such as authentication, RBAC, ABAC, etc.), gives the final return value of the node;
5) after completion, T' backtracks to the starting point, and whether authorization succeeded is judged from T' according to the logical expression E of the terminal; if it succeeds, T' becomes T and the starting point carries out the corresponding operation, otherwise the access is denied;
6) the starting point uses T to access the terminal under the rules specified in T.
2, Certificate traversal flow
The L_{v,authority} referred to repeatedly above is the main traversal target of the certificate traversal flow. Starting from the L(1) of the starting point, every node traversed also has its own L for this request, and these L constitute the branches of the node network.
This flow completes the traversal of the certificate with depth-first search, a classical graph traversal algorithm. The algorithm is implemented mainly with backtracking; its main idea is as follows:
Algorithm: certificate traversal flow:
1) judge whether the L of the current node for the original request is empty; if it is empty, jump to step 5;
2) judge whether L(n) (n counting from the initial position) already exists in the authorized node list (P); if it exists, read the return value of that node directly from P; if not, go to step 3;
3) pass the certificate to L(n), call the certificate traversal flow on L(n), and obtain the return value of L(n);
4) set n = n + 1 and repeat steps 2 and 3 until the return values of all nodes in L have been obtained;
5) enter the rule (R) determination flow according to the authorization rules used by the node itself, and obtain the return value of each rule part;
6) read the logical expression (E), and from the return values of the rule parts and all return values of L obtain the return value of the node through the logical calculation given by the expression; this return value is returned as the return value of the whole flow and is recorded in P.
3, Rule determination flow
The section on the whole authorization flow mentioned that a node needs to go through the rule determination flow after completing its L. In this flow the node combines the information it has obtained to make a judgement on the logic rules. The certificate to be authorized T' mainly contains two kinds of information: the basic access information brought from the starting point, and the information from L. Accordingly, the rules followed in authorization are broadly divided into two classes: basic information rules and node network rules. In reality the two may be correlated, for example some node may require the authorization of another node within a certain period, but this coupling can make access control scenarios very complex, so at the present stage of the research the present invention discusses the two separately.
1) Basic information rules
For access control based on basic information rules, an approach similar to attribute-based access control (ABAC) can be applied, making the decision on the various items of information about the node, such as:
a restriction on the starting point (such as a blacklist);
a restriction on the terminal;
a restriction on the permission (behaviour) applied for;
a restriction on time (including the time the behaviour occurs and the application time);
a check on the parent node (ensuring that the certificate was obtained from an approved parent node).
Rules of this kind are all set from the information carried by the certificate and the situation of each node itself. In a concrete application, different nodes can adopt different access control policies (such as account information authentication, RBAC, etc.) according to their own usage scenarios, output the result and finally apply it in the network model as the return value. This arrangement also allows the model to be better compatible with the various existing and common access control models; concrete applications are mentioned in the following sections.
2) Waiting-for-grant list (L) rules
Besides the basic information, one of the cores of this model is the judgement of the results of L. A completed L contains the authorization conditions of all nodes that are required before the current node finally authorizes the access. As with the basic information, the current node can still carry out more macroscopic operations on each return value of L according to the access control policy it adopts. For example, a node that uses RBAC for access control can read the roles of the starting point and terminal in the basic information rules and decide whether to authorize according to RBAC. At the same time, after completing its own L it can read the role of each node in L, and stipulate that the return values of all nodes of a certain role in L must all be 1 (agree to authorize), or that at least a number of nodes of a certain role must return agreement, before it allows authorization.
4, Logical expression (E)
After the two kinds of rules have been defined, the node of origin needs to perform a series of logical operations on the authorization conditions derived from these rules to finally obtain its own judgement. This model defines an expression formula to describe the rules in a standardized way:
where L and R are as defined above, and the operator symbol represents a logical operator:
For the node mentioned in 3, 2) that uses RBAC for access control, its access control rule can be expressed as:
R1: roles = 'r1'
The expression states that the rule of the current node is: if the role of the starting node is r1, and in the waiting-for-grant list of the current node more than n nodes with role r2 have agreed to authorize, then the current node grants authorization. It can be seen from the formula that R1 belongs to the basic information rules and R2 to the waiting-for-grant list rules.
Just as with RBAC, different rules can be designed for different nodes to realize the ideas of the mainstream traditional access control models such as DAC, MAC or TRBAC. They can even be used in combination; for example a node can compute a trust value from information such as the access path carried in the certificate, and combine it with node roles to compute the return value of each node. In the model their characteristics can be combined well with the node network to express the authorization rules of complex network scenarios.
In modern cyberspace different participants may use different types of access control, and under this model they can be expressed and combined with a common specification, while different nodes can design their own rules as required. The design of these three parts of the decision layer gives the model very strong scalability and compatibility, enabling access control to keep pace with the development of distributed networks.
Three, the specific application of the access control model of the present invention is as follows:
Above, each part of the model has been taken apart and described in detail, and some simple examples have also been given for the operation flow of each part. This chapter starts from the example of WeChat Moments (the "circle of friends") to describe the advantages and concrete application of this model.
WeChat Moments is a social tool whose primitive rules are:
1, anyone can publish public information, and this information can be commented on;
2, everyone can only read or comment on information published by their own friends;
3, a user who wants to read or comment on another comment must be a friend of both parties of that comment.
For example:
Access control scene 1:
A: I
B replies to A (I): r1
Background: A, B and C are mutual friends, but D is a friend of A only.
Request: C and D separately apply for permission to read r1.
Nodes: A, B, C, D, I, r1
According to the primitive rules, the access control policy WeChat uses is to evaluate C ∈ (FriendList_A ∩ FriendList_B) and D ∈ (FriendList_A ∩ FriendList_B), authorizing if the value is 1 and refusing otherwise. The result of access control is therefore that C's request is accepted and D's request is refused.
According to the model proposed by the present invention, the model table of scene 1 is as shown in Table 2:
Table 2
Node | L       | R                  | E
A    | -       | C/D ∈ FriendList_A | C/D ∈ FriendList_A
B    | -       | C/D ∈ FriendList_B | C/D ∈ FriendList_B
I    | A       | -                  | A
r1   | I, A, B | -                  | I ∧ A ∧ B
The authorization flow of scene 1 is shown in Figure 7.
From the authorization flow diagram it can be seen that under a simple scene, although the verification process of the new model is somewhat more complex, the result obtained, that C's request is accepted and D's request is refused, is consistent with the result of the model the software uses. The following example explains some shortcomings of the traditional access control model and how this model solves them.
Access control scene 2:
A: I
B replies to A (I): r1
C replies to A (I): r4
C replies to B (r1): r2
A replies to C (r2): r3
Background: A, B and C are mutual friends; D is a friend of A and C, but not a friend of B.
Request: D separately applies to read r3 and r4.
Nodes: A, B, C, D, I, r1, r2, r3, r4
According to WeChat's own access control policy, D ∈ (FriendList_A ∩ FriendList_C) holds for both r3 and r4, so both requests are accepted. But in this scene r3 is related to r2, so r3 may contain information about B, a participant in r2, and B is not necessarily willing to authorize D to see this part of the information; it may be leaked, which forms a security breach of user privacy.
According to this model, the model table of scene 2 is as shown in Table 3:
Table 3
Node | L        | R                | E
A    | -        | D ∈ FriendList_A | D ∈ FriendList_A
B    | -        | D ∈ FriendList_B | D ∈ FriendList_B
C    | -        | D ∈ FriendList_C | D ∈ FriendList_C
I    | A        | -                | A
r1   | I, A, B  | -                | I ∧ A ∧ B
r2   | r1, B, C | -                | r1 ∧ B ∧ C
r3   | r2, A, C | -                | r2 ∧ A ∧ C
r4   | A, C     | -                | A ∧ C
Comparing the requests for r3 and r4: the E of r4 is similar to the access control policy used by WeChat itself; since D ∈ (FriendList_A ∩ FriendList_C) is 1, the application to read r4 is accepted after the authorization of nodes A and C. For r3, on the other hand, since r3 is correlated with r2, its E contains r2, so for the certificate to be authorized it must pass the authorization of B, which clearly cannot succeed.
Compared with the traditional access control policy, this result better protects user privacy, and also shows that under the more complex access control scenes of modern networks the authorization flow of this model is more rigorous. The interaction relationships in the current network environment are complex and resources propagate more and more frequently; data that involve an access path or have multi-layer subordinate relationships often carry security risks.
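The certificate traversal flow of section Two, 2 (depth-first search with backtracking and the authorized-node list P) and the scene 2 model table above, carried out in code. This is an added example, not code from the patent: the node names, friend lists and the "origin is my friend" rule R are the constructed background of scenes 1 and 2, and E defaults to the conjunction used in Tables 2 and 3.

```python
from typing import Callable, Dict, List, Optional

class Certificate:
    """Certificate to be authorized (T'): basic access information from the
    starting point plus the authorized-node list P used as a memo."""
    def __init__(self, origin: str, terminal: str, permission: str = "read"):
        self.origin, self.terminal, self.permission = origin, terminal, permission
        self.P: Dict[str, bool] = {}

Rule = Callable[[Certificate], bool]

class Node:
    """A participant with its waiting-for-grant list L, basic-information rule R
    and logical expression E (default: R AND every return value in L)."""
    def __init__(self, name: str, L=(), R: Optional[Rule] = None, E=None):
        self.name, self.L, self.R = name, list(L), R
        self.E = E or (lambda r, l_vals: (True if r is None else r) and all(l_vals))

def traverse(network: Dict[str, Node], name: str, cert: Certificate) -> bool:
    """Certificate traversal flow (depth-first with backtracking)."""
    node = network[name]
    l_vals: List[bool] = []
    for dep in node.L:                      # steps 1-4: walk L(1), L(2), ...
        if dep in cert.P:                   # step 2: already decided, read P
            l_vals.append(cert.P[dep])
        else:                               # step 3: pass certificate to L(n)
            l_vals.append(traverse(network, dep, cert))
    r_val = node.R(cert) if node.R else None   # step 5: rule (R) determination
    result = node.E(r_val, l_vals)             # step 6: evaluate E
    cert.P[name] = result                      # record return value in P
    return result

def authorize(network: Dict[str, Node], origin: str, terminal: str) -> bool:
    """Authorization flow steps 1-5: T' becomes T only if E of the terminal holds."""
    cert = Certificate(origin, terminal)
    return traverse(network, terminal, cert)

# Constructed background of scene 2: A, B, C are mutual friends; D is a
# friend of A and C only.  R of a user node is "the origin is my friend".
FRIENDS = {"A": {"B", "C", "D"}, "B": {"A", "C"}, "C": {"A", "B", "D"}}

def friend_rule(user: str) -> Rule:
    return lambda cert: cert.origin in FRIENDS[user]

SCENE2: Dict[str, Node] = {u: Node(u, R=friend_rule(u)) for u in FRIENDS}
SCENE2.update({
    "I":  Node("I",  L=["A"]),             # A's post
    "r1": Node("r1", L=["I", "A", "B"]),   # B replies to A (I)
    "r2": Node("r2", L=["r1", "B", "C"]),  # C replies to B (r1)
    "r3": Node("r3", L=["r2", "A", "C"]),  # A replies to C (r2)
    "r4": Node("r4", L=["A", "C"]),        # C replies to A (I), L as in Table 3
})

if __name__ == "__main__":
    print("D -> r3:", authorize(SCENE2, "D", "r3"))  # False: E of r3 needs r2, hence B
    print("D -> r4:", authorize(SCENE2, "D", "r4"))  # True: A and C both grant
```

Because D is not a friend of B, B's return value is 0 and propagates through r1 and r2 to deny r3, while the same network also reproduces scene 1 (C may read r1, D may not).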
The present invention constructs an access control model based on certificates. Aimed mainly at the characteristics of information propagation in network environments without clear subject-object boundaries and in distributed networks, it defines a model structure with high expressiveness and extensibility; by means of nodes, certificate transmission and waiting-for-grant lists it interprets the common access control scenes of modern cyberspace from a new angle, and separates the decision in access control from its execution. It proposes a certificate traversal flow based on the DFS algorithm, adds basic information rules, waiting-for-grant list rules and logical expressions to it, and defines the authorization flow in a standardized way, allowing the model to express different types of traditional access control models. It also gives a concrete example derivation, and analyses the applicable scenes and advantages of this model.
The above are only preferred embodiments of the present invention and are not intended to limit it; for those skilled in the art, the invention may be modified and varied in many ways. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention shall be included in the scope of protection of the present invention.