CN108390874A - Access control model and access method based on certificate in network structure

Info

Publication number: CN108390874A
Authority: CN (China)
Prior art keywords: certificate, node, starting point, access, network
Application number: CN201810145458.4A
Other languages: Chinese (zh)
Other versions: CN108390874B (en)
Inventors: 何泾沙, 黄辉祥, 侯立夫, 廖志钢
Original assignee: 北京工业大学

Classifications

All classifications fall under H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to network resources
    • H04L63/101 Access control lists [ACL]
    • H04L63/0823 Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network, using certificates
    • H04L41/12 Arrangements for maintenance or administration or management of packet switching networks: network topology discovery or management
    • H04L41/145 Arrangements for maintenance or administration or management of packet switching networks involving network analysis or design, e.g. simulation, network model or planning: simulating, designing, planning or modelling of a network
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements including means for verifying the identity or authority of a user of the system or for message authentication, involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3268 As H04L9/3263, using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]

Abstract

The invention discloses a certificate-based access control model and access method for a network structure. The model comprises a starting point, a terminal and a node network. The starting point is the node that initiates an access request, the terminal is the node being accessed, and the node network is a mesh topology formed by connecting multiple nodes through their pending-authorization lists. The starting point sends an access request to the terminal; the terminal generates a pending-authorization certificate and returns it to the starting point; the certificate enters the node network and goes through the authorization flow, after which the starting point accesses the terminal with the authorized certificate. The invention treats subjects and objects alike as nodes forming a node network, and uses licensing mechanisms such as certificate transfer and indirect-access rules, combined according to a prescribed logical expression, to reach the access control decision. Nodes can therefore manage permissions more autonomously and dynamically without depending on or affecting the whole system. At the same time, because the authorization decision follows the topology of the node network, the model can fully account for the privacy of each node even when complex information propagation is involved.

Description

Access control model and access method based on certificate in network structure

Technical field

The present invention relates to the field of information security technology, and in particular to a certificate-based access control model and access method for a network structure.

Background technology

Classical access control models express the relationship between access participants through a triple of subject, object and permission. Three classical models exist in the access control field: Discretionary Access Control (DAC), Mandatory Access Control (MAC) and the more widely adopted Role-Based Access Control (RBAC). Each has its own applicable scenarios, advantages and disadvantages. In earlier security systems this triple form could express access authorization scenarios well. But with the spread of the Internet to more kinds of devices and the development of the Internet of Things, network relationships have gradually become discrete and individualized, as in today's social software and the Internet products derived from it, where there is no clear boundary between subject and object and the structure looks more like a network. At the same time, distributed and peer-to-peer (P2P) communication of network information is increasing, so a new kind of access control model with adaptability, compatibility and scalability is needed.

Some scholars at home and abroad have proposed unifying subject-to-subject and subject-to-object access control in social networks; the research focus of access control is moving toward dynamism and autonomy, and scholars are looking for a form of access control between individuals that suits a network structure. Their models, however, are still influenced by traditional access control: for example, when discussing how U2U (User to User) and U2R (User to Resource) access is handled, they still treat the two sides separately as subject and object; when making access decisions with a logical language they still lean toward static or one-to-one approaches; and when handling access that involves a path, they find nodes by traversal alone, which easily leads to security problems. Others consider only the propagation property, but confine themselves to imitating attribute-based access control and summarize the complex network propagation environment into a number of static attributes.

To adapt to diversified and increasingly complex network application scenarios, scholars at home and abroad have proposed new access control models for certain shortcomings of traditional models, either by optimizing the classical models or by proposing models better suited to particular properties of the Internet. The present invention is mainly concerned with recent domestic and foreign research on access control models suited to distributed networks or to networks with complex propagation relationships:

Analysis of access control characteristics in big data and networks

Li Hao et al., starting from the new characteristics of big data and its applications, identify five problems that big data access control urgently needs to solve: authorization management, fine-grained access control, access control policy specification, individual privacy protection, and the implementation of access control in distributed architectures. They also distil the characteristics an access control model must have to suit the big data environment: diversified decision bases, fuzzy (or uncertain) decision results, and the fusion of multiple access control technologies.

Old Yao female et al. briefly analyze the characteristics and architecture of big data and conclude that access control under big data must satisfy the principles of autonomy, dynamism, fine granularity and cross-domain authorization. By comparing the applicability of DAC, MAC, RBAC and ABAC in the big data environment, they find that in big data and today's open networks, autonomous and dynamic authorization is the more popular access control mode.

Novel access control models proposed for the existing network environment

Liu Sha and Tan Liang observe that the access control model of the Hadoop cloud platform has an obvious shortcoming: it considers only the authenticity of the user's identity at authorization time, takes no account of the trustworthiness of the user's later behaviour, and no longer supervises a permission once it has been granted. They propose a trust-based LT model for the Hadoop cloud platform that assigns each user a trust value and updates it in real time from the user's behaviour records in the cluster, thereby meeting the need for dynamic access control in open networks.

Xiong Jun provides a multi-strategy access control model, giving an operator-based policy specification method and an XML-based detailed policy description specification, and classifies policies in order to describe them further. For policy adjustment, the addition, cancellation and change of policies are discussed in detail. For policy selection and decision problems, roles, permissions and security policies are fuzzified and analysed, and a fuzzy algorithm is introduced to judge the user's access rights; the intent is to combine different lines of thinking to control access.

Vishwamitra notes that in a network environment where information passes through multiple layers, users cannot exercise proper access control over information related to themselves. An access control model named PMAC is proposed that separates attributes identifying the user, such as facial and physical features, from sharable data, treats this category of information differently in access control according to relationship lists and delegation policies, and lets users ensure through generated policies that certain key private details are not leaked.

State of research on access control models based on networks and relational networks

Li Fenghua et al. propose a cyberspace-oriented access control model, denoted CoAC. The model covers elements such as the access requesting entity, generalized tense, access point, access device, network, resource, network interaction graph and resource propagation chain, and can effectively prevent security problems arising from the separation of data ownership and administrative rights and from secondary or repeated forwarding of information.

Cheng et al. propose an access control model based on relationships between users. They regard the user-to-user relationship as the cornerstone of online social networks (OSN) and on that basis propose a novel access control model that defines relationships in the social network and uses them to connect users in a standardized way, specifies the rules for legitimate paths, and finally uses a DFS-like path search algorithm, computing its complexity and demonstrating its correctness. Bruns et al. describe a relationship-based access control model using Hybrid Logic. Cai Hongyun et al. extend this model with the measurement and transmission of relationship strength.

Carminati et al., likewise addressing the information security problems brought by large-scale resource sharing in today's social networks, propose rule-based access control (Rule-Based Access Control): access rules are specified on the basis of the form, depth and trust degree of existing relationships, and certificates attesting the relationship between subjects are matched against them to limit information propagation.

Hu et al. and Liu Na discuss the problems of multiparty access control in online social networks (OSN) and propose a model, MPAC (Multiparty Access Control). Taking access to information between users on Facebook as the example, they use answer set programming (Answer Set Programming, ASP) to explain how their model solves the management of shared information on an OSN.

Ma, targeting the network characteristics of social networks, proposes RuleSN, a new model suited to cloud computing environments. The model uses a logical language similar to that of Hu and Cheng and is highly expressive for the many User to User (U2U), User to Resource (U2R) and Resource to Resource (R2R) relationships in social networks and for the specific attributes of users and resources.

As the above shows, as Internet access control scenarios keep changing, traditional models are no longer able to adapt well in authorization management, policy description, privacy protection and other respects. Some researchers try to supplement traditional access control in details, or pile up more and more decision conditions so that experimental results better fit a certain type of access scenario. But the rapidly changing, distributed network structure and the diversified composition of subjects and objects require innovation at the model level. Researchers have started from social networks, using their rich node-association data to build access control suited to relational networks. The ideas and construction methods of these models are novel, but they still treat users and resources differently. And in the definition of policies, for access involving a path (indirect access) they decide only on objective conditions between nodes, such as relationship strength or distance, ignoring the independence and scalability of the model, which affects the protection of user privacy to some extent.

Summary of the invention

In view of the shortcomings of the problems described above, the present invention provides a certificate-based access control model and access method for a network structure.

To achieve the above object, the present invention provides a certificate-based access control model in a network structure, comprising: a starting point, a terminal and a node network;

The starting point is the node that initiates the access request, the terminal is the accessed node, and the node network is a mesh topology formed by connecting multiple nodes through their pending-authorization lists;

The starting point initiates an access request to the terminal; the terminal generates a pending-authorization certificate and sends it to the starting point; the starting point accesses the terminal with the authorized certificate. The pending-authorization certificate contains the starting point information, the requested permission and the application time, together with the pending-authorization list that the starting point must satisfy to obtain the requested permission;

Starting from the terminal's pending-authorization list, the starting point enters the certificate traversal flow and traverses the node network depth-first. In the certificate traversal flow, once a node has finished traversing its own pending-authorization list it enters the rule decision flow, applies the access control policy it has adopted, and gives the node's final return value. When backtracking is complete, the pending-authorization certificate returns to the starting point, and whether authorization succeeded is judged by the terminal's logical expression. If it succeeded, the pending-authorization certificate becomes an authorized certificate that the starting point uses for the corresponding operation; if not, this access is denied.

As a further improvement of the present invention, the node network comprises multiple layers of nodes;

one or more nodes in the pending-authorization list of a node in a lower layer are nodes of the upper layer.

As a further improvement of the present invention, the logical expression connects the pending-authorization list and the rules through logical operators.

The present invention also provides an access method for the certificate-based access control model in a network structure, comprising:

Step 1: the starting point initiates an access request to the terminal;

Step 2: the terminal generates a pending-authorization certificate and sends it to the starting point; the pending-authorization certificate contains the starting point information, the requested permission and the application time, together with the pending-authorization list that the starting point must satisfy to obtain the requested permission;

Step 3: the starting point enters the certificate traversal flow and traverses the node network depth-first;

Step 4: in the certificate traversal flow, once a node has finished traversing its own pending-authorization list it enters the rule decision flow, applies the access control policy it has adopted, and gives the node's final return value;

Step 5: when backtracking is complete, the pending-authorization certificate returns to the starting point, and whether authorization succeeded is judged by the terminal's logical expression; if it succeeded, the pending-authorization certificate becomes an authorized certificate that the starting point uses for the corresponding operation; if not, this access is denied;

Step 6: the starting point accesses the terminal with the authorized certificate.

As a further improvement of the present invention, the certificate traversal flow comprises:

Step a: judge whether the current node's pending-authorization list for the original request is empty; if it is empty, jump to step e;

Step b: judge whether the node in the pending-authorization list is already present in the authorized-node list; if so, read that node's return value directly from the authorized-node list; if not, go to step c;

Step c: pass the certificate to that node in the pending-authorization list, which invokes the certificate traversal flow on its own pending-authorization list and obtains its return value;

Step d: repeat steps b and c for the next item of the pending-authorization list until the return values of all items in the node's pending-authorization list have been obtained;

Step e: enter the rule decision flow and obtain the return value of each rule part according to the authorization rules used by the node itself;

Step f: read the logical expression, which combines the return values of the rule parts and of all items of the pending-authorization list through logical computation to obtain the node's return value; this return value is the return value of the whole flow and is recorded in the authorized-node list.

As a further improvement of the present invention, the rule decision flow comprises basic-information rules and pending-authorization-list rules;

The basic-information rules decide on the various information of a node in the manner of attribute-based access control (ABAC), including: restrictions on the starting point, on the requested permission, on the terminal and on the time, and a check of the parent node;

The pending-authorization-list rule is a judgement on the performance of the pending-authorization list.

Compared with the prior art, the beneficial effects of the present invention are:

The present invention provides a certificate-based access control model in a network structure in which subjects and objects alike are treated as nodes and each node is connected to the others through a node association list acting as a bridge, forming a mesh topology. Novel licensing mechanisms such as certificate transfer and indirect-access rules then act jointly, according to a prescribed logical expression, in the access control decision. Whereas permission management in existing models relies more on rules fixed by the system, the present invention lets nodes manage permissions more autonomously and dynamically without depending on or affecting the whole system. At the same time, the authorization decision follows the topology of the node network, so the model can fully account for the privacy of each node even when facing complex information propagation.

Description of the drawings

Fig. 1 is a block diagram of the certificate-based access control model in a network structure disclosed in an embodiment of the present invention;

Fig. 2 is a flow chart of the access method of the certificate-based access control model in a network structure disclosed in an embodiment of the present invention;

Fig. 3 is the basic block diagram of existing OAuth;

Fig. 4 is a breakdown of the basic OAuth structure in terms of scope, according to the present invention;

Fig. 5 is a breakdown of the basic OAuth structure in terms of depth, according to the present invention;

Fig. 6 illustrates the principle by which the node network of the present invention is formed;

Fig. 7 is the authorization flow chart for scenario 1 of the present invention.

In the figures:

1, starting point; 2, terminal; 3, node network.

Detailed description of the embodiments

To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described below clearly and completely with reference to the accompanying drawings. Evidently, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments without creative work fall within the scope of protection of the present invention.

Traditional access control models express the access and authorization relationship between subject and object through a triple of subject, object and access permission. But as mobile networks gradually develop toward distribution, complex propagation relationships exist between pieces of network information, nodes are associated with one another, and there is no clear boundary between subject and object. To adapt access control research at the model level to such a network environment, the present invention proposes a novel access control model in which subjects and objects alike are treated as nodes and each node is connected to the others through a node association list acting as a bridge, forming a mesh topology. Novel licensing mechanisms such as certificate transfer and indirect-access rules then act jointly, according to a prescribed logical expression, in the access control decision. Whereas permission management in existing models relies more on fixed rules, this design lets nodes manage permissions more autonomously and dynamically without depending on or affecting the whole system. At the same time, the authorization decision follows the topology of the node network, so the model can fully account for the privacy of each node even when facing complex information propagation.

The present invention is described in further detail below with reference to the accompanying drawings:

Inspired by the widely used OAuth technology, the present invention proposes a certificate-based access control model in a network structure that breaks the subject/object relationship: all participants, whether they initiate access or are the resource being accessed, are treated as nodes. An access request made by a node is fulfilled by completing the certificate that the accessed node demands. Completing such an authorization certificate requires carefully traversing the nodes related to the accessed node and making decisions according to their different access control policies, after which authorization is finally granted. From this new perspective the invention attempts to describe access control in all kinds of complex Internet environments: it can cover the classical access control models while making up for their shortcomings, and it leaves room for extension to the complex access scenarios that arise as network environments develop. Access control thus gains higher applicability and scalability in new network environments while remaining compatible with traditional models. At the same time, in access involving a path, nodes are given a higher degree of freedom without affecting their privacy protection.

As shown in Fig. 1, the present invention provides a certificate-based access control model in a network structure, comprising: a starting point 1, a terminal 2 and a node network 3;

The starting point 1 is the node that initiates the access request, the terminal 2 is the accessed node, and the node network 3 is a mesh topology formed by connecting multiple nodes through their pending-authorization lists;

The starting point 1 initiates an access request to the terminal 2; the terminal 2 generates a pending-authorization certificate and sends it to the starting point 1; the starting point 1 accesses the terminal 2 with the authorized certificate. The pending-authorization certificate contains the starting point information, the requested permission and the application time, together with the pending-authorization list that the starting point must satisfy to obtain the requested permission;

Starting from the pending-authorization list of the terminal 2, the starting point 1 enters the certificate traversal flow and traverses the node network 3 depth-first. In the certificate traversal flow, once a node has finished traversing its own pending-authorization list it enters the rule decision flow, applies the access control policy it has adopted, and gives the node's final return value. When backtracking is complete, the pending-authorization certificate returns to the starting point, and whether authorization succeeded is judged by the terminal's logical expression. If it succeeded, the pending-authorization certificate becomes an authorized certificate that the starting point uses for the corresponding operation; if not, this access is denied.

The present invention also provides an access method for the certificate-based access control model in a network structure, comprising:

Step 1: the starting point initiates an access request to the terminal;

Step 2: the terminal generates a pending-authorization certificate and sends it to the starting point; the pending-authorization certificate contains the starting point information, the requested permission and the application time, together with the pending-authorization list that the starting point must satisfy to obtain the requested permission;

Step 3: the starting point enters the certificate traversal flow and traverses the node network depth-first;

Step 4: in the certificate traversal flow, once a node has finished traversing its own pending-authorization list it enters the rule decision flow, applies the access control policy it has adopted, and gives the node's final return value;

Step 5: when backtracking is complete, the pending-authorization certificate returns to the starting point, and whether authorization succeeded is judged by the terminal's logical expression; if it succeeded, the pending-authorization certificate becomes an authorized certificate that the starting point uses for the corresponding operation; if not, this access is denied;

Step 6: the starting point accesses the terminal with the authorized certificate.

Further, the certificate traversal flow comprises:

Step a: judge whether the current node's pending-authorization list for the original request is empty; if it is empty, jump to step e;

Step b: judge whether the node in the pending-authorization list is already present in the authorized-node list; if so, read that node's return value directly from the authorized-node list; if not, go to step c;

Step c: pass the certificate to that node in the pending-authorization list, which invokes the certificate traversal flow on its own pending-authorization list and obtains its return value;

Step d: repeat steps b and c for the next item of the pending-authorization list until the return values of all items in the node's pending-authorization list have been obtained;

Step e: enter the rule decision flow and obtain the return value of each rule part according to the authorization rules used by the node itself;

Step f: read the logical expression, which combines the return values of the rule parts and of all items of the pending-authorization list through logical computation to obtain the node's return value; this return value is the return value of the whole flow and is recorded in the authorized-node list.

Further, the rule decision flow comprises basic-information rules and pending-authorization-list rules;

The basic-information rules decide on the various information of a node in the manner of attribute-based access control (ABAC), including: restrictions on the starting point, on the requested permission, on the terminal and on the time, and a check of the parent node;

The pending-authorization-list rule is a judgement on the performance of the pending-authorization list.

Specifically:

(I) Construction process of the certificate-based access control model in a network structure provided by the invention:

Building on earlier exploration of access control models for distributed, interactive and complex networks, the invention constructs a network model in which every access control participant (including the subjects and objects of traditional access control models) is a node; how authorization is completed in such a structure is then the content the invention introduces. Following the way RBAC was built, this mainly comprises the basic idea behind constructing the model and an introduction to the model's components.

1. Construction idea:

1) OAuth

In the existing Internet application environment one can already see attempts to solve the problem of "passing a request between dispersed nodes in a network". Consider the following example:

Suppose you have registered your basic information, job and hobbies on a social networking site. When you browse an online shopping site (such as Taobao), a recruitment site or a game site, such sites may let you log in with your existing social-network account so that they can make personalized recommendations. Under a traditional access control scheme you would have to hand the shopping site the username and password of your social-network account; by logging in with them, the shopping site obtains your basic information from the social network and finally builds a personalized recommendation.

This traditional approach causes the following problems:

(1) when it obtains the user's basic information, the shopping site records the user's username and password, which is a serious security risk;

(2) once it holds the username and password, the shopping site can obtain other information on the site that it does not need, such as job and hobbies; the user can limit neither the range of information it obtains nor how long it may use it;

(3) if the user no longer wants the shopping site to obtain the information, the only remedy is to change the password, which in turn affects the other sites, such as the recruitment and game sites;

(4) among the many sites the user has authorized, a breach at any one of them leaks the user's information and causes the user great trouble.

To solve these problems, researchers proposed the authorization standard called OAuth, which is now widely used. The OAuth standard is described in detail in its RFC; the invention only borrows its idea as an introduction. Roughly, OAuth involves three participants: the third-party application (hereinafter the application), the user, and the owner of the user's resources (hereinafter the resource). As shown in Figure 3, the OAuth flow is:

(1) the user wishes the application to obtain part of the resource's permissions and makes a request to the application;

(2) the application applies to the resource, via the user, for the corresponding permission;

(3) according to the application's request, the resource generates a certificate awaiting confirmation that contains the authorization information, and presents it to the user;

(4) if the user agrees after understanding the authorized content, a complete certificate is generated;

(5) the resource supplies the certificate to the application, which uses it to access the authorized part of the information.

In short, through this protocol the application completes indirect access to the resource by way of the user. In this scene, however, the user is the initiator of the access, the whole flow is driven by the user, and the resource side must also communicate with the user directly. The scene the invention wishes to discuss is instead one in which the application drives the start of the flow and the resource side takes no part in the authorization process but only judges whether the access request may be executed; separating the authorization decision from authorization execution lets the model be built more efficiently.

2) Extending indirect access in breadth

A core component of the OAuth mentioned above is the token (the access token). Before the application finally obtains the token, the resource side generates a token that contains the permissions the application is asking for; the token may also carry other information, such as its validity period, usage restrictions, and control rules that other access controls may involve. The resource side then hands the token to the user for authorization, and finally a token resembling a "pass" is produced. Afterwards, the application's operations within the authorized scope can be completed directly with the token. The invention borrows this idea and abstracts from it the scene of indirect access between multiple targets, shown in Figure 4.

In this scene the request is initiated by the application, which obtains a certificate that the user must authorize; the resource no longer takes part in the decision and only carries out the operation of allowing or denying access, while whether the decision and authorization can be completed depends on whether the user agrees to authorize the certificate in step 3. Such a structure achieves the separation of the decision layer from the execution layer, and at the same time goes beyond the situation in which there are only three participants: in practice a request may need verification by many parties before it takes effect.

3) Extending indirect access in depth

Having addressed extension in breadth, one must also consider the following situation: a user is only willing to authorize after the certificate has been authorized by some other user, as in a workflow that requires approvals in sequence. Access scenes with a "path" feature must therefore be taken into account, that is, depth is added to the authorization chain on top of breadth.

The scene in Figure 5 illustrates the depth problem in the authorization chain: it arises when user 1 indicates that the certificate must first be authorized by user A before user 1 is willing to authorize it. This scene is very common in the Internet environment; for example, accessing a page that requires login may involve two nodes, account-and-password authorization and CAPTCHA verification. Normally, to prevent malicious logins (such as repeated password guessing), account-and-password authorization can only proceed after CAPTCHA verification has been completed, so a user who wants to complete account-and-password authorization must first obtain the authorization of the CAPTCHA node.

The steps shown in Figure 5 give one way to handle this scene: when a node receives the certificate but requires another node to complete authorization first before it can continue its own authorization step, it sends the certificate to the node that must authorize, waits for the authorized certificate to be returned after that node completes authorization, and only then continues its own authorization operation. Here the invention lets the intermediate node send the certificate itself rather than, as in the scene of Figure 4, returning it to the request initiator for forwarding to user A. First, in the Figure 4 scene the certificate is returned to the initiator only to distinguish the authorization process from the execution process, whereas here such a return would have no real meaning within the authorization flow; second, as the certificate's authorization path becomes ever more complex, such an operation would greatly reduce the efficiency of the whole authorization. The intermediate node is therefore allowed to send the certificate to the next-layer node itself, saving unnecessary operations.

4) Indirect access in a relational network

With the above extensions in depth and breadth, one naturally realizes that the structure between nodes may be still more complex: for example, the authorization of some node may require the authorization of several related nodes, so that the authorization relationships between nodes form a two-dimensional structure. How can indirect access be completed in such a structure? To move from OAuth to the model designed by the invention, the description below builds on the architecture above and replaces "user" with "node" as the model's participant, which better captures the essence of a network structure. Figure 6 explains how the model solves this problem.

It should be noted that the node network is not a physically existing network but a data structure generated during the authorization flow. Starting from the start node, every node the certificate passes through may have a pending list containing the authorizations of the other nodes required before this node will itself authorize. If each participant is a "vertex" of the network, the pending lists of these vertices are its "edges", and together they make up this data structure.

Such a complex indirect access structure may not be applicable in existing OAuth or access control models, yet in the online world, and even in real life, such authorization is typical. With the rapid development of technologies such as the Internet of Things, access authorization scenes with complex relationships between nodes will become more and more common, so the model proposed by the invention tries to offer a way of thinking about access control in complex indirect access scenes. The following sections focus on how, in this data structure, the authorization process of access control is completed by passing the certificate through the network.

2. Model composition

Table 1 lists the main components of the model and their symbols; below, the symbols are mostly used when referring to them:

Table 1

This table fully describes the elements that the bare structure of the whole model comprises. Unlike traditional access control models, this structure separates the decision in access control from the execution operation. Nodes that hold information, such as database servers or PCs, only need to judge authorization directly by whether the request carries a complete certificate, with no complex decision process of their own; that decision process is instead carried out in the node network by the start node carrying the pending certificate. This separation greatly improves the efficiency of access control and makes it better suited to distributed networks.

(II) The authorization process of the invention is:

With the access control model shown in Figure 1, once the decision layer and execution layer have been separated, the concrete decision for a request is entirely completed by the authorization flow in the node network. This section introduces, in three parts, how the authorization flow decides on an access request and the strategy used in each process.

1. Authorization flow

As shown in Figure 2, a complete authorization flow in this model runs as follows:

1) a node wishes to obtain part of the permissions of another node and initiates a request;

2) the accessed node (terminal) generates a pending certificate (T') containing the information the flow needs, such as the start node's information, the requested permission, the application time and other information commonly used in access control; and, for the start node and the permission it requests, supplies the pending list (L_{v,authority}) of nodes whose authorization is required to obtain that permission;

3) the start node obtains this pending certificate (T'), enters the certificate traversal flow from L(1) and begins to traverse the node network (N) depth-first;

4) in the certificate traversal flow, once each node has finished traversing its own L it enters the rule determination flow and, according to the access control policy it itself adopts (authentication, RBAC, ABAC and so on), gives the node's final return value;

5) when backtracking is complete T' has returned to the start node; T' judges by the terminal's logical expression E whether authorization succeeded; if so it becomes T and is used by the start node for the corresponding operation, otherwise this access is denied;

6) the start node uses T to access the terminal under the rules specified in T.

2. Certificate traversal flow

The L_{v,authority} referred to repeatedly above is the main target of the certificate traversal flow. Starting from the first entry L(1) of the pending list held by the start node, every node traversed also has its own L for this request, and these L make up the edges of the node network.

This flow completes the certificate traversal using the classic graph traversal algorithm depth-first search, implemented mainly by backtracking. The main idea is as follows:

Algorithm: certificate traversal flow:

1) judge whether the current node's L for the original request is empty; if so, jump to step 5;

2) judge whether L(n) (n counting from the initial position) is already in the authorized-node list (P); if it is, read that node's return value from P directly, otherwise go to step 3;

3) pass the certificate to L(n) and call the certificate traversal flow on L(n), obtaining the return value of L(n);

4) n = n + 1; repeat steps 2 and 3 until all return values of the node's L have been obtained;

5) enter the rule (R) determination flow and obtain the return value of each part of the rule according to the authorization rule used by the node itself;

6) read the logical expression (E); from the return values of the rule parts and all return values of L, the expression computes the node's return value by the logical calculation it specifies; this is the return value of the whole flow and is recorded in P.

3. Rule determination flow

The section on the whole authorization flow mentioned that a node needs to enter the rule determination flow after completing L. In this flow the node combines the information it has obtained to evaluate its logical rules. The pending certificate T' carries two main kinds of information: the basic access information brought from the start node, and the information collected from L. The rules followed in authorization therefore also fall broadly into two classes, basic-information rules and node-network rules. In reality the two may be correlated, for example a node may require another node's authorization within a certain period, but such coupling can make access control scenes extremely complex, so at this stage the invention discusses the two separately.

1) Basic-information rules

For basic-information rules, access control can apply an approach similar to attribute-based access control (ABAC) and decide on the various attributes of the node, for example:

Restrictions on the start node (such as a blacklist);

Restrictions on the terminal;

Restrictions on the requested permission (the action);

Restrictions on time (including the time the action occurs and the application time);

A check on the parent node (ensuring the certificate was obtained from an approved parent node).

Rules of this kind are all set from the information carried by the certificate and the circumstances of each node itself. In a concrete application, different nodes can adopt different access control policies (such as account authentication or RBAC) depending on their own usage scene; the output is finally applied in the network model as the return value. This design also makes the model compatible with the various existing, common access control models; concrete applications are given in later sections.

2) Pending-list (L) rules

Besides basic information, one of the cores of this model is the judgement on the results of L. A completed L contains the authorization results of all nodes whose final authorization the current node requires for this access. As with basic information, the current node can still operate on the individual return values of L at a more macroscopic level according to its own access control policy. For example, a node that uses RBAC for access control can read the roles of the start and terminal nodes in the basic-information rule and decide whether to authorize according to RBAC; at the same time, after completing its L, it can read the role of each node in L and stipulate that all nodes of a certain role in L must return 1 (agree to authorize), or that at least a certain number of nodes of a certain role must return 1, before it allows authorization.

4. Logical expression (E)

After the two kinds of rules have been defined, a node needs to perform a series of logical operations on the authorization conditions derived from these rules to obtain its own final judgement. For this the model defines an expression E that describes the rules in a standardized way: E is built from the L and R defined above, connected by logical operators such as ∧.

For the node using RBAC for access control mentioned in 3.2), its access control rule can be expressed as:

R1: roles = 'r1' (the role of the start node is r1);

R2: more than n nodes in the current node's pending list whose role is r2 returned 1;

E = R1 ∧ R2.

The expression states that the rule of the current node is: if the role of the start node is r1, and more than n nodes of role r2 in the current node's pending list have agreed to authorize, then the current node grants authorization. In the formula, R1 belongs to the basic-information rules and R2 to the pending-list rules.

As with RBAC, for different nodes the traditional mainstream access control models such as DAC, MAC or TRBAC can all be realized by designing different rules that express their ideas. They can even be mixed: for example a node can compute a trust value from information carried in the certificate, such as the access path, and combine it with node roles to compute the return value of each node. In the model their characteristics combine well with the node network to express authorization rules in complex network scenes.

In modern cyberspace different participants may use different types of access control; under this model they can be stated and combined with a common specification, and different nodes can design their own rules as required. This three-part design of the decision layer gives the model strong scalability and compatibility, enabling access control to keep pace with the development of distributed networks.

(III) Concrete application of the access control model of the invention:

Above, each part of the model has been dismantled and described in detail, with some simple examples of how each part operates. This section starts from the example of WeChat Moments to describe the advantages and concrete application of the model.

WeChat Moments is a social tool whose original rules are:

1. anyone can publish public information, and this information can be commented on;

2. everyone can only read or comment on information published by their own friends;

3. to read or comment on another comment, a user must be a friend of both parties to that comment.

For example:

Access control scene 1:

A posts: I

B replies to A (on I): r1

Background: A, B and C are mutual friends, but D is only a friend of A.

Request: C and D separately apply for permission to read r1.

Nodes: A, B, C, D, I, r1

According to the original rules, the access control policy WeChat uses is to evaluate C ∈ (FriendList_A ∩ FriendList_B) and D ∈ (FriendList_A ∩ FriendList_B); if the value is 1 access is granted, otherwise it is refused. The result of access control is therefore that C's request is accepted and D's request is refused.

With the model of the invention, the model table for scene 1 is Table 2:

Table 2

Node   L         R                    E
A      -         C/D ∈ FriendList_A   C/D ∈ FriendList_A
B      -         C/D ∈ FriendList_B   C/D ∈ FriendList_B
I      A         -                    A
r1     I, A, B   -                    I ∧ A ∧ B

The authorization flow of scene 1 is shown in Figure 7.

The authorization flow diagram shows that in a simple scene, although the verification process of the new model is more complex, the result obtained (C's request accepted, D's refused) agrees with the result of the model the software uses. The following example explains some shortcomings of traditional access control models and how this model solves them.

Access control scene 2:

A posts: I

B replies to A (on I): r1

C replies to A (on I): r4

C replies to B (on r1): r2

A replies to C (on r2): r3

Background: A, B and C are mutual friends; D is a friend of A and C but not of B.

Request: D separately applies for permission to read r3 and r4.

Nodes: A, B, C, D, I, r1, r2, r3, r4

According to WeChat's own access control policy, D ∈ (FriendList_A ∩ FriendList_C) holds for both r3 and r4, so both requests are accepted. But in this scene r3 is related to r2, so r3 may contain information about r2's participant B, and B is not necessarily willing for this information to be disclosed to D; this forms a security flaw that may leak user privacy.

With this model, the model table for scene 2 is Table 3:

Table 3

Node   L          R                  E
A      -          D ∈ FriendList_A   D ∈ FriendList_A
B      -          D ∈ FriendList_B   D ∈ FriendList_B
C      -          D ∈ FriendList_C   D ∈ FriendList_C
I      A          -                  A
r1     I, A, B    -                  I ∧ A ∧ B
r2     r1, B, C   -                  r1 ∧ B ∧ C
r3     r2, A, C   -                  r2 ∧ A ∧ C
r4     A, C       -                  A ∧ C

Comparing the requests for r3 and r4: the E of r4 resembles WeChat's own access control policy, and since D ∈ (FriendList_A ∩ FriendList_C) is 1, after the authorization of nodes A and C the application to read r4 is accepted. For r3, on the other hand, because r3 is related to r2 its E contains r2, so authorizing the certificate would require the authorization of B, which clearly cannot pass.

This result protects user privacy better than the traditional access control policy, and also shows that in the more complex access control scenes of modern networks the model's authorization flow is more rigorous. Interaction relationships in the current network environment are complex and resources propagate frequently; data that involve access paths or multiple layers of subordinate relationships often carry security risks.
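The following Python is an added example written for this page, not code from the patent: it implements the authorization flow and the certificate traversal flow described above (depth-first descent over each node's pending list L, the authorized-node list P used as a memo table, per-node basic-information rules R, and a logical expression E), then runs the two Moments scenes from Tables 2 and 3. Node names, friend lists and the rule factories are constructed from the scene descriptions; the cycle guard in the traversal and the parent-node rule factory are assumptions that go beyond the text, added because a pending list that loops back on itself would otherwise recurse forever and because the "check on the parent node" rule needs the traversal to pass the parent down.

```python
"""Certificate-based access control over a node network (added example for this page).
A pending certificate T' carries the start node's request and is traversed depth-first
over each node's pending list L; each node applies its rules R and expression E, and
return values are memoised in the authorised-node list P. Names, friend lists and the
cycle guard are assumptions, not taken from the patent."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


def conjunction(r_values, l_values):
    """Default E: every rule part and every pending-list entry must return 1."""
    return all(r_values.values()) and all(l_values.values())


@dataclass
class Request:
    start: str        # origin node
    permission: str   # requested permission, e.g. "read"


@dataclass
class Node:
    name: str
    pending: List[str] = field(default_factory=list)          # L
    rules: Dict[str, Callable] = field(default_factory=dict)  # R, keyed by rule name
    expr: Callable = conjunction                              # E


@dataclass
class Certificate:
    request: Request
    terminal: str
    authorized: bool = False                                # True once T' has become T
    visited: Dict[str, bool] = field(default_factory=dict)  # P
    trace: List[str] = field(default_factory=list)          # nodes actually evaluated


class Network:
    def __init__(self, nodes):
        self.nodes = {n.name: n for n in nodes}

    def traverse(self, cert, name, parent=None, in_progress=None):
        """Certificate traversal flow for one node (steps a-f of the text)."""
        in_progress = set() if in_progress is None else in_progress
        if name in cert.visited:                # step b: reuse the value recorded in P
            return cert.visited[name]
        if name in in_progress:                 # assumption: guard against cycles in L
            raise ValueError(f"authorisation cycle through {name}")
        in_progress.add(name)
        node = self.nodes[name]
        cert.trace.append(name)
        # steps a, c, d: descend into each entry of L in order (depth-first)
        l_values = {v: self.traverse(cert, v, name, in_progress) for v in node.pending}
        # step e: basic-information rules, given the certificate and the parent node
        r_values = {k: bool(rule(cert.request, parent)) for k, rule in node.rules.items()}
        # step f: the logical expression yields the node's return value, recorded in P
        result = bool(node.expr(r_values, l_values))
        cert.visited[name] = result
        in_progress.discard(name)
        return result

    def authorize(self, start, permission, terminal):
        """Whole flow: the terminal issues T', traversal starts from the terminal's own
        L, and T' becomes T only if the terminal's E evaluates to 1."""
        cert = Certificate(Request(start, permission), terminal)
        cert.authorized = self.traverse(cert, terminal)
        return cert


def friend_of(owner, friends):
    """ABAC-style restriction on the start node: it must be in owner's friend list."""
    return lambda req, parent: req.start in friends[owner]


def from_parent(approved):
    """Parent-node check: the certificate must have arrived from an approved parent."""
    return lambda req, parent: parent in approved


def scenario_1():
    """A, B, C are mutual friends; D is only A's friend (constructed data)."""
    friends = {"A": {"B", "C", "D"}, "B": {"A", "C"}, "C": {"A", "B"}}
    return Network([
        Node("A", rules={"friend": friend_of("A", friends)}),
        Node("B", rules={"friend": friend_of("B", friends)}),
        Node("I", pending=["A"]),
        Node("r1", pending=["I", "A", "B"]),
    ])


def scenario_2():
    """A, B, C are mutual friends; D is a friend of A and C but not of B."""
    friends = {"A": {"B", "C", "D"}, "B": {"A", "C"}, "C": {"A", "B", "D"}}
    return Network([
        Node("A", rules={"friend": friend_of("A", friends)}),
        Node("B", rules={"friend": friend_of("B", friends)}),
        Node("C", rules={"friend": friend_of("C", friends)}),
        Node("I", pending=["A"]),
        Node("r1", pending=["I", "A", "B"]),
        Node("r2", pending=["r1", "B", "C"]),
        Node("r3", pending=["r2", "A", "C"]),
        Node("r4", pending=["A", "C"]),
    ])


if __name__ == "__main__":
    print("scene 1, C/D read r1:", [scenario_1().authorize(w, "read", "r1").authorized for w in "CD"])
    print("scene 2, D reads r4/r3:", [scenario_2().authorize("D", "read", t).authorized for t in ("r4", "r3")])
```

Running `scenario_2().authorize("D", "read", "r3")` evaluates the nodes in the order r3, r2, r1, I, A, B, C: A is evaluated once under I and its value is then read back from P at r1 and r3, which is the saving the authorized-node list provides. A threshold rule of the R1 ∧ R2 kind from section 4 is just another `expr` that counts the `True` entries of `l_values` for nodes of a given role instead of requiring all of them.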

The invention constructs a certificate-based access control model. Aimed mainly at the way information propagates in network environments without a clear subject/object boundary and in distributed networks, it defines a highly expressive and extensible model structure which, through nodes, certificate passing and pending lists, interprets common access control scenes in modern cyberspace from a new angle and separates decision from execution in access control; it proposes a certificate traversal flow based on the DFS algorithm, adds basic-information rules, pending-list rules and a logical expression to it, and defines the authorization flow in a standardized way so that the model can express different kinds of traditional access control models; and it gives a concrete example derivation analysing the applicable scenes and advantages of the model.

The above are merely preferred embodiments of the invention and are not intended to limit it; those skilled in the art may make various modifications and variations to the invention. Any modification, equivalent replacement or improvement made within the spirit and principles of the invention shall fall within its scope of protection.

Claims (6)

1. A certificate-based access control model in a network structure, characterized by comprising: a start node, a terminal node and a node network;
the start node is the node that initiates the access request, the terminal is the accessed node, and the node network is the mesh-like topological structure formed by multiple nodes connected through pending lists;
the start node sends an access request to the terminal, the terminal generates a pending certificate and sends it to the start node, and the start node accesses the terminal with the authorized certificate; the pending certificate contains the start-node information, the requested permission and the application time, together with the pending list of nodes whose authorization the start node must obtain before it is granted the requested permission;
the start node enters the certificate traversal flow starting from the terminal's pending list and traverses the node network depth-first; in the certificate traversal flow, once each node has finished traversing its own pending list it enters the rule determination flow and, according to the access control policy it adopts, gives the node's final return value; when backtracking is complete the pending certificate has returned to the start node; the pending certificate judges by the terminal's logical expression whether authorization succeeded; if so, the pending certificate becomes an authorized certificate that the start node uses for the corresponding operation, otherwise this access is denied.
2. The certificate-based access control model in a network structure of claim 1, characterized in that the node network comprises multiple layers of nodes;
the pending list of a node in a lower layer consists of one or more nodes of the upper layer.
3. The certificate-based access control model in a network structure of claim 1, characterized in that the logical expression connects the pending list and the rules by logical operators.
4. An access method for the certificate-based access control model in a network structure of any one of claims 1 to 3, characterized by comprising:
Step 1: the start node sends an access request to the terminal;
Step 2: the terminal generates a pending certificate and sends it to the start node; the pending certificate contains the start-node information, the requested permission and the application time, together with the pending list of nodes whose authorization the start node must obtain before it is granted the requested permission;
Step 3: the start node enters the certificate traversal flow and traverses the node network depth-first;
Step 4: in the certificate traversal flow, once a node has finished traversing its own pending list it enters the rule determination flow and, according to the access control policy it adopts, gives the node's final return value;
Step 5: when backtracking is complete the pending certificate has returned to the start node; the pending certificate judges by the terminal's logical expression whether authorization succeeded; if so, the pending certificate becomes an authorized certificate that the start node uses for the corresponding operation, otherwise this access is denied;
Step 6: the start node accesses the terminal with the authorized certificate.
5. The access method of claim 4, characterized in that the certificate traversal flow comprises:
Step a: judge whether the current node's pending list for the original request is empty; if it is, jump to step e;
Step b: judge whether the node in the pending list is already present in the authorized-node list; if it is, read that node's return value directly from the authorized-node list, otherwise go to step c;
Step c: pass the certificate to that node in the pending list and call the certificate traversal flow on it, obtaining the return value of that pending-list node;
Step d: repeat steps b and c for the next entry of the pending list until the return values of all entries of the node's pending list have been obtained;
Step e: enter the rule determination flow and obtain the return value of each part of the rule according to the authorization rule used by the node itself;
Step f: read the logical expression; the logical expression combines the return values of the rule parts and all return values of the pending list by logical calculation into the node's return value, which is returned as the result of the whole flow and recorded in the authorized-node list.
6. The access method of claim 4, characterized in that the rule determination flow comprises a basic-information rule and a pending-list rule;
the basic-information rule decides on the various attributes of a node in the manner of attribute-based access control (ABAC), including: restrictions on the start node, restrictions on the terminal, restrictions on the requested permission, restrictions on time, and a check of the parent node;
the pending-list rule is the judgement made on the results collected in the pending list.
CN201810145458.4A 2018-02-12 2018-02-12 Certificate-based access control system and access method in network structure CN108390874B (en)


Publications (2)

Publication Number Publication Date
CN108390874A true CN108390874A (en) 2018-08-10
CN108390874B CN108390874B (en) 2020-08-07

Family

ID=63069428

Country Status (1)

Country Link
CN (1) CN108390874B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080289036A1 (en) * 2007-05-19 2008-11-20 Madhusudanan Kandasamy Time-based control of user access in a data processing system incorporating a role-based access control model
CN101321064A (en) * 2008-07-17 2008-12-10 上海众恒信息产业有限公司 Information system access control method and apparatus based on digital certificate technique
CN101997876A (en) * 2010-11-05 2011-03-30 重庆大学 Attribute-based access control model and cross domain access method thereof
US20170163684A1 (en) * 2015-12-08 2017-06-08 Sap Se Electronic access controls

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
ARINDAM KHALED et al.: "A Token-Based Access Control System for RDF Data in the Clouds", 2010 IEEE Second International Conference on Cloud Computing Technology and Science *
刘恒强: "Research on an access control model based on attribute certificates", China Master's Theses Full-text Database, Information Science and Technology series *
苏雪 et al.: "Certificate-based dynamic access control policy for service composition", Computer Applications and Software *

Also Published As

Publication number Publication date
CN108390874B (en) 2020-08-07

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant