CN109743331A - A matching-based access control method - Google Patents

A matching-based access control method

Info

Publication number
CN109743331A
Authority
CN
China
Prior art keywords
token
attribute
user
score
access
Prior art date
Legal status
Granted
Application number
CN201910086089.0A
Other languages
Chinese (zh)
Other versions
CN109743331B (en)
Inventor
吕秋云
祁伊祯
郑宁
姜妍
Current Assignee
Hangzhou Dianzi University
Original Assignee
Hangzhou Dianzi University
Priority date
Filing date
Publication date
Abstract

The invention discloses a matching-based access control method; the entities involved are a content provider (CP), a content requester (CQ) and a router. First, CQ sends a request to CP over a trusted network. On receiving the request, CP configures and computes the user's attributes, generates an access token for CQ and sends it to CQ. CQ then uses the access token to request content. Finally, CP verifies the access token, matches the accessible content and delivers it to CQ by means of the access token module, the content rights module and the matching module. Data is transmitted over a trusted channel to protect the content; the designed access token improves access efficiency; and, based on content rights and the requester's attribute score, the combination of coarse-grained and fine-grained matching achieves multi-level and efficient access control.

Description

A matching-based access control method
Technical field
The present invention relates to the field of access control technology, and in particular to a matching-based access control method.
Background technique
Access control is the means by which a system limits a user's ability to use its data and resources according to the user's identity and the predefined policy group the user belongs to. It is commonly used by system administrators to control user access to network resources such as servers, directories and files. Access control is an important foundation of system security, integrity, availability and legitimate usability, and one of the key strategies of network security and resource protection: on the basis of the subject's identity or permissions, it grants differentiated, authorized access to an object or its resources.
Current access control types mainly include discretionary access control, mandatory access control, role-based access control and attribute-based access control. These access control schemes, however, suffer from low reliability, poor scalability, no consideration of the hierarchy of the accessed content, and low access efficiency.
Summary of the invention
The present invention addresses the deficiencies of existing access control schemes by providing a matching-based access control method. The invention comprises a content rights module, a user attribute module, a matching module and an access token module; the modules interact as follows:
(1) System initialization: the content rights module defines the permit operations of content, and the user attribute module defines the user attributes;
(2) Content provider initialization: the content rights module and the user attribute module are initialized; the content rights module marks the permit operations and scores of accessible resources, and in the user attribute module the content provider configures base-class and subclass attributes and weights for potential requesters and computes the subclass attribute scores;
(3) The content requester CQ sends an access request to the content provider CP, and CP responds by returning an access token; at the CP end, the user attribute module first computes CQ's attribute score, then the access token module generates an access token for CQ, and finally the token is sent to CQ;
(4) CQ accesses CP's content with the access token; at the CP end, the access token module first verifies the token, then the matching module matches the accessible content set according to the user attribute score and the content rights module, and finally the requester is granted access to the matched content set. The access token can be used repeatedly within its validity period.
Content rights module: CP defines the permit operations of content and, according to the defined permit operations, scores and grades the content so as to obtain a multi-level resource set. It is implemented as follows:
1-1 Defining the permit operations of content
Definition 1: atomic operation set (Atomic Operation Set, AOp)
AOp = {…, Modify, Execute, Delegate, Share, Read}  (1)
According to the requirements of existing remote resource access, five atomic operations are defined: modify (Modify), execute (Execute), delegate (Delegate), share (Share) and read (Read);
Modify is the ability to update a resource; Execute means the resource can be executed; Delegate means the resource can be delegated to a secondary user; Share means the resource can be shared with multiple users; Read means the resource is readable. For ease of description, these five atomic operations are written M, E, D, S and R;
To define the permit operations of each resource, a structured byte based on the five atomic operations is introduced: each bit represents one atomic operation and is set to 1 if that operation is permitted and 0 if it is not;
1-2 Marking the permit operations and scores of resources
When the system starts, CP marks the permit operations of each resource with an additional extended byte; all of CP's resources are then reorganized into a multi-level set according to their permit operations, see Definition 2;
Definition 2: resource set with permit operations (Resources Set, RSet)
RSet = {(POp_i, {R_j}_i)}, i = 0, 1, 3, 5, …, n; j = 1, 2, …, m  (2)
In CP's resource set RSet the basic pair is (POp_i, {R_j}_i): one POp_i owns a group of resources R_j, and i is the permit-operation score of those resources, where a larger i means that more operations are allowed. In short, one POp_i represents one grade of resources.
User attribute module: allows CP to define and configure the attributes of potential CQs and to assign particular attributes to the current CQ; in this way, CQs are classified into different access levels. It is implemented as follows:
2-1 Defining user attributes
Definition 3: user attribute set (User Attribute Set, AttrSet)
In Definition 3, Type_i denotes the i-th base-class user attribute, and the subclass attribute set of the i-th base-class attribute can also be written as pairs (Attr_j, Score_j), where Attr_j is the name of the j-th subclass attribute and Score_j its attribute score. In the one-dimensional vector of equation (3), the subscript m is the number of subclass attributes of the i-th base-class attribute; if CQ is assigned the j-th subclass attribute, we set the j-th element to 1 and all other elements to 0;
Definition 4: user attribute score (User Attribute Score)
The user attribute score S_user is calculated according to equation (4), in which one vector holds the scores of the subclass attributes (given in equation (5)) and the other is the attribute weight vector; for convenience of calculation, the set of Definition 3 is written in a simplified form.
2-2 Configuring the attributes of potential requesters
When the system starts, for potential CQs, CP first needs to configure the basic user attribute types, i.e. the base-class attributes, to configure the corresponding weight and subclass attributes for each base-class attribute, and to compute an attribute score for each subclass attribute. The calculation steps are as follows:
(1) Input: the maximum resource permit-operation score defined by CP in the system (MaxS_op), the quantization strategy for attribute scores (Strategy), and the attribute set {(Type_i, {Attr_j}_i)} whose scores are to be computed;
(2) Select the Strategy to execute: 1 denotes an arithmetic-progression (equal-difference) quantization of the subclass attribute scores, 2 a geometric-progression (equal-ratio) quantization; when computing attribute scores, the maximum attribute score is set to MaxS_op − 1 and the minimum attribute score to 1;
(3) Output: the attribute set with attribute scores, {(Type_i, {(Attr_j, Score_j)}_i)};
2-3 Computing the requester's attribute score
When a request is received from a content requester, the content provider needs to assign attributes to the requester: for each base class it selects one subclass attribute for the content requester, and computes the requester's attribute score with the formula given in Definition 4.
Access token module: when CP responds to CQ's request, it returns an access token to CQ; the access token is a valid and unique access-authority identifier defined by CP for CQ;
3-1 Access token format
The access token consists of two parts, the token header and the token payload. The header has three fields: token ID (tokenId), token type (typ_x) and encryption algorithm (Enc); there are three token types, grant (typ_g), share (typ_s) and delegate (typ_d). The payload has six fields: token data (data_token), source address (IP_CP), destination address (IP_CQ), generation time (T_gen), expiration time (T_exp) and authentication data;
3-2 Token generation
CP generates an access token of type typ_g as follows:
(1) CP-side initialization: the system first generates n random strings [str_0, str_1, …, str_{n−1}], each 32 bytes long, then uses T_gen and T_exp to compute sn = (T_exp − T_gen) mod n, and finally obtains the salt used in the current hash computation, salt = str_sn;
(2) Generate the token header: randomly select 64 bits as the token ID, set the token type to typ_g, select the symmetric encryption algorithm DES or AES, and select the hash algorithm SHA-1 or SHA-2;
(3) Generate the access token: generate the authentication data, compute the required symmetric encryption key symKey, and encrypt the user attribute data with that key to obtain the token data data_token = Enc_symKey(S_user || salt); the access token finally produced is assembled from the header and payload fields;
(4) Store the access token: the hash of the token is stored together with the requester's address in the local valid-token database; if CP wants to revoke a token, it deletes the token from the valid-token database and adds it to the failed-token database;
A sharer or delegator generates a typ_s or typ_d token in the same way as above, except for data_token and the authentication data: data_token is formed from the share code or delegation code encrypted by the sharer or delegator together with the grant token, and the authentication data of both kinds of token is empty;
3-3 Token verification
When CP receives a grant token AccToken_g, it first verifies that the token is within its validity period; if so, it verifies that the token is in the local valid-token database; if so, it extracts the fields from the token, regenerates the key and decrypts data_token; if decryption succeeds and yields S'_user, it checks whether the current user attribute score S_user is greater than or equal to the decrypted S'_user; if so, it continues by recomputing the authentication data from the fields extracted from the token and verifying that it holds; if it does, AccToken_g is valid and the user's attribute score is S_user;
When CP receives a delegation token AccToken_d, it first verifies that the token is within its validity period; if so, it verifies that the token is in the local valid-token database; if so, AccToken_d is valid;
When a sharer receives a share token AccToken_s, it first verifies that the token is within its validity period; if so, AccToken_s is valid.
Matching module: after the access token is verified, CP extracts S_user from the token and uses S_user to match the POp_i in the resource set, obtaining the resource set accessible to CQ; matching the requester to content is divided into two parts, coarse-grained matching and fine-grained matching;
4-1 Coarse-grained matching
Coarse-grained matching finds the maximum accessible resource set RSet_access for CQ according to S_user:
(1) find the even number Z closest to and less than S_user;
(2) compute the boundary grade of the accessible resource set, B = MaxS_op − Z;
(3) obtain CQ's maximum accessible resource set RSet_access, in which the grade score of every resource is not lower than B;
4-2 Fine-grained matching
Since RSet_access contains not only the resource set that may be accessed but also the corresponding permit operations, fine-grained matching is introduced to further distinguish the same user in different environments, or different users with close scores; in fine-grained matching, only the resource set of grade POp_B is processed;
(1) compute the difference D = S_user − Z;
(2) obtain the subset mask SPOp_B;
(3) match the permit-operation subset of the POp_B-grade resources, POp_allow = POp_B & SPOp_B;
(4) obtain CQ's final accessible content RSet_allow.
The beneficial effects of the present invention are as follows:
Data is transmitted over a trusted channel to protect the content; the designed access token improves access efficiency; and, based on content rights and the requester's attribute score, the combination of coarse-grained and fine-grained matching achieves multi-level and efficient access control.
Description of the drawings
Fig. 1 is the structure diagram of the matching-based access control system;
Fig. 2 shows the structured-byte representation of permit operations;
Specific embodiment
The invention is further explained below with reference to the drawings and examples.
As shown in Figs. 1 and 2, a matching-based access control method comprises a content rights module, a user attribute module, an access token module and a matching module. The modules of the invention interact as described above (see Fig. 1); the specific implementation of each module is as follows.
1. Content rights module: the content provider (CP) defines the permit operations of content and scores and grades the content according to the defined permit operations, so as to obtain a multi-level resource set.
1-3 Defining the permit operations of content
To conveniently describe the concrete operations of each resource, we introduce the atomic operation set (see Definition 1).
Definition 1: atomic operation set (Atomic Operation Set, AOp)
AOp = {…, Modify, Execute, Delegate, Share, Read}  (1)
According to the requirements of existing remote resource access, we define five atomic operations: modify (Modify), execute (Execute), delegate (Delegate), share (Share) and read (Read).
Modify is the ability to update a resource; Execute means the resource can be executed; Delegate means the resource can be delegated to a secondary user; Share means the resource can be shared with multiple users; Read means the resource is readable. For ease of description, these five atomic operations are written M, E, D, S and R. Naturally, for new demands in applications we also allow more atomic operations to be introduced.
To define the permit operations of each resource, we introduce a structured byte based on the five atomic operations above, POp (shown in Fig. 2), in which each bit represents one atomic operation: 1 if the operation is permitted and 0 if it is not. In Fig. 2, if a resource does not allow remote access, the rank of its POp is 0 and the resource is denoted POp_0 or POp_min; if a resource allows all atomic operations when accessed remotely, its POp is 31 and its grade is denoted POp_31 or POp_max. We take the value i of POp_i as the score of the resources of that grade, with MaxS_op = 31 and MinS_op = 1.
Of the five atomic operations, the read operation is a prerequisite of the other four, so there are 17 permit-operation modes for resources, with corresponding content grades (see Table 1).
1-4 Marking the permit operations and scores of resources
When the system starts, CP marks the permit operations of each resource with an additional extended byte (according to Definition 1). All of CP's resources are reorganized into a multi-level set according to their permit operations, see Definition 2.
Definition 2: resource set with permit operations (Resources Set, RSet)
RSet = {(POp_i, {R_j}_i)}, i = 0, 1, 3, 5, …, n; j = 1, 2, …, m  (2)
In CP's resource set RSet the basic pair is (POp_i, {R_j}_i): one POp_i owns a group of resources R_j, and i is the permit-operation score of those resources, where a larger i means that more operations are allowed. In short, one POp_i represents one grade of resources; Table 1 lists the grade marks of the 31 resource grades and their corresponding permit operations.
Table 1: permit operations of resources
In Table 1, R_1 has grade POp_0 and R_3, R_9 have grade POp_27; R_1 has score 0, and further we obtain S_R3 = 27, S_R9 = 27, S_R13 = 1, and so on. If a resource R_j has the share operation, the requester may share the resource with other users, and CP generates a share code sCode for such resources from the resource's score and a timestamp st. For resources with the delegate operation, CP generates a delegation code dCode.
2. User attribute module: allows CP to define and configure the attributes of potential content requesters (CQ) and to assign particular attributes to the current CQ. In this way, CQs are classified into different access levels.
2-1 Defining user attributes
Definition 3: user attribute set (User Attribute Set, AttrSet)
In Definition 3, Type_i denotes the i-th base-class user attribute, and the subclass attribute set of the i-th base-class attribute can also be written as pairs (Attr_j, Score_j), where Attr_j is the name of the j-th subclass attribute and Score_j its attribute score (see Algorithm 1 for the concrete implementation). In the one-dimensional vector of equation (3), the subscript m is the number of subclass attributes of the i-th base-class attribute; if CQ is assigned the j-th subclass attribute, we set the j-th element to 1 and all other elements to 0.
To better fit practical applications, we introduce weights for the user base-class attributes when computing the user attribute score, so as to determine the importance of each attribute in the attribute rating. For all base-class attributes (say k of them), the weights satisfy a weight condition; from it we derive the formula for the user attribute score, see Definition 4.
Definition 4: user attribute score (User Attribute Score)
The user attribute score S_user is calculated according to equation (4), in which one vector holds the scores of the subclass attributes (given in equation (5)) and the other is the attribute weight vector. For convenience of calculation, the set of Definition 3 is written in a simplified form.
2-2 Configuring the attributes of potential requesters
When the system starts, for potential CQs, CP first needs to configure the basic user attribute types, i.e. the base-class attributes, to configure the corresponding weight and subclass attributes for each base-class attribute, and at the same time to compute an attribute score for each subclass attribute according to Algorithm 1. The steps of Algorithm 1 are as follows:
(1) Input: the maximum resource permit-operation score defined by CP in the system (MaxS_op), the quantization strategy for attribute scores (Strategy), and the attribute set {(Type_i, {Attr_j}_i)} whose scores are to be computed.
(2) Select the Strategy to execute: 1 denotes an arithmetic-progression (equal-difference) quantization of the subclass attribute scores, 2 a geometric-progression (equal-ratio) quantization. When computing attribute scores, we set the maximum attribute score to MaxS_op − 1 and the minimum attribute score to 1.
(3) Output: the attribute set with attribute scores, {(Type_i, {(Attr_j, Score_j)}_i)}.
As described above, CP can customize the base-class attribute names, their weights and their subclass attributes. For clarity, Table 2 shows an example attribute configuration of a CP with three basic user attributes, in which the subclass attribute scores are quantized with the equal-difference strategy of Algorithm 1.
Table 2: user attribute configuration example
2-3 Computing the requester's attribute score
When a request is received from a content requester, the content provider needs to assign attributes to the requester: for each base class it selects one subclass attribute for the content requester, and computes the requester's attribute score with the formula given in Definition 4.
For example, a personal friend from the same province sends an access token request to CP, and CP computes his score; see the entries with grey background in Table 2. The friend attribute scores 15, the personal attribute scores 10 and the same-province attribute scores 12. Taking the weights W = (0.5, 0.3, 0.2) from Table 2 and calculating according to Definition 4, the requester's attribute score is 12.9.
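The score quantization of Algorithm 1 and the weighted score of Definition 4, as an added example that is not the patent's own code. The page fixes only the endpoints of the quantization (MaxS_op − 1 and 1) and shows Definition 4 only through the worked numbers above, so the even spacing of ranks, the weights summing to 1, and the base-class names are this example's assumptions.

```python
"""Added example (not code from the patent): Algorithm 1's subclass-attribute score
quantization and the weighted user attribute score of Definition 4, checked against
the worked numbers above (15, 10, 12 with W = (0.5, 0.3, 0.2) -> 12.9)."""
from typing import Dict, List

MAX_S_OP = 31  # maximum resource permit-operation score; the page fixes POp_max = 31


def quantize_scores(subclasses: List[str], strategy: int, max_s_op: int = MAX_S_OP) -> Dict[str, int]:
    """Score the subclass attributes of one base class, listed from most to least privileged.

    The page fixes only the endpoints: the top subclass scores MaxS_op - 1 and the
    bottom one scores 1. Spacing the ranks evenly between them (arithmetic progression
    for strategy 1, geometric progression for strategy 2) is this example's assumption.
    """
    if strategy not in (1, 2):
        raise ValueError("Strategy must be 1 (equal difference) or 2 (equal ratio)")
    hi, lo = max_s_op - 1, 1
    n = len(subclasses)
    if n == 1:
        return {subclasses[0]: hi}
    scores: Dict[str, int] = {}
    for rank, name in enumerate(subclasses):
        if strategy == 1:
            value = hi - rank * (hi - lo) / (n - 1)
        else:
            value = hi * (lo / hi) ** (rank / (n - 1))
        scores[name] = max(lo, min(hi, int(round(value))))
    return scores


def user_attribute_score(assigned: Dict[str, int], weights: Dict[str, float]) -> float:
    """Definition 4 as the page's example applies it: S_user = sum_i w_i * Score_i.

    `assigned` maps each base class to the score of the one subclass CP selected for
    the requester; `weights` are the base-class weights, assumed (as in the page's W)
    to sum to 1.
    """
    if set(assigned) != set(weights):
        raise ValueError("exactly one subclass score per base class is required")
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("base-class weights must sum to 1")
    return round(sum(weights[t] * assigned[t] for t in weights), 6)


# Constructed configuration: three base classes, named here by this example, standing
# for the three basic user attributes of the page's Table 2.
WEIGHTS = {"relationship": 0.5, "identity": 0.3, "region": 0.2}
REQUESTER = {"relationship": 15, "identity": 10, "region": 12}  # friend, personal, same province


def page_example() -> float:
    """The requester of the worked example above; the page gives 12.9."""
    return user_attribute_score(REQUESTER, WEIGHTS)


if __name__ == "__main__":
    print(quantize_scores(["admin", "staff", "guest", "anonymous"], strategy=1))
    print(page_example())
```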
3. Access token module: when CP responds to CQ's request, it returns an access token to CQ. The access token is a valid and unique access-authority identifier defined by CP for CQ.
3-1 Access token format
The access token consists of two parts, the token header and the token payload. The header has three fields: token ID (tokenId), token type (typ_x) and encryption algorithm (Enc); there are three token types, grant (typ_g), share (typ_s) and delegate (typ_d). The payload has six fields: token data (data_token), source address (IP_CP), destination address (IP_CQ), generation time (T_gen), expiration time (T_exp) and authentication data (see Table 3 for details).
Table 3: access token format
3-2 Token generation
CP generates an access token of type typ_g as follows:
(1) CP-side initialization. The system first generates n random strings [str_0, str_1, …, str_{n−1}], each 32 bytes long, then uses T_gen and T_exp to compute sn = (T_exp − T_gen) mod n, and finally obtains the salt used in the current hash computation, salt = str_sn.
(2) Generate the token header. Randomly select 64 bits as the token ID, set the token type to typ_g, select the symmetric encryption algorithm DES or AES, and select the hash algorithm SHA-1 or SHA-2.
(3) Generate the access token. Generate the authentication data, compute the required symmetric encryption key symKey, and encrypt the user attribute data with that key to obtain the token data data_token = Enc_symKey(S_user || salt). The access token finally produced is assembled from the header and payload fields.
(4) Store the access token. The hash of the token is stored together with the requester's address in the local valid-token database. Note: if CP wants to revoke a token, it deletes the token from the valid-token database and adds it to the failed-token database.
A sharer or delegator generates a typ_s or typ_d token in the same way as above, except for data_token and the authentication data. Here data_token consists of the share code or delegation code encrypted by the sharer or delegator, plus the grant token, expressed as data_token = Enc_PK(xCode) || H(AccToken_g), where xCode = sCode or dCode; the authentication data of these two kinds of token is empty.
3-3 Token verification
When CP receives a grant token AccToken_g, it first verifies that the token is within its validity period; if so, it verifies that the token is in the local valid-token database; if so, it extracts the fields from the token, regenerates the key and decrypts data_token; if decryption succeeds and yields S'_user, it checks whether the current user attribute score S_user is greater than or equal to the decrypted S'_user, and if so continues by recomputing the authentication data from the fields extracted from the token and verifying that it holds; if it does, AccToken_g is valid and the user's attribute score is S_user.
When CP receives a delegation token AccToken_d, it first verifies that the token is within its validity period; if so, it verifies that the token is in the local valid-token database; if so, AccToken_d is valid.
When a sharer receives a share token AccToken_s, it first verifies that the token is within its validity period; if so, AccToken_s is valid.
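The typ_g token lifecycle of sections 3-2 and 3-3 (salt selection from the string pool, the valid and failed token databases, and the verification order: validity period, database lookup, decryption, score comparison, authentication data), as an added example that is not the patent's code. The page does not reproduce the key derivation or the authentication-data formula, so both are this example's assumptions, and a SHA-256 keystream XOR stands in for the page's DES/AES because Python's standard library ships no block cipher.

```python
"""Added example (not the patent's code): typ_g access-token generation, storage,
revocation and verification as described in sections 3-2 and 3-3."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def token_hash(token: dict) -> str:
    """H(AccToken): hash of the canonical JSON encoding (the encoding is this example's choice)."""
    return hashlib.sha256(json.dumps(token, sort_keys=True).encode()).hexdigest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for Enc_symKey / Dec_symKey: XOR with a SHA-256 counter keystream.
    The page uses DES or AES; this keeps the example dependency-free and is not a recommendation."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


@dataclass
class ContentProvider:
    cp_secret: bytes            # assumption: CP's long-term secret from which symKey is derived
    ip_cp: str
    n: int = 8                  # size of the random string pool of step (1)
    pool: List[str] = field(init=False)
    valid_db: Dict[str, str] = field(default_factory=dict)   # H(token) -> requester address
    failed_db: Dict[str, str] = field(default_factory=dict)  # revoked tokens

    def __post_init__(self) -> None:
        self.pool = [secrets.token_hex(16) for _ in range(self.n)]  # str_0 .. str_{n-1}

    def salt(self, t_gen: int, t_exp: int) -> str:
        return self.pool[(t_exp - t_gen) % self.n]          # sn = (T_exp - T_gen) mod n

    def sym_key(self, token_id: str, salt: str) -> bytes:
        # assumption: symKey = SHA-256(cp_secret || tokenId || salt); the page's formula is not shown
        return hashlib.sha256(self.cp_secret + token_id.encode() + salt.encode()).digest()

    @staticmethod
    def auth_data(key: bytes, header: dict, payload: dict) -> str:
        # assumption: HMAC-SHA256 over all other fields binds the payload to the header
        body = {k: v for k, v in payload.items() if k != "auth"}
        msg = json.dumps([header, body], sort_keys=True).encode()
        return hmac.new(key, msg, "sha256").hexdigest()

    def generate(self, ip_cq: str, s_user: float, t_gen: int, ttl: int) -> dict:
        t_exp = t_gen + ttl
        salt = self.salt(t_gen, t_exp)
        header = {"tokenId": secrets.token_hex(8), "typ": "g", "enc": "keystream-demo"}  # 64-bit ID
        key = self.sym_key(header["tokenId"], salt)
        data_token = keystream_xor(key, f"{s_user}|{salt}".encode()).hex()  # Enc(S_user || salt)
        payload = {"data": data_token, "IP_CP": self.ip_cp, "IP_CQ": ip_cq,
                   "T_gen": t_gen, "T_exp": t_exp}
        payload["auth"] = self.auth_data(key, header, payload)
        token = {"header": header, "payload": payload}
        self.valid_db[token_hash(token)] = ip_cq   # step (4): hash plus requester address
        return token

    def revoke(self, token: dict) -> None:
        h = token_hash(token)
        if h in self.valid_db:
            self.failed_db[h] = self.valid_db.pop(h)

    def verify(self, token: dict, current_s_user: float, now: int) -> Tuple[bool, str]:
        """Section 3-3 for a typ_g token; returns (valid, reason or S_user)."""
        hdr, pl = token["header"], token["payload"]
        if not pl["T_gen"] <= now < pl["T_exp"]:
            return False, "outside validity period"
        if token_hash(token) not in self.valid_db:
            return False, "not in valid token database"
        salt = self.salt(pl["T_gen"], pl["T_exp"])
        key = self.sym_key(hdr["tokenId"], salt)
        plain = keystream_xor(key, bytes.fromhex(pl["data"])).decode("utf-8", "replace")
        s_prime, _, dec_salt = plain.partition("|")
        if dec_salt != salt:                      # successful decryption reproduces the salt
            return False, "decryption failed"
        if current_s_user < float(s_prime):       # current S_user must be >= S'_user
            return False, "current attribute score below token score"
        if not hmac.compare_digest(pl["auth"], self.auth_data(key, hdr, pl)):
            return False, "authentication data mismatch"
        return True, s_prime


if __name__ == "__main__":
    cp = ContentProvider(cp_secret=b"constructed-cp-secret", ip_cp="10.0.0.1")
    tok = cp.generate("10.0.0.2", 12.9, t_gen=1000, ttl=600)
    print(cp.verify(tok, 12.9, now=1200))
    cp.revoke(tok)
    print(cp.verify(tok, 12.9, now=1200))
```

The salt never leaves CP, so a token outlives neither the string pool nor the failed-token database: regenerating the pool on restart invalidates every outstanding token.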
4. Matching module
After the access token is verified, CP extracts S_user from the token and uses S_user to match the POp_i in the resource set, obtaining the resource set accessible to CQ. The matching module uses CQ's attribute score and the content grade scores to realize multi-level access control (see Algorithm 2), in two steps: coarse-grained matching and fine-grained matching.
4-1 Coarse-grained matching
Coarse-grained matching finds the maximum accessible resource set RSet_access for CQ according to S_user; in brief, the steps are as follows:
(1) Find the even number Z closest to and less than S_user.
(2) Compute the boundary grade of the accessible resource set, B = MaxS_op − Z.
(3) Obtain CQ's maximum accessible resource set RSet_access, in which the grade score of every resource is not lower than B; it can be expressed as RSet_access = {(POp_B, {RSet_j}_B), (POp_{B+2}, {RSet_j}_{B+2}), …, (POp_n, {RSet_j}_n)}. See Algorithm 3 for the concrete implementation.
4-2 Fine-grained matching
Since RSet_access contains not only the resource set that may be accessed but also the corresponding permit operations, we introduce fine-grained matching to further distinguish the same user in different environments, or different users with close scores. In fine-grained matching, we only process the resource set of grade POp_B; in brief, the steps are as follows, and Algorithm 4 gives the details.
(1) Compute the difference D = S_user − Z.
(2) Obtain the subset mask SPOp_B.
(3) Match the permit-operation subset of the POp_B-grade resources, POp_allow = POp_B & SPOp_B.
(4) Obtain CQ's final accessible content RSet_allow.
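The structured byte POp of Definition 1 / Fig. 2 and the coarse-grained matching of section 4-1 (also covering the identical steps in the summary), as an added example that is not the patent's own code. The bit order within the byte and the resource set other than the R_1, R_3, R_9 and R_13 grades quoted from Table 1 are this example's assumptions; fine-grained matching is left out because the page does not reproduce the subset mask SPOp_B.

```python
"""Added example (not the patent's own code): POp encoding with the Read prerequisite
and the coarse-grained matching of section 4-1, run with the page's S_user = 12.9."""
import math
from typing import Dict, List, Tuple

# Bit layout is this example's assumption: Read is the least significant bit, so every
# non-zero grade is odd (i = 0, 1, 3, 5, ... in Definition 2) and POp_31 permits all five.
ATOMIC_OPS = {"M": 1 << 4, "E": 1 << 3, "D": 1 << 2, "S": 1 << 1, "R": 1 << 0}
MAX_S_OP, MIN_S_OP = 31, 1


def encode_pop(ops: str) -> int:
    """Build POp from operation letters such as 'MSR'; Read is a prerequisite of the rest."""
    pop = 0
    for op in ops:
        if op not in ATOMIC_OPS:
            raise ValueError(f"unknown atomic operation {op!r}")
        pop |= ATOMIC_OPS[op]
    if pop and not pop & ATOMIC_OPS["R"]:
        raise ValueError("any permitted operation requires Read")
    return pop


def decode_pop(pop: int) -> str:
    """Inverse of encode_pop: the letters of the operations whose bit is set."""
    return "".join(op for op, bit in ATOMIC_OPS.items() if pop & bit)


def valid_grades() -> List[int]:
    """POp_0 (no remote access) plus the 16 odd values: the page's 17 permit-operation modes."""
    return [0] + [i for i in range(MIN_S_OP, MAX_S_OP + 1) if i & 1]


# Constructed resource set: R1, R3, R9 and R13 carry the grades the page quotes from
# Table 1; the remaining entries are made up for this example.
RSET: Dict[int, List[str]] = {
    0: ["R1"], 1: ["R13"], 17: ["R17"], 19: ["R20"], 21: ["R21"], 27: ["R3", "R9"],
}


def coarse_match(s_user: float, rset: Dict[int, List[str]] = RSET) -> Tuple[int, int, Dict[int, List[str]]]:
    """Section 4-1: returns (Z, B, RSet_access).

    Z is the even number closest to and below S_user, B = MaxS_op - Z is the boundary
    grade, and RSet_access holds every grade from POp_B upwards (POp_B, POp_B+2, ...).
    """
    bad = [g for g in rset if g not in valid_grades()]
    if bad:
        raise ValueError(f"grades violate the Read prerequisite: {bad}")
    z = math.ceil(s_user) - 1  # largest integer strictly below S_user
    if z % 2:
        z -= 1                 # step down to the nearest even number
    z = max(z, 0)
    b = MAX_S_OP - z
    access = {g: list(res) for g, res in sorted(rset.items()) if g >= b}
    return z, b, access


if __name__ == "__main__":
    z, b, access = coarse_match(12.9)
    print(f"Z={z} B={b} accessible grades={list(access)}")
    for grade, resources in access.items():
        print(f"  POp_{grade} permits {decode_pop(grade)}: {resources}")
```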

Claims (5)

1. A matching-based access control method, characterized in that it comprises a content rights module, a user attribute module, a matching module and an access token module, and the modules interact as follows:
(1) System initialization: the content rights module defines the permit operations of content, and the user attribute module defines the user attributes;
(2) Content provider initialization: the content rights module and the user attribute module are initialized; the content rights module marks the permit operations and scores of accessible resources, and in the user attribute module the content provider configures base-class and subclass attributes and weights for potential requesters and computes the subclass attribute scores;
(3) The content requester CQ sends an access request to the content provider CP, and CP responds by returning an access token; at the CP end, the user attribute module first computes CQ's attribute score, then the access token module generates an access token for CQ, and finally the token is sent to CQ;
(4) CQ accesses CP's content with the access token; at the CP end, the access token module first verifies the token, then the matching module matches the accessible content set according to the user attribute score and the content rights module, and finally the requester is granted access to the matched content set. The access token can be used repeatedly within its validity period.
2. The matching-based access control method according to claim 1, characterized in that
in the content rights module, CP defines the permit operations of content and scores and grades the content according to the defined permit operations so as to obtain a multi-level resource set, implemented as follows:
1-1 Defining the permit operations of content
Definition 1: atomic operation set (Atomic Operation Set, AOp)
AOp = {…, Modify, Execute, Delegate, Share, Read}  (1)
According to the requirements of existing remote resource access, five atomic operations are defined: modify (Modify), execute (Execute), delegate (Delegate), share (Share) and read (Read);
Modify is the ability to update a resource; Execute means the resource can be executed; Delegate means the resource can be delegated to a secondary user; Share means the resource can be shared with multiple users; Read means the resource is readable. For ease of description, these five atomic operations are written M, E, D, S and R;
To define the permit operations of each resource, a structured byte based on the five atomic operations is introduced: each bit represents one atomic operation and is set to 1 if that operation is permitted and 0 if it is not;
1-2 Marking the permit operations and scores of resources
When the system starts, CP marks the permit operations of each resource with an additional extended byte; all of CP's resources are then reorganized into a multi-level set according to their permit operations, see Definition 2;
Definition 2: resource set with permit operations (Resources Set, RSet)
RSet = {(POp_i, {R_j}_i)}, i = 0, 1, 3, 5, …, n; j = 1, 2, …, m  (2)
In CP's resource set RSet the basic pair is (POp_i, {R_j}_i): one POp_i owns a group of resources R_j, and i is the permit-operation score of those resources, where a larger i means that more operations are allowed. In short, one POp_i represents one grade of resources.
3. The matching-based access control method according to claim 2, characterised in that the user attribute module allows CP to define and configure the attributes of potential CQs and to assign particular attributes to the current CQ; in this way CQs are classified into different access levels. This is implemented as follows:
2-1 Defining user attributes
Definition 3: user attribute set (User Attribute Set, AttrSet)
In Definition 3, Type_i denotes the i-th base-class user attribute, and the set of subclass attributes of the i-th base class can also be written as pairs (Attr_j, Score_j), where Attr_j is the name of the j-th subclass attribute and Score_j its attribute score. In the one-dimensional vector of equation (3), the subscript m is the number of subclass attributes of the i-th base-class attribute; if CQ is assigned the j-th subclass attribute, the j-th element of the vector is set to 1 and all other elements to 0.
Definition 3: user attribute score (User Attribute Score)
The user attribute score S_user is computed from the attribute vector and the attribute weight vector according to equation (4), where the first factor is the group of scores given in equation (5) and the second is the weight vector of the attributes; for convenience of calculation, the vector of Definition 3 is written in a simplified form.
2-2 Configuring the attributes of potential requesters
When the system starts, CP first needs to configure the basic user attribute types for potential CQs, that is, the base-class attributes, to configure the corresponding weight and subclass attributes for each base-class attribute, and at the same time to compute an attribute score for each subclass attribute. The calculation is implemented in the following steps:
(1) Input the maximum resource permitted-operation score defined in the system (MaxS_op), the quantisation strategy for attribute scores (Strategy) and the attribute set for which scores are to be calculated, {(Type_i, {Attr_j}_i)};
(2) Select the Strategy to execute, where 1 denotes an equal-difference (arithmetic) quantisation strategy for subclass attribute scores and 2 denotes an equal-ratio (geometric) quantisation strategy; when attribute scores are calculated, the largest attribute score is set to MaxS_op - 1 and the smallest attribute score to 1;
(3) Output the attribute set containing the attribute scores, {(Type_i, {(Attr_j, Score_j)}_i)}.
2-3 Computing the attribute score of a requester
On receiving a request from a content requester, the content provider needs to assign attributes to the content requester: for each base-class attribute, the content provider selects one subclass attribute for the content requester, and then computes the requester's attribute score with the attribute-score formula given in Definition 4.
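Steps 2-2 and 2-3 can be traced through in code. The following Go program is an added example written for this page, not code from the patent or its assignee. It assumes that the equal-difference strategy spaces the subclass scores linearly and the equal-ratio strategy spaces them geometrically between 1 and MaxS_op - 1, and, because equations (3) to (5) are not reproduced on the page, it assumes S_user is the weighted sum of the chosen subclass scores using the per-base-class weights. The base-class names, weights and MaxS_op = 9 are constructed sample values.

```go
package main

import (
	"fmt"
	"math"
)

// Quantisation strategies for subclass attribute scores (claim 3, step 2-2):
// 1 = equal-difference (arithmetic) progression, 2 = equal-ratio (geometric) progression.
const (
	StrategyArithmetic = 1
	StrategyGeometric  = 2
)

// BaseClass is one (Type_i, {Attr_j}_i) entry: a base-class attribute, its subclass
// attribute names ordered from weakest to strongest, and the weight of this base class.
type BaseClass struct {
	Type   string
	Attrs  []string
	Weight float64
}

// QuantiseScores gives every subclass attribute a score in [1, MaxS_op-1]: the weakest
// subclass scores 1, the strongest MaxS_op-1, and the rest follow the chosen progression
// (the exact spacing rule is an assumption; the claim names only the two strategies).
func QuantiseScores(attrs []string, maxSop, strategy int) (map[string]float64, error) {
	n := len(attrs)
	if n < 2 || maxSop < 3 {
		return nil, fmt.Errorf("need at least two subclass attributes and MaxS_op >= 3")
	}
	lo, hi := 1.0, float64(maxSop-1)
	scores := make(map[string]float64, n)
	for j, name := range attrs {
		frac := float64(j) / float64(n-1) // 0 for the weakest subclass, 1 for the strongest
		switch strategy {
		case StrategyArithmetic:
			scores[name] = lo + (hi-lo)*frac
		case StrategyGeometric:
			scores[name] = lo * math.Pow(hi/lo, frac)
		default:
			return nil, fmt.Errorf("unknown strategy %d", strategy)
		}
	}
	return scores, nil
}

// ConfigureAttributes is step 2-2 end to end: it returns {(Type_i, {(Attr_j, Score_j)}_i)}.
func ConfigureAttributes(classes []BaseClass, maxSop, strategy int) (map[string]map[string]float64, error) {
	out := make(map[string]map[string]float64, len(classes))
	for _, c := range classes {
		s, err := QuantiseScores(c.Attrs, maxSop, strategy)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", c.Type, err)
		}
		out[c.Type] = s
	}
	return out, nil
}

// UserScore is step 2-3: CP picks one subclass attribute per base class for the requester
// and folds the scores into S_user. Equations (4) and (5) are not on the page, so the
// weighted sum used here is an assumption.
func UserScore(classes []BaseClass, table map[string]map[string]float64, chosen map[string]string) (float64, error) {
	var sUser float64
	for _, c := range classes {
		attr, ok := chosen[c.Type]
		if !ok {
			return 0, fmt.Errorf("no subclass attribute chosen for base class %q", c.Type)
		}
		score, ok := table[c.Type][attr]
		if !ok {
			return 0, fmt.Errorf("%q is not a configured subclass of %q", attr, c.Type)
		}
		sUser += c.Weight * score
	}
	return sUser, nil
}

func main() {
	// Constructed sample configuration: MaxS_op = 9, so every score lies in [1, 8].
	classes := []BaseClass{
		{Type: "role", Attrs: []string{"guest", "employee", "manager", "admin"}, Weight: 0.6},
		{Type: "device", Attrs: []string{"unmanaged", "managed", "hardware-attested"}, Weight: 0.4},
	}
	table, err := ConfigureAttributes(classes, 9, StrategyGeometric)
	if err != nil {
		panic(err)
	}
	sUser, err := UserScore(classes, table, map[string]string{"role": "manager", "device": "managed"})
	if err != nil {
		panic(err)
	}
	fmt.Printf("scores=%v S_user=%.2f\n", table, sUser)
}
```

With the geometric strategy the four role subclasses score 1, 2, 4 and 8, and the three device subclasses 1, sqrt(8) and 8, so a manager on a managed device gets S_user = 0.6 * 4 + 0.4 * sqrt(8). Because every subclass score stays strictly below MaxS_op and the weights sum to 1, S_user can never reach the top resource grade by attribute configuration alone.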
4. The matching-based access control method according to claim 3, characterised in that in the access token module, when CP responds to a request from CQ, it returns an access token to CQ; the access token is an effective and unique access authority identifier defined by CP for CQ.
3-1 Access token format
The access token consists of two parts: a token header and a token payload. The token header contains three fields: token ID (tokenId), token type (typ) and encryption algorithm (Enc); there are three token types, namely grant (typ_g), share (typ_s) and delegate (typ_d). The token payload contains six fields: token data (data_token), source address (IP_CP), destination address (IP_CQ), generation time (T_gen), expiration time (T_exp) and verify data (θ).
3-2 Token generation
CP generates an access token of type typ_g in the following steps:
(1) CP-side initialisation. The system first randomly generates n strings [str_0, str_1, ..., str_{n-1}], each 32 bytes long, then uses T_gen and T_exp to compute sn = (T_exp - T_gen) mod n, and finally obtains the hash salt used for the current calculation, salt = str_sn.
(2) Generate the token header. Randomly choose 64 bits as the token ID, set the token type to typ_g, choose the symmetric encryption algorithm DES or AES, and choose the hash algorithm SHA-1 or SHA-2.
(3) Generate the access token. Compute the verify data θ = H(S_user || IP_CP || IP_CQ || T_gen || T_exp || salt) and the required symmetric encryption key symKey = H(θ || SK_CP); encrypt the user attribute with this key to obtain the token data data_token = Enc_symKey(S_user || salt). The access token finally produced is AccToken_g = tokenId || typ_g || data_token || IP_CP || IP_CQ || T_gen || T_exp || θ.
(4) Store the access token. The hash value of the token is stored together with the requester's address in the local valid-token database. If CP wants to revoke a token, it deletes the token from the valid-token database and adds it to the invalid-token database.
A sharer or authoriser generates a token of type typ_s or typ_d in the same way as above, except for data_token and θ: data_token consists of the grant token structure plus a share code or authorisation code from the sharer or authoriser, and θ is empty for both kinds of token.
3-3 Token verification
When CP receives a grant token AccToken_g, it first verifies whether the token is within its validity period; if so, it verifies whether the token is in the local valid-token database. If so, it extracts θ' from the token, generates symKey = H(θ' || SK) and decrypts data_token. If decryption succeeds and yields S'_user, it verifies whether the user attribute score at the current time, S_user, is greater than or equal to the decrypted S'_user; if so, it continues to verify θ: using the fields extracted from the token it computes θ = H(S'_user || PK'_CP || PK'_CQ || T'_gen || T'_exp || salt) and checks whether this equals θ'. If it does, AccToken_g is valid and the user's attribute score is S_user.
When CP receives a delegate token AccToken_d, it first verifies whether the token is within its validity period; if so, it verifies whether the token is in the local valid-token database; if so, AccToken_d is valid.
When a sharer receives a share token AccToken_s, it first verifies whether the token is within its validity period; if so, AccToken_s is valid.
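Steps 3-2 and 3-3 for a grant token, as an added Go example that is not code from the patent or its assignee. It fixes the claim's open choices to AES-256-GCM for Enc and SHA-256 for H, encodes S_user as a float64 and the times as Unix seconds, and delimits the fields inside H(...) so that the || concatenation cannot be re-split (the claim writes plain concatenation). Where the verification step of the claim recomputes θ over PK'_CP and PK'_CQ, the example uses the IP_CP and IP_CQ fields that the generation step hashes, because those are what the token carries. Revocation is, as step (4) describes, deleting the token's hash from the valid-token database. The IP addresses and timestamps used in the test are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"math"
)

const nonceSize = 12 // standard AES-GCM nonce, stored as the prefix of data_token

// CP holds the content provider's secret key SK_CP, its salt table [str_0..str_{n-1}] and the valid-token database.
type CP struct {
	SK    []byte
	Salts [][]byte
	Valid map[[32]byte]string // H(token) -> requester address, step 3-2 (4)
}

// AccToken is a typ_g token: header tokenId/typ (Enc is fixed to AES-256-GCM here) plus the six payload fields.
type AccToken struct {
	TokenID          uint64
	Typ, IPCP, IPCQ  string
	DataToken, Theta []byte
	TGen, TExp       int64 // Unix seconds
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// NewCP is the CP-side initialisation of step 3-2 (1): n random 32-byte strings (n >= 1).
func NewCP(n int) *CP {
	cp := &CP{SK: randBytes(32), Valid: map[[32]byte]string{}}
	for i := 0; i < n; i++ {
		cp.Salts = append(cp.Salts, randBytes(32))
	}
	return cp
}

// theta = H(S_user || IP_CP || IP_CQ || T_gen || T_exp || salt) with H = SHA-256; the delimiters keep the concatenation unambiguous.
func theta(sUser float64, ipcp, ipcq string, tgen, texp int64, salt []byte) []byte {
	s := sha256.Sum256(append([]byte(fmt.Sprintf("%016x|%s|%s|%d|%d|", math.Float64bits(sUser), ipcp, ipcq, tgen, texp)), salt...))
	return s[:]
}

// aead is Enc_symKey with symKey = H(theta || SK_CP); neither constructor can fail for a 32-byte key.
func (cp *CP) aead(th []byte) cipher.AEAD {
	key := sha256.Sum256(append(append([]byte{}, th...), cp.SK...))
	block, _ := aes.NewCipher(key[:])
	g, _ := cipher.NewGCM(block)
	return g
}

// tokenHash is what the valid-token database stores; it covers every field of the token.
func tokenHash(t *AccToken) [32]byte {
	return sha256.Sum256([]byte(fmt.Sprintf("%d|%s|%x|%s|%s|%d|%d|%x", t.TokenID, t.Typ, t.DataToken, t.IPCP, t.IPCQ, t.TGen, t.TExp, t.Theta)))
}

// Issue is steps (1)-(4) of 3-2 for a grant token. A T_exp not after T_gen yields a token Verify always rejects.
func (cp *CP) Issue(sUser float64, ipcp, ipcq string, tgen, texp int64) *AccToken {
	salt := cp.Salts[uint64(texp-tgen)%uint64(len(cp.Salts))] // salt = str_sn, sn = (T_exp - T_gen) mod n
	th := theta(sUser, ipcp, ipcq, tgen, texp, salt)
	plain := append(binary.BigEndian.AppendUint64(nil, math.Float64bits(sUser)), salt...) // S_user || salt
	nonce := randBytes(nonceSize)
	tok := &AccToken{TokenID: binary.BigEndian.Uint64(randBytes(8)), Typ: "typg", // 64 random bits as tokenId
		DataToken: append(nonce, cp.aead(th).Seal(nil, nonce, plain, nil)...), Theta: th,
		IPCP: ipcp, IPCQ: ipcq, TGen: tgen, TExp: texp}
	cp.Valid[tokenHash(tok)] = ipcq // step (4): the token's hash with the requester's address
	return tok
}

// Verify is 3-3 for a grant token; currentSUser is the requester's attribute score recomputed now.
func (cp *CP) Verify(tok *AccToken, now int64, currentSUser float64) (float64, error) {
	if now < tok.TGen || now > tok.TExp {
		return 0, errors.New("token outside its validity period")
	}
	if _, ok := cp.Valid[tokenHash(tok)]; !ok { // an edited field changes the hash and fails here
		return 0, errors.New("token not in the valid-token database")
	}
	// The database hit guarantees data_token is exactly as issued, so splitting off the nonce is safe.
	plain, err := cp.aead(tok.Theta).Open(nil, tok.DataToken[:nonceSize], tok.DataToken[nonceSize:], nil)
	if err != nil || len(plain) != 8+32 {
		return 0, errors.New("data_token does not decrypt")
	}
	sPrime := math.Float64frombits(binary.BigEndian.Uint64(plain)) // S'_user
	if currentSUser < sPrime {
		return 0, errors.New("current attribute score is below the score at issue")
	}
	if !hmac.Equal(theta(sPrime, tok.IPCP, tok.IPCQ, tok.TGen, tok.TExp, plain[8:]), tok.Theta) {
		return 0, errors.New("verify data theta does not match")
	}
	return sPrime, nil
}
```

Because the valid-token database stores a hash over every field, an altered token fails that lookup before any decryption is attempted; the θ comparison then confirms that the decrypted S'_user and salt belong to the token's own fields, and the S_user >= S'_user check lets CP refuse a token whose holder has since lost attributes without having to revoke it explicitly.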
5. The matching-based access control method according to claim 4, characterised in that the matching module is implemented as follows:
After the access token has been verified, CP extracts S_user from the token and uses S_user to match the POp_i in the resource set, obtaining the set of resources that CQ may access. Matching the requester to content is divided into two parts: coarse-grained matching and fine-grained matching.
4-1 Coarse-grained matching
Coarse-grained matching determines the largest accessible resource set RSet_access for CQ according to S_user:
(1) Find the even number Z closest to S_user and smaller than it;
(2) Compute the boundary grade of the accessible resource set, B = MaxS_op - Z;
(3) Obtain the largest accessible resource set of CQ, RSet_access, in which the grade scores of all resources are greater than B.
4-2 Fine-grained matching
Since RSet_access contains not only the set of resources that may be accessed but also the corresponding permitted operations, fine-grained matching is introduced to further distinguish the same user in different environments, or different users with close scores. In fine-grained matching only the resource set whose grade is POp_B is processed:
(1) Compute the difference D = S_user - Z;
(2) Obtain the subset mask;
(3) Match the permitted-operation subset of the resources at level POp_B: POp_allow = POp_B & SPOp_B;
(4) Obtain the final accessible content of CQ, RSet_allow.
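Definitions 1 and 2 of claim 2 and the two-stage matching of claim 5 fit together in one small program. The following Go code is an added example written for this page, not code from the patent or its assignee: it packs the five atomic operations into the structured byte (the bit order is an assumption; the claim fixes only the set), builds RSet keyed by grade score, then runs coarse-grained matching (Z, B, RSet_access) and fine-grained matching over the grade-B resources. The claim does not say how the subset mask SPOp_B is derived from D, so the mask rule is supplied by the caller; the rule in main and the resource names and grades are constructed sample values, and the grade score of each resource is stored explicitly because the claim gives no formula for it.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"strings"
)

// Definition 1: the five atomic operations, one bit each in the structured byte
// (1 = operation permitted). The bit order is an assumption; the claim fixes only the set.
const (
	Read     uint8 = 1 << iota // R
	Share                      // S
	Delegate                   // D
	Execute                    // E
	Modify                     // M
)

// OpString renders a permitted-operation byte with the M/E/D/S/R letters of the claim.
func OpString(pop uint8) string {
	var sb strings.Builder
	for _, op := range []struct {
		bit  uint8
		name string
	}{{Modify, "M"}, {Execute, "E"}, {Delegate, "D"}, {Share, "S"}, {Read, "R"}} {
		if pop&op.bit != 0 {
			sb.WriteString(op.name)
		}
	}
	return sb.String()
}

// Resource is one R_j: the permitted-operation byte CP marks it with (step 1-2) and the
// grade score i of the POp_i it belongs to.
type Resource struct {
	Name  string
	POp   uint8
	Score int
}

// RSet is Definition 2, RSet = {(POp_i, {R_j}_i)}: resources grouped by grade score i.
type RSet map[int][]Resource

func BuildRSet(rs []Resource) RSet {
	set := RSet{}
	for _, r := range rs {
		set[r.Score] = append(set[r.Score], r)
	}
	return set
}

// CoarseZ is step 4-1 (1): the even number closest to S_user and strictly smaller than it.
func CoarseZ(sUser float64) int {
	z := int(math.Ceil(sUser)) - 1 // largest integer strictly below S_user
	if z%2 != 0 {
		z--
	}
	if z < 0 {
		z = 0
	}
	return z
}

// Match runs coarse-grained matching (4-1) and then fine-grained matching (4-2).
// maskFor derives the subset mask SPOp_B from D = S_user - Z; the claim leaves that
// derivation unspecified, so the caller supplies it.
func Match(set RSet, maxSop int, sUser float64, maskFor func(d float64) uint8) (access, allow []Resource) {
	z := CoarseZ(sUser)
	b := maxSop - z // boundary grade B = MaxS_op - Z
	for score, rs := range set {
		if score > b { // RSet_access: every resource whose grade score exceeds B
			access = append(access, rs...)
		}
	}
	allow = append(allow, access...)
	mask := maskFor(sUser - float64(z)) // SPOp_B from D
	for _, r := range set[b] {          // only the grade-B resources are refined
		if sub := r.POp & mask; sub != 0 { // POp_allow = POp_B & SPOp_B
			allow = append(allow, Resource{Name: r.Name, POp: sub, Score: r.Score})
		}
	}
	byName := func(rs []Resource) { sort.Slice(rs, func(i, j int) bool { return rs[i].Name < rs[j].Name }) }
	byName(access)
	byName(allow)
	return access, allow
}

func main() {
	// Constructed sample: MaxS_op = 9, resources marked at the odd grade scores of equation (2).
	set := BuildRSet([]Resource{
		{Name: "notice", POp: Read, Score: 1},
		{Name: "wiki", POp: Read | Share, Score: 3},
		{Name: "build", POp: Read | Execute | Share, Score: 5},
		{Name: "config", POp: Read | Execute | Modify, Score: 7},
	})
	// Constructed mask policy: D is at most 2; a full step of 2 above Z also unlocks Share.
	maskFor := func(d float64) uint8 {
		if d >= 2 {
			return Read | Share
		}
		return Read
	}
	access, allow := Match(set, 9, 4.2, maskFor)
	for _, r := range allow {
		fmt.Printf("%-7s grade %d ops %s\n", r.Name, r.Score, OpString(r.POp))
	}
	fmt.Println(len(access), "resources came from coarse-grained matching")
}
```

With S_user = 4.2 the coarse stage gives Z = 4 and B = 5, so only the grade-7 resource is in RSet_access; the fine stage then admits the grade-5 resource with its operations reduced to the mask, which is how the claim lets two requesters with close scores end up with the same resources but different permitted operations.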
CN201910086089.0A 2019-01-29 2019-01-29 Access control method based on matching Active CN109743331B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910086089.0A CN109743331B (en) 2019-01-29 2019-01-29 Access control method based on matching

Publications (2)

Publication Number Publication Date
CN109743331A true CN109743331A (en) 2019-05-10
CN109743331B CN109743331B (en) 2021-06-15

Family

ID=66366609

Country Status (1)

Country Link
CN (1) CN109743331B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070266426A1 (en) * 2006-05-12 2007-11-15 International Business Machines Corporation Method and system for protecting against denial of service attacks using trust, quality of service, personalization, and hide port messages
CN103327002A (en) * 2013-03-06 2013-09-25 西安电子科技大学 Cloud storage access control system based on attribute
CN104994073A (en) * 2015-05-29 2015-10-21 北京奇虎科技有限公司 Cell phone terminal, server and account-device linking control and executing method
US20180227303A1 (en) * 2016-05-13 2018-08-09 Idm Global, Inc. Systems and Methods to Authenticate Users and/or Control Access Made by Users on a Computer Network using Identity Services

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110427770A (en) * 2019-06-20 2019-11-08 中国科学院信息工程研究所 A kind of Access and control strategy of database method and system for supporting service security to mark
CN110351265A (en) * 2019-07-02 2019-10-18 创新奇智(重庆)科技有限公司 A kind of authentication method based on JWT, computer-readable medium and system
CN113595743A (en) * 2021-08-04 2021-11-02 中国银行股份有限公司 Authorization token processing method and device
CN113595743B (en) * 2021-08-04 2022-10-21 中国银行股份有限公司 Authorization token processing method and device

Also Published As

Publication number Publication date
CN109743331B (en) 2021-06-15

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant