CN109743331A - A matching-based access control method - Google Patents
Publication number: CN109743331A (application CN201910086089.0A)
Authority: CN (China)
Prior art keywords: token, attribute, user, score, access
Legal status: Granted (status as listed by Google Patents, not a legal conclusion)
Classification: Storage Device Security
Abstract
The invention discloses a matching-based access control method whose entities are a content provider (CP), a content requester (CQ) and a router. CQ first sends a request to CP over a trusted network. On receiving the request, CP configures and computes the user's attributes, generates an access token for CQ and sends it to CQ. CQ then requests content with the access token. Finally, CP verifies the access token, matches the content and provides it to CQ through its access token module, content permission module and matching module. Data are transmitted over a trusted channel to protect the content, the designed access token improves access efficiency, and a combination of coarse-grained and fine-grained matching of content permissions against the requester's attribute score realizes multi-level, efficient access control.
Description
Technical field
The present invention relates to the field of access control technology, and in particular to a matching-based access control method.
Background art
Access control is the means by which a system restricts a user's ability to use data and resources according to the user's identity and the predefined policy group the user belongs to. System administrators commonly use it to control user access to network resources such as servers, directories and files. Access control is an important foundation of system security, integrity, availability and legitimate use, and one of the key strategies of network security and resource protection: on the basis of the subject's identity and certain control policies or permissions, it grants differentiated access to an object itself or to its resources.
Current types of access control mainly include discretionary access control, mandatory access control, role-based access control and attribute-based access control. Existing schemes, however, have shortcomings: low reliability, poor scalability, no consideration of the hierarchy of the accessed content, and low access efficiency.
Summary of the invention
The present invention addresses the deficiencies of existing access control schemes by providing a matching-based access control method. The invention comprises a content permission module, a user attribute module, a matching module and an access token module. The modules interact as follows:
(1) System initialization: the content permission module defines the permitted operations on content, and the user attribute module defines user attributes;
(2) Content provider initialization: the content permission module and the user attribute module are initialized; the content permission module marks the permitted operations and score of each accessible resource; in the user attribute module the content provider configures base-class and subclass user attributes and weights for potential requesters and computes the subclass attribute scores;
(3) The content requester CQ sends an access request to the content provider CP, and CP responds to CQ by returning an access token; at the CP, the user attribute module first computes CQ's attribute score, then the access token module generates an access token for CQ, which is finally sent to CQ;
(4) CQ accesses CP's content with the access token; at the CP, the access token module first verifies the token, then the matching module matches the user attribute score against the accessible content sets provided by the content permission module, and finally the content set licensed to the requester is obtained. The access token may be used multiple times within its validity period.
Content permission module: CP defines the permitted operations on content and computes and classifies content into levels according to the defined permitted operations, so as to obtain a multi-level resource set. This is implemented as follows:
1-1 Defining the permitted operations on content
Definition 1: atomic operation set (Atomic Operation Set, AOp)
AOp = {..., Modify, Execute, Delegate, Share, Read} (1)
According to the requirements of existing remote resource access, five atomic operations are defined: Modify, Execute, Delegate, Share and Read. Modify is the ability to update a resource; Execute means the resource can be executed; Delegate means the resource can be delegated to a secondary user; Share means the resource can be shared with multiple users; Read means the resource is readable. For brevity the five atomic operations are written M, E, D, S and R.
To define the permitted operations of each resource, a structured byte based on the five atomic operations is introduced: each bit stands for one atomic operation and is 1 if that operation is permitted and 0 if it is not.
1-2 Marking the permitted operations and score of resources
When the system starts, CP marks the permitted operations of each resource with an additional extended byte. All of CP's resources are reorganized into a multi-level set according to their permitted operations, see Definition 2.
Definition 2: resource set with permitted operations (Resources Set, RSet)
RSet = {(POp_i, {R_j}_i)}, i = 0, 1, 3, 5, ..., n; j = 1, 2, ..., m (2)
In CP's resource set RSet the basic pair is (POp_i, {R_j}_i): the level POp_i owns a group of resources R_j, and i is the score of the resources' permitted operations, a larger i meaning that more operations are allowed. In short, one POp_i represents one level of resources.
User attribute module: lets CP define and configure the attributes of potential CQs and assign particular attributes to the current CQ; in this way CQs are classified into different access levels. This is implemented as follows:
2-1 Defining user attributes
Definition 3: user attribute set (User Attribute Set, AttrSet)
In Definition 3, Type_i denotes the i-th base-class user attribute and {(Attr_j, Score_j)}_i the subclass attribute set of the i-th base-class attribute, written as pairs (Attr_j, Score_j), where Attr_j is the name of the j-th subclass attribute and Score_j its attribute score. The one-dimensional vector in equation (3) has m elements, m being the number of subclass attributes of the i-th base-class attribute; if CQ is assigned the j-th subclass attribute, its j-th element is set to 1 and all other elements to 0.
Definition 4: user attribute score (User Attribute Score)
The user attribute score S_user is computed according to equation (4) from the indicator vectors of Definition 3, the corresponding subclass score vectors given by equation (5) and the attribute weight vector; for ease of calculation the vectors of Definition 3 are written in simplified form.
2-2 Configuring the attributes of potential requesters
When the system starts, CP first configures the basic user attribute types, i.e. the base-class attributes, for potential CQs, configures the weight of each base-class attribute and its subclass attributes, and computes the attribute score of each subclass attribute. The computation proceeds as follows:
(1) Input the maximum resource permitted-operation score MaxS_op defined by CP in the system, the quantization strategy (Strategy) for attribute scores, and the attribute set {(Type_i, {Attr_j}_i)} whose scores are to be computed;
(2) Select the Strategy to execute: 1 quantizes the subclass attribute scores as an arithmetic progression, 2 as a geometric progression; the largest attribute score is set to MaxS_op − 1 and the smallest to 1;
(3) Output the attribute set with attribute scores, {(Type_i, {(Attr_j, Score_j)}_i)}.
2-3 Computing the requester's attribute score
When a request is received from a content requester, the content provider assigns attributes to the requester: for each base class it selects one subclass attribute for the requester, then computes the requester's attribute score with the formula of Definition 4.
Access token module: when CP responds to CQ's request, an access token is returned to CQ; the access token is a valid and unique access-permission identifier that CP defines for CQ.
3-1 Access token format
The access token has two parts, a token header and a token payload. The token header contains three fields: token ID (tokenId), token type (typ_x) and encryption algorithm (Enc); there are three token types: grant (typ_g), share (typ_s) and delegate (typ_d). The token payload contains six fields: token data (data_token), source address (IP_CP), destination address (IP_CQ), generation time (T_gen), expiration time (T_exp) and verification data.
3-2 Token generation
CP generates an access token of type typ_g as follows:
(1) CP initialization: the system first generates n random strings [str_0, str_1, ..., str_{n-1}], each 32 bytes long, then computes sn = (T_exp − T_gen) mod n from T_gen and T_exp, and takes salt = str_sn as the salt for the current hash computation;
(2) Token header generation: 64 random bits are chosen as the token ID, the token type is set to typ_g, the symmetric cipher DES or AES is selected, and the hash algorithm SHA-1 or SHA-2 is selected;
(3) Access token generation: the verification data is generated, the required symmetric key symKey is computed, and the user attribute score is encrypted with this key to obtain the token data, data_token = Enc_symKey(S_user || salt); the access token is then assembled from the header and the payload;
(4) Access token storage: the hash of the token and the requester's address are stored together in the local valid-token database; to revoke a token, CP deletes it from the valid-token database and adds it to the revoked-token database.
Share tokens (typ_s) and delegate tokens (typ_d), generated by the sharing party or the delegating party, are produced in the same way except for data_token and the verification data: data_token consists of the share code or delegation code together with the sharer's or delegator's grant token, and the verification data of these two token types is empty.
3-3 Token verification
When CP receives a grant token AccToken_g, it first checks whether the token is within its validity period; if so, whether the token is in the local valid-token database; if so, it extracts the fields from the token, generates the symmetric key and decrypts data_token. If decryption succeeds and yields S'_user, it checks that the requester's current user attribute score S_user is greater than or equal to the decrypted S'_user; if so, it continues by recomputing the verification data from the fields extracted from the token and checking that it matches. If it does, AccToken_g is valid and the user's attribute score is S_user.
When CP receives a delegate token AccToken_d, it first checks whether the token is within its validity period; if so, whether it is in the local valid-token database; if so, AccToken_d is valid.
When the sharing participant receives a share token AccToken_s, it first checks whether the token is within its validity period; if so, AccToken_s is valid.
Matching module: after the access token has been verified, CP extracts S_user from the token and matches it against the POp_i of the resource set to obtain CQ's accessible resource set. Matching the requester against content has two parts: coarse-grained matching and fine-grained matching.
4-1 Coarse-grained matching
Coarse-grained matching finds CQ's maximum accessible resource set RSet_access according to S_user:
(1) Find the even number Z closest to and less than S_user;
(2) Compute the boundary level of the accessible resource set, B = MaxS_op − Z;
(3) Obtain CQ's maximum accessible resource set RSet_access, consisting of all resources whose level score is at least B.
4-2 Fine-grained matching
Since RSet_access contains not only the resources that may be accessed but also their permitted operations, fine-grained matching is introduced to further distinguish the same user in different environments, or different users with close scores. Fine-grained matching processes only the resources at level POp_B:
(1) Compute the difference D = S_user − Z;
(2) Obtain the subset mask SPOp_B;
(3) Match the permitted-operation subset of the level-POp_B resources, POp_allow = POp_B & SPOp_B;
(4) Obtain CQ's final accessible content RSet_allow.
The beneficial effects of the invention are as follows:
Data are transmitted over a trusted channel, which protects the content; the designed access token improves access efficiency; and, based on the content permissions and the requester's attribute score, coarse-grained matching combined with fine-grained matching realizes multi-level, efficient access control.
Description of the drawings
Fig. 1 is the structure diagram of the matching-based access control system;
Fig. 2 shows the structured byte that represents the permitted operations.
Specific embodiments
The invention is further explained below with reference to the drawings and examples.
As shown in Figs. 1 and 2, a matching-based access control method comprises a content permission module, a user attribute module, an access token module and a matching module. The modules interact in the steps described above (see Fig. 1); the specific implementation of each module is as follows.
1 Content permission module: the content provider (CP) defines the permitted operations on content and computes and classifies content into levels according to the defined permitted operations, so as to obtain a multi-level resource set.
1-1 Defining the permitted operations on content
To make the concrete operations on each resource easy to describe, an atomic operation set is introduced (see Def. 1).
Definition 1: atomic operation set (Atomic Operation Set, AOp)
AOp = {..., Modify, Execute, Delegate, Share, Read} (1)
According to the requirements of existing remote resource access, five atomic operations are defined: Modify, Execute, Delegate, Share and Read. Modify is the ability to update a resource; Execute means the resource can be executed; Delegate means the resource can be delegated to a secondary user; Share means the resource can be shared with multiple users; Read means the resource is readable. For brevity the five atomic operations are written M, E, D, S and R. More atomic operations may of course be introduced for new application requirements.
To define the permitted operations of each resource, a structured byte based on the above five atomic operations is introduced. In the structured byte (POp, shown in Fig. 2) each bit stands for one atomic operation and is 1 if that operation is permitted and 0 if it is not. In Fig. 2, a resource that does not allow remote access at all has POp 0, and its level is written POp_0 or POp_min; a resource that allows all atomic operations when accessed remotely has POp 31, and its level is written POp_31 or POp_max. The value i of POp_i is taken as the score of that resource level; MaxS_op is assumed to be 31 and MinS_op to be 1.
Of the five atomic operations, Read is a prerequisite for the other four, so there are 17 permitted-operation patterns of resources and corresponding content levels (see Table 1).
1-2 Marking the permitted operations and score of resources
When the system starts, CP marks the permitted operations of each resource (according to Definition 1) with an additional extended byte. All of CP's resources are then reorganized into a multi-level set according to their permitted operations, see Definition 2.
Definition 2: resource set with permitted operations (Resources Set, RSet)
RSet = {(POp_i, {R_j}_i)}, i = 0, 1, 3, 5, ..., n; j = 1, 2, ..., m (2)
In CP's resource set RSet the basic pair is (POp_i, {R_j}_i): the level POp_i owns a group of resources R_j, and i is the score of the resources' permitted operations, a larger i meaning that more operations are allowed. In short, one POp_i represents one level of resources; Table 1 illustrates the level marks and corresponding permitted operations of 31 resources.
Table 1: permitted operations of resources
In Table 1, R1 is at level POp_0, and R3 and R9 are at level POp_27. R1's score is 0, and likewise S_R3 = 27, S_R9 = 27, S_R13 = 1, and so on. If a resource R_j carries the Share operation, the requester is allowed to share it with other users, and CP generates a share code sCode for such resources, derived from the resource's score and a timestamp st. For resources that carry the Delegate operation, CP generates a delegation code dCode.
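The following Go program is an added worked example, not code from the patent: it encodes the structured byte of Definition 1 with the bit order implied by the levels quoted from Table 1 (POp_1 = Read only, POp_27 = 11011b, so Read is the least significant bit), enumerates the 17 permitted-operation patterns that follow from the Read prerequisite, and reorganises marked resources into the multi-level set of Definition 2. The resources R1, R3, R9 and R13 and their levels are the Table 1 entries quoted above; everything else (names of functions, the rejection of marks that lack Read) is this example's own choice.

```go
package main

import "fmt"

// Bit layout of the structured byte POp. The text lists the atomic operations as
// Modify, Execute, Delegate, Share, Read and gives R13 = POp_1 (Read only) and
// R3 = POp_27 = 11011b (M, E, S, R), so Read is the least significant bit.
const (
	Read     = 1 << 0
	Share    = 1 << 1
	Delegate = 1 << 2
	Execute  = 1 << 3
	Modify   = 1 << 4
	MaxSop   = 31 // POp_max: all five operations permitted
)

// Valid reports whether a POp value is one of the 17 permitted patterns:
// POp_0 (no remote access) or any pattern that includes Read, since Read is a
// prerequisite for the other four operations.
func Valid(pop int) bool { return pop == 0 || pop&Read != 0 }

// ValidLevels lists the level scores i of Definition 2: 0, 1, 3, 5, ..., 31.
func ValidLevels() []int {
	var out []int
	for i := 0; i <= MaxSop; i++ {
		if Valid(i) {
			out = append(out, i)
		}
	}
	return out
}

// Ops renders a POp value with the letters M, E, D, S, R; POp_0 renders as "-".
func Ops(pop int) string {
	if pop == 0 {
		return "-"
	}
	s := ""
	for _, op := range []struct {
		bit int
		c   string
	}{{Modify, "M"}, {Execute, "E"}, {Delegate, "D"}, {Share, "S"}, {Read, "R"}} {
		if pop&op.bit != 0 {
			s += op.c
		}
	}
	return s
}

// Resource is one entry marked by CP at start-up with its extended byte.
type Resource struct {
	Name string
	POp  int
}

// BuildRSet reorganises resources into the multi-level set of Definition 2,
// RSet = {(POp_i, {R_j}_i)}, rejecting marks that violate the Read prerequisite.
func BuildRSet(rs []Resource) (map[int][]string, error) {
	set := map[int][]string{}
	for _, r := range rs {
		if !Valid(r.POp) {
			return nil, fmt.Errorf("%s: POp %05b permits operations without Read", r.Name, r.POp)
		}
		set[r.POp] = append(set[r.POp], r.Name)
	}
	return set, nil
}

func main() {
	fmt.Println(len(ValidLevels()), "levels:", ValidLevels())
	// R1, R3, R9 and R13 with their levels are the Table 1 entries quoted in the text.
	set, err := BuildRSet([]Resource{{"R1", 0}, {"R3", 27}, {"R9", 27}, {"R13", 1}})
	for lvl, names := range set {
		fmt.Printf("POp_%d (%s): %v\n", lvl, Ops(lvl), names)
	}
	fmt.Println(err)
}
```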
2 User attribute module: this module lets CP define and configure the attributes of potential content requesters (content requester, CQ) and assign particular attributes to the current CQ; in this way CQs are classified into different access levels.
2-1 Defining user attributes
Definition 3: user attribute set (User Attribute Set, AttrSet)
In Definition 3, Type_i denotes the i-th base-class user attribute and {(Attr_j, Score_j)}_i the subclass attribute set of the i-th base-class attribute, written as pairs (Attr_j, Score_j), where Attr_j is the name of the j-th subclass attribute and Score_j its attribute score (computed by Algorithm 1, see the implementation below). The one-dimensional vector in equation (3) has m elements, m being the number of subclass attributes of the i-th base-class attribute; if CQ is assigned the j-th subclass attribute, its j-th element is set to 1 and all other elements to 0.
To better fit practical applications, a weight is introduced for each base-class user attribute when computing the user attribute score; it determines how much each attribute counts in the attribute rating. For the k base-class attributes, the weights sum to 1. From this the formula for the user attribute score follows, see Definition 4.
Definition 4: user attribute score (User Attribute Score)
The user attribute score S_user is computed according to equation (4) from the indicator vectors of Definition 3, the corresponding subclass score vectors given by equation (5) and the attribute weight vector; for ease of calculation the vectors of Definition 3 are written in simplified form.
2-2 Configuring the attributes of potential requesters
When the system starts, CP first configures the basic user attribute types, i.e. the base-class attributes, for potential CQs, configures the weight of each base-class attribute and its subclass attributes, and computes the attribute score of each subclass attribute according to Algorithm 1. Algorithm 1 proceeds as follows:
(1) Input the maximum resource permitted-operation score MaxS_op defined by CP in the system, the quantization strategy (Strategy) for attribute scores, and the attribute set {(Type_i, {Attr_j}_i)} whose scores are to be computed.
(2) Select the Strategy to execute: 1 quantizes the subclass attribute scores as an arithmetic progression, 2 as a geometric progression. The largest attribute score is set to MaxS_op − 1 and the smallest to 1.
(3) Output the attribute set with attribute scores, {(Type_i, {(Attr_j, Score_j)}_i)}.
As described above, CP can customize the base-class attribute names, their weights and their subclass attributes. For clarity, Table 2 gives an example of CP's attribute configuration with three basic user attributes, the subclass attribute scores being quantized with the arithmetic-progression strategy of Algorithm 1.
Table 2: example user attribute configuration
2-3 Computing the requester's attribute score
When a request is received from a content requester, the content provider assigns attributes to the requester: for each base class it selects one subclass attribute for the requester, then computes the requester's attribute score with the formula of Definition 4.
For example, a requester who is a friend, an individual and from the same province sends an access token request to CP; CP computes the requester's score from the entries with grey background in Table 2: the friend attribute scores 15, the personal attribute 10 and the same-province attribute 12. With the weights W = (0.5, 0.3, 0.2) from Table 2, Definition 4 gives 0.5 × 15 + 0.3 × 10 + 0.2 × 12 = 12.9, so the requester's attribute score is 12.9.
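As an added example (not part of the patent), the Go program below implements Algorithm 1 and Definition 4 as described above. The page names the two quantization strategies and fixes the endpoints 1 and MaxS_op − 1 but does not give their formulas, so the arithmetic and geometric progressions, the rounding to integers and the handling of a base class with a single subclass are assumptions. The weighted-sum form of Definition 4 and the requirement that the weights sum to 1 follow the worked example (0.5 × 15 + 0.3 × 10 + 0.2 × 12 = 12.9); the base-class names and all subclass names and scores other than friend/15, personal/10 and same province/12 are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

const MaxSop = 31 // maximum resource permitted-operation score (POp_31)

// Strategy selects how Algorithm 1 quantizes the subclass scores of one base class.
type Strategy int

const (
	Arithmetic Strategy = 1 // scores form an arithmetic progression (class equal difference)
	Geometric  Strategy = 2 // scores form a geometric progression (class equal ratio)
)

// QuantizeSubclasses assigns a score to each of n subclass attributes, ordered from
// lowest to highest privilege, with smallest score 1 and largest MaxS_op - 1 as the
// page requires. The exact progressions and the rounding are assumptions.
func QuantizeSubclasses(n int, maxSop int, s Strategy) ([]int, error) {
	lo, hi := 1.0, float64(maxSop-1)
	if n < 1 {
		return nil, errors.New("a base class needs at least one subclass")
	}
	if n == 1 { // nothing to grade: the only subclass gets the full score (assumption)
		return []int{int(hi)}, nil
	}
	out := make([]int, n)
	for j := 0; j < n; j++ {
		var v float64
		switch s {
		case Arithmetic:
			v = lo + float64(j)*(hi-lo)/float64(n-1)
		case Geometric:
			v = lo * math.Pow(hi/lo, float64(j)/float64(n-1))
		default:
			return nil, fmt.Errorf("unknown strategy %d", s)
		}
		out[j] = int(math.Round(v))
	}
	return out, nil
}

// BaseClass is one entry of the configured set {(Type_i, {(Attr_j, Score_j)}_i)}
// together with the weight of the base-class attribute.
type BaseClass struct {
	Type   string
	Weight float64
	Scores map[string]int // subclass attribute name -> Score_j
}

// UserScore implements Definition 4 as a weighted sum: for each base class the score
// of the one subclass assigned to the requester is multiplied by the base-class weight.
// Every base class must be assigned and the weights must sum to 1.
func UserScore(classes []BaseClass, assigned map[string]string) (float64, error) {
	total, wsum := 0.0, 0.0
	for _, c := range classes {
		sub, ok := assigned[c.Type]
		if !ok {
			return 0, fmt.Errorf("no subclass assigned for base class %q", c.Type)
		}
		sc, ok := c.Scores[sub]
		if !ok {
			return 0, fmt.Errorf("%q is not a subclass of %q", sub, c.Type)
		}
		total += c.Weight * float64(sc)
		wsum += c.Weight
	}
	if math.Abs(wsum-1) > 1e-9 {
		return 0, fmt.Errorf("weights sum to %g, not 1", wsum)
	}
	return total, nil
}

// ExampleClasses reproduces the Table 2 entries quoted in the text (friend 15,
// personal 10, same province 12, weights 0.5/0.3/0.2); the other subclasses and
// scores are constructed for this example, not taken from the page.
func ExampleClasses() []BaseClass {
	return []BaseClass{
		{"relationship", 0.5, map[string]int{"stranger": 1, "friend": 15, "family": 30}},
		{"identity", 0.3, map[string]int{"personal": 10, "organization": 30}},
		{"region", 0.2, map[string]int{"same province": 12, "same city": 30}},
	}
}

func main() {
	fmt.Println(QuantizeSubclasses(4, MaxSop, Arithmetic))
	fmt.Println(QuantizeSubclasses(4, MaxSop, Geometric))
	assigned := map[string]string{"relationship": "friend", "identity": "personal", "region": "same province"}
	fmt.Println(UserScore(ExampleClasses(), assigned))
}
```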
3 Access token module: when CP responds to CQ's request, an access token is returned to CQ. The access token is a valid and unique access-permission identifier that CP defines for CQ.
3-1 Access token format
The access token has two parts, a token header and a token payload. The token header contains three fields: token ID (tokenId), token type (typ_x) and encryption algorithm (Enc); there are three token types: grant (typ_g), share (typ_s) and delegate (typ_d). The token payload contains six fields: token data (data_token), source address (IP_CP), destination address (IP_CQ), generation time (T_gen), expiration time (T_exp) and verification data (see Table 3).
Table 3: access token format
3-2 Token generation
CP generates an access token of type typ_g as follows:
(1) CP initialization. The system first generates n random strings [str_0, str_1, ..., str_{n-1}], each 32 bytes long, then computes sn = (T_exp − T_gen) mod n from T_gen and T_exp, and takes salt = str_sn as the salt for the current hash computation.
(2) Token header generation. 64 random bits are chosen as the token ID, the token type is set to typ_g, the symmetric cipher DES or AES is selected, and the hash algorithm SHA-1 or SHA-2 is selected.
(3) Access token generation. The verification data is generated, the required symmetric key symKey is computed, and the user attribute score is encrypted with this key to obtain the token data, data_token = Enc_symKey(S_user || salt). The access token is then assembled from the header and the payload.
(4) Access token storage. The hash of the token and the requester's address are stored together in the local valid-token database. Note: to revoke a token, CP deletes it from the valid-token database and adds it to the revoked-token database.
Share tokens (typ_s) and delegate tokens (typ_d), generated by the sharing party or the delegating party, are produced in the same way except for data_token and the verification data. Here data_token consists of the share code or delegation code together with the sharer's or delegator's grant token, data_token = Enc_PK(xCode) || H(AccToken_g) with xCode = sCode or dCode, and the verification data of these two token types is empty.
3-3 Token verification
When CP receives a grant token AccToken_g, it first checks whether the token is within its validity period; if so, whether the token is in the local valid-token database; if so, it extracts the fields from the token, generates the symmetric key and decrypts data_token. If decryption succeeds and yields S'_user, it checks that the requester's current user attribute score S_user is greater than or equal to the decrypted S'_user, then continues by recomputing the verification data from the fields extracted from the token and checking that it matches. If it does, AccToken_g is valid and the user's attribute score is S_user.
When CP receives a delegate token AccToken_d, it first checks whether the token is within its validity period; if so, whether it is in the local valid-token database; if so, AccToken_d is valid.
When the sharing participant receives a share token AccToken_s, it first checks whether the token is within its validity period; if so, AccToken_s is valid.
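The following Go program is an added example of the typ_g token lifecycle of 3-2 and 3-3 (generation, storage, verification and revocation); it is not the patent's code. It keeps the page's structure (n random 32-byte strings, salt = str_sn with sn = (T_exp − T_gen) mod n, data_token = Enc_symKey(S_user || salt), a valid-token and a revoked-token database keyed by the token's hash, and the checks of 3-3) but fills in what the page leaves open: the symmetric key is derived as SHA-256 over an assumed provider master secret and the token ID, the verification data is an HMAC-SHA256 over the other fields, and the cipher is AES-256-GCM. DES and SHA-1, which the page lists as options, should not be used in a new implementation: DES has a 56-bit key and SHA-1 collisions are practical. The verification-data check is done before decryption rather than last as in 3-3, so a tampered token is rejected before any key is used. Share and delegate tokens are not covered, since the page verifies them on validity period and database membership alone.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"math"
	"time"
)

// Token follows the Table 3 layout: header (tokenId, typ, Enc) and payload
// (data_token, IP_CP, IP_CQ, T_gen, T_exp, verification data).
type Token struct {
	TokenID    [8]byte // 64 random bits
	Typ        byte    // 'g' grant, 's' share, 'd' delegate
	Enc        string  // AES-256-GCM here; DES is deliberately not offered
	Data       []byte  // nonce || Enc_symKey(S_user || salt)
	IPCP, IPCQ string
	TGen, TExp int64  // Unix seconds
	Verify     []byte // HMAC-SHA256 over all other fields (assumed construction)
}

// CP holds the provider state: the n random 32-byte strings of step (1), an assumed master secret for key derivation, and the valid/revoked token databases keyed by SHA-256(token).
type CP struct {
	master  []byte
	salts   [][]byte
	valid   map[[32]byte]string // token hash -> requester address
	revoked map[[32]byte]bool
}

func NewCP(n int) *CP {
	cp := &CP{master: make([]byte, 32), salts: make([][]byte, n), valid: map[[32]byte]string{}, revoked: map[[32]byte]bool{}}
	rand.Read(cp.master)
	for i := range cp.salts { cp.salts[i] = make([]byte, 32); rand.Read(cp.salts[i]) }
	return cp
}

// salt returns str_sn with sn = (T_exp - T_gen) mod n, as in step (1) of 3-2.
func (cp *CP) salt(t *Token) []byte { return cp.salts[int(t.TExp-t.TGen)%len(cp.salts)] }

// aead derives the per-token AES key; the page gives no formula, so SHA-256(master || tokenId) is assumed.
func (cp *CP) aead(t *Token) cipher.AEAD {
	k := sha256.Sum256(append(append([]byte{}, cp.master...), t.TokenID[:]...))
	blk, _ := aes.NewCipher(k[:])
	g, _ := cipher.NewGCM(blk)
	return g
}

// fields serialises everything the verification data covers (all fields but Verify).
func (t *Token) fields() []byte {
	return []byte(fmt.Sprintf("%x|%c|%s|%s|%s|%d|%d|%x", t.TokenID, t.Typ, t.Enc, t.IPCP, t.IPCQ, t.TGen, t.TExp, t.Data))
}
func (cp *CP) mac(t *Token) []byte { m := hmac.New(sha256.New, cp.master); m.Write(t.fields()); return m.Sum(nil) }
func (t *Token) hash() [32]byte { return sha256.Sum256(append(t.fields(), t.Verify...)) }

// Grant performs steps (1)-(4) of 3-2 for a typ_g token.
func (cp *CP) Grant(ipCP, ipCQ string, sUser float64, tGen time.Time, ttl time.Duration) *Token {
	t := &Token{Typ: 'g', Enc: "AES-256-GCM", IPCP: ipCP, IPCQ: ipCQ, TGen: tGen.Unix(), TExp: tGen.Add(ttl).Unix()}
	rand.Read(t.TokenID[:])
	var score [8]byte
	binary.BigEndian.PutUint64(score[:], math.Float64bits(sUser))
	nonce := make([]byte, 12)
	rand.Read(nonce)
	t.Data = append(nonce, cp.aead(t).Seal(nil, nonce, append(score[:], cp.salt(t)...), nil)...)
	t.Verify = cp.mac(t)
	cp.valid[t.hash()] = ipCQ // step (4): token hash stored with the requester address
	return t
}

// Revoke moves a token from the valid-token database to the revoked-token database.
func (cp *CP) Revoke(t *Token) { h := t.hash(); delete(cp.valid, h); cp.revoked[h] = true }

// VerifyGrant runs the checks of 3-3 for a typ_g token and returns the S'_user it carries.
// The verification data is checked before decryption rather than last, as in 3-3.
func (cp *CP) VerifyGrant(t *Token, now time.Time, currentScore float64) (float64, error) {
	if now.Unix() < t.TGen || now.Unix() > t.TExp { return 0, errors.New("token outside its validity period") }
	if _, ok := cp.valid[t.hash()]; !ok { return 0, errors.New("token not in the valid-token database") }
	if !hmac.Equal(t.Verify, cp.mac(t)) { return 0, errors.New("verification data mismatch") }
	if len(t.Data) < 12 { return 0, errors.New("malformed data_token") }
	plain, err := cp.aead(t).Open(nil, t.Data[:12], t.Data[12:], nil)
	if err != nil || len(plain) != 40 { return 0, errors.New("data_token decryption failed") }
	if !hmac.Equal(plain[8:], cp.salt(t)) { return 0, errors.New("salt does not match str_sn") }
	stored := math.Float64frombits(binary.BigEndian.Uint64(plain[:8]))
	if currentScore < stored { return 0, fmt.Errorf("current score %.1f is below the token's %.1f", currentScore, stored) }
	return stored, nil
}

func main() {
	cp, now := NewCP(8), time.Now()
	tok := cp.Grant("10.0.0.1", "10.0.0.2", 12.9, now, time.Hour)
	fmt.Println(cp.VerifyGrant(tok, now.Add(time.Minute), 12.9))
	cp.Revoke(tok)
	fmt.Println(cp.VerifyGrant(tok, now.Add(time.Minute), 12.9))
}
```

Because AES-GCM is an authenticated cipher, decryption of data_token already fails on any modification of the ciphertext; the separate verification data still covers the header, the addresses and the times, which the ciphertext does not.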
4 Matching module
After the access token has been verified, CP extracts S_user from the token and matches it against the POp_i of the resource set to obtain CQ's accessible resource set. The matching module realizes multi-level access control by matching CQ's attribute score against the content level scores (see Algorithm 2), in two steps: coarse-grained matching and fine-grained matching.
4-1 Coarse-grained matching
Coarse-grained matching finds CQ's maximum accessible resource set RSet_access according to S_user; briefly:
(1) Find the even number Z closest to and less than S_user.
(2) Compute the boundary level of the accessible resource set, B = MaxS_op − Z.
(3) Obtain CQ's maximum accessible resource set RSet_access, the resources whose level score is at least B: RSet_access = {(POp_B, {RSet_j}_B), (POp_{B+2}, {RSet_j}_{B+2}), ..., (POp_n, {RSet_j}_n)}; the concrete implementation is given in Algorithm 3.
4-2 Fine-grained matching
Since RSet_access contains not only the resources that may be accessed but also their permitted operations, fine-grained matching is introduced to further distinguish the same user in different environments, or different users with close scores. Fine-grained matching processes only the resources at level POp_B; briefly (see Algorithm 4 for details):
(1) Compute the difference D = S_user − Z.
(2) Obtain the subset mask SPOp_B.
(3) Match the permitted-operation subset of the level-POp_B resources, POp_allow = POp_B & SPOp_B.
(4) Obtain CQ's final accessible content RSet_allow.
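The Go program below is an added example of the matching module, not the patent's own code: it computes Z, B and RSet_access of 4-1 and applies the fine-grained step of 4-2 to the boundary level. Because the page defines the subset mask SPOp_B from D = S_user − Z without giving the formula, the mask rule is a parameter, and ReadOnlyBelowOne is a constructed rule used only to run the example. Resources R1, R3, R9 and R13 with their levels are the Table 1 entries quoted in the text; R5 (POp_19) and R2 (POp_31) are constructed. The bit order (Read as the low bit) is the one implied by POp_27 = 11011b.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

const MaxSop = 31 // POp_max; POp bits are read as M E D S R with Read as the low bit

// CoarseZ returns Z, the even integer closest to and strictly below S_user.
func CoarseZ(sUser float64) int {
	z := int(math.Ceil(sUser)) - 1 // largest integer strictly below sUser
	if z%2 != 0 {
		z--
	}
	if z < 0 {
		z = 0
	}
	return z
}

// Boundary returns B = MaxS_op - Z. Because Z is even, B is odd, i.e. a level
// whose permitted operations include Read.
func Boundary(sUser float64) int { return MaxSop - CoarseZ(sUser) }

// Allowed is one resource of RSet_allow with the operations CQ may perform on it.
type Allowed struct {
	Name string
	Ops  int // permitted-operation bits
}

// Match performs coarse-grained matching (levels B, B+2, ..., MaxS_op form
// RSet_access) followed by fine-grained matching, which restricts the boundary
// level to POp_B & SPOp_B. The page derives SPOp_B from D = S_user - Z without
// giving the formula, so the rule is supplied by the caller as maskFor.
func Match(rset map[int][]string, sUser float64, maskFor func(d float64) int) []Allowed {
	z := CoarseZ(sUser)
	b := MaxSop - z
	mask := maskFor(sUser - float64(z))
	var out []Allowed
	for lvl := b; lvl <= MaxSop; lvl += 2 {
		ops := lvl
		if lvl == b {
			ops = b & mask // fine-grained step applies only to level POp_B
		}
		names := append([]string(nil), rset[lvl]...)
		sort.Strings(names)
		for _, n := range names {
			out = append(out, Allowed{n, ops})
		}
	}
	return out
}

// ReadOnlyBelowOne is a constructed mask rule (an assumption, not the page's):
// with D < 1 the boundary level keeps only Read, otherwise all its operations.
func ReadOnlyBelowOne(d float64) int {
	if d < 1 {
		return 1
	}
	return MaxSop
}

func main() {
	// R1, R3, R9, R13 and their levels are quoted from Table 1; R5 and R2 are constructed.
	rset := map[int][]string{0: {"R1"}, 1: {"R13"}, 19: {"R5"}, 27: {"R3", "R9"}, 31: {"R2"}}
	fmt.Printf("S_user=12.9: Z=%d B=%d\n", CoarseZ(12.9), Boundary(12.9))
	for _, a := range Match(rset, 12.9, ReadOnlyBelowOne) {
		fmt.Printf("%s: allowed operations %05b\n", a.Name, a.Ops)
	}
}
```

With S_user = 12.9 the example gives Z = 12 and B = 19 (M, S, R), so the level-19 resource is reached only through the fine-grained mask while the level-27 and level-31 resources keep their full permitted operations.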
Claims (5)
1. one kind is based on matched access control method, it is characterised in that including content rights module, user property module, matching
Module and access token module, modules interactive step are as follows:
(1) system initialization initializes the permit operation of content rights module definition content, the definition of initialising subscriber attribute module
User property;
(2) content provider end initializes, and initializes content rights module and user property module, content rights module marks can
The permit operation of resource and score are accessed, user property module contents supplier is that potential requestor configures user's base class and son
Generic attribute, weight simultaneously calculate subclass attribute score;
(3) content requestor CQ initiates access request and responds CQ and backward reference token to content provider CP, CP;At the end CP,
The attribute score of user property module calculating CQ first, then access token module is that CQ generates access token, is last transmitted to
CQ;
(4) CQ accesses the content of CP using the access token;At the end CP, access token module first carries out token authentication, then
Matching module accessible content collection according to provided by user property score and content rights module is matched, this is finally obtained
The license of requestor accesses content set;In addition the access token can be used for multiple times within its validity period.
2. according to claim 1 a kind of based on matched access control method, it is characterised in that
In content rights module, CP define content allow operate and according to defined permit operation to content carry out calculate and
Grade classification is implemented as follows with realizing multi-level resource set:
1-1 defines the permit operation of content
Definition 1: atomic operation collection (Atomic Operation Set, AOp)
AOp=..., Modify, Execute, Delegate, Share, Read } (1)
According to existing remote access resource requirement, define five kinds of atomic operations: modification (Modify) executes (Execute), committee
It holds in the palm (Delegate), shares (Share), read (Read);
Wherein, Modify refers to the ability of more new resources, and Execute expression can execute resource, and Delegate indicates to incite somebody to action
Delegation of resources is to secondary user, and Share refers to that the resource can share to multiple users, and Read indicates that resource is readable;
This five atomic operations can be expressed as M, E, D, S, R for ease of description;
In order to define the permit operation of each resource, the structuring byte based on five kinds of atomic operations is introduced;Wherein every expression
Atomic operation is 0 if there is no position then correspond to and if so, corresponding position is 1;
The permit operations of 1-2 markup resources and score
CP is each resource mark permit operation using additional extended byte upon power-up of the system;All resources of CP will be weighed
New tissue is detailed in definition 2 to a multi-level permit operation gathered according to them;
Definition 2: the resource set (Resources Set, RSet) with permit operation
RSet={ (Popi,{Rj}i), i=0,1,3,5...n, j=1,2 ..., m (2)
In the resource set RSet of CP, basic binary group is (Popi,{Rj}i), one of PopiPossess one group of resource Rj, i table
Show the score of the permit operation of resource, wherein the bigger expression of i allows more operations;To sum up, a POpiRepresent one
The resource of grade.
3. The matching-based access control method according to claim 2, characterised in that the user attribute module allows CP to define and configure the attributes of potential CQs and to assign particular attributes to the current CQ, so that CQs are classified into different access levels; it is implemented as follows:
2-1 Defining user attributes
Definition 3: user attribute set (User Attribute Set, AttrSet)
In definition 3, Type_i denotes the user attribute of the i-th base class, and the subclass attribute set of the i-th base class attribute can also be written as binary groups (Attr_j, Score_j), where Attr_j denotes the j-th subclass attribute name and Score_j the corresponding attribute score; in the one-dimensional vector of equation (3), the subscript m is the number of subclass attributes of the i-th base class attribute, and if CQ is assigned the j-th subclass attribute, the j-th element of that vector is set to 1 and the other elements to 0;
Definition 4: user attribute score (User Attribute Score)
The user attribute score S_user is calculated according to equation (4) from a set of scores, given in equation (5), and the weight vector of the attributes; for convenience of calculation, the vector of definition 3 is written in a simplified form.
2-2 Configuring the attributes of potential requestors
When the system starts, CP first needs to configure the basic user attribute types for potential CQs, that is, the base class attributes, and to configure the corresponding weight and subclass attributes for each base class attribute, while computing an attribute score for each subclass attribute; the calculation is implemented as follows:
(1) Input the maximum resource permit-operation score defined by CP in the system (MaxS_op), the quantization strategy for attribute scores (Strategy), and the attribute set {(Type_i, {Attr_j}_i)} whose scores are to be calculated;
(2) Select the Strategy to execute, where 1 denotes the equal-difference (arithmetic) quantization strategy for subclass attribute scores and 2 denotes the equal-ratio (geometric) quantization strategy; when attribute scores are calculated, the largest attribute score is set to MaxS_op - 1 and the smallest to 1;
(3) Output the attribute set containing the attribute scores, {(Type_i, {(Attr_j, Score_j)}_i)};
2-3 Computing the requestor's attribute score
When a request from a content requestor is received, the content provider needs to assign attributes to the content requestor; for each base class attribute the content provider selects one subclass attribute for the content requestor and computes the requestor's attribute score using the attribute score formula given in definition 4.
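Steps 2-2 and 2-3 above as a runnable illustration; this is an added example, not code from the patent. The page fixes only the two strategy names and the endpoints 1 and MaxS_op - 1, so the exact spacing, the rounding to integers, and reading S_user as the weighted sum of the assigned subclass scores (in place of the page's equations (4) and (5)) are this example's assumptions, and the attribute set is constructed.

```python
from typing import Dict, List, Tuple

AttrSet = Dict[str, Tuple[float, List[str]]]            # Type_i -> (weight, [Attr_j ...] lowest first)
Configured = Dict[str, Tuple[float, Dict[str, int]]]    # Type_i -> (weight, {Attr_j: Score_j})

def quantize_scores(subclasses: List[str], max_s_op: int, strategy: int) -> Dict[str, int]:
    """Step 2-2 (2): score the m ranked subclass attributes between 1 and MaxS_op - 1.
    Strategy 1 spaces them by equal difference, 2 by equal ratio; rounding to integers and the
    exact spacing are this example's reading, the page only fixes the endpoints and the names."""
    m, top = len(subclasses), max_s_op - 1
    if m == 1:
        return {subclasses[0]: top}
    if strategy == 1:
        raw = [1 + k * (top - 1) / (m - 1) for k in range(m)]
    elif strategy == 2:
        raw = [top ** (k / (m - 1)) for k in range(m)]
    else:
        raise ValueError("Strategy must be 1 (equal difference) or 2 (equal ratio)")
    return {name: int(round(v)) for name, v in zip(subclasses, raw)}

def configure_attributes(max_s_op: int, strategy: int, attr_set: AttrSet) -> Configured:
    """Step 2-2 (1)-(3): {(Type_i, {Attr_j}_i)} in, {(Type_i, {(Attr_j, Score_j)}_i)} plus weights out."""
    return {t: (w, quantize_scores(subs, max_s_op, strategy)) for t, (w, subs) in attr_set.items()}

def requestor_score(configured: Configured, assigned: Dict[str, str]) -> float:
    """Step 2-3: CP assigns one subclass attribute per base class; S_user is read here as the
    weighted sum of the assigned subclass scores, standing in for the page's equation (4)."""
    total = 0.0
    for base, (weight, scores) in configured.items():
        if base not in assigned:
            raise KeyError(f"no subclass attribute assigned for base class {base!r}")
        total += weight * scores[assigned[base]]        # the one-hot vector selects exactly one score
    return round(total, 6)

# Constructed CP configuration: two base class attributes with weights summing to 1.
ATTR_SET: AttrSet = {"role": (0.6, ["guest", "member", "staff", "admin"]),
                     "device": (0.4, ["unknown", "byod", "managed", "hardened"])}
MAX_S_OP = 9

if __name__ == "__main__":
    for strategy in (1, 2):
        cfg = configure_attributes(MAX_S_OP, strategy, ATTR_SET)
        print(strategy, cfg, requestor_score(cfg, {"role": "staff", "device": "managed"}))
```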
4. The matching-based access control method according to claim 3, characterised in that in the access token module, when CP responds to CQ's request, an access token is returned to CQ; the access token is a valid and unique access permission identifier that CP defines for CQ;
3-1 Access token format
The access token consists of two parts, a token header and a token payload; the token header contains three fields, token ID (tokenId), token type (typ_x) and encryption algorithm (Enc), where there are three token types, authorization (typ_g), sharing (typ_s) and delegation (typ_d); the token payload contains six fields: token data (data_token), source address (IP_CP), destination address (IP_CQ), generation time (T_gen), expiration time (T_exp) and verification data (θ);
3-2 Token generation
CP generates an access token of type typ_g in the following steps:
(1) CP-side initialization: the system first generates n random strings [str_0, str_1, ..., str_(n-1)], each 32 bytes long, then computes sn = (T_exp - T_gen) mod n from T_gen and T_exp, and finally obtains the hash salt value used in the current calculation, salt = str_sn;
(2) Generate the token header: randomly choose 64 bits as the token ID, set the token type to typ_g, choose the symmetric encryption algorithm DES or AES, and choose the hash algorithm SHA-1 or SHA-2;
(3) Generate the access token: compute the verification data θ = H(S_user || IP_CP || IP_CQ || T_gen || T_exp || salt) and the required symmetric key symKey = H(θ || SK_CP), then encrypt the user attribute with this key to obtain the token data data_token = Enc_symKey(S_user || salt); the resulting access token is AccToken_g = tokenId || typ_g || data_token || IP_CP || IP_CQ || T_gen || T_exp || θ;
(4) Store the access token: the hash of the token and the requestor's address are stored together in the local valid-token database; if CP wants to revoke a token, it deletes the token from the valid-token database and adds it to the failed-token database;
A sharer or delegator generates a token of type typ_s or typ_d in the same way as above, except for data_token and θ: data_token is the authorization token structure plus the sharer's or authorizer's sharing code or authorization code, and θ of both kinds of token is empty;
3-3 Token verification
When CP receives an authorization token AccToken_g, it first verifies whether the token is within its validity period; if so, it verifies whether the token is in the local valid-token database; if so, it extracts θ' from the token, generates symKey = H(θ' || SK) and decrypts data_token; if decryption succeeds and yields S'_user, it also verifies whether the current user attribute score S_user is greater than or equal to the decrypted S'_user, and if so continues to verify θ by computing θ = H(S'_user || PK'_CP || PK'_CQ || T'_gen || T'_exp || salt) from the fields extracted from the token and checking whether it equals the extracted θ'; if it does, AccToken_g is valid and the user's attribute score is S_user;
When CP receives a delegation token AccToken_d, it first verifies whether the token is within its validity period; if so, it verifies whether the token is in the local valid-token database; if so, AccToken_d is valid;
When a participant receives a sharing token AccToken_s, it first verifies whether the token is within its validity period; if so, AccToken_s is valid.
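The typ_g generation steps of 3-2 and the CP-side verification of 3-3, as an added example that is not the patent's own code. Assumed here: SHA-256 as the SHA-2 choice, fixed field widths so that "||" concatenation is unambiguous, a SHA-256 keystream XOR standing in for the DES/AES step Enc_symKey, the generation-side IP fields reused when θ is recomputed, and constructed keys, addresses and timestamps.

```python
import hashlib, hmac, os
N_STR = 8                                      # n: number of random strings held by CP
STRS = [os.urandom(32) for _ in range(N_STR)]  # [str_0, ..., str_{n-1}], 32 bytes each (step 1)
SK_CP = os.urandom(32)                         # CP's secret key SK_CP (constructed)
VALID_DB, FAILED_DB = {}, set()                # local valid-token and failed-token databases

def H(data: bytes) -> bytes:                   # hash H: SHA-256, one of the page's SHA-2 options
    return hashlib.sha256(data).digest()

def pack(s_user: int, ip_cp: str, ip_cq: str, t_gen: int, t_exp: int, salt: bytes) -> bytes:
    """S_user || IP_CP || IP_CQ || T_gen || T_exp || salt with fixed field widths (unambiguous '||')."""
    return (s_user.to_bytes(4, "big") + ip_cp.encode().ljust(16, b"\0") + ip_cq.encode().ljust(16, b"\0")
            + t_gen.to_bytes(8, "big") + t_exp.to_bytes(8, "big") + salt)

def enc(key: bytes, data: bytes) -> bytes:
    """Assumed stand-in for Enc_symKey (page: DES or AES): SHA-256 counter keystream XOR; symmetric."""
    stream = b"".join(H(key + i.to_bytes(4, "big")) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def token_bytes(tok: dict) -> bytes:
    """AccToken_g = tokenId || typ_g || data_token || IP_CP || IP_CQ || T_gen || T_exp || theta."""
    return (tok["tokenId"] + b"g" + tok["data"] + tok["IP_CP"].encode() + tok["IP_CQ"].encode()
            + tok["T_gen"].to_bytes(8, "big") + tok["T_exp"].to_bytes(8, "big") + tok["theta"])

def generate_token(s_user: int, ip_cp: str, ip_cq: str, t_gen: int, t_exp: int) -> dict:
    salt = STRS[(t_exp - t_gen) % N_STR]                       # step (1): sn = (T_exp - T_gen) mod n
    theta = H(pack(s_user, ip_cp, ip_cq, t_gen, t_exp, salt))  # step (3): verification data theta
    sym_key = H(theta + SK_CP)                                 # symKey = H(theta || SK_CP)
    tok = {"tokenId": os.urandom(8), "data": enc(sym_key, s_user.to_bytes(4, "big") + salt),
           "IP_CP": ip_cp, "IP_CQ": ip_cq, "T_gen": t_gen, "T_exp": t_exp, "theta": theta}
    VALID_DB[H(token_bytes(tok))] = ip_cq                      # step (4): H(token) with requestor address
    return tok

def revoke_token(tok: dict) -> None:                           # step (4): valid DB -> failed DB
    h = H(token_bytes(tok))
    VALID_DB.pop(h, None)
    FAILED_DB.add(h)

def verify_token(tok: dict, now: int, s_user_now: int):
    """3-3 check of AccToken_g by CP; returns the attribute score S_user on success, else None."""
    if not (tok["T_gen"] <= now < tok["T_exp"]) or H(token_bytes(tok)) not in VALID_DB:
        return None                                            # expired, revoked or unknown token
    plain = enc(H(tok["theta"] + SK_CP), tok["data"])          # symKey from theta', decrypt data_token
    s_prime, salt = int.from_bytes(plain[:4], "big"), plain[4:]
    if s_user_now < s_prime:                                   # current S_user must be >= S'_user
        return None
    theta = H(pack(s_prime, tok["IP_CP"], tok["IP_CQ"], tok["T_gen"], tok["T_exp"], salt))
    if not hmac.compare_digest(theta, tok["theta"]):           # recomputed theta must equal theta'
        return None                                            # (also catches garbage from a bad key)
    return s_prime
```

Because the valid-token database keys on H(token), any edited field fails the lookup before θ is even recomputed, and revocation is a move between the two databases rather than a change to the token.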
5. The matching-based access control method according to claim 4, characterised in that the matching module is implemented as follows:
After the access token is verified, CP extracts S_user from the token and uses S_user to match the POp_i in the resource set, obtaining the set of resources accessible to CQ; matching of requestor and content is divided into two parts, coarse-grained matching and fine-grained matching;
4-1 Coarse-grained matching
Coarse-grained matching matches the maximum accessible resource set RSet_access for CQ according to S_user:
(1) Find the even number Z closest to S_user and less than it;
(2) Compute the boundary grade of the accessible resource set, B = MaxS_op - Z;
(3) Obtain the maximum accessible resource set RSet_access of CQ, in which the grade score of every resource is greater than B;
4-2 Fine-grained matching
Because RSet_access includes not only the set of resources that may be accessed but also the corresponding permit operations, fine-grained matching is introduced to further distinguish the same user in different environments, or different users with close scores; in fine-grained matching only the resource set whose grade is POp_B is handled;
(1) Compute the difference D = S_user - Z;
(2) Obtain the subset mask S_POp_B;
(3) Match the permit-operation subset of the resources at grade POp_B, POp_allow = POp_B & S_POp_B;
(4) Obtain CQ's final accessible content RSet_allow.
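Coarse-grained matching 4-1 and fine-grained matching 4-2 over a constructed resource set, as an added example rather than the patent's code. It also implements the claim-2 permit-operation byte (bit order M, E, D, S, R assumed). The page does not give the formula for the subset mask S_POp_B, so the mask policy keyed on D is an assumption, and combining RSet_access with the refined grade-B resources into RSet_allow is this example's reading of step (4).

```python
from typing import Dict, List, Tuple

OPS = "MEDSR"   # the five atomic operations, one bit each; M in the most significant bit (order assumed)
RSet = Dict[int, Tuple[int, List[str]]]   # grade i -> (POp_i byte, resources {R_j}_i), as in definition 2

def pop_byte(ops: str) -> int:
    """Claim-2 structured byte: a bit is 1 when that atomic operation is permitted, 0 otherwise."""
    return sum(1 << (4 - OPS.index(o)) for o in ops)

def pop_str(byte: int) -> str:
    """Inverse of pop_byte, for readable output."""
    return "".join(o for o in OPS if byte & (1 << (4 - OPS.index(o))))

def coarse_match(rset: RSet, s_user: int, max_s_op: int) -> Tuple[int, int, RSet]:
    """4-1: Z = closest even number below S_user, B = MaxS_op - Z, RSet_access = grades above B."""
    z = s_user - (1 if s_user % 2 else 2)
    b = max_s_op - z
    return z, b, {i: r for i, r in rset.items() if i > b}

# Constructed policy for the subset mask S_POp_B, whose formula the page does not give: with Z as
# above, D = S_user - Z is 1 or 2, and the larger D unlocks more of the boundary grade's operations.
MASK_BY_D = {1: pop_byte("R"), 2: pop_byte("SR")}

def fine_match(rset: RSet, s_user: int, max_s_op: int) -> RSet:
    """4-2 on top of 4-1: only grade B is refined, POp_allow = POp_B & S_POp_B; returns RSet_allow."""
    z, b, allow = coarse_match(rset, s_user, max_s_op)
    if b in rset:
        pop_b, resources = rset[b]
        pop_allow = pop_b & MASK_BY_D[s_user - z]
        if pop_allow:                       # boundary-grade resources enter with reduced operations
            allow[b] = (pop_allow, resources)
    return allow

# Constructed CP resource set: a higher grade permits more operations (definition 2), so the most
# permissive grade holds the least sensitive content and a low-scoring requestor reaches only that.
RSET: RSet = {1: (pop_byte("R"), ["audit-log"]), 3: (pop_byte("SR"), ["policy-docs"]),
              5: (pop_byte("ESR"), ["team-notes"]), 7: (pop_byte("MEDSR"), ["public-wiki"])}
MAX_S_OP = 9

if __name__ == "__main__":
    for score in (4, 5, 9):
        allowed = fine_match(RSET, score, MAX_S_OP)
        print(score, {i: (pop_str(p), r) for i, (p, r) in allowed.items()})
```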
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910086089.0A CN109743331B (en) | 2019-01-29 | 2019-01-29 | Access control method based on matching |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109743331A true CN109743331A (en) | 2019-05-10 |
CN109743331B CN109743331B (en) | 2021-06-15 |
Family
ID=66366609
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910086089.0A Active CN109743331B (en) | 2019-01-29 | 2019-01-29 | Access control method based on matching |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109743331B (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110351265A (en) * | 2019-07-02 | 2019-10-18 | 创新奇智(重庆)科技有限公司 | A kind of authentication method based on JWT, computer-readable medium and system |
CN110427770A (en) * | 2019-06-20 | 2019-11-08 | 中国科学院信息工程研究所 | A kind of Access and control strategy of database method and system for supporting service security to mark |
CN113595743A (en) * | 2021-08-04 | 2021-11-02 | 中国银行股份有限公司 | Authorization token processing method and device |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20070266426A1 (en) * | 2006-05-12 | 2007-11-15 | International Business Machines Corporation | Method and system for protecting against denial of service attacks using trust, quality of service, personalization, and hide port messages |
CN103327002A (en) * | 2013-03-06 | 2013-09-25 | 西安电子科技大学 | Cloud storage access control system based on attribute |
CN104994073A (en) * | 2015-05-29 | 2015-10-21 | 北京奇虎科技有限公司 | Cell phone terminal, server and account-device linking control and executing method |
US20180227303A1 (en) * | 2016-05-13 | 2018-08-09 | Idm Global, Inc. | Systems and Methods to Authenticate Users and/or Control Access Made by Users on a Computer Network using Identity Services |
Also Published As
Publication number | Publication date |
---|---|
CN109743331B (en) | 2021-06-15 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||