CN110807189A - Authority segmentation method in block chain access control - Google Patents

Info

Publication number
CN110807189A
Authority
CN
China
Prior art keywords
authority
access control
block chain
division
intelligent contract
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201911115805.XA
Other languages
Chinese (zh)
Other versions
CN110807189B (en)
Inventor
李茹
史锦山
张新
张晓东
张江徽
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Inner Mongolia University
Original Assignee
Inner Mongolia University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Inner Mongolia University
Priority to CN201911115805.XA
Publication of CN110807189A
Application granted
Publication of CN110807189B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45 Structures or tools for the administration of authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6272 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database by registering files or documents with a third party

Abstract

The invention discloses a permission splitting method for blockchain access control. Resource permissions in access control are abstracted into non-homogeneous (non-fungible) authorization tokens that are stored on the blockchain, and one token can represent several permissions. A permission can also be split along a dimension, for example the time dimension. The security of permission splitting is ensured by a smart contract. When a resource visitor wants to transfer a certain permission in an existing token to another user, the token is split into the required number of tokens by the permission-splitting smart contract deployed on the blockchain. The method makes the minimum controllable granularity in blockchain-based access control precise down to a single dimension of a single permission of a resource.

Description

Authority segmentation method in block chain access control
Technical Field
The invention relates to the field of blockchain-based access control, and in particular to a permission splitting method in blockchain access control.
Background
By introducing the blockchain, blockchain-based access control solves the problems of security and trust among multiple organizations, and of the single point of failure, found in the original centralized access control model. The blockchain is decentralized, tamper-resistant and traceable and supports smart contracts, so a trusted environment can be built among nodes that do not trust each other; the blockchain is therefore used as the trusted entity on which the access control model is built.
Blockchain-based access control abstracts the permissions of an object resource into non-homogeneous tokens. One token represents only one permission or one group of permissions of one resource, and permission granting in access control is completed through transactions or smart contracts. Because the token and the permissions are bound together, the user cannot control permissions at a finer granularity and can only transfer the token as a unit. At present there is no method, in an access control environment, for splitting the permissions held in a token. How to split one or more permissions out of a token to form a new token, or even to split a permission along different dimensions, is a challenge for fine-grained applications in the field of blockchain access control.
Disclosure of Invention
To address the shortcomings of the prior art, the invention provides an authority splitting method in blockchain access control, which improves the flexibility of authority management in access control and brings the minimum granularity of access control down to the level of a single authority. At the same time, blockchain smart contracts are used to avoid security problems with the authority during the splitting process.
The purpose of the invention is achieved by the following technical scheme. The authority splitting method in blockchain access control has two parts. In the first, where a token represents one authority or a group of authorities of a resource, a smart contract is used to split the token, so that one or more authorities in the token are split off to form new tokens. In the second, a smart-contract-based method is used to split a single authority into multiple authorities along different dimensions and then compose the split authorities into new tokens.
The smart-contract-based token splitting method in blockchain access control splits one or more required authorities off the original token to form several new tokens, and the original token becomes invalid. Token splitting is completed in the following steps:
The first step: the authority owner A, who holds the access rights to resource s, negotiates with resource accessor B (or with several resource accessors B, C …) and decides to split off part of the set of access rights to resource s held by A and pass it to resource accessors B, C …. In a real environment some resources can be divided and some cannot; only divisible resources are considered here. Meanwhile, the authority owner A may add new constraint conditions to the authorization token, provided they do not violate the existing constraints of authorization token T_S.
The second step: the authority owner A sends the split request message generated from the negotiation result to the token-splitting contract in the blockchain network. The content of the request is to split the set of rights held in authorization token T_S into several shares and pass the split rights to resource accessors B, C …. The split request message specifies which rights are split off and to whom the split rights belong. It must be ensured that the same right is not split off and granted to more than one user.
The third step: resource accessors B, C send request-confirmation information to the authority-splitting contract.
The fourth step: the authority-splitting contract requires the agreement of all parties, that is, A, B, C … and the access control contract of resource s, so the authority-splitting contract sends the authorization-token transfer information to the access control contract of resource s.
The fifth step: the access control policy in the access control contract of resource s must decide whether to approve the transfer of the authorization token. It first verifies token T_S, then verifies that the rights split is legitimate, and then obtains information about B, C … from the PIP to verify that B, C … are legitimate.
The sixth step: the access control contract of resource s makes a decision based on the collected information. If verification passes, it generates a corresponding authorization token for each split right and returns the tokens to the authority-splitting contract. If verification fails, it returns rejection information.
The seventh step: if the request is approved, the authority-splitting contract sends the newly generated authorization tokens to the corresponding nodes; if it is rejected, the authority-splitting contract returns the rejection information to each node.
To manage authority at a finer granularity, the invention also provides a method for splitting a single authority.
In the smart-contract-based authority splitting method in blockchain access control, a given authority in a token is split into two authorities along a certain dimension; the key to authority splitting is that the authority must be divisible from some angle. For example, take a traffic police officer's control authority over traffic lights: officer A holds the control authority for 8:00-12:00, and if something unexpected comes up for A at 10:00, the authority for 10:00-12:00 can be split off and handed to officer B. The example is given for illustration only and does not limit the invention.
Applied to blockchain-based access control, the method lets the access control system manage authority at a finer granularity: the smart-contract-based token splitting method splits one token into several tokens, and the smart-contract-based authority splitting method splits one authority into several authorities along a certain dimension.
Drawings
FIG. 1 is a flow diagram of token splitting based on blockchain access control in the method of the present invention;
FIG. 2 is a diagram illustrating smart-contract-based authority splitting in the method of the present invention;
FIG. 3 is a schematic diagram of an embodiment of the authority splitting method in blockchain access control according to the present invention.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention. The terms used in this application are explained below:
(1) A token is an entity representing access control authority in a blockchain; in the present invention, token refers to a non-homogeneous token.
(2) A Policy Enforcement Point (PEP) is an entity that performs access control in a specific application environment.
(3) A Policy Information Point (PIP) is an entity that provides access control system information, through which attribute information of a subject, a resource, and an environment can be acquired.
FIG. 1 is a schematic diagram of the token splitting process based on blockchain access control according to an embodiment of the present invention. The method uses smart contracts for token splitting. This embodiment completes token splitting in the following steps:
The first step: the authority owner A, who holds the access authority to resource s, negotiates with resource accessor B (or with several resource accessors B, C …) and decides to split off part of the access authority to resource s held by A and transfer it to resource accessors B, C …. Some resources in the Internet of Things can be divided and some cannot, so authority splitting requires the authorization token to have a divisible attribute. At the same time, the authority owner A may add new constraint conditions to the authorization token, provided they do not violate the existing constraints of authorization token T_S.
The second step: the authority owner A sends the split request message generated from the negotiation result to the blockchain network. The token-splitting contract SC_ABC is to split the rights held in authorization token T_S and pass the split rights to resource accessors B, C …. Smart contract SC_ABC specifies which rights are split off and to whom they are delivered.
The third step: resource accessors B, C send request-confirmation information to smart contract SC_ABC.
The fourth step: smart contract SC_ABC needs A, B, C … and the access control contract SC_S of resource s to all agree, so SC_ABC sends the authorization-token transfer information to SC_S.
The fifth step: the access control policy in SC_S must decide whether to approve the transfer of the authorization token. It therefore first verifies whether the attributes and constraints of authorization token T_S are legal, then verifies whether the authority split is legal, and then obtains information about B, C … from the PIP to verify whether B, C … are legal.
The sixth step: SC_S makes a decision based on the collected information. If verification passes, it generates a corresponding authorization token for each split authority and returns the tokens to SC_ABC. If verification fails, it returns rejection information.
The seventh step: if the request is approved, SC_ABC sends the newly generated authorization tokens to their respective nodes; if it is rejected, SC_ABC returns the rejection information to each node.
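The seven steps above can be modelled off-chain to see which checks carry the security weight. The following Python sketch is an added example, not code from the patent: the class names, the `not_after` constraint, the `registered` PIP attribute and the rule that A keeps the unassigned rights in a fresh token are all assumptions made for illustration.

```python
from dataclasses import dataclass
from itertools import count

@dataclass(frozen=True)
class Token:
    token_id: int
    owner: str
    rights: frozenset
    not_after: int            # assumed constraint form: hour after which the token is void
    divisible: bool = True

class AccessControlContract:
    """SC_S, the access control contract of resource s (steps 5 and 6)."""
    def __init__(self, pip):
        self.pip = pip        # PIP stand-in: subject -> attributes
        self.live = {}        # token_id -> Token that is still valid
        self._ids = count(1)

    def mint(self, owner, rights, not_after, divisible=True):
        t = Token(next(self._ids), owner, frozenset(rights), not_after, divisible)
        self.live[t.token_id] = t
        return t

    def decide(self, token_id, requester, assignment, not_after):
        t = self.live.get(token_id)
        # Verify T_S: it is live, owned by the requester and marked divisible.
        if t is None or t.owner != requester or not t.divisible:
            return None, "token invalid or not divisible"
        # Added constraints may tighten the existing one, never loosen it.
        if not_after > t.not_after:
            return None, "new constraint violates the original token"
        # Verify the split: only rights held in T_S, each to exactly one user.
        granted = [r for rights in assignment.values() for r in set(rights)]
        if not granted or requester in assignment or not set(granted) <= t.rights:
            return None, "split scheme is not legitimate"
        if len(granted) != len(set(granted)):
            return None, "right granted to more than one user"
        # Verify the recipients against PIP attributes.
        for user in assignment:
            if not self.pip.get(user, {}).get("registered", False):
                return None, "recipient " + user + " is not legitimate"
        del self.live[token_id]                    # the original token becomes invalid
        new = {u: self.mint(u, rs, not_after) for u, rs in assignment.items()}
        rest = t.rights - set(granted)
        if rest:                                   # assumption: A keeps the remainder
            new[requester] = self.mint(requester, rest, t.not_after)
        return new, "ok"

class SplitContract:
    """SC_ABC: gathers confirmations (steps 2 to 4) and relays the result (step 7)."""
    def __init__(self, sc_s, owner, token_id, assignment, not_after):
        self.sc_s, self.owner, self.token_id = sc_s, owner, token_id
        self.assignment, self.not_after = assignment, not_after
        self.confirmed = set()

    def confirm(self, user):
        # `user` is assumed to be the ledger-authenticated transaction sender.
        if user in self.assignment:                # only named recipients count
            self.confirmed.add(user)

    def execute(self):
        if self.confirmed != set(self.assignment):
            return None, "waiting for confirmation"
        return self.sc_s.decide(self.token_id, self.owner, self.assignment, self.not_after)

def run_example():
    pip = {"B": {"registered": True}, "C": {"registered": True}}   # constructed data
    sc_s = AccessControlContract(pip)
    t_s = sc_s.mint("A", {"read", "write", "control"}, not_after=24)
    bad = SplitContract(sc_s, "A", t_s.token_id, {"B": {"read"}, "C": {"read"}}, 12)
    bad.confirm("B")
    bad.confirm("C")
    rejected = bad.execute()                       # same right offered to two users
    good = SplitContract(sc_s, "A", t_s.token_id, {"B": {"read"}, "C": {"write"}}, 12)
    good.confirm("B")
    pending = good.execute()                       # C has not confirmed yet
    good.confirm("C")
    tokens, status = good.execute()
    return rejected, pending, tokens, status, t_s.token_id in sc_s.live

if __name__ == "__main__":
    print(run_example())
```

Invalidating the original token in the same call that mints the new ones is what keeps the old and new tokens from being usable side by side.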
Next, an embodiment of authority splitting in the present invention is presented.
FIG. 2 is a schematic diagram of smart-contract-based authority splitting in the method of the present invention. This embodiment completes authority splitting in the following steps:
The first step: the authority owner sends a split-authority message to the blockchain; the request must carry the sender's own identity, the token corresponding to the authority, and the split scheme.
The second step: after receiving the message, the authority-splitting smart contract in the blockchain first verifies whether the message is correct. The verification covers the identity of the sender of the split request message and whether the authority belongs to the sender of the message.
The third step: after verification passes, the contract looks up the access control policy corresponding to the authority and judges whether the authority can be split and whether the split scheme is legal.
The fourth step: if the split is compliant, the authority split is executed according to the scheme required by the split request message, new tokens are generated for the split authorities, the owner of the new tokens is set to the authority owner, and the old token is cancelled.
The fifth step: the authority splitting result is returned to the authority owner.
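The five steps above, applied to the traffic-light authority from the earlier 8:00-12:00 illustration, can be sketched as follows. This is an added example rather than code from the patent: the class and function names are hypothetical, sender authentication is assumed to be done by the ledger, and the legality rule used here (the pieces must tile the original time window exactly) is an assumption about what a legal split scheme means.

```python
from dataclasses import dataclass
from itertools import count

@dataclass(frozen=True)
class TimeRight:
    token_id: int
    owner: str
    resource: str
    action: str
    start: int                # minutes since midnight, inclusive
    end: int                  # minutes since midnight, exclusive

class RightSplitContract:
    def __init__(self, policy):
        self.policy = policy  # (resource, action) -> dimensions the right may be split on
        self.live = {}        # token_id -> TimeRight that is still valid
        self._ids = count(1)

    def mint(self, owner, resource, action, start, end):
        t = TimeRight(next(self._ids), owner, resource, action, start, end)
        self.live[t.token_id] = t
        return t

    def split(self, sender, token_id, scheme):
        """scheme: list of (start, end) pieces. `sender` is assumed to be the
        transaction sender already authenticated by the ledger (step 2)."""
        t = self.live.get(token_id)
        if t is None or t.owner != sender:
            return None, "right does not belong to sender"
        # Step 3: look up the policy for this right.
        if "time" not in self.policy.get((t.resource, t.action), set()):
            return None, "right is not divisible in time"
        pieces = sorted(scheme)
        if len(pieces) < 2 or any(s >= e for s, e in pieces):
            return None, "scheme is malformed"
        # Assumed legality rule: the pieces tile [start, end) exactly, so a
        # split can neither extend the window nor duplicate part of it.
        if pieces[0][0] != t.start or pieces[-1][1] != t.end:
            return None, "scheme does not match the original window"
        if any(a[1] != b[0] for a, b in zip(pieces, pieces[1:])):
            return None, "pieces overlap or leave a gap"
        # Step 4: cancel the old token, mint one per piece for the same owner.
        del self.live[token_id]
        new = [self.mint(sender, t.resource, t.action, s, e) for s, e in pieces]
        return new, "ok"

    def permits(self, token_id, user, minute):
        t = self.live.get(token_id)
        return t is not None and t.owner == user and t.start <= minute < t.end

def hm(text):
    """Convert 'H:MM' to minutes since midnight."""
    h, m = text.split(":")
    return int(h) * 60 + int(m)

def run_traffic_light_example():
    sc = RightSplitContract({("traffic-light", "control"): {"time"}})
    old = sc.mint("A", "traffic-light", "control", hm("8:00"), hm("12:00"))
    widened = sc.split("A", old.token_id,
                       [(hm("8:00"), hm("10:00")), (hm("10:00"), hm("13:00"))])
    overlap = sc.split("A", old.token_id,
                       [(hm("8:00"), hm("11:00")), (hm("10:00"), hm("12:00"))])
    parts, status = sc.split("A", old.token_id,
                             [(hm("8:00"), hm("10:00")), (hm("10:00"), hm("12:00"))])
    return sc, old, widened, overlap, parts, status

if __name__ == "__main__":
    print(run_traffic_light_example()[2:])
```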
The authority splitting embodiment differs from the token splitting embodiment as follows: token splitting divides a token that represents several authorities into several tokens, and the authorities themselves are unchanged; authority splitting divides one authority into several usable authorities.
It will be understood by those skilled in the art that the foregoing is only a preferred embodiment of the present invention, and is not intended to limit the invention, and although the invention has been described in detail with reference to the foregoing examples, it will be apparent to those skilled in the art that various changes in the form and details of the embodiments may be made and equivalents may be substituted for elements thereof. All modifications, equivalents and the like which come within the spirit and principle of the invention are intended to be included within the scope of the invention.

Claims (4)

1. A method for authority splitting in blockchain access control, characterized in that the controllable minimum granularity in blockchain-based access control is precise to the authority of each resource, and smart contracts are used to complete the splitting of the authority; when authority splitting is started, the smart contract verifies whether the user initiating the authority splitting is legal, the smart contract queries the access control policy corresponding to the authority and then judges whether the authority analysis is legal, and if it is legal, the smart contract generates new authority tokens according to the split requirement and the token that was split is cancelled.
2. The method as claimed in claim 1, wherein when one authority or a group of authorities of a resource is mapped to a token (also called a pass, authorization token, etc.) in the access control system, the token is split using a smart contract; the smart contract splits the authorities in the token, and one or more authorities in the token can be split off to form a new token; the token that was split becomes invalid after the split succeeds.
3. The method as claimed in claim 1, wherein the splitting of an authority in blockchain access control is performed by using a smart contract, the splitting of the authority in the token is realized by the smart contract, and one authority is split into a plurality of usable authorities.
4. The method as claimed in claim 1, wherein the splitting of the token and the splitting of the authority can be performed simultaneously.
CN201911115805.XA 2019-11-15 2019-11-15 Authority segmentation method in block chain access control Active CN110807189B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911115805.XA CN110807189B (en) 2019-11-15 2019-11-15 Authority segmentation method in block chain access control

Publications (2)

Publication Number Publication Date
CN110807189A (en) 2020-02-18
CN110807189B (en) 2023-07-07

Family

ID=69502800

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911115805.XA Active CN110807189B (en) 2019-11-15 2019-11-15 Authority segmentation method in block chain access control

Country Status (1)

Country Link
CN (1) CN110807189B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111901302A (en) * 2020-06-28 2020-11-06 石家庄铁道大学 Medical information attribute encryption access control method based on block chain

Also Published As

Publication number Publication date
CN110807189B (en) 2023-07-07

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant