CN110839030B - Authority transfer method in block chain access control - Google Patents
Authority transfer method in block chain access control Download PDFInfo
- Publication number
- CN110839030B CN110839030B CN201911115968.8A CN201911115968A CN110839030B CN 110839030 B CN110839030 B CN 110839030B CN 201911115968 A CN201911115968 A CN 201911115968A CN 110839030 B CN110839030 B CN 110839030B
- Authority
- CN
- China
- Prior art keywords
- authority
- transfer
- access control
- intelligent contract
- block chain
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses a permission transfer method in block chain access control, which abstracts the permission of resources into non-homogeneous general evidence and stores the non-homogeneous general evidence in a block chain in the block chain access control. When a resource visitor wants to transmit the own authority to another user, the authority transmission intelligent contract deployed on the block chain is used for transmitting the permit representing the authority to the other user, whether the user receiving the permit has the authority to receive or not is automatically verified by the intelligent contract, and the authority is prevented from being transmitted to an illegal user. The permission transfer method enables access control based on the block chain to be more flexible and safer.
Description
Technical Field
The invention relates to the field of access control based on a block chain, in particular to a method for transferring authority in block chain access control.
Background
The block chain is used as a distributed decentralized calculation and storage framework, and the problems caused by the design of an access control centralized decision mechanism are solved. The problems of the centralized decision mechanism are mainly reflected in single point failure and the safety problem of the central mechanism. After a researcher introduces a blockchain into access control, various access control models based on the blockchain are provided, and the blockchain is originally used as a point-to-point distributed book technology based on a cryptographic algorithm, so that the permission of resources is abstracted into non-homogeneous general evidence based on the blockchain in the access control, and the permission is granted through transaction transfer of the general evidence.
The method for mapping the authority into the evidence naturally conforms to the authority transfer function, and the authority can be flexibly transferred through the transaction or the intelligent contract in the block chain. But also brings potential safety hazard, and the authority owner may transfer the authority to an illegal user, thereby causing the problem of authority disclosure. At present, the existing permission transfer methods implemented through transactions on a block chain have serious potential safety hazards, and the permission constraints are not considered in the transfer methods, namely, a user receiving the permission is not subjected to the decision of an access control strategy and is directly endowed with the permission by a permission owner, so that the transfer of the permission can cause that the access permission of resources can be transferred to illegal users by legal users. How to ensure the security of the authority in the authority transfer process is a problem which must be solved by the access control based on the block chain at present
Disclosure of Invention
Aiming at the defects of the prior art, the invention provides a method for transferring the authority in the block chain access control, which not only improves the flexibility of the authority management in the access control, but also avoids the safety problem caused by the transfer of the authority among users.
The purpose of the invention is realized by the following technical scheme: a method for transferring authority in block chain access control adds an access control strategy of authority as another party on the basis of the authority transfer method that only a sender and a receiver of the authority are needed to participate originally, and the authority receiver must meet the access control strategy of the corresponding authority if the receiver of the authority wants to receive the corresponding authority. The new rights delivery scheme is implemented by intelligent contracts deployed on blockchains.
A workflow of rights transfer in blockchain access control:
when the authority is allowed to be transferred, when an authority owner A who owns the resource access authority wants to transfer the authority to a resource visitor B, the authority transfer messages meeting the requirement of the intelligent contract for authority transfer need to be agreed together under the condition of meeting the authority constraint.
The content of the rights transfer message is that rights owner a transfers rights to resource visitor B.
The rights transfer message is required to be validated to obtain a joint approval of the rights owner A, B and the access control contract for the resource.
If the authority transfer message is sent to the authority transfer intelligent contract in the block chain, the contract sends the transferred content to the access control contract of the resource
The access control contract S can acquire the information of the resource visitor B from the PIP and make a decision by combining the constraint and the attribute of the authority.
If the transfer is approved, the access control contract sends the approval information to the authority transfer contract, and then the authority transfer contract changes the owner of the authority from the authority owner A to the resource visitor B. Otherwise the rights transfer fails.
The authority transfer method in block chain access control comprises three implementation methods, the first method is to perform a complete authorization decision process on an authority receiver during each authority transfer, the authority transfer can only occur when the authority receiver is judged by an access control system to meet the use of the authority, and otherwise the authority transfer fails.
In the second method for transferring the authority in the access control based on the block chain, the authority is usually represented in a non-homogeneous evidence-based access control mode, and the expression of the authority transfer in the block chain is the evidence-based transfer. The first method of authority transfer requires a complete authorization decision process for an authority receiver, for example, in a complex environment such as the internet of things, an access control system has a large number of access policies, and policies corresponding to a certain authority often need to be searched and combined in the large number of access policies, and the search time increases with the increase of the number of access policies.
Therefore, the second method of authority transfer integrates the index of the access strategy corresponding to the authority into the authority pass certificate, and during each authority transfer, the corresponding access control strategy is directly found according to the access strategy index in the pass certificate, and then the authority receiver makes a decision, and the authority transfer can only occur when the authority receiver is judged by the access control system to meet the requirement of using the authority, otherwise, the authority transfer fails.
The third method of authority transfer in block chain access control directly integrates the access control strategy corresponding to the authority into the pass-certificate, so that when the authority is transferred, the access control strategy in the pass-certificate is directly read for decision making, whether the authority receiver has the authority to use the authority is judged, the authority transfer can only occur when the authority receiver is judged to meet the requirement of using the authority, otherwise, the authority transfer fails.
The three permission transfer methods have respective advantages and disadvantages, and applicable scenes are different. If the first method of rights transfer takes too long, the second method may be used. If the second method takes a long time, the third method may be used, but the storage overhead required by the three methods is sequentially increased, and different methods for transferring the rights need to be selected according to different applications.
In general, the beneficial effects of the invention are as follows:
the three permission transferring methods of the invention verify the permission receiver in the permission transferring process, judge whether the permission receiver has the permission to use the transferred permission, and only when the permission receiver is judged to meet the permission, the permission transfer can occur, otherwise the permission transfer fails. The invention avoids the possibility that the authority is obtained by an illegal user in the process of transmission, and solves an unauthorized access vulnerability in access control.
Drawings
FIG. 1 is a diagram illustrating a method of transferring permissions in blockchain access control according to the present invention;
FIG. 2 is a flowchart illustrating a method for transferring permissions in blockchain access control according to a first embodiment of the present invention;
FIG. 3 is a flowchart illustrating a method for transferring permissions in blockchain access control according to a second embodiment of the present invention;
fig. 4 is a flowchart illustrating a method for transferring permissions in blockchain access control according to a third embodiment of the present invention.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
As shown in fig. 1, fig. 1 is a schematic diagram of a block chain access control-based privilege delivery flow according to the present invention. The method uses an intelligent contract for transferring the rights. The transfer of the authority refers to a process of transferring the authority to the user B after the authority of a certain resource is acquired by the user a, and the term used in the application is explained as follows:
(1) the token is an entity representing access control authority in a block chain, and the token in the present invention refers to a non-homogeneous token.
(2) A Policy Enforcement Point (PEP) is an entity that performs access control in a specific application environment.
(3) Policy Information Point (PIP) refers to an entity that provides access control system Information through which attribute Information of a subject, a resource, and an environment can be acquired.
The rights transfer flow shown in fig. 1 completes the transfer of rights according to the following steps:
step 1: and the authority owner A and the resource visitor B, which have the access authority of the resource s, negotiate to decide to pass the authority permit of the resource s to the resource visitor B.
Step 2: the authority owner A sends the authority transfer message generated by the negotiation result to the intelligent contract of authority transfer in the block chain network, and the content of the authority transfer message is the authority T of the authority owner ASTo resource visitor B.
And 3, step 3: resource accessor B sends confirmation receiving authorization token T to authority transfer intelligent contractSThe request of (1).
And 4, step 4: validation of rights delivery requires full agreement by A, B and the access control contract for resource s, so SCACInformation of the entitlement delivery message is to be sent to the SCT。
And 5, step 5: SC (Single chip computer)ACThe access control policy in (1) requires a decision to be made whether to grant the passing of the authorization token, and therefore requires the verification of the authorization token TSAnd then obtaining relevant information of B from PIP to verify whether B is legal.
And 6, step 6: SC (Single chip computer)TMaking a decision based on the collected information, and thenReturning the decision result to SCAC。
And 7, step 7: if yes, SCACGeneral certificate TSSending the information to B and informing A; if rejected, SCACThe rejection information is sent to B and informed to a.
Based on the above-mentioned permission transfer flow, various embodiments of permission transfer in block chain access control are proposed.
Referring to fig. 2, fig. 2 is a flowchart illustrating a method for transferring permissions in blockchain access control according to a first embodiment of the present invention.
While a logical order is shown in the flow chart, in some cases, the steps shown or described may be performed in an order different than that shown.
The first embodiment of the authority transfer method in block chain access control comprises the following steps:
and after the authority transfer parties determine to transfer the authority, the authority sender sends an authority transfer message to the authority transfer intelligent contract in the block chain.
After receiving the authority transfer message, the authority transfer contract first verifies whether the message is correct, then sends the transferred message and the information of the authority receiver to the access control intelligent contract, and the access control contract judges whether the authority receiver has the authority to use the authority according to the access control strategy of the authority.
If the authority receiver has the right to use, the authority transfer contract date changes the owner of the authority from the authority sender to the authority receiver, records the content of the authority transfer in the block chain, and returns the result.
If the authority receiver does not have the authority of using the authority, the authority transfer fails, and a failure result is returned.
Referring to fig. 3, fig. 3 is a flowchart illustrating a method for transferring permissions in blockchain access control according to a second embodiment of the present invention. The second embodiment of the method for transferring rights differs from the first embodiment of the method for controlling block chain access in that:
(1) and the authority pass certificate is integrated with an index of the authority corresponding to the access control strategy.
(2) After receiving the authority transfer message, the authority transfer contract firstly verifies whether the message is correct, then extracts the index of the access control strategy corresponding to the authority from the authority pass certificate, and then sends the index information and the information of the authority receiver to the access control intelligent contract.
(3) And combining the received strategy indexes into a complete access control strategy corresponding to the authority, and then judging an authority receiver to judge whether the authority receiver can use the authority.
Referring to fig. 4, fig. 4 is a flowchart illustrating a method for transferring permissions in blockchain access control according to a third embodiment of the present invention. The third embodiment of the rights transfer method differs from the previous two embodiments in that:
(1) the access control strategy corresponding to the authority is directly integrated into the pass certificate, so that after the authority transfer contract receives the authority transfer message, the access control strategy in the pass certificate can be directly extracted to judge whether the authority receiver has the right to use the authority.
(2) No information needs to be passed to the access control contract arbitration and therefore the time taken for transfer is shorter, but the storage cost of the voucher is higher.
It will be understood by those skilled in the art that the foregoing is only a preferred embodiment of the present invention, and is not intended to limit the invention, and although the invention has been described in detail with reference to the foregoing examples, it will be apparent to those skilled in the art that various changes in the form and details of the embodiments may be made and equivalents may be substituted for elements thereof. All modifications, equivalents and the like which come within the spirit and principle of the invention are intended to be included within the scope of the invention.
Claims (5)
1. A method for transferring permissions in blockchain access control, comprising: the method uses the authority granted in the block chain access control of the intelligent contract transfer, and the authority transfer intelligent contract can detect whether the authority receiver uses the authorityIf the detection is passed, the owner of the authority is changed from the authority sender to the authority receiver by the intelligent contract, otherwise, the transfer fails; the permission transferring steps are as follows: step 1: the authority owner A and the resource accessor B which have the access authority of the resource s negotiate to determine the authorization token T of the resource sSPassed to resource accessor B; step 2: the authority owner A sends the authority transfer message generated by the negotiation result to the intelligent contract of authority transfer in the block chain network, and the content of the authority transfer message is the authorization token T of the authority owner ASPassed to resource accessor B; and 3, step 3: resource accessor B sends confirmation receiving authorization token T to authority transfer intelligent contractSA request for (2); and 4, step 4: the validation of the rights transfer requires the full consent of A, B and the access control contract of the resource s, so the intelligent contract SCACInformation of the entitlement delivery message is to be sent to the smart contract SCT(ii) a And 5, step 5: intelligent contract SCACThe access control policy in (1) requires a decision to be made whether to grant the passing of the authorization token, and therefore requires the verification of the authorization token TSWhether the attribute and the constraint of the system are legal or not, then obtaining related information of the B from the PIP and verifying whether the B is legal or not; and 6, step 6: intelligent contract SCTMaking a decision according to the collected information and then returning the decision result to the intelligent contract SCAC(ii) a And 7, step 7: if yes, then intelligent contract SCACWill authorize the token TSSending the information to B and informing A; if rejection, intelligent contract SCACThe rejection information is sent to B and informed to a.
2. The permission transfer method according to claim 1, wherein the permission includes reading, writing, creating, deleting of data, and operating on internet of things devices, and a certain permission can be granted to the principal in a fine-grained selection.
3. The method of claim 1, wherein a complete authorization decision process is performed for the rights recipient each time the rights are transferred, and the rights transfer can only occur if the rights recipient is judged by the access control system to satisfy the rights, otherwise the rights transfer fails.
4. The method of claim 1, wherein the method integrates an index of the access policy corresponding to the right into the authorization token, and during each right transfer, the corresponding access control policy is directly found according to the access policy index in the authorization token, and then a decision is made for the right receiver, and only when the right receiver is judged by the access control system to satisfy the use of the right, the right transfer can occur, otherwise the right transfer fails.
5. The method of claim 1, wherein the access control policy corresponding to the right is directly integrated into the authorization token, so that when the right is transferred, the access control policy in the authorization token is directly read for decision, and whether the right receiver has the right to use the right is determined.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911115968.8A CN110839030B (en) | 2019-11-15 | 2019-11-15 | Authority transfer method in block chain access control |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911115968.8A CN110839030B (en) | 2019-11-15 | 2019-11-15 | Authority transfer method in block chain access control |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110839030A CN110839030A (en) | 2020-02-25 |
CN110839030B true CN110839030B (en) | 2021-11-19 |
Family
ID=69576392
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201911115968.8A Active CN110839030B (en) | 2019-11-15 | 2019-11-15 | Authority transfer method in block chain access control |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110839030B (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111478890B (en) * | 2020-03-30 | 2021-12-03 | 中国科学院计算技术研究所 | Network service access control method and system based on intelligent contract |
CN111641586A (en) * | 2020-04-24 | 2020-09-08 | 杭州溪塔科技有限公司 | Account authority management method and system based on block chain |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107682331A (en) * | 2017-09-28 | 2018-02-09 | 复旦大学 | Internet of Things identity identifying method based on block chain |
CN108632035A (en) * | 2018-05-17 | 2018-10-09 | 湖北工业大学 | A kind of Oblivious Transfer system and method with access control |
CN108764898A (en) * | 2018-04-03 | 2018-11-06 | 武汉龙津科技有限公司 | A kind of logical method and system for demonstrate,proving design and its operating right management |
CN109117668A (en) * | 2018-08-10 | 2019-01-01 | 广东工业大学 | A kind of identification authorization safety access method based on block chain building |
CN110097467A (en) * | 2019-05-05 | 2019-08-06 | 华中科技大学 | A kind of side chain test method for intelligent contract safety and stability |
CN110519066A (en) * | 2019-09-29 | 2019-11-29 | 广东电网有限责任公司 | A kind of Internet of Things secret protection access control method based on block chain technology |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2017151514A (en) * | 2016-02-22 | 2017-08-31 | 富士ゼロックス株式会社 | Program and information processor |
-
2019
- 2019-11-15 CN CN201911115968.8A patent/CN110839030B/en active Active
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107682331A (en) * | 2017-09-28 | 2018-02-09 | 复旦大学 | Internet of Things identity identifying method based on block chain |
CN108764898A (en) * | 2018-04-03 | 2018-11-06 | 武汉龙津科技有限公司 | A kind of logical method and system for demonstrate,proving design and its operating right management |
CN108632035A (en) * | 2018-05-17 | 2018-10-09 | 湖北工业大学 | A kind of Oblivious Transfer system and method with access control |
CN109117668A (en) * | 2018-08-10 | 2019-01-01 | 广东工业大学 | A kind of identification authorization safety access method based on block chain building |
CN110097467A (en) * | 2019-05-05 | 2019-08-06 | 华中科技大学 | A kind of side chain test method for intelligent contract safety and stability |
CN110519066A (en) * | 2019-09-29 | 2019-11-29 | 广东电网有限责任公司 | A kind of Internet of Things secret protection access control method based on block chain technology |
Non-Patent Citations (1)
Title |
---|
物联网下的区块链访问控制综述;史锦山;《软件学报》;20190630;第1632-1648页 * |
Also Published As
Publication number | Publication date |
---|---|
CN110839030A (en) | 2020-02-25 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10454927B2 (en) | Systems and methods for managing relationships among digital identities | |
US7793333B2 (en) | Mobile authorization using policy based access control | |
US9021113B2 (en) | Inter-service sharing of content between users from different social networks | |
US20190333031A1 (en) | System, method, and computer program product for validating blockchain or distributed ledger transactions in a service requiring payment | |
US8417964B2 (en) | Software module management device and program | |
US9769137B2 (en) | Extensible mechanism for securing objects using claims | |
US20150026080A1 (en) | Methods and apparatus for title protocol, authentication, and sharing | |
US20150059005A1 (en) | Networked services licensing system and method | |
US20070220009A1 (en) | Methods, systems, and computer program products for controlling access to application data | |
US20040220878A1 (en) | Networked services licensing system and method | |
TW200836085A (en) | Reputation-based authorization decisions | |
CN101415001A (en) | Composite application using security annotations | |
WO2007115468A1 (en) | A method and system for information security authentication | |
CN109388957B (en) | Block chain-based information transfer method, device, medium and electronic equipment | |
CN110839030B (en) | Authority transfer method in block chain access control | |
US20060136425A1 (en) | Data-centric distributed computing | |
US20140013447A1 (en) | Method for User Access Control in a Multitenant Data Management System | |
AU2003219907B2 (en) | Networked services licensing system and method | |
di Vimercati et al. | Empowering owners with control in digital data markets | |
US20220318356A1 (en) | User registration method, user login method and corresponding device | |
CN110807189A (en) | Authority segmentation method in block chain access control | |
CN112202734B (en) | Service processing method, electronic device and readable storage medium | |
WO2022259377A1 (en) | Information distribution device, information distribution method, and program | |
JP5054552B2 (en) | Secondary content right management method and system, program, and computer-readable recording medium | |
JP4324792B2 (en) | Authentication information providing method, authentication method, authentication program, and information processing apparatus |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |