CN110839030B - Authority transfer method in block chain access control - Google Patents

Authority transfer method in block chain access control Download PDF

Info

Publication number
CN110839030B
CN110839030B CN201911115968.8A CN201911115968A CN110839030B CN 110839030 B CN110839030 B CN 110839030B CN 201911115968 A CN201911115968 A CN 201911115968A CN 110839030 B CN110839030 B CN 110839030B
Authority
CN
China
Prior art keywords
authority
transfer
access control
intelligent contract
block chain
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201911115968.8A
Other languages
Chinese (zh)
Other versions
CN110839030A (en
Inventor
李茹
史锦山
张新
张晓东
张江徽
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Inner Mongolia University
Original Assignee
Inner Mongolia University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Inner Mongolia University filed Critical Inner Mongolia University
Priority to CN201911115968.8A priority Critical patent/CN110839030B/en
Publication of CN110839030A publication Critical patent/CN110839030A/en
Application granted granted Critical
Publication of CN110839030B publication Critical patent/CN110839030B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a permission transfer method in block chain access control, which abstracts the permission of resources into non-homogeneous general evidence and stores the non-homogeneous general evidence in a block chain in the block chain access control. When a resource visitor wants to transmit the own authority to another user, the authority transmission intelligent contract deployed on the block chain is used for transmitting the permit representing the authority to the other user, whether the user receiving the permit has the authority to receive or not is automatically verified by the intelligent contract, and the authority is prevented from being transmitted to an illegal user. The permission transfer method enables access control based on the block chain to be more flexible and safer.

Description

Authority transfer method in block chain access control
Technical Field
The invention relates to the field of access control based on a block chain, in particular to a method for transferring authority in block chain access control.
Background
The block chain is used as a distributed decentralized calculation and storage framework, and the problems caused by the design of an access control centralized decision mechanism are solved. The problems of the centralized decision mechanism are mainly reflected in single point failure and the safety problem of the central mechanism. After a researcher introduces a blockchain into access control, various access control models based on the blockchain are provided, and the blockchain is originally used as a point-to-point distributed book technology based on a cryptographic algorithm, so that the permission of resources is abstracted into non-homogeneous general evidence based on the blockchain in the access control, and the permission is granted through transaction transfer of the general evidence.
The method for mapping the authority into the evidence naturally conforms to the authority transfer function, and the authority can be flexibly transferred through the transaction or the intelligent contract in the block chain. But also brings potential safety hazard, and the authority owner may transfer the authority to an illegal user, thereby causing the problem of authority disclosure. At present, the existing permission transfer methods implemented through transactions on a block chain have serious potential safety hazards, and the permission constraints are not considered in the transfer methods, namely, a user receiving the permission is not subjected to the decision of an access control strategy and is directly endowed with the permission by a permission owner, so that the transfer of the permission can cause that the access permission of resources can be transferred to illegal users by legal users. How to ensure the security of the authority in the authority transfer process is a problem which must be solved by the access control based on the block chain at present
Disclosure of Invention
Aiming at the defects of the prior art, the invention provides a method for transferring the authority in the block chain access control, which not only improves the flexibility of the authority management in the access control, but also avoids the safety problem caused by the transfer of the authority among users.
The purpose of the invention is realized by the following technical scheme: a method for transferring authority in block chain access control adds an access control strategy of authority as another party on the basis of the authority transfer method that only a sender and a receiver of the authority are needed to participate originally, and the authority receiver must meet the access control strategy of the corresponding authority if the receiver of the authority wants to receive the corresponding authority. The new rights delivery scheme is implemented by intelligent contracts deployed on blockchains.
A workflow of rights transfer in blockchain access control:
when the authority is allowed to be transferred, when an authority owner A who owns the resource access authority wants to transfer the authority to a resource visitor B, the authority transfer messages meeting the requirement of the intelligent contract for authority transfer need to be agreed together under the condition of meeting the authority constraint.
The content of the rights transfer message is that rights owner a transfers rights to resource visitor B.
The rights transfer message is required to be validated to obtain a joint approval of the rights owner A, B and the access control contract for the resource.
If the authority transfer message is sent to the authority transfer intelligent contract in the block chain, the contract sends the transferred content to the access control contract of the resource
The access control contract S can acquire the information of the resource visitor B from the PIP and make a decision by combining the constraint and the attribute of the authority.
If the transfer is approved, the access control contract sends the approval information to the authority transfer contract, and then the authority transfer contract changes the owner of the authority from the authority owner A to the resource visitor B. Otherwise the rights transfer fails.
The authority transfer method in block chain access control comprises three implementation methods, the first method is to perform a complete authorization decision process on an authority receiver during each authority transfer, the authority transfer can only occur when the authority receiver is judged by an access control system to meet the use of the authority, and otherwise the authority transfer fails.
In the second method for transferring the authority in the access control based on the block chain, the authority is usually represented in a non-homogeneous evidence-based access control mode, and the expression of the authority transfer in the block chain is the evidence-based transfer. The first method of authority transfer requires a complete authorization decision process for an authority receiver, for example, in a complex environment such as the internet of things, an access control system has a large number of access policies, and policies corresponding to a certain authority often need to be searched and combined in the large number of access policies, and the search time increases with the increase of the number of access policies.
Therefore, the second method of authority transfer integrates the index of the access strategy corresponding to the authority into the authority pass certificate, and during each authority transfer, the corresponding access control strategy is directly found according to the access strategy index in the pass certificate, and then the authority receiver makes a decision, and the authority transfer can only occur when the authority receiver is judged by the access control system to meet the requirement of using the authority, otherwise, the authority transfer fails.
The third method of authority transfer in block chain access control directly integrates the access control strategy corresponding to the authority into the pass-certificate, so that when the authority is transferred, the access control strategy in the pass-certificate is directly read for decision making, whether the authority receiver has the authority to use the authority is judged, the authority transfer can only occur when the authority receiver is judged to meet the requirement of using the authority, otherwise, the authority transfer fails.
The three permission transfer methods have respective advantages and disadvantages, and applicable scenes are different. If the first method of rights transfer takes too long, the second method may be used. If the second method takes a long time, the third method may be used, but the storage overhead required by the three methods is sequentially increased, and different methods for transferring the rights need to be selected according to different applications.
In general, the beneficial effects of the invention are as follows:
the three permission transferring methods of the invention verify the permission receiver in the permission transferring process, judge whether the permission receiver has the permission to use the transferred permission, and only when the permission receiver is judged to meet the permission, the permission transfer can occur, otherwise the permission transfer fails. The invention avoids the possibility that the authority is obtained by an illegal user in the process of transmission, and solves an unauthorized access vulnerability in access control.
Drawings
FIG. 1 is a diagram illustrating a method of transferring permissions in blockchain access control according to the present invention;
FIG. 2 is a flowchart illustrating a method for transferring permissions in blockchain access control according to a first embodiment of the present invention;
FIG. 3 is a flowchart illustrating a method for transferring permissions in blockchain access control according to a second embodiment of the present invention;
fig. 4 is a flowchart illustrating a method for transferring permissions in blockchain access control according to a third embodiment of the present invention.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
As shown in fig. 1, fig. 1 is a schematic diagram of a block chain access control-based privilege delivery flow according to the present invention. The method uses an intelligent contract for transferring the rights. The transfer of the authority refers to a process of transferring the authority to the user B after the authority of a certain resource is acquired by the user a, and the term used in the application is explained as follows:
(1) the token is an entity representing access control authority in a block chain, and the token in the present invention refers to a non-homogeneous token.
(2) A Policy Enforcement Point (PEP) is an entity that performs access control in a specific application environment.
(3) Policy Information Point (PIP) refers to an entity that provides access control system Information through which attribute Information of a subject, a resource, and an environment can be acquired.
The rights transfer flow shown in fig. 1 completes the transfer of rights according to the following steps:
step 1: and the authority owner A and the resource visitor B, which have the access authority of the resource s, negotiate to decide to pass the authority permit of the resource s to the resource visitor B.
Step 2: the authority owner A sends the authority transfer message generated by the negotiation result to the intelligent contract of authority transfer in the block chain network, and the content of the authority transfer message is the authority T of the authority owner ASTo resource visitor B.
And 3, step 3: resource accessor B sends confirmation receiving authorization token T to authority transfer intelligent contractSThe request of (1).
And 4, step 4: validation of rights delivery requires full agreement by A, B and the access control contract for resource s, so SCACInformation of the entitlement delivery message is to be sent to the SCT
And 5, step 5: SC (Single chip computer)ACThe access control policy in (1) requires a decision to be made whether to grant the passing of the authorization token, and therefore requires the verification of the authorization token TSAnd then obtaining relevant information of B from PIP to verify whether B is legal.
And 6, step 6: SC (Single chip computer)TMaking a decision based on the collected information, and thenReturning the decision result to SCAC
And 7, step 7: if yes, SCACGeneral certificate TSSending the information to B and informing A; if rejected, SCACThe rejection information is sent to B and informed to a.
Based on the above-mentioned permission transfer flow, various embodiments of permission transfer in block chain access control are proposed.
Referring to fig. 2, fig. 2 is a flowchart illustrating a method for transferring permissions in blockchain access control according to a first embodiment of the present invention.
While a logical order is shown in the flow chart, in some cases, the steps shown or described may be performed in an order different than that shown.
The first embodiment of the authority transfer method in block chain access control comprises the following steps:
and after the authority transfer parties determine to transfer the authority, the authority sender sends an authority transfer message to the authority transfer intelligent contract in the block chain.
After receiving the authority transfer message, the authority transfer contract first verifies whether the message is correct, then sends the transferred message and the information of the authority receiver to the access control intelligent contract, and the access control contract judges whether the authority receiver has the authority to use the authority according to the access control strategy of the authority.
If the authority receiver has the right to use, the authority transfer contract date changes the owner of the authority from the authority sender to the authority receiver, records the content of the authority transfer in the block chain, and returns the result.
If the authority receiver does not have the authority of using the authority, the authority transfer fails, and a failure result is returned.
Referring to fig. 3, fig. 3 is a flowchart illustrating a method for transferring permissions in blockchain access control according to a second embodiment of the present invention. The second embodiment of the method for transferring rights differs from the first embodiment of the method for controlling block chain access in that:
(1) and the authority pass certificate is integrated with an index of the authority corresponding to the access control strategy.
(2) After receiving the authority transfer message, the authority transfer contract firstly verifies whether the message is correct, then extracts the index of the access control strategy corresponding to the authority from the authority pass certificate, and then sends the index information and the information of the authority receiver to the access control intelligent contract.
(3) And combining the received strategy indexes into a complete access control strategy corresponding to the authority, and then judging an authority receiver to judge whether the authority receiver can use the authority.
Referring to fig. 4, fig. 4 is a flowchart illustrating a method for transferring permissions in blockchain access control according to a third embodiment of the present invention. The third embodiment of the rights transfer method differs from the previous two embodiments in that:
(1) the access control strategy corresponding to the authority is directly integrated into the pass certificate, so that after the authority transfer contract receives the authority transfer message, the access control strategy in the pass certificate can be directly extracted to judge whether the authority receiver has the right to use the authority.
(2) No information needs to be passed to the access control contract arbitration and therefore the time taken for transfer is shorter, but the storage cost of the voucher is higher.
It will be understood by those skilled in the art that the foregoing is only a preferred embodiment of the present invention, and is not intended to limit the invention, and although the invention has been described in detail with reference to the foregoing examples, it will be apparent to those skilled in the art that various changes in the form and details of the embodiments may be made and equivalents may be substituted for elements thereof. All modifications, equivalents and the like which come within the spirit and principle of the invention are intended to be included within the scope of the invention.

Claims (5)

1. A method for transferring permissions in blockchain access control, comprising: the method uses the authority granted in the block chain access control of the intelligent contract transfer, and the authority transfer intelligent contract can detect whether the authority receiver uses the authorityIf the detection is passed, the owner of the authority is changed from the authority sender to the authority receiver by the intelligent contract, otherwise, the transfer fails; the permission transferring steps are as follows: step 1: the authority owner A and the resource accessor B which have the access authority of the resource s negotiate to determine the authorization token T of the resource sSPassed to resource accessor B; step 2: the authority owner A sends the authority transfer message generated by the negotiation result to the intelligent contract of authority transfer in the block chain network, and the content of the authority transfer message is the authorization token T of the authority owner ASPassed to resource accessor B; and 3, step 3: resource accessor B sends confirmation receiving authorization token T to authority transfer intelligent contractSA request for (2); and 4, step 4: the validation of the rights transfer requires the full consent of A, B and the access control contract of the resource s, so the intelligent contract SCACInformation of the entitlement delivery message is to be sent to the smart contract SCT(ii) a And 5, step 5: intelligent contract SCACThe access control policy in (1) requires a decision to be made whether to grant the passing of the authorization token, and therefore requires the verification of the authorization token TSWhether the attribute and the constraint of the system are legal or not, then obtaining related information of the B from the PIP and verifying whether the B is legal or not; and 6, step 6: intelligent contract SCTMaking a decision according to the collected information and then returning the decision result to the intelligent contract SCAC(ii) a And 7, step 7: if yes, then intelligent contract SCACWill authorize the token TSSending the information to B and informing A; if rejection, intelligent contract SCACThe rejection information is sent to B and informed to a.
2. The permission transfer method according to claim 1, wherein the permission includes reading, writing, creating, deleting of data, and operating on internet of things devices, and a certain permission can be granted to the principal in a fine-grained selection.
3. The method of claim 1, wherein a complete authorization decision process is performed for the rights recipient each time the rights are transferred, and the rights transfer can only occur if the rights recipient is judged by the access control system to satisfy the rights, otherwise the rights transfer fails.
4. The method of claim 1, wherein the method integrates an index of the access policy corresponding to the right into the authorization token, and during each right transfer, the corresponding access control policy is directly found according to the access policy index in the authorization token, and then a decision is made for the right receiver, and only when the right receiver is judged by the access control system to satisfy the use of the right, the right transfer can occur, otherwise the right transfer fails.
5. The method of claim 1, wherein the access control policy corresponding to the right is directly integrated into the authorization token, so that when the right is transferred, the access control policy in the authorization token is directly read for decision, and whether the right receiver has the right to use the right is determined.
CN201911115968.8A 2019-11-15 2019-11-15 Authority transfer method in block chain access control Active CN110839030B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911115968.8A CN110839030B (en) 2019-11-15 2019-11-15 Authority transfer method in block chain access control

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911115968.8A CN110839030B (en) 2019-11-15 2019-11-15 Authority transfer method in block chain access control

Publications (2)

Publication Number Publication Date
CN110839030A CN110839030A (en) 2020-02-25
CN110839030B true CN110839030B (en) 2021-11-19

Family

ID=69576392

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911115968.8A Active CN110839030B (en) 2019-11-15 2019-11-15 Authority transfer method in block chain access control

Country Status (1)

Country Link
CN (1) CN110839030B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111478890B (en) * 2020-03-30 2021-12-03 中国科学院计算技术研究所 Network service access control method and system based on intelligent contract
CN111641586A (en) * 2020-04-24 2020-09-08 杭州溪塔科技有限公司 Account authority management method and system based on block chain

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107682331A (en) * 2017-09-28 2018-02-09 复旦大学 Internet of Things identity identifying method based on block chain
CN108632035A (en) * 2018-05-17 2018-10-09 湖北工业大学 A kind of Oblivious Transfer system and method with access control
CN108764898A (en) * 2018-04-03 2018-11-06 武汉龙津科技有限公司 A kind of logical method and system for demonstrate,proving design and its operating right management
CN109117668A (en) * 2018-08-10 2019-01-01 广东工业大学 A kind of identification authorization safety access method based on block chain building
CN110097467A (en) * 2019-05-05 2019-08-06 华中科技大学 A kind of side chain test method for intelligent contract safety and stability
CN110519066A (en) * 2019-09-29 2019-11-29 广东电网有限责任公司 A kind of Internet of Things secret protection access control method based on block chain technology

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2017151514A (en) * 2016-02-22 2017-08-31 富士ゼロックス株式会社 Program and information processor

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107682331A (en) * 2017-09-28 2018-02-09 复旦大学 Internet of Things identity identifying method based on block chain
CN108764898A (en) * 2018-04-03 2018-11-06 武汉龙津科技有限公司 A kind of logical method and system for demonstrate,proving design and its operating right management
CN108632035A (en) * 2018-05-17 2018-10-09 湖北工业大学 A kind of Oblivious Transfer system and method with access control
CN109117668A (en) * 2018-08-10 2019-01-01 广东工业大学 A kind of identification authorization safety access method based on block chain building
CN110097467A (en) * 2019-05-05 2019-08-06 华中科技大学 A kind of side chain test method for intelligent contract safety and stability
CN110519066A (en) * 2019-09-29 2019-11-29 广东电网有限责任公司 A kind of Internet of Things secret protection access control method based on block chain technology

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
物联网下的区块链访问控制综述;史锦山;《软件学报》;20190630;第1632-1648页 *

Also Published As

Publication number Publication date
CN110839030A (en) 2020-02-25

Similar Documents

Publication Publication Date Title
US10454927B2 (en) Systems and methods for managing relationships among digital identities
US7793333B2 (en) Mobile authorization using policy based access control
US9021113B2 (en) Inter-service sharing of content between users from different social networks
US20190333031A1 (en) System, method, and computer program product for validating blockchain or distributed ledger transactions in a service requiring payment
US8417964B2 (en) Software module management device and program
US9769137B2 (en) Extensible mechanism for securing objects using claims
US20150026080A1 (en) Methods and apparatus for title protocol, authentication, and sharing
US20150059005A1 (en) Networked services licensing system and method
US20070220009A1 (en) Methods, systems, and computer program products for controlling access to application data
US20040220878A1 (en) Networked services licensing system and method
TW200836085A (en) Reputation-based authorization decisions
CN101415001A (en) Composite application using security annotations
WO2007115468A1 (en) A method and system for information security authentication
CN109388957B (en) Block chain-based information transfer method, device, medium and electronic equipment
CN110839030B (en) Authority transfer method in block chain access control
US20060136425A1 (en) Data-centric distributed computing
US20140013447A1 (en) Method for User Access Control in a Multitenant Data Management System
AU2003219907B2 (en) Networked services licensing system and method
di Vimercati et al. Empowering owners with control in digital data markets
US20220318356A1 (en) User registration method, user login method and corresponding device
CN110807189A (en) Authority segmentation method in block chain access control
CN112202734B (en) Service processing method, electronic device and readable storage medium
WO2022259377A1 (en) Information distribution device, information distribution method, and program
JP5054552B2 (en) Secondary content right management method and system, program, and computer-readable recording medium
JP4324792B2 (en) Authentication information providing method, authentication method, authentication program, and information processing apparatus

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant