CN111431904B - Cloud storage access control method based on time characteristics - Google Patents

Publication number: CN111431904B
Authority: CN (China)
Prior art keywords: time slot, cloud storage, access control, signal, characteristic
Legal status: Active
Application number: CN202010219823.9A
Other languages: Chinese (zh)
Other versions: CN111431904A
Inventors: 王江, 李礼, 李鹏, 吴佳, 季峰
Current assignee: Shanghai V&g Information Technology Co ltd
Original assignee: Shanghai V&g Information Technology Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04B TRANSMISSION
    • H04B1/00 Details of transmission systems, not covered by a single one of groups H04B3/00 - H04B13/00; Details of transmission systems not characterised by the medium used for transmission
    • H04B1/69 Spread spectrum techniques
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L67/025 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] for remote control or remote monitoring of applications
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/60 Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers

Abstract

The invention discloses a cloud storage access control method based on time characteristics: an access control method built on the time slot characteristics of a stream, serving multiple purposes, and called a random time slot spread spectrum coding mechanism. A covert communication channel is opened in which the distribution of data packets across the selected time slots is slightly adjusted by delay operations, so that time slot characteristic information is embedded in the network traffic. In this self-adaptive cloud storage access control system the time slot characteristics are generated from the attributes of the stream itself, so different time slot characteristic information can be embedded into different streams; the time slot characteristic embedded in each stream is unique and closely tied to that stream, which overcomes the insufficient flexibility of the cloud storage Mandatory Access Control (MAC) model.

Description

Cloud storage access control method based on time characteristics
Technical Field
The invention relates to the technical field of secure access for cloud storage applications, in particular to a cloud storage access control method based on time characteristics.
Background
In the cloud storage service model, data storage is controlled by an untrusted server and lies outside the user's control. The aim of access control is to ensure, by controlling the data, that only authorized users can access it, so that the confidentiality of data in cloud storage is preserved.
Cloud storage access control models are of three types: Discretionary Access Control (DAC), Mandatory Access Control (MAC) and Role Based Access Control (RBAC). However, none of the three meets the application requirements of cloud storage. The main shortcomings are: 1) DAC suffers from the problem of large-scale dynamic growth of users, i.e. the ACL size in DAC grows sharply with the number of users and resources and becomes difficult to manage and maintain; 2) the MAC model is not flexible enough; 3) RBAC has difficulty implementing fine-grained access control, because fine-grained control requires users to be accurately distinguished, so RBAC must define a large number of user roles, which makes role allocation and management difficult.
Disclosure of Invention
In view of the above situation, and in order to overcome the defects of the prior art, the invention provides a cloud storage access control method based on time characteristics: an access control method built on the time slot characteristics of a stream, serving multiple purposes, and called a random time slot spread spectrum coding mechanism. A covert communication channel is opened in which the distribution of data packets across the selected time slots is slightly adjusted by delay operations, so that time slot characteristic information is embedded in the network traffic. In this self-adaptive cloud storage access control system the time slot characteristics are generated from the attributes of the stream itself, so different time slot characteristic information can be embedded into different streams; the time slot characteristic embedded in each stream is unique and closely tied to that stream, which overcomes the insufficient flexibility of the MAC model.
The method comprises the following steps. First, the access request initiating terminal (source host user A) sends an access request message to the cloud storage access control server. A feature embedding module deployed at the requesting terminal generates the original time slot feature from the user information and the shared feature parameters, and the original time slot feature is spread-spectrum coded using the direct sequence spread spectrum principle to obtain the time slot feature signal.
The user information comprises the requesting terminal's operating system information and the user name; the shared feature parameters are a time factor and a secret key. The shared feature parameters are distributed to users in advance by the cloud storage access control server, which is responsible for managing and maintaining user information and shared feature parameters. The requesting terminal computes the original feature signal from the user information and the shared feature parameters with a hash algorithm.
Second, the request message stream passes through a signal embedder. The fixed-length time from the start to the end of the access request is divided into periods of equal length, the number of messages in each period is counted, and the time slot feature signal is embedded: message delay operations change the number of messages in a given period, and thereby change the time slot feature signal of the message stream.
The signal embedder embeds the signal by changing the number of messages in a time slot. To improve the signal recognition rate, two operations are defined: 1) packet replication, used when the number of messages in the access request sent by the requesting terminal is limited and cannot satisfy the time slot signal embedding: the embedder automatically replicates a data packet and adds it to the request message stream so that the embedding can be completed; 2) clear operation, i.e. applying a delay operation to all data packets in the current slot so that they are delayed into the next slot.
Third, before flowing to the cloud storage server the request message passes through a feature recognition module, which comprises a signal extractor, a time slot decoder and a feature recognizer. The cloud storage access control server B stores the information and shared parameters of legitimate users. The feature recognition module extracts the time slot feature signal of the request message, analyzes the time slot feature, compares it with the features of legitimate users, authenticates the user's identity and authorizes users who pass the time slot feature verification.
The signal extractor extracts the time slot signal of the message stream. The time slot decoder despreads the time slot signal to obtain the time slot feature, and the extracted feature is compared with the original user time slot features stored by the cloud storage access control server. If the time slot feature of the request message stream is consistent with a user time slot feature stored by the cloud storage access control server, the access request is considered to comply with the control rule and user A is allowed to access the resources of the target cloud storage server; otherwise the request is considered non-compliant and user A's access request is rejected, thereby achieving access control.
The specific technical scheme is as follows:
a cloud storage access control method based on time characteristics comprises the following steps:
(I) an access request initiating terminal sends an access request message to a cloud storage access control server; a feature embedding module deployed at the requesting terminal generates an original time slot feature from user information and shared feature parameters, and the original time slot feature is spread-spectrum coded using the direct sequence spread spectrum principle to obtain a time slot feature signal;
the shared feature parameters are distributed to users in advance by the cloud storage access control server, which is responsible for managing and maintaining user information and shared feature parameters; the requesting terminal computes the original feature signal from the user information and the shared feature parameters with a hash algorithm;
(II) the request message stream passes through a signal embedder; the fixed-length time from the start to the end of the access request is divided into periods of equal length, the number of messages in each period is counted, and the time slot feature signal is embedded by using message delay operations to change the number of messages in a given period, thereby changing the time slot feature signal of the message stream;
(III) before flowing to the cloud storage server the request message passes through a feature recognition module comprising a signal extractor, a time slot decoder and a feature recognizer; the cloud storage access control server stores the information and shared parameters of legitimate users; the feature recognition module extracts the time slot feature signal of the request message, analyzes the time slot feature, compares it with the features of legitimate users, authenticates the users' identities and authorizes the users who pass the time slot feature verification;
the signal extractor extracts the time slot signal of the message stream; the time slot decoder despreads the time slot signal to obtain the time slot feature, and the extracted feature is compared with the original user time slot features stored by the cloud storage access control server; if the time slot feature of the request message stream is consistent with the time slot feature of a user stored by the cloud storage access control server, the access request is considered to comply with the control rule and the user is allowed to access the resources of the target cloud storage server; otherwise the access request is considered non-compliant and the user's access request is rejected, thereby achieving access control.
Further, the user information in step (I) includes requesting terminal operating system information and a user name, and the shared feature parameters include a time factor and a secret key.
Further, step (II) further comprises:
the signal embedder embeds the signal by changing the number of messages in a time slot and, to improve the signal recognition rate, comprises two operations: 1) packet replication: when the number of messages in the access request sent by the requesting terminal is limited and cannot satisfy the time slot signal embedding, the embedder automatically replicates a data packet and adds it to the request message stream so that the embedding can be completed; 2) clear operation, i.e. applying a delay operation to all data packets in the current slot so that they are delayed into the next slot.
Drawings
Fig. 1 is a block diagram of an example of a request side applying for access to a cloud storage server.
Fig. 2 is a schematic diagram of request message stream slot partitioning and feature embedding.
Fig. 3 is a schematic diagram of time slot characteristic spreading.
Detailed Description
The invention is further described below with reference to the drawings and the specific preferred embodiments, without limiting the scope of the invention.
The implementation of cloud storage access control is shown in fig. 1. A request packet stream sent by requesting terminal A has a time slot feature embedded in it after passing through a feature embedding module, which comprises a feature generator, a time slot encoder and a signal embedder. Before reaching the destination host, the request message stream passes through a feature recognition module comprising a signal extractor, a time slot decoder and a feature recognizer. The feature recognition module extracts the time slot feature of the message stream and compares the extracted feature with the feature it shares with the requester; if they are consistent, the access request complies with the control rule and requesting terminal A is allowed to access the resources of the target host; if they are not, the access request of requesting terminal A is refused, thereby achieving access control.
Fig. 1 comprises a requesting terminal A, a cloud storage access control server B and a cloud data storage server C, which communicate over a data network. A requesting terminal that wishes to access resources on the cloud data storage server sends an access request message to the cloud storage access control server; the feature embedding module installed at the requesting terminal generates the time slot feature from the user information and the shared feature parameters, obtains the time slot signal after spread spectrum coding, and embeds the signal into the request message stream. The cloud storage access control server stores the information and shared parameters of legitimate users; the feature recognition module installed on it extracts the time slot feature signal of the request message, analyzes the time slot feature, compares it with the features of legitimate users, authenticates the user's identity and authorizes users who pass the time slot feature verification. In this way a requesting terminal can authenticate itself to the cloud storage access control server, obtain access rights to the cloud data and establish a secure communication link.
When applying for access rights, the requesting terminal must supply the user information and the shared time slot feature parameters (such as the time factor T and the key K); these time slot feature parameters are issued in advance to legitimate users by the cloud storage access control server. The time slot feature parameters may be any numbers.
In the system of fig. 1, the feature embedding module and the feature recognition module are deployed at the access requesting terminal and the cloud storage access control server respectively. The feature embedding module comprises a feature generator, a time slot encoder and a signal embedder. The feature generator produces the original time slot feature from the user information and the shared feature parameters; the time slot encoder performs the spread spectrum operation on the original time slot feature to strengthen the signal's resistance to interference; and the signal embedder changes the statistical characteristics of the message count in each time slot period of the message stream, so that the time slot feature signal is embedded into the request message stream as a 0/1 code. The content and size of the data packets are not modified, and the time slot feature generator is transparent to users.
The feature recognition module running on the cloud storage access control server comprises a signal extractor, a time slot decoder and a feature recognizer. The signal extractor counts the number of messages in every time slot period, restores the 0/1-coded time slot signal $T_s$ from those counts and passes it to the time slot decoder, which uses the same time slot spreading code $P$ to restore the original time slot feature $D_s$. The feature recognizer computes the time slot feature $D_o$ corresponding to the user from the user information and the shared time slot feature parameters stored by the cloud storage access control server, and calculates the inner product of $D_s$ and $D_o$. When the inner product exceeds the threshold $r$, $D_s$ and $D_o$ are considered highly similar, the extracted time slot feature is consistent with the user's time slot feature, the requesting terminal passes identity authentication and is granted access to the cloud data storage server; otherwise the requesting terminal is refused access to the cloud data storage server.
Fig. 2 shows the time slot division and time slot feature embedding of the request message stream. The fixed-length time from the start to the end of the access request is divided into periods of equal length, the number of messages in each period is counted, and the message count of each period is used as a 0/1 signal. The message count signals of all periods over the whole access request time together form the time slot feature of the message stream, and message delay operations are used to change the number of messages in a given period, thereby changing the time slot feature signal of the message stream. After the cloud storage access control server has authenticated the identity of the requesting terminal's user, it grants the requesting terminal access to the cloud data storage server.
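The following is an added, runnable sketch of the pipeline described in the three steps above and in the fig. 1 and fig. 2 description; it is example code written for this page, not code from the patent or its assignee. It covers feature generation from the user information and the shared parameters T and K, direct sequence spreading, embedding into per-slot packet counts with the clear and replication operations, extraction, despreading, and the inner-product comparison against the feature stored for the user. Everything not fixed by the text is an assumption: SHA-256 stands in for the unspecified hash algorithm, the spreading code P is derived from T and K so both ends agree on it, a slot holding at least one packet encodes 1 and an empty slot encodes 0, the slot width, feature length, code length N and threshold r are arbitrary constants, and the packet timestamps are constructed.

```python
"""Added example (not the patent's code): time slot feature pipeline sketch."""
import hashlib
import random
from typing import List, Tuple

SLOT_WIDTH = 1.0      # seconds per time slot period (assumed)
FEATURE_BITS = 32     # length of the original time slot feature D (assumed)
CODE_LENGTH = 8       # spreading code length N, chips per feature element (assumed)


def original_feature(os_info: str, username: str, time_factor: int, key: bytes) -> List[int]:
    """Feature generator: hash user information and the shared parameters
    (time factor T, key K) into a +-1 vector D, the original time slot feature.
    SHA-256 is an assumption; the patent only says 'a hash algorithm'."""
    digest = hashlib.sha256(f"{os_info}|{username}|{time_factor}|".encode() + key).digest()
    bits = [(byte >> (7 - i)) & 1 for byte in digest for i in range(8)]
    return [1 if b else -1 for b in bits[:FEATURE_BITS]]


def spreading_code(time_factor: int, key: bytes) -> List[int]:
    """Shared +-1 chip sequence P, derived from T and K so both ends agree (assumption)."""
    seed = int.from_bytes(hashlib.sha256(b"code|" + key + str(time_factor).encode()).digest()[:8], "big")
    rng = random.Random(seed)
    return [rng.choice((-1, 1)) for _ in range(CODE_LENGTH)]


def spread(feature: List[int], code: List[int]) -> List[int]:
    """Time slot encoder: T_s = D_s * P_s, one chip per time slot."""
    return [d * p for d in feature for p in code]


def embed(packet_times: List[float], signal: List[int]) -> List[float]:
    """Signal embedder. Chip +1 means the slot must carry at least one packet
    (binary 1); chip -1 means the slot must be empty (binary 0). Packets in a
    -1 slot are delayed into the next slot (clear operation); an empty +1 slot
    receives a replicated packet (packet replication). Contents are untouched."""
    n_slots = len(signal)
    slots: List[List[float]] = [[] for _ in range(n_slots)]
    shaped: List[float] = []
    for t in packet_times:
        idx = int(t // SLOT_WIDTH)
        if idx < n_slots:
            slots[idx].append(t)
        else:
            shaped.append(t)                # outside the request window: pass through
    carry: List[float] = []                 # packets pushed out of cleared slots
    for i, chip in enumerate(signal):
        start = i * SLOT_WIDTH
        pending = carry + slots[i]
        carry = []
        if chip < 0:
            carry = pending                 # clear: delay everything into slot i+1
        elif pending:
            shaped.extend(max(t, start) for t in pending)   # delayed packets leave at slot start
        else:
            shaped.append(start + SLOT_WIDTH / 2)           # replication: synthesize one packet
    shaped.extend(max(t, n_slots * SLOT_WIDTH) for t in carry)  # spill past the window
    return sorted(shaped)


def extract(packet_times: List[float], n_slots: int) -> List[int]:
    """Signal extractor: count packets per slot and map count > 0 -> +1, 0 -> -1."""
    counts = [0] * n_slots
    for t in packet_times:
        idx = int(t // SLOT_WIDTH)
        if idx < n_slots:
            counts[idx] += 1
    return [1 if c > 0 else -1 for c in counts]


def despread(chips: List[int], code: List[int]) -> List[int]:
    """Time slot decoder: per block of N chips, D_r = (1/N) sum(T_r * P_r), then take the sign."""
    n = len(code)
    out = []
    for k in range(0, len(chips) - n + 1, n):
        corr = sum(c * p for c, p in zip(chips[k:k + n], code)) / n
        out.append(1 if corr > 0 else -1)
    return out


def recognize(chips: List[int], os_info: str, username: str, time_factor: int,
              key: bytes, threshold: float = 0.9) -> Tuple[bool, float]:
    """Feature recognizer: normalized inner product of D_s and D_o against threshold r."""
    d_s = despread(chips, spreading_code(time_factor, key))
    d_o = original_feature(os_info, username, time_factor, key)
    score = sum(a * b for a, b in zip(d_s, d_o)) / len(d_o)
    return score > threshold, score


def run_request(requester_key: bytes, stored_key: bytes = b"shared-key-K",
                os_info: str = "Linux 5.4", username: str = "alice",
                time_factor: int = 20200325) -> Tuple[bool, float]:
    """The requester shapes a constructed packet stream with the parameters it
    holds; the control server checks it against the parameters stored for the user."""
    signal = spread(original_feature(os_info, username, time_factor, requester_key),
                    spreading_code(time_factor, requester_key))
    n_slots = len(signal)
    packets = [i * 0.4 for i in range(int(n_slots * SLOT_WIDTH / 0.4))]  # constructed stream
    shaped = embed(packets, signal)
    return recognize(extract(shaped, n_slots), os_info, username, time_factor, stored_key)


if __name__ == "__main__":
    print("holder of the stored key:", run_request(b"shared-key-K"))   # (True, 1.0)
    print("holder of a different key:", run_request(b"not-the-key"))   # (False, low score)
```

Running it accepts the requester that holds the stored key with score 1.0 and rejects one holding a different key. Two points worth noting for a deployment: the decision rests entirely on the secrecy of K and T at the requesting end, since the check authenticates possession of the shared parameters rather than anything in the packet contents (which the embedding leaves untouched); and the extractor only sees slot counts, so any middlebox that reorders or coalesces packets across slot boundaries changes the recovered chips, which is exactly the interference the spreading step is meant to absorb.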
Fig. 3 shows a resource requester that wishes to access a cloud data storage server or other resources and sends an application message stream to the cloud storage access control server. The feature embedding module installed at the requesting terminal generates the time slot feature of the message stream and performs the spread spectrum operation on the original feature information, which strengthens the signal's resistance to interference and improves the accuracy of time slot feature signal embedding and detection.
Multiplying the original feature signal by the time slot spreading code $P_s$ gives the feature spread spectrum signal $T_s$ (i.e. $T_s = D_s * P_s$). $T_s$ is transmitted through the channel; assuming no interference during transmission, the receiver obtains the signal $T_r = T_s = D_s * P_s$ and despreads it with the feature code $P_r$ to recover the original signal:

$$D_r = \frac{1}{N}\sum (T_r \cdot P_r) = \frac{1}{N}\sum (D_s \cdot P_s \cdot P_r)$$

Here $\cdot$ denotes the inner product between vectors, $\sum$ denotes summation over all elements of a vector, and $N$ denotes the spreading code length. There are two cases when despreading:

(1) $P_r = P_s$: the feature codes of the requester and the detector are the same, $P_r \cdot P_s = 1$, therefore

$$D_r = \frac{1}{N}\sum D_s = D_s$$

and the signal is recovered successfully.

(2) $P_r \neq P_s$: the feature codes of the requester and the detector differ, then

$$\frac{1}{N}\sum (P_r \cdot P_s) \approx 0, \qquad D_r = \frac{1}{N}\sum (D_s \cdot P_s \cdot P_r) \neq D_s$$

i.e. $D_r \neq D_s$ and the feature information recovery fails.
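As an added numeric check of the two despreading cases just derived, and of the interference resistance the description attributes to spreading, the block below (example code written for this page, not from the patent) computes $D_r = \frac{1}{N}\sum (T_r \cdot P_r)$ with matched and mismatched codes and shows how many corrupted chips a matched code of length N still tolerates. The +-1 codes are constructed from a seeded generator and N is chosen arbitrarily.

```python
"""Added example (not from the patent): despreading identity and interference margin."""
import random
from typing import List


def make_code(n: int, seed: int) -> List[int]:
    """Constructed +-1 spreading code of length N."""
    rng = random.Random(seed)
    return [rng.choice((-1, 1)) for _ in range(n)]


def despread_value(t_r: List[int], p_r: List[int]) -> float:
    """D_r = (1/N) * sum of the element-wise product T_r * P_r."""
    return sum(t * p for t, p in zip(t_r, p_r)) / len(p_r)


def code_correlation(p_a: List[int], p_b: List[int]) -> float:
    """(1/N) sum(P_a * P_b): exactly 1 for identical codes, close to 0 for unrelated ones,
    which is why case (2) above fails to recover D_s."""
    return despread_value(p_a, p_b)


def recover(d_s: int, p_s: List[int], p_r: List[int], flipped: int = 0, seed: int = 7) -> int:
    """Transmit T_s = D_s * P_s, invert `flipped` chips to model interference on the
    channel, despread with P_r and decide the sign. With matched codes the decision
    survives as long as fewer than N/2 chips are corrupted."""
    t_r = [d_s * p for p in p_s]
    rng = random.Random(seed)
    for i in rng.sample(range(len(t_r)), flipped):
        t_r[i] = -t_r[i]
    return 1 if despread_value(t_r, p_r) > 0 else -1


def margin(n: int, flipped: int) -> float:
    """Correlation left after k corrupted chips with matched codes: (N - 2k) / N."""
    return (n - 2 * flipped) / n


if __name__ == "__main__":
    N = 32
    P_s = make_code(N, seed=1)
    P_other = make_code(N, seed=2)
    print("case (1), matched code:", despread_value([p for p in P_s], P_s))       # 1.0, D_r = D_s
    print("case (2), code correlation:", code_correlation(P_s, P_other))          # small, D_r != D_s
    print("10 of 32 chips corrupted, decoded bit:", recover(1, P_s, P_s, flipped=10))
    print("remaining margin:", margin(N, 10))                                      # 0.375
```

The margin function makes the trade-off explicit: a longer code N absorbs more corrupted chips before the sign flips, at the cost of needing more time slots per feature element, which lengthens the request window the embedder must shape.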
It should be understood that the above embodiments of the present invention are merely examples for clearly illustrating the invention and are not intended to limit its embodiments. Other variations and modifications will be apparent to persons skilled in the art in light of the above description; it is neither necessary nor possible to enumerate all embodiments. Any modification, equivalent replacement or improvement made within the spirit and principle of the present invention falls within the protection scope of its claims.

Claims (3)

1. A cloud storage access control method based on time characteristics, characterized by comprising the following steps:
(I) an access request initiating terminal sends an access request message to a cloud storage access control server; a feature embedding module deployed at the requesting terminal generates an original time slot feature from user information and shared feature parameters, and the original time slot feature is spread-spectrum coded using the direct sequence spread spectrum principle to obtain a time slot feature signal;
the shared feature parameters are distributed to users in advance by the cloud storage access control server, which is responsible for managing and maintaining user information and shared feature parameters; the requesting terminal computes the original feature signal from the user information and the shared feature parameters with a hash algorithm;
(II) the request message stream passes through a signal embedder; the fixed-length time from the start to the end of the access request is divided into periods of equal length, the number of messages in each period is counted, and the time slot feature signal is embedded by using message delay operations to change the number of messages in a given period, thereby changing the time slot feature signal of the message stream;
(III) before flowing to the cloud storage server the request message passes through a feature recognition module comprising a signal extractor, a time slot decoder and a feature recognizer; the cloud storage access control server stores the information and shared parameters of legitimate users; the feature recognition module extracts the time slot feature signal of the request message, analyzes the time slot feature, compares it with the features of legitimate users, authenticates the users' identities and authorizes the users who pass the time slot feature verification;
the signal extractor extracts the time slot signal of the message stream; the time slot decoder despreads the time slot signal to obtain the time slot feature, and the extracted feature is compared with the original user time slot features stored by the cloud storage access control server; if the time slot feature of the request message stream is consistent with the time slot feature of a user stored by the cloud storage access control server, the access request is considered to comply with the control rule and the user is allowed to access the resources of the target cloud storage server; otherwise the access request is considered non-compliant and the user's access request is rejected, thereby achieving access control.
2. The method according to claim 1, wherein the user information in step (I) includes requesting terminal operating system information and a user name, and the shared feature parameters include a time factor and a secret key.
3. The cloud storage access control method based on time characteristics according to claim 1, wherein step (II) further comprises:
the signal embedder embeds the signal by changing the number of messages in a time slot and, to improve the signal recognition rate, comprises two operations: 1) packet replication: when the number of messages in the access request sent by the requesting terminal is limited and cannot satisfy the time slot signal embedding, the embedder automatically replicates data packets and adds them to the request message stream so that the embedding can be completed; 2) clear operation, i.e. applying a delay operation to all data packets in the current slot so that they are delayed into the next slot.

Priority Applications (1)

Application number: CN202010219823.9A (CN111431904B)
Priority date: 2020-03-25
Filing date: 2020-03-25
Title: Cloud storage access control method based on time characteristics

Publications (2)

CN111431904A, published 2020-07-17
CN111431904B (granted), published 2022-05-06

Family

ID=71548730

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104412609A * 2012-07-05 2015-03-11 LG Electronics Method and apparatus for processing digital service signals
KR102086514B1 * 2012-07-16 2020-03-09 LG Electronics Method and apparatus for processing digital service signals
CN104967610B * 2015-04-30 2018-05-29 National University of Defense Technology Time slot based watermark hopping communication method
CN108650054B * 2018-04-03 2020-06-09 Xiamen University Method for establishing a covert channel with a network flow watermark based on forward error correcting and interleaving codes
CN109922066B * 2019-03-11 2020-11-20 Jiangsu University Dynamic watermark embedding and detection method based on time slot characteristics in communication networks


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant