CN111431904B - Cloud storage access control method based on time characteristics - Google Patents
Classifications
- H04L63/0876: Network architectures or network communication protocols for network security, for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint (H04L63/00 > H04L63/08)
- H04B1/69: Spread spectrum techniques (H04B1/00, details of transmission systems)
- H04L67/025: Protocols based on web technology, e.g. hypertext transfer protocol [HTTP], for remote control or remote monitoring of applications (H04L67/00 > H04L67/01 > H04L67/02)
- H04L67/60: Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources (H04L67/00 > H04L67/50)
- H04L69/22: Parsing or analysis of headers (H04L69/00, network arrangements, protocols or services independent of the application payload)
All of the above fall under H (Electricity) > H04 (Electric communication technique).
Abstract
The invention discloses a cloud storage access control method based on time characteristics: a multi-purpose access control method based on the time-slot characteristics of a stream, called a random time slot spread spectrum coding mechanism. It opens an invisible covert communication channel and, by applying a delay operation, slightly adjusts the distribution of data packets within selected time slots so as to embed time slot characteristic information in the network traffic. In the adaptive cloud storage access control system, the time slot characteristics are generated from the attributes of the stream itself, so different time slot characteristic information can be embedded into different streams; the time slot characteristics embedded in each stream are unique and closely bound to that stream, which overcomes the insufficient flexibility of the cloud storage Mandatory Access Control (MAC) mode.
Description
Technical Field
The invention relates to the technical field of secure access to cloud storage applications, and in particular to a cloud storage access control method based on time characteristics.
Background
In the cloud storage service mode, data storage is controlled by an untrusted server and lies outside the user's control. The aim of access control is to ensure, by controlling the data, that only authorized users can access it, thereby guaranteeing the confidentiality of data in cloud storage.
Cloud storage access control models are of three types: Discretionary Access Control (DAC), Mandatory Access Control (MAC) and Role-Based Access Control (RBAC). None of the three meets the application requirements of cloud storage. The main shortcomings are as follows: 1) DAC scales poorly with large, dynamic user populations: the size of the ACLs in DAC grows sharply with the number of users and resources, making them difficult to manage and maintain; 2) the MAC mode is not flexible enough; 3) RBAC makes fine-grained access control difficult, because fine-grained control requires users to be distinguished precisely, so RBAC must define a large number of roles, which makes role allocation and management hard.
Disclosure of Invention
In view of the above, and to overcome the defects of the prior art, the invention provides a cloud storage access control method based on time characteristics: a multi-purpose access control method based on the time-slot characteristics of a stream, called a random time slot spread spectrum coding mechanism. It opens an invisible covert communication channel and, by applying a delay operation, slightly adjusts the distribution of data packets within selected time slots so as to embed time slot characteristic information in the network traffic. In the adaptive cloud storage access control system, the time slot characteristics are generated from the attributes of the stream itself, so different time slot characteristic information can be embedded into different streams; the time slot characteristics embedded in each stream are unique and closely bound to that stream, which overcomes the insufficient flexibility of the MAC mode.
The method comprises the following steps. Step one: the access request initiator (source host user A) sends an access request message to the cloud storage access control server; a feature embedding module deployed at the request end generates the original time slot feature from the user information and the shared feature parameters, and spread-spectrum codes the original time slot feature using the direct sequence spread spectrum (DSSS) principle to obtain the time slot feature signal.
The user information comprises the operating system information of the request end and the user name; the shared feature parameters are a time factor and a secret key. The shared feature parameters are distributed to users in advance by the cloud storage access control server, which is responsible for managing and maintaining user information and shared feature parameters. The request end computes the original feature signal from the user information and the shared feature parameters with a hash algorithm.
Step two: the request message stream passes through a signal embedder. The fixed-length interval from the start to the end of the access request is divided into periods of equal length, the number of messages in each period is counted, and the time slot feature signal is embedded by changing the number of messages in a given period through message delay operations, thereby changing the time slot feature signal of the message stream.
The signal embedder embeds the signal by changing the number of messages in a time slot. To improve the signal recognition rate, two operations are defined: 1) packet replication, used when the number of messages in the access request sent by the request end is too small to satisfy time slot signal embedding: the embedder automatically replicates data packets and adds them to the request message stream so that the signal can be embedded; 2) clear, i.e. applying a delay operation to all data packets in the current slot so that they are delayed into the next slot.
Step three: before flowing on to the cloud storage server, the request message passes through a feature recognition module, which comprises a signal extractor, a time slot decoder and a feature recognizer. The cloud storage access control server B stores the information and shared parameters of legitimate users. The feature recognition module extracts the time slot feature signal of the request message, analyses the time slot feature, compares it with the features of legitimate users, authenticates the user's identity and authorizes users who pass time slot feature verification.
The signal extractor extracts the time slot signal of the message stream. The time slot decoder spread-spectrum decodes the time slot signal to obtain the time slot feature, and the extracted feature is compared with the original user time slot features stored by the cloud storage access control server. If the time slot feature of the request message stream matches the time slot feature of some user stored by the cloud storage access control server, the access request is considered to comply with the control rule and user A is allowed to access the resources of the target cloud storage server; otherwise the access request is considered not to comply with the rule and user A's access request is rejected, which achieves the purpose of access control.
The specific technical scheme is as follows:
a cloud storage access control method based on time characteristics comprises the following steps:
(I) an access request initiator sends an access request message to a cloud storage access control server; a feature embedding module deployed at the request end generates the original time slot feature from the user information and the shared feature parameters, and spread-spectrum codes the original time slot feature using the direct sequence spread spectrum principle to obtain the time slot feature signal;
the shared feature parameters are distributed to users in advance by the cloud storage access control server, which is responsible for managing and maintaining user information and shared feature parameters; the request end computes the original feature signal from the user information and the shared feature parameters with a hash algorithm;
(II) the request message stream passes through a signal embedder; the fixed-length interval from the start to the end of the access request is divided into periods of equal length, the number of messages in each period is counted, and the time slot feature signal is embedded by changing the number of messages in a given period through message delay operations, thereby changing the time slot feature signal of the message stream;
(III) before flowing on to the cloud storage server, the request message passes through a feature recognition module comprising a signal extractor, a time slot decoder and a feature recognizer; the cloud storage access control server stores the information and shared parameters of legitimate users, and the feature recognition module extracts the time slot feature signal of the request message, analyses the time slot feature, compares it with the features of legitimate users, authenticates the users' identities and authorizes the users who pass time slot feature verification;
the signal extractor extracts the time slot signal of the message stream; the time slot decoder spread-spectrum decodes the time slot signal to obtain the time slot feature, and the extracted feature is compared with the original user time slot features stored by the cloud storage access control server; if the time slot feature of the request message stream matches the time slot feature of some user stored by the cloud storage access control server, the access request is considered to comply with the control rule and the user is allowed to access the resources of the target cloud storage server; otherwise the access request is considered not to comply with the rule and the user's access request is rejected, which achieves the purpose of access control.
Further, the user information in step (I) includes the operating system information of the request end and the user name, and the shared feature parameters include a time factor and a secret key.
Further, step (II) further comprises:
the signal embedder embeds the signal by changing the number of messages in a time slot and, to improve the signal recognition rate, comprises two operations: 1) packet replication, used when the number of messages in the access request sent by the request end is too small to satisfy time slot signal embedding: the embedder automatically replicates data packets and adds them to the request message stream so that the signal can be embedded; 2) clear, i.e. applying a delay operation to all data packets in the current slot so that they are delayed into the next slot.
Drawings
Fig. 1 is a block diagram of an example of a request side applying for access to a cloud storage server.
Fig. 2 is a schematic diagram of request message stream slot partitioning and feature embedding.
Fig. 3 is a schematic diagram of time slot characteristic spreading.
Detailed Description
The invention is further described below with reference to the drawings and the specific preferred embodiments, without limiting the scope of the invention.
The implementation of cloud storage access control is shown in Fig. 1. A request packet stream sent by request end A has a time slot feature embedded after passing through a feature embedding module, which comprises a feature generator, a time slot encoder and a signal embedder. Before reaching the destination host, the request message stream passes through a feature recognition module comprising a signal extractor, a time slot decoder and a feature recognizer. The feature recognition module extracts the time slot feature of the message stream and compares the extracted feature with the feature it shares with the request end: if they match, the access request is considered to comply with the control rule and request end A is allowed to access the resources of the target host; if not, the access request of request end A is refused, which achieves the purpose of access control.
Fig. 1 comprises a request end A, a cloud storage access control server B and a cloud data storage server C, which communicate over a data network. A request end that wishes to access resources on the cloud data storage server sends an access request message to the cloud storage access control server; the feature embedding module installed on the request end generates the time slot feature from the user information and the shared feature parameters, obtains the time slot signal by spread spectrum coding, and embeds the signal into the request message stream. The cloud storage access control server stores the information and shared parameters of legitimate users; the feature recognition module installed on it extracts the time slot feature signal of the request message, analyses the time slot feature, compares it with the features of legitimate users, authenticates the user identity and authorizes users who pass time slot feature verification. In this way the request end can authenticate itself to the cloud storage access control server, obtain access rights to the cloud data and establish a secure communication link.
When applying for access rights, the request end must input its user information and the shared time slot feature parameters (such as the time factor T and the key K); the time slot feature parameters are issued to legitimate users in advance by the cloud storage access control server. The time slot feature parameters may be any numbers.
In the system of Fig. 1, a feature embedding module and a feature recognition module are deployed at the access request end and at the cloud storage access control server respectively. The feature embedding module comprises a feature generator, a time slot encoder and a signal embedder. The feature generator produces the original time slot feature from the user information and the shared feature parameters; the time slot encoder performs a spread spectrum operation on the original time slot feature to strengthen the signal's resistance to interference; and the signal embedder changes the statistics of the number of messages in each time slot period of the message stream so that the time slot feature signal is embedded into the request message stream as 0/1 coding. The content and size of the data packets are not modified, and the time slot feature generator is transparent to users.
The feature recognition module running on the cloud storage access control server comprises a signal extractor, a time slot decoder and a feature recognizer. The signal extractor counts the number of messages in every time slot period, restores the 0/1-coded time slot signal $T_s$ from those counts and passes it to the time slot decoder, which uses the same time slot spreading code $P$ to restore the original time slot feature $D_s$. The feature recognizer computes the time slot feature $D_o$ corresponding to the user from the user information and the shared time slot feature parameters stored by the cloud storage access control server, and then computes the inner product of $D_s$ and $D_o$. When the inner product is larger than the threshold $r$, $D_s$ and $D_o$ are considered highly similar, the extracted time slot feature matches the user's time slot feature, the request end passes identity authentication and is granted access rights to the cloud data storage server; otherwise the request end is refused access to the cloud data storage server.
Fig. 2 shows the time slot division and time slot feature embedding of the request message stream: the fixed-length interval from the start to the end of the access request is divided into periods of equal length, the number of messages in each period is counted, and the number of messages in a period is interpreted as a 0/1 signal. The message-count signals of all periods across the whole access request time together form the time slot feature of the message stream, and message delay operations are used to change the number of messages in a given period, thereby changing the time slot feature signal of the message stream. After the cloud storage access control server has authenticated the identity of the user at the request end, it grants the request end access rights to the cloud data storage server.
In Fig. 3, a resource requester wishes to access a cloud data storage server or other resources and sends an application message stream to the cloud storage access control server. The feature embedding module installed at the request end generates the time slot feature of the message stream and performs a spread spectrum operation on the original feature information, which improves the resistance of the signal to interference and the accuracy of embedding and detecting the time slot feature signal.
Multiplying the original feature signal $D_s$ by the time slot spreading code $P_s$ gives the feature spread spectrum signal $T_s$ (i.e. $T_s = D_s \cdot P_s$). $T_s$ is transmitted over the channel; assuming it suffers no interference in transit, the receiver obtains the signal $T_r = T_s = D_s \cdot P_s$ and despreads it with the feature code $P_r$ to recover the original signal:

$$D_r = \frac{1}{N}\sum (T_r \cdot P_r) = \frac{1}{N}\sum (D_s \cdot P_s \cdot P_r)$$

Here $\cdot$ denotes the inner product between vectors, $\sum$ denotes summation over all elements of a vector, and $N$ denotes the spreading code length. There are two cases when despreading:
(1) $P_r = P_s$: the feature codes of the requester and the detector are the same, so $P_r \cdot P_s = 1$ and therefore $D_r = D_s$; the signal is recovered successfully.
(2) $P_r \neq P_s$: the feature codes of the requester and the detector differ, so the product $P_s \cdot P_r$ no longer equals 1 and $D_r \neq D_s$; recovery of the feature information fails.
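The whole pipeline described above (hash-derived slot feature, spreading with a chip code, embedding by packet replication and clear operations, extraction from per-slot counts, despreading and the inner-product threshold) as an added end-to-end simulation that is not part of the patent. The function names, the two 8-chip spreading codes, the slot threshold, the recognizer threshold r and the per-slot packet counts are all constructed assumptions; the run also disturbs a share of the slots to show that despreading tolerates interference, and uses an orthogonal code to show the failed-recovery case.

```python
import hashlib

# Constructed illustration of the slot-feature scheme; not the patent's own code.
# Function names, the 8-chip spreading codes, SLOT_THRESHOLD, ACCEPT_R and the
# per-slot packet counts are all assumptions made for this example.

N_FEATURE = 32       # length of the original slot feature D (hash-derived +-1 symbols)
SLOT_THRESHOLD = 4   # a slot with >= 4 packets encodes "1" (+1), fewer encodes "0" (-1)
ACCEPT_R = 0.8       # recognizer threshold r on the normalised inner product <D_s, D_o>
P_SHARED = [1, 1, 1, 1, -1, -1, -1, -1]  # time-slot spreading code P, length N = 8
P_OTHER = [1, -1, 1, -1, 1, -1, 1, -1]   # a different code, orthogonal to P_SHARED


def feature_bits(os_info, user_name, time_factor, key, n=N_FEATURE):
    """Feature generator: hash the user information and the shared parameters
    (time factor T, key K) into n +-1 symbols (D_s at the request end, D_o on
    the access control server)."""
    msg = f"{os_info}|{user_name}|{time_factor}|{key}".encode()
    digest = hashlib.sha256(msg).digest()
    return [1 if (digest[i // 8] >> (i % 8)) & 1 else -1 for i in range(n)]


def spread(feature, code):
    """Time-slot encoder: T_s = D_s * P_s, each feature symbol times every chip."""
    return [d * c for d in feature for c in code]


def embed_slots(chips, counts):
    """Signal embedder: make slot i carry chip i by changing only packet counts.
    Chip +1: replicate packets until the slot holds SLOT_THRESHOLD packets.
    Chip -1: 'clear' the slot by delaying all of its packets into the next slot.
    Packet content and size are untouched; one trailing slot absorbs the last clear."""
    out = list(counts) + [0]
    for i, chip in enumerate(chips):
        if chip == 1:
            out[i] = max(out[i], SLOT_THRESHOLD)
        else:
            out[i + 1] += out[i]
            out[i] = 0
    return out


def extract_slots(counts, n_chips):
    """Signal extractor: read the 0/1 slot signal T_r back from the packet counts."""
    return [1 if counts[i] >= SLOT_THRESHOLD else -1 for i in range(n_chips)]


def despread(received, code):
    """Time-slot decoder: D_r[j] = sign(sum_k T_r[j*N + k] * P_r[k]).
    With P_r = P_s every product P_s*P_r is 1 and D_s comes back even if a few
    chips were corrupted; with an orthogonal P_r the sum is 0 and nothing is
    recovered (the two despreading cases described above)."""
    n = len(code)
    result = []
    for j in range(len(received) // n):
        acc = sum(received[j * n + k] * code[k] for k in range(n))
        result.append(0 if acc == 0 else (1 if acc > 0 else -1))
    return result


def authenticate(d_extracted, d_expected, r=ACCEPT_R):
    """Feature recognizer: normalised inner product of D_s and D_o in [-1, 1];
    the request end is authenticated only if it exceeds r."""
    score = sum(a * b for a, b in zip(d_extracted, d_expected)) / len(d_expected)
    return score > r, score


def run(user, time_factor, client_key, server_key, client_code, server_code,
        disturb_every=0):
    """End to end: the request end embeds with the parameters it holds, the access
    control server verifies with the parameters it stores for that user.
    disturb_every=k models interference that corrupts every k-th slot."""
    os_info, user_name = user
    d_s = feature_bits(os_info, user_name, time_factor, client_key)
    chips = spread(d_s, client_code)
    natural = [(i * 7) % 6 for i in range(len(chips))]  # constructed raw stream counts
    counts = embed_slots(chips, natural)
    if disturb_every:
        for i in range(0, len(chips), disturb_every):
            counts[i] = 0 if counts[i] >= SLOT_THRESHOLD else SLOT_THRESHOLD
    t_r = extract_slots(counts, len(chips))
    d_r = despread(t_r, server_code)
    d_o = feature_bits(os_info, user_name, time_factor, server_key)
    return authenticate(d_r, d_o)


if __name__ == "__main__":
    user, t = ("Linux 5.4", "alice"), 20200325
    print("clean channel, shared params:", run(user, t, "K1", "K1", P_SHARED, P_SHARED))
    print("every 5th slot disturbed    :", run(user, t, "K1", "K1", P_SHARED, P_SHARED, 5))
    print("wrong spreading code        :", run(user, t, "K1", "K1", P_SHARED, P_OTHER))
    print("wrong key                   :", run(user, t, "K1", "K2", P_SHARED, P_SHARED))
```

With every fifth slot corrupted, at most two of the eight chips of any symbol are wrong, so the despread feature is still exact and the score stays 1.0; with the orthogonal code every symbol despreads to 0 and the score is 0.0.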
It should be understood that the above embodiments of the present invention are merely examples given to illustrate the invention clearly and are not intended to limit its embodiments. Other variations and modifications will be apparent to persons skilled in the art in light of the above description; it is neither necessary nor possible to list all embodiments exhaustively. Any modification, equivalent replacement or improvement made within the spirit and principle of the present invention should fall within the protection scope of the claims of the present invention.
Claims (3)
1. A cloud storage access control method based on time characteristics is characterized by comprising the following steps:
(I) an access request initiator sends an access request message to a cloud storage access control server; a feature embedding module deployed at the request end generates the original time slot feature from the user information and the shared feature parameters, and spread-spectrum codes the original time slot feature using the direct sequence spread spectrum principle to obtain the time slot feature signal;
the shared feature parameters are distributed to users in advance by the cloud storage access control server, which is responsible for managing and maintaining user information and shared feature parameters; the request end computes the original feature signal from the user information and the shared feature parameters with a hash algorithm;
(II) the request message stream passes through a signal embedder; the fixed-length interval from the start to the end of the access request is divided into periods of equal length, the number of messages in each period is counted, and the time slot feature signal is embedded by changing the number of messages in a given period through message delay operations, thereby changing the time slot feature signal of the message stream;
(III) before flowing on to the cloud storage server, the request message passes through a feature recognition module comprising a signal extractor, a time slot decoder and a feature recognizer; the cloud storage access control server stores the information and shared parameters of legitimate users, and the feature recognition module extracts the time slot feature signal of the request message, analyses the time slot feature, compares it with the features of legitimate users, authenticates the users' identities and authorizes the users who pass time slot feature verification;
the signal extractor extracts the time slot signal of the message stream; the time slot decoder spread-spectrum decodes the time slot signal to obtain the time slot feature, and the extracted feature is compared with the original user time slot features stored by the cloud storage access control server; if the time slot feature of the request message stream matches the time slot feature of some user stored by the cloud storage access control server, the access request is considered to comply with the control rule and the user is allowed to access the resources of the target cloud storage server; otherwise the access request is considered not to comply with the rule and the user's access request is rejected, which achieves the purpose of access control.
2. The method according to claim 1, wherein the user information in step (I) includes the operating system information of the request end and the user name, and the shared feature parameters include a time factor and a secret key.
3. The cloud storage access control method based on time characteristics according to claim 1, wherein step (II) further comprises:
the signal embedder embeds the signal by changing the number of messages in a time slot and, to improve the signal recognition rate, comprises two operations: 1) packet replication, used when the number of messages in the access request sent by the request end is too small to satisfy time slot signal embedding: the embedder automatically replicates data packets and adds them to the request message stream so that the signal can be embedded; 2) clear, i.e. applying a delay operation to all data packets in the current slot so that they are delayed into the next slot.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010219823.9A CN111431904B (en) | 2020-03-25 | 2020-03-25 | Cloud storage access control method based on time characteristics |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111431904A CN111431904A (en) | 2020-07-17 |
CN111431904B true CN111431904B (en) | 2022-05-06 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |