CN112187800B - Attribute-based access control method with anonymous access capability - Google Patents
- Publication number: CN112187800B (application CN202011046521.2A)
- Authority
- CN
- China
- Prior art keywords
- attribute
- policy
- access control
- access
- request
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0407—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden
- H04L63/0421—Anonymous communication, i.e. the party's identifiers are hidden from the other party or parties, e.g. using an anonymizer
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/50—Network services
- H04L67/60—Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses an attribute-based access control method with anonymous access capability. It mainly addresses two problems of the prior art: the privacy of the requesting subject is disclosed, and the subject cannot accurately provide its attribute information. The scheme is as follows: the subject sends an access request that contains only the object's identity information and the operation; a signature request is sent to the subject according to the subject attributes required by the policies that match the access request; the subject uses its attribute certificate to generate a signature over the required subject attributes, and that signature takes part in policy evaluation together with the access request to produce the access control decision. The invention avoids leaking subject attributes, keeps irrelevant subject attributes out of the access control decision, and improves the efficiency of the decision while preserving the subject's privacy.
Description
Technical Field
The invention belongs to the field of information technology and, more specifically, to an attribute-based access control method with anonymous access capability in the field of information security. The method can enforce access control with anonymity over access to cloud computing resources, protecting sensitive information and preventing illegal access to those resources.
Background
The core concept of cloud computing is to provide fast and secure computing services and data storage over the Internet. In the open, highly flexible and scalable environment of cloud computing, in which many computing resources are coordinated, security problems such as privacy theft, resource masquerading and hacking arise easily. Access control, which secures a system through the granting of authority, is one of the accepted methods for securing a computing system. Most existing access control methods evaluate a request against a preset policy and finally decide whether to grant the subject the specific resource it requested.
The attribute-based access control model ABAC is described in NIST SP 800-162, "Guide to Attribute Based Access Control (ABAC) Definition and Considerations". The method comprises the following steps. First, a subject sends an access request to the policy enforcement point, which verifies the correctness of the access request. Second, if the access request is correct, the policy enforcement point forwards it to the policy information point, which retrieves attributes according to the unique identifiers of the subject and the object in the access request and returns the subject attribute set, object attribute set and environment attribute set required for policy evaluation to the policy decision point. Third, the policy decision point forwards the attribute sets to the policy management point, which performs policy matching against the attribute sets it received and returns the applicable policy set to the policy decision point. Fourth, the policy decision point evaluates the access request against the acquired attribute sets and policy set and returns the access control decision to the policy enforcement point. Fifth, the policy enforcement point enforces the access control decision. In this method, attributes are retrieved on the basis of the subject identity information contained in the access request. However, in a cloud computing environment a subject cannot accurately provide its attribute information, so redundant subject attributes are transmitted and the efficiency of the access control decision drops; at the same time, the access request must contain subject attribute information, which can reveal the subject's privacy, so the subject's privacy cannot be effectively protected and the subject's security is threatened.
Disclosure of Invention
The invention aims to provide an attribute-based access control method with anonymous access capability that addresses the defects of the prior art and solves the privacy disclosure problem that can arise during the allocation of cloud computing resources.
The technical idea is as follows: the part of the traditional attribute-based access control method that manages subject attributes is separated from the whole, subject attributes are managed by a trusted organization, and a unique attribute certificate is issued to each subject. The content of the access request changes from subject attributes, object attributes and operation to object identity information and operation, so that access control can be carried out through the subject's attribute certificate and the access request while the subject remains anonymous.
The invention comprises the following steps:
Step 1, sending an access request:
the subject sends an access request to the context handler; the access request contains only the unique identifier of the object and the operation, where the operation is the allocation of cloud computing resources;
Step 2, forwarding to the policy information point:
the context handler forwards the received access request to the policy information point;
Step 3, returning object attribute information and environment attribute information:
the policy information point looks up the object attribute information corresponding to the unique object identifier in the access request, calls the GetPerformanceInfo and GetAdaptersAddresses functions to obtain environment attribute information, where the environment attributes are information about the system equipment and physical environment at the time of access, and sends the object attribute information and the environment attribute information to the context handler;
Step 4, the context handler sends the received object attribute information, environment attribute information and access request together to the policy management point;
Step 5, sending policies:
the policy management point extracts from the policy base all policies whose object attributes, environment attributes and operation match the received object attribute information, environment attribute information and access request, and sends them to the context handler;
Step 6, sending a signature request:
the context handler extracts the subject attribute predicate from each received policy and generates a random message (a nonce) tied to the predicates that guarantees the uniqueness of this access; it encapsulates the subject attribute predicates of each policy together with the random message into a signature request and sends the signature request to the subject;
Step 7, sending the signature:
the subject applies the HABS.show signing function to the signature request using its attribute certificate, obtaining a message signature represented in binary, and sends the message signature to the context handler;
Step 8, after receiving the message signature, the context handler generates the policy evaluation request corresponding to the message signature and sends it to the policy decision point;
Step 9, the policy decision point evaluates the policies against the attributes in the policy evaluation request, generates the corresponding access control decision and sends it to the context handler;
Step 10, enforcing the access control decision:
the context handler sends the access control decision to the subject; if the decision is deny, the workflow ends; otherwise the context handler forwards the access control decision to the policy enforcement point, which enforces it.
Compared with the prior art, the invention has the following advantages:
First, because the access request that the subject sends to the context handler contains only the unique identifier of the object and the operation, and no subject attribute information, the invention overcomes the problem that the prior art's access request, which carries subject attribute information, easily reveals the subject's privacy. The subject need not include its attributes when sending the access request, and a system executing this method cannot obtain the subject's attributes directly, so anonymous access is achieved and the subject's privacy is protected.
Second, because the context handler encapsulates only the subject attribute predicates of the matching policies, together with the random message, into the signature request, no redundant subject attributes are sent. This solves the prior-art problem that the subject cannot accurately provide attribute information: the subject provides exactly the required message signature, irrelevant subject attributes are kept out of the access control decision, and the efficiency of the decision improves.
Drawings
FIG. 1 is a flow chart of the present invention.
Detailed Description
To better describe the implementation of the invention, the access control flow is divided into three parts. The first part is system initialization, which secures the information issued in the system during the subject's anonymous access. The second part is subject registration, which issues the corresponding subject attribute certificate to each subject taking part in anonymous access. The third part is the subject's anonymous access according to the method of the invention, which is normally performed on the basis of the first two parts.
The specific steps of the first part, system initialization, are as follows.
The key distribution center runs the homomorphic attribute-based signature scheme HABS to generate the attribute authority's public/private key pair and distributes the private key to the attribute authority. This key pair secures the information that the attribute authority issues in the system. The key distribution center is a trusted organization responsible for generating and distributing keys; the attribute authority abstracts every system entity that provides a trusted source of subject data into one point that collects all subject attributes.
The specific steps of the second part, subject registration, are as follows.
First, the subject sends a registration request to the attribute authority and the key distribution center.
Second, the attribute authority generates the corresponding attributes according to the subject's registration request, and the key distribution center generates a public/private key pair for the registered subject and sends the private key to the subject. The subject is a user accessing the resource; the public key is used to verify the subject's message signatures; the private key is used by the subject to sign.
Third, the subject sends an attribute certificate request, containing the subject's public key, to the attribute authority. The attribute certificate is a digital credential that identifies the subject's attribute information during communication.
Fourth, after receiving the attribute certificate request, the attribute authority issues the attribute certificate to the subject.
Fifth, after receiving the attribute certificate, the subject calls the HABS.issue function, which outputs an authenticated credential for the subject's attribute set; the HABS.
The implementation steps of the invention are further described with reference to FIG. 1. Other advantages and effects of the invention will be readily apparent to those skilled in the art from the disclosure herein. The invention is capable of other and different embodiments, and the details of the description may be modified in various respects without departing from its spirit.
Step 1, sending an access request:
the subject sends an access request to the context handler; the access request contains only the unique identifier of the object and the operation, where the operation is the allocation of cloud computing resources;
Step 2, forwarding to the policy information point:
the context handler forwards the received access request to the policy information point;
the policy information point is the abstraction, as a single point, of every system entity that serves as a source of attribute values; it manages the attributes of all users accessing resources, of the cloud computing resources and of the environment.
Step 3, returning object attribute information and environment attribute information:
the policy information point looks up the object attribute information corresponding to the unique object identifier in the access request, calls the GetPerformanceInfo and GetAdaptersAddresses functions to obtain environment attribute information, where the environment attributes are information about the system equipment and physical environment at the time of access, and sends the object attribute information and the environment attribute information to the context handler;
GetPerformanceInfo and GetAdaptersAddresses are interfaces for accessing software or hardware (in the Windows API, GetPerformanceInfo reports system performance counters and GetAdaptersAddresses reports the network adapters and their addresses); through these interfaces, information about the system equipment and physical environment at the time of access is obtained.
Step 4, the context handler sends the received object attribute information, environment attribute information and access request together to the policy management point;
the policy management point is the abstraction, as a single point, of every system entity that creates and manages a policy or policy set; it creates and manages the access control policies.
Step 5, sending policies:
the policy management point extracts from the policy base all policies whose object attributes, environment attributes and operation match the received object attribute information, environment attribute information and access request, and sends them to the context handler;
a policy is the set of access control rules for all security-related activities in the domain to which the access control system belongs; it contains subject attribute information, object attribute information, environment attribute information and operation information.
Step 6, sending a signature request:
the context handler extracts the subject attribute predicate from each received policy and generates a random message (a nonce) tied to the predicates that guarantees the uniqueness of this access; it encapsulates the subject attribute predicates of each policy together with the random message into a signature request and sends the signature request to the subject;
the subject attribute predicate describes the relationship between the subject attributes in a policy, namely a conjunction or a disjunction. Because only the predicates are sent, attributes that no matching policy mentions never leave the subject.
Step 7, sending the signature:
the subject applies the HABS.show signing function to the signature request using its attribute certificate, obtaining a message signature represented in binary, and sends the message signature to the context handler;
the HABS.show signing function transforms the random message in such a way that the receiver of the random message can confirm both the random message and the entity that applied the transformation to it.
Step 8, after receiving the message signature, the context handler generates the policy evaluation request corresponding to the message signature and sends it to the policy decision point;
Step 9, the policy decision point evaluates the policies against the attributes in the policy evaluation request, generates the corresponding access control decision and sends it to the context handler;
the policy decision point is the abstraction, as a single point, of the system entity that evaluates policies and renders the authorization decision; it evaluates the access request against the obtained attributes and policies. The subject attributes it relies on are those attested by the message signature, which must verify under the subject's public key and carry the random message issued in step 6; otherwise the access is not unique and a recorded signature could be reused.
Step 10, enforcing the access control decision:
the context handler sends the access control decision to the subject; if the decision is deny, the workflow ends; otherwise the context handler forwards the access control decision to the policy enforcement point, which enforces it.
The policy enforcement point is the abstraction, as a single point, of the system entity that makes the decision request and implements the authorization decision to perform access control; it verifies the access request and executes the access control decision.
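The following is an added, self-contained simulation of the three parts described above: subject registration with the attribute authority, and the ten-step anonymous access flow from the access request to the decision. It is not code from the patent or its authors. The patent's HABS scheme is not implemented: the subject's key pair is a Lamport one-time signature built from SHA-256, the attribute certificate is a set of HMAC tags issued by the attribute authority and bound to the subject's key, and the policy decision point is assumed to share the attribute authority's MAC key; all three are simplifying assumptions of this example. The object attributes, environment attributes, policies and subject attributes are constructed sample data, and the environment lookup returns fixed values instead of calling GetPerformanceInfo or GetAdaptersAddresses. The example goes slightly beyond the text in two places a practitioner would want checked: the decision point refuses a signature whose random message it did not issue or has already consumed (replay), and it refuses a disclosed attribute whose tag the authority never issued.

```python
import hashlib
import hmac
import secrets

def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def lamport_keygen():  # Lamport one-time signature key pair (hashing only); stand-in for the HABS key pair
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def lamport_sign(sk, msg):
    d = int.from_bytes(H(msg), "big")
    return [sk[i][(d >> (255 - i)) & 1] for i in range(256)]

def lamport_verify(pk, msg, sig):
    d = int.from_bytes(H(msg), "big")
    return len(sig) == 256 and all(H(sig[i]) == pk[i][(d >> (255 - i)) & 1] for i in range(256))

def pk_fingerprint(pk):
    return H(*[a + b for a, b in pk])

class AttributeAuthority:
    # Attribute certificate = one MAC tag per attribute, bound to the subject's key fingerprint.
    # Assumption of this example: the PDP shares the AA key (the patent's HABS verifies with a public key).
    def __init__(self):
        self.key = secrets.token_bytes(32)

    def tag(self, fp, attr, value):
        return hmac.new(self.key, fp + attr.encode() + b"=" + value.encode(), "sha256").digest()

    def issue(self, pk, attrs):
        fp = pk_fingerprint(pk)
        return {a: self.tag(fp, a, v) for a, v in attrs.items()}

def leaves(pred):  # predicates: ("attr", name, value) leaves under ("and", ...) / ("or", ...) nodes
    return {pred[1]} if pred[0] == "attr" else set().union(*(leaves(p) for p in pred[1:]))

def eval_pred(pred, attrs):
    if pred[0] == "attr":
        return attrs.get(pred[1]) == pred[2]
    return (all if pred[0] == "and" else any)(eval_pred(p, attrs) for p in pred[1:])

def canonical(sig_req, disclosed):
    # Bytes actually signed: the nonce, every requested predicate and the disclosed attribute/tag pairs.
    return repr((sig_req["nonce"], sorted(sig_req["predicates"].items()), sorted(disclosed.items()))).encode()

class Subject:
    def __init__(self, aa, attrs):  # registration: key pair first, then an attribute certificate from the AA
        self.attrs, (self.sk, self.pk) = dict(attrs), lamport_keygen()
        self.cert = aa.issue(self.pk, self.attrs)

    def show(self, sig_req):  # step 7: sign, disclosing only the attributes the predicates mention
        assert self.sk is not None, "Lamport keys are one-time: register a fresh key before signing again"
        needed = set().union(*(leaves(p) for p in sig_req["predicates"].values()))
        disclosed = {a: (self.attrs[a], self.cert[a]) for a in sorted(needed) if a in self.attrs}
        sig, self.sk = lamport_sign(self.sk, canonical(sig_req, disclosed)), None
        return {"pk": self.pk, "nonce": sig_req["nonce"], "disclosed": disclosed, "sig": sig}

OBJECTS = {"vm-42": {"tenant": "acme", "sensitivity": "internal"}}  # constructed object attributes
POLICIES = {  # constructed policies; "subject" is the subject attribute predicate
    "p1": {"object": {"tenant": "acme"}, "env": {"network": "corp-lan"}, "operation": "allocate",
           "subject": ("and", ("attr", "role", "engineer"), ("attr", "team", "platform"))},
    "p2": {"object": {"tenant": "acme"}, "env": {"network": "corp-lan"}, "operation": "allocate",
           "subject": ("or", ("attr", "role", "admin"), ("attr", "clearance", "high"))},
    "p3": {"object": {"tenant": "other"}, "env": {}, "operation": "allocate",
           "subject": ("attr", "citizenship", "xx")},  # never matches vm-42, so never asked of the subject
}

def pip_lookup(object_id):  # step 3; the env dict stands in for GetPerformanceInfo / GetAdaptersAddresses output
    return OBJECTS[object_id], {"network": "corp-lan", "cpu_load": "low"}

def pap_match(obj, env, operation):  # step 5: policies whose object, environment and operation parts all match
    return [pid for pid, p in POLICIES.items() if p["operation"] == operation
            and p["object"].items() <= obj.items() and p["env"].items() <= env.items()]

def pdp_evaluate(aa, sig_req, sig, open_nonces):  # steps 8 and 9
    if sig["nonce"] != sig_req["nonce"] or sig_req["nonce"] not in open_nonces:
        return "deny"  # replayed, or a signature produced for a different access
    open_nonces.discard(sig_req["nonce"])
    if not lamport_verify(sig["pk"], canonical(sig_req, sig["disclosed"]), sig["sig"]):
        return "deny"
    if not all(hmac.compare_digest(t, aa.tag(pk_fingerprint(sig["pk"]), a, v)) for a, (v, t) in sig["disclosed"].items()):
        return "deny"  # a disclosed attribute was never certified by the AA
    attrs = {a: v for a, (v, _) in sig["disclosed"].items()}
    return "permit" if any(eval_pred(p, attrs) for p in sig_req["predicates"].values()) else "deny"

class ContextHandler:
    def __init__(self, aa):
        self.aa, self.open_nonces = aa, set()

    def handle(self, subject, request):  # step 1: the request carries only the object id and the operation
        obj, env = pip_lookup(request["object_id"])
        self.open_nonces.add(nonce := secrets.token_bytes(16))  # the "random message" that makes this access unique
        predicates = {pid: POLICIES[pid]["subject"] for pid in pap_match(obj, env, request["operation"])}
        sig_req = {"nonce": nonce, "predicates": predicates}  # step 6: predicates only, never the whole policy
        sig = subject.show(sig_req)
        return {"decision": pdp_evaluate(self.aa, sig_req, sig, self.open_nonces),  # step 10: PEP acts on this
                "disclosed": sorted(sig["disclosed"]), "sig_req": sig_req, "sig": sig}
```

Calling `ContextHandler(aa).handle(subject, {"object_id": "vm-42", "operation": "allocate"})` returns the decision together with the names of the attributes that actually left the subject: for a subject registered with role, team, salary band and citizenship attributes, only role and team are disclosed, because p3 never matched the object and nothing asks about the salary band. The limits of the stand-in matter: the subject's verification key is a stable pseudonym, so repeated accesses by the same subject are linkable, and a Lamport key must never sign twice; unlinkable showing is exactly what an HABS-style scheme provides and what this example does not.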
The foregoing embodiments merely illustrate the principles and utility of the invention and do not limit it. Those skilled in the art may modify and vary the embodiments described above without departing from the spirit and scope of the invention; such modifications fall within the scope of the invention.
Claims (8)
1. An attribute-based access control method with anonymous access capability, characterized in that the subject sends an access request containing no subject attribute information, thereby realizing anonymous access, and that the functions associated with subject attributes are separated from the authorization system and entrusted to a trusted authority, the method comprising the following steps:
Step 1, sending an access request:
the subject sends an access request to the context handler; the access request contains only the unique identifier of the object and the operation, where the operation is the allocation of cloud computing resources;
Step 2, forwarding to the policy information point:
the context handler forwards the received access request to the policy information point;
Step 3, returning object attribute information and environment attribute information:
the policy information point looks up the object attribute information corresponding to the unique object identifier in the access request, calls the GetPerformanceInfo and GetAdaptersAddresses functions to obtain environment attribute information, where the environment attributes are information about the system equipment and physical environment at the time of access, and sends the object attribute information and the environment attribute information to the context handler;
Step 4, the context handler sends the received object attribute information, environment attribute information and access request together to the policy management point;
Step 5, sending policies:
the policy management point extracts from the policy base all policies whose object attributes, environment attributes and operation match the received object attribute information, environment attribute information and access request, and sends them to the context handler;
Step 6, sending a signature request:
the context handler extracts the subject attribute predicate from each received policy and generates a random message tied to the predicates that guarantees the uniqueness of this access; it encapsulates the subject attribute predicates of each policy together with the random message into a signature request and sends the signature request to the subject;
Step 7, sending the signature:
the subject applies the HABS.show signing function to the signature request using its attribute certificate, obtaining a message signature represented in binary, and sends the message signature to the context handler;
Step 8, after receiving the message signature, the context handler generates the policy evaluation request corresponding to the message signature and sends it to the policy decision point;
Step 9, the policy decision point evaluates the policies against the attributes in the policy evaluation request, generates the corresponding access control decision and sends it to the context handler;
Step 10, enforcing the access control decision:
the context handler sends the access control decision to the subject; if the decision is deny, the workflow ends; otherwise the context handler forwards the access control decision to the policy enforcement point, which enforces it.
2. The method according to claim 1, wherein the policy information point in step 2 is the abstraction, as a single point, of every system entity from which attribute values originate, and manages the attributes of all users accessing the resources, of the cloud computing resources and of the environment.
3. The method of claim 1, wherein the policy management point in step 4 is the abstraction, as a single point, of every system entity that creates and manages a policy or policy set, and is used to create and manage the access control policies.
4. The method according to claim 1, wherein the policy in step 5 is a set of access control rules for all security-related activities in the domain to which the access control system belongs, the access control rules comprising subject attribute information, object attribute information, environment attribute information and operation information.
5. The method of claim 1, wherein the subject attribute predicate in step 6 describes the relationships between subject attributes in a policy, the relationships being conjunction and disjunction.
6. The attribute-based access control method with anonymous access capability of claim 1, wherein the signing function HABS.
7. The method according to claim 1, wherein the policy decision point in step 9 is the abstraction, as a single point, of the system entity that evaluates policies and renders the authorization decision, and evaluates the access request according to the obtained attributes and policies.
8. The method of claim 1, wherein the policy enforcement point in step 10 is the abstraction, as a single point, of the system entity that makes the decision request and implements the authorization decision to perform access control, and is used to verify the access request and execute the access control decision.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011046521.2A CN112187800B (en) | 2020-09-29 | 2020-09-29 | Attribute-based access control method with anonymous access capability |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112187800A CN112187800A (en) | 2021-01-05 |
CN112187800B true CN112187800B (en) | 2021-07-27 |
Family
ID=73946852
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011046521.2A Active CN112187800B (en) | 2020-09-29 | 2020-09-29 | Attribute-based access control method with anonymous access capability |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112187800B (en) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113051602B (en) * | 2021-01-22 | 2022-11-22 | 东南大学 | Database fine-grained access control method based on zero trust architecture |
CN113259137A (en) * | 2021-07-15 | 2021-08-13 | 广东电网有限责任公司江门供电局 | Power grid access control method, system and storage medium based on user attributes |
CN118509185A (en) * | 2023-02-09 | 2024-08-16 | 华为云计算技术有限公司 | Access control method and device based on cloud computing technology |
CN116208430B (en) * | 2023-04-28 | 2023-08-25 | 江苏苏宁银行股份有限公司 | Access control system and method based on multi-attribute game |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104735055A (en) * | 2015-02-12 | 2015-06-24 | 河南理工大学 | Cross-domain security access control method based on credibility |
CN108123936A (en) * | 2017-12-13 | 2018-06-05 | 北京科技大学 | A kind of access control method and system based on block chain technology |
CN108234535A (en) * | 2016-12-13 | 2018-06-29 | 中国电信股份有限公司 | BAC dynamic allocation methods, device and system |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10719617B2 (en) * | 2018-02-20 | 2020-07-21 | Government Of The United States Of America, As Represented By The Secretary Of Commerce | Access control system and process for managing and enforcing an attribute based access control policy |
CN106992988B (en) * | 2017-05-11 | 2020-12-08 | 浙江工商大学 | Cross-domain anonymous resource sharing platform and implementation method thereof |
CN109818907A (en) * | 2017-11-21 | 2019-05-28 | 航天信息股份有限公司 | One kind being based on UCON model user anonymity access method and system |
Non-Patent Citations (1)
Title |
---|
Research on an attribute-based access control model supporting anonymous authorization (支持匿名授权的基于属性的访问控制模型研究); Wei Yongheng (魏永恒); China Master's Theses Full-text Database (electronic journal), Information Science and Technology series; 2020-02-15; main text chapters 2 to 4, figure 4.1 * |
Also Published As
Publication number | Publication date |
---|---|
CN112187800A (en) | 2021-01-05 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN112187800B (en) | Attribute-based access control method with anonymous access capability | |
WO2021128733A1 (en) | Hyperledger fabric blockchain private data storage and access system and method therefor | |
Habiba et al. | Cloud identity management security issues & solutions: a taxonomy | |
CN112073400B (en) | Access control method, system, device and computing equipment | |
Werner et al. | Cloud identity management: A survey on privacy strategies | |
CN112005522B (en) | Cloud-based key management | |
US8978122B1 (en) | Secure cross-tenancy federation in software-as-a-service system | |
US20190052643A1 (en) | Cloud access rule translation for hybrid cloud computing environments | |
US20140123207A1 (en) | Keystore access control system | |
WO2014004412A1 (en) | Identity risk score generation and implementation | |
CN105518689B (en) | Method and system relating to user authentication for accessing a data network | |
CN114417287B (en) | Data processing method, system, device and storage medium | |
Ardagna et al. | Enabling privacy-preserving credential-based access control with XACML and SAML | |
CN116708037B (en) | Cloud platform access right control method and system | |
CN109413080B (en) | Cross-domain dynamic authority control method and system | |
WO2022148182A1 (en) | Key management method and related device | |
US20080066158A1 (en) | Authorization Decisions with Principal Attributes | |
US8793773B2 (en) | System and method for providing reputation reciprocity with anonymous identities | |
US20080066169A1 (en) | Fact Qualifiers in Security Scenarios | |
CN113901432A (en) | Block chain identity authentication method, equipment, storage medium and computer program product | |
KR102271201B1 (en) | Method for maintaining private information on blockchain network and device thereof | |
KR20100060130A (en) | System for protecting private information and method thereof | |
CN112000936A (en) | Cross-domain attribute heterogeneous identity service method, medium and equipment | |
CN115134175B (en) | Security communication method and device based on authorization strategy | |
WO2007090866A1 (en) | Collaborative access control in a computer network |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||