CN113507443B - Internet of things access control method and device based on time capability tree and storage medium - Google Patents

Info

Publication number
CN113507443B
Authority
CN
China
Prior art keywords
capability
time
tree
user
token
Prior art date
Legal status
Active
Application number
CN202110654367.5A
Other languages
Chinese (zh)
Other versions
CN113507443A (en)
Inventor
殷丽华
李超
李凡
罗天杰
罗熙
孙哲
王滨
王星
Current Assignee
Guangzhou University
Original Assignee
Guangzhou University
Priority date
Filing date
Publication date
Application filed by Guangzhou University
Priority to CN202110654367.5A
Publication of CN113507443A
Application granted
Publication of CN113507443B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an Internet of things access control method and device based on a time capability tree. The method comprises the following steps: generating a corresponding initial capability token according to the access control authority, and sending the encrypted initial capability token to the first user; receiving a first resource request and a capability token sent by the first user, and sending the resource object corresponding to the first resource request to the first user after judging that the capability token is legal; establishing a time capability tree, storing it in the time capability tree library of the resource object, and recording the time at which the time capability tree is used in a node time sequence; updating the time capability tree according to a second resource request sent by a second user; and receiving a third resource request sent by the first user, sending the object of the third resource request to the first user, and recording the time of that access in the node time sequence. The embodiment of the invention can effectively reduce the workload of Internet of things access control and reduce potential security hazards.

Description

Internet of things access control method and device based on time capability tree and storage medium
Technical Field
The invention relates to the technical field of Internet of things, in particular to a time capability tree-based Internet of things access control method and device.
Background
The appearance of the internet of things changes the lives of people and brings great leap in the fields of traffic, medical treatment, industrial automation and the like. With the popularity of the internet of things, more and more devices are accessed to the network on an unprecedented scale, and the access of the devices of the internet of things increases the risk of privacy disclosure and attacks to users. Access control is a process that determines which objects have which rights, and is critical to the protection of resources and information in a series of security challenges facing the internet of things.
Existing Internet of things access control is usually capability-based: a capability model is established, and capabilities derived from the resource's capability are issued and transmitted by issuing capability tokens, which realizes access control for the Internet of things. The existing Internet of things access control method has the problems of a large amount of computation and a large potential security hazard.
Disclosure of Invention
The invention provides an Internet of things access control method and device based on a time capability tree, and aims to solve the technical problems of the large amount of computation and the large potential security hazard of the existing Internet of things access control method.
The first embodiment of the invention provides an internet of things access control method based on a time capability tree, which comprises the following steps:
receiving first authority information sent by a first user, and granting access control authority to the first user after verifying that the first authority information accords with an access control strategy;
generating a corresponding initial capability token according to the access control authority, carrying out digital signature encryption on the initial capability token to obtain a capability token, and sending the capability token to the first user; wherein the initial capability token comprises an initial capability tree;
receiving a first resource request and the capability token sent by the first user, and sending a resource object corresponding to the first resource request to the first user after judging that the capability token is legal;
establishing a time capability tree, storing the time capability tree into a time capability tree library of the resource object, and recording the time using the time capability tree into a node time sequence;
receiving a second resource request sent by a second user according to the capability token, sending a resource object corresponding to the second resource request to the second user after verifying that the capability token is legal, and updating the time capability tree;
receiving a third resource request sent by the first user, detecting whether a time capability tree corresponding to a resource object of the third resource request exists in the first user, if so, sending the object of the third resource request to the first user, and recording the time at the moment into the node time sequence.
Further, the method further comprises:
and acquiring a corresponding time capability tree according to a preset authority, sending capability tokens corresponding to the authority to all users of the time capability tree, and simultaneously invalidating original capability tokens corresponding to all the users.
Further, the method further comprises:
and searching the nodes of the time capability tree to confirm the suspected user according to the time of the damage, the resource location and the related authority on the resource server.
Further, the time capability tree includes a capability tree name, capability tree nodes, a node relationship, valid time corresponding to the nodes, and a node time sequence.
Further, after sending the capability token to the first user, the method further includes:
and verifying the digital signature of the capability token by using a public key, and judging that the first user meets the condition of using the capability token when the digital signature is verified to be legal.
Further, the establishing the time capability tree includes:
if the original time capability tree of the resource server is wrong, finding out an initial node with the mistake according to the original time capability tree, extracting all nodes under the initial node, changing titles of all the nodes, and establishing a new time capability tree.
Further, after a new time capability tree is established, all the nodes are withdrawn from the original time capability tree.
A second embodiment of the present invention provides an access control device for an internet of things, including:
the verification module is used for receiving first authority information sent by a first user, and granting access control authority to the first user after verifying that the first authority information accords with an access control strategy;
the token sending module is used for generating a corresponding initial capability token according to the access control authority, obtaining a capability token after performing digital signature encryption on the initial capability token, and sending the capability token to the first user; wherein the initial capability token comprises an initial capability tree;
the first resource object sending module is used for receiving a first resource request and the capability token sent by the first user, and sending a resource object corresponding to the first resource request to the first user after judging that the capability token is legal;
the capability tree building module is used for building a time capability tree, storing the time capability tree into a time capability tree library of the resource object and recording the time at which the time capability tree is used into a node time sequence;
the capability tree updating module is used for receiving a second resource request sent by a second user according to the capability token, sending a resource object corresponding to the second resource request to the second user after verifying that the capability token is legal, and updating the time capability tree;
and the second resource object sending module is used for receiving a third resource request sent by the first user, detecting whether a time capability tree corresponding to a resource object of the third resource request exists in the first user, if so, sending the object of the third resource request to the first user, and recording the time at the moment into the node time sequence.
A third embodiment of the present invention provides a computer-readable storage medium, which includes a stored computer program, wherein when the computer program runs, the apparatus in which the computer-readable storage medium is located is controlled to execute the Internet of things access control method described above.
The embodiment of the invention assembles the complete time capability tree from the partial time trees carried in the capability tokens, performs resource-side log management, and completes directed change and revocation of capabilities by operating on the time capability tree, without having to reissue capability tokens for the whole capability tree, which effectively reduces the workload. By constructing the time capability tree, the trees formed by the capability holders corresponding to each resource are collected, so that when a capability must be modified or cancelled the corresponding nodes of the time capability tree can be changed directly and directionally, which effectively eliminates the potential security hazard of Internet of things access.
Drawings
Fig. 1 is a schematic flowchart of an internet of things access control method based on a time capability tree according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram of an access control system of the internet of things according to an embodiment of the present invention;
FIG. 3 is a diagram illustrating a node data structure of a temporal capability tree according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of a capability flow topology provided by an embodiment of the present invention;
fig. 5 is another schematic flow chart of an internet of things access control method based on a time capability tree according to an embodiment of the present invention;
fig. 6 is another schematic structural diagram of an internet of things access control system based on a time capability tree according to an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of an access control device of the internet of things according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
In the description of the present application, it is to be understood that the terms "first", "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implying any number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include one or more of that feature. In the description of the present application, "a plurality" means two or more unless otherwise specified.
In the description of the present application, it is to be noted that, unless otherwise explicitly specified or limited, the terms "mounted," "connected," and "connected" are to be construed broadly, e.g., as meaning either a fixed connection, a removable connection, or an integral connection; can be mechanically or electrically connected; they may be connected directly or indirectly through intervening media, or they may be interconnected between two elements. The specific meaning of the above terms in the present application can be understood in a specific case by those of ordinary skill in the art.
Referring to fig. 1 to 5, a first embodiment of the present invention provides a method for controlling access to an Internet of things based on a time capability tree, as shown in fig. 1, including:
S1, receiving first authority information sent by a first user, and granting access control authority to the first user after verifying that the first authority information conforms to the access control policy;
S2, generating a corresponding initial capability token according to the access control authority, carrying out digital signature encryption on the initial capability token to obtain a capability token, and sending the capability token to the first user; wherein the initial capability token comprises an initial capability tree;
S3, receiving a first resource request and the capability token sent by the first user, and sending a resource object corresponding to the first resource request to the first user after judging that the capability token is legal;
S4, establishing a time capability tree, storing the time capability tree into a time capability tree library of the resource object, and recording the time at which the time capability tree is used into a node time sequence;
as a specific implementation manner of the embodiment of the present invention, the time capability tree includes a capability tree name, capability tree nodes, a node relationship, an effective time corresponding to the nodes, and a node time sequence.
S5, receiving a second resource request sent by a second user according to the capability token, sending a resource object corresponding to the second resource request to the second user after verifying that the capability token is legal, and updating the time capability tree;
S6, receiving a third resource request sent by the first user, detecting whether a time capability tree corresponding to the resource object of the third resource request exists for the first user, if so, sending the object of the third resource request to the first user, and recording the time of that access into the node time sequence.
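The following is an added worked example of steps S1 to S6 as a resource server would run them; it is not code from the patent or from Guangzhou University. It assumes a simplified representation of the Title/Tree token (resource, capability, one root node with an Effective Time), assumes that a delegated holder presents the original token plus a "partial tree" naming its parent node, and stands in an HMAC for the patent's public-key digital signature so that the flow runs with the Python standard library only; the key, user names, resource name and timestamps are all constructed.

```python
import hashlib
import hmac
import json

# Constructed issuer key. The patent signs the initial token with a digital
# signature that the resource side checks with a public key; an HMAC stands in
# for that signature here (assumption) so the example runs with the standard
# library only. The property exercised by the flow is the same: a token whose
# body was altered or that was never issued fails the legality check.
ISSUER_KEY = b"constructed-issuer-key"


def canonical(obj):
    """Deterministic encoding so issuer and verifier sign/check identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def issue_token(resource_id, capability, user_id, start, end):
    """S1/S2: after the policy check passes, build the initial capability token.
    Title = (resource identifier, capability); Tree = one root node for the
    first user with its Effective Time [start, end]."""
    body = {
        "title": {"resource": resource_id, "capability": capability},
        "tree": {"user": user_id, "effective": [start, end], "children": []},
    }
    sig = hmac.new(ISSUER_KEY, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def token_is_legal(token):
    """S3/S5: check the signature before any resource object is released."""
    expected = hmac.new(ISSUER_KEY, canonical(token["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, token["sig"])


def library_copy(node):
    """Copy a token tree node into the library, adding the Access Records list
    that exists only on the resource side (never inside the token)."""
    return {"user": node["user"], "effective": list(node["effective"]),
            "children": [library_copy(c) for c in node["children"]], "access": []}


def find_node(node, user_id):
    """Depth-first lookup of the node belonging to user_id."""
    if node["user"] == user_id:
        return node
    for child in node["children"]:
        hit = find_node(child, user_id)
        if hit is not None:
            return hit
    return None


class ResourceServer:
    """Keeps the time capability tree library: one tree per (resource, capability)."""

    def __init__(self):
        self.library = {}

    def request(self, token, user_id, now, partial_tree=None):
        """S3-S6: verify the token, establish or extend the tree in the library,
        record the access time in the node's time sequence, and return the
        resource object, or None when the request is refused."""
        if not token_is_legal(token):
            return None
        title = token["body"]["title"]
        key = (title["resource"], title["capability"])
        if key not in self.library:                       # S4: first legal use
            self.library[key] = library_copy(token["body"]["tree"])
        root = self.library[key]
        if partial_tree is not None:                      # S5: merge delegation
            parent = find_node(root, partial_tree["parent"])
            if parent is None:
                return None
            if find_node(root, partial_tree["user"]) is None:
                parent["children"].append({"user": partial_tree["user"],
                                           "effective": list(partial_tree["effective"]),
                                           "children": [], "access": []})
        node = find_node(root, user_id)                   # S6: node must exist
        if node is None or not (node["effective"][0] <= now <= node["effective"][1]):
            return None
        node["access"].append(now)                        # node time sequence
        return "object:" + title["resource"]


def demo():
    """Constructed walk-through of S1-S6, ending with a forged token being refused."""
    t0 = 1_700_000_000
    server = ResourceServer()
    token = issue_token("album/photo-1", "download", "alice", t0, t0 + 86400)
    first = server.request(token, "alice", t0 + 10)
    second = server.request(token, "bob", t0 + 20, partial_tree={
        "parent": "alice", "user": "bob", "effective": [t0 + 15, t0 + 3600]})
    third = server.request(token, "alice", t0 + 30)
    forged = {"body": token["body"], "sig": "00" * 32}
    refused = server.request(forged, "alice", t0 + 40)
    root = server.library[("album/photo-1", "download")]
    return {"first": first, "second": second, "third": third, "refused": refused,
            "alice_times": root["access"], "children": [c["user"] for c in root["children"]]}
```

The point to notice is where state lives: the token carries only Title and Tree, while the Access Records list is created in `library_copy` on the resource side and is never part of the signed body, matching the separation described below for fig. 3.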
Referring to fig. 2, an internet of things access control system is provided, which includes a back-end policy repository, an IoT cloud platform, a user, a resource manager, a time capability tree, and a resource object.
It should be noted that a time capability tree is stored in each capability token as one of its data items. Referring to fig. 3, the time capability tree consists of two data items, Title and Tree. The resource identifier in the Title is the unique identifier of the resource and may be expressed as a resource ID or a resource location. The Capability in the Title is the authority the user holds to perform certain operations on the resource, such as modification authority on a table or GET authority on an html file (whether the holder may further allocate the capability to others is itself treated as one of the capabilities). The nodes of the Tree consist of three parts: user ID, Effective Time and Access Records. The user identifier uniquely represents the user's identity, for example a user ID. The effective time is the validity period of the capability the user holds for the resource. The access records are a sequence of times at which the user made valid accesses to the resource. Note that the time capability tree carried in the capability token does not store the access records; access records exist only in the time capability tree after it has been merged on the resource server, where they serve as formatted storage of the access log so that data analysis can be performed later.
After the time capability tree is obtained, the partial time capability trees sent by the nodes are merged into the complete tree at the resource end, and the access time of each node is recorded on the corresponding node of the time capability tree, which completes CapBAC resource log management. The managed resource log is recorded in the access-time data item of the node in the time capability tree and carries information such as the resource ID and the accessor ID, so it can be searched conveniently.
As a specific implementation manner of the embodiment of the present invention, the method further includes:
and acquiring a corresponding time capability tree according to a preset authority, sending capability tokens corresponding to the authority to all users of the time capability tree, and simultaneously invalidating the original capability tokens of all those users.
As a specific implementation manner of the embodiment of the present invention, the method further includes:
and searching the nodes of the time capability tree to confirm the suspected user according to the time of the damage, the resource location and the related authority on the resource server.
According to the embodiment of the invention, access times are classified and recorded, and the nodes of the time capability tree are searched according to the time of the damage, the resource location and the related authority on the resource server, so the process of confirming the suspected user can be effectively simplified.
Referring to fig. 4, because a system contains many time capability trees formed by users and capabilities, the same user node may appear repeatedly in several of them. In the embodiment of the present invention the capability trees of one resource are regarded as one layer of a two-dimensional plane; aligning the user nodes and stacking the layers of capability trees yields a capability flow topology graph. Each node of the graph represents one user in the system together with all its capabilities, the edges of the capability flow topology graph represent the flow of capabilities, and the complete capability flow topology graph provides the carrier for a CapBAC global forensic analysis algorithm.
As a specific implementation manner of the embodiment of the present invention, after sending the capability token to the first user, the method further includes:
and verifying the digital signature of the capability token by using the public key, and judging that the first user meets the condition of using the capability token when the digital signature is verified to be legal.
According to the embodiment of the invention, the validity of the capability token can be effectively ensured by verifying the digital signature of the capability token, so that the safety and validity of the access control of the Internet of things can be effectively improved.
As a specific implementation manner of the embodiment of the present invention, establishing a time capability tree includes:
if the original time capability tree of the resource server is wrong, finding out the starting node with the mistake according to the original time capability tree, extracting all nodes under the starting node, changing titles of all nodes and establishing a new time capability tree.
In the embodiment of the invention, the title of the node in the resource server is modified, so that the huge workload brought by changing the capability token can be effectively reduced, and the pre-allocated capability tree can be reserved.
For example, since each access by a user adds the access time to the Access Records of the corresponding node of the time capability tree, the embodiment of the present invention checks on every addition whether the access time lies within the Effective Time interval; when it does not, the access is considered illegal and unauthorized. When the capability of a node that has been captured needs to be cancelled, the Effective Time of that node is changed from [start time, end time] to [start time, current time], and all nodes under it are deleted. The capability previously issued to the node is then treated as an invalid token, because the validity period recorded in the time capability tree no longer matches the validity period in the token. This change disables the node and all capabilities authorized by it, whether or not they have been captured. When the start time of the validity period in a newly received capability lies after the termination time, the node is judged to be re-authorized, that is, the Effective Time of the node is changed to match the one in the token.
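The following added example, not from the patent, implements the node semantics just described: the Effective Time check on every access, revocation by truncating a captured node's Effective Time to the current time and deleting its subtree, the resulting mismatch that invalidates tokens already issued for that node, and re-authorization when a new token's start lies after the termination time. The `Node` class and the constructed Alice / Bob / printer timestamps are assumptions made for the illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Node:
    """One node of a time capability tree (fig. 3): user ID, Effective Time as
    [start, end], Access Records (resource-side only) and the child nodes."""
    user: str
    start: int
    end: int
    access: list = field(default_factory=list)
    children: list = field(default_factory=list)

    def find(self, user):
        if self.user == user:
            return self
        for child in self.children:
            hit = child.find(user)
            if hit is not None:
                return hit
        return None


def record_access(root, user, now):
    """Each access appends its time to the node's Access Records, but only when
    it falls inside the node's Effective Time; otherwise it is illegal."""
    node = root.find(user)
    if node is None or not (node.start <= now <= node.end):
        return False
    node.access.append(now)
    return True


def token_valid(root, user, token_start, token_end):
    """A token whose validity period no longer matches the tree's Effective Time
    for that node is invalid: revocation is felt by every holder without the
    whole tree's tokens being reissued."""
    node = root.find(user)
    return node is not None and (node.start, node.end) == (token_start, token_end)


def revoke(root, user, now):
    """Cancel a captured node: Effective Time becomes [start, now] and every node
    under it is deleted, disabling all capabilities it authorized."""
    node = root.find(user)
    if node is None:
        return False
    node.end = now
    node.children.clear()
    return True


def reauthorize(root, user, new_start, new_end):
    """A newly received capability whose start lies after the termination time
    re-authorizes the node: the tree adopts the token's Effective Time."""
    node = root.find(user)
    if node is None or new_start <= node.end:
        return False
    node.start, node.end = new_start, new_end
    return True


def demo():
    """Constructed scenario: Alice delegates to Bob, Bob to a printer, Bob is revoked."""
    t0 = 1_700_000_000
    alice = Node("alice", t0, t0 + 7 * 86400)
    bob = Node("bob", t0 + 100, t0 + 3600)
    printer = Node("printer", t0 + 200, t0 + 1800)
    bob.children.append(printer)
    alice.children.append(bob)
    r = {}
    r["bob_in_window"] = record_access(alice, "bob", t0 + 500)
    r["bob_after_window"] = record_access(alice, "bob", t0 + 4000)
    r["printer_before_revoke"] = token_valid(alice, "printer", t0 + 200, t0 + 1800)
    revoke(alice, "bob", t0 + 600)
    r["bob_token_after_revoke"] = token_valid(alice, "bob", t0 + 100, t0 + 3600)
    r["printer_after_revoke"] = token_valid(alice, "printer", t0 + 200, t0 + 1800)
    r["reauth_too_early"] = reauthorize(alice, "bob", t0 + 500, t0 + 9000)
    r["reauth_ok"] = reauthorize(alice, "bob", t0 + 700, t0 + 9000)
    r["bob_token_new"] = token_valid(alice, "bob", t0 + 700, t0 + 9000)
    r["bob_access"] = list(bob.access)
    return r
```

Note that revocation leaves Bob's earlier, valid access record in place: the log is evidence and is not rewritten, only the node's future validity changes.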
As a specific implementation of the embodiment of the present invention, after a new time capability tree is established, all nodes are revoked from the original time capability tree.
Optionally, the time capability tree consists of a capability tree name, nodes and node relationships, and the effective time and node time sequence corresponding to each node. The capability tree name identifies a specific capability of a specific resource; the nodes and node relationships represent the users and their relationships within the capability tree; the effective time corresponding to a node records the validity period of the capability; and the node time sequence records the time of each capability release. To save resources, most time capability trees can be built and stored only for fast validation of capability tokens; when incident tracing and localisation or directed capability change is required, the time capability tree is taken out from the resource end and used for the subsequent computation.
Fig. 5 is a schematic flow chart of a method for controlling access based on the internet of things according to an embodiment of the present invention.
The embodiment of the invention has the following beneficial effects:
According to the embodiment of the invention, access records are kept on the nodes of the time capability tree and resource logs are extracted and stored automatically, so the efficiency of Internet of things access control can be effectively improved. By constructing time capability trees, the time capability trees formed by the capability holders corresponding to each resource are integrated, and when a capability must be modified or cancelled the corresponding nodes of the relevant time capability tree are changed directly and directionally, so the potential security hazard of Internet of things access control can be effectively eliminated. By constructing the capability flow topology graph to record the complete flow and access process of capabilities, a complete data basis is provided for the forensic analysis algorithm, so that after a security event occurs the data can be analysed accurately by the forensic analysis method, which effectively reduces the analysis workload and improves the analysis result.
Referring to fig. 6, in a second embodiment of the present invention, the access control server is a back-end server that acts as the issuer of initial capabilities, Alice is the owner of an album cloud, Bob is a friend of Alice, and Alice wants Bob to print a photo. The specific application process is as follows:
1) Of the three users who need to access the photo album cloud resources, represented by Alice, Bob and the printer in this example, only Alice has to register at the access control server in advance; the registration information is shared with the photo album cloud, and Bob and the printer need to prove their identities;
2) after receiving the initial token transmitted by the access control server, Alice has the capability of reading, downloading, uploading and deleting all photos in the photo album cloud;
3) Alice wants to ask Bob to help her print a photo, so she gives Bob the right to read and download the photo through the capability token;
4) Bob gives the read right on the photo to a printer through the capability token; the printer now has read capability on the photo in the photo album cloud, and the photo is printed successfully;
5) the next day, Alice finds that the photo has appeared in a corporate chat group; the photo concerns Alice's privacy, and Alice wants to know who leaked her photo;
6) by analysing the capability flow topology graph formed from the time capability tree of the download capability for the photo stored in the album cloud, it is found that Bob downloaded the photo and unintentionally leaked it;
7) Alice finds that the download capability for a photo cannot be handed to others at will, so the download capability for the photo is changed into a fine-grained capability: the photo can be downloaded only after Alice has been asked and has allowed it;
8) Alice sends this request to the access control server and the album cloud, which change the download capability tree for the photo to the one corresponding to the new capability and invalidate all the old capability tokens.
According to the embodiment of the invention, through the time capability tree of the downloading capability of the photo in the photo album cloud, it is found that Alice, Bob and David have the capability at present, information is sent to Bob and David through the access control server, and is an "access control policy updated, whether to download a new capability certificate? ", and issues a new capability certificate that records the new capability, at which point the change in capability is completed.
Referring to fig. 7, a third embodiment of the present invention provides an access control device for internet of things, including:
the verification module 10 is configured to receive first right information sent by a first user, and grant an access control right to the first user after verifying that the first right information conforms to an access control policy;
the token sending module 20 is configured to generate a corresponding initial capability token according to the access control permission, obtain a capability token after performing digital signature encryption on the initial capability token, and send the capability token to the first user; wherein the initial capability token comprises an initial capability tree;
the first resource object sending module 30 is configured to receive a first resource request and a capability token sent by a first user, and send a resource object corresponding to the first resource request to the first user after determining that the capability token is legal;
a capability tree establishing module 40, configured to establish a time capability tree, store the time capability tree in a time capability tree library of the resource object, and record a time for using the time capability tree into the node time sequence;
as a specific implementation manner of the embodiment of the present invention, the time capability tree includes a capability tree name, capability tree nodes, a node relationship, an effective time corresponding to the nodes, and a node time sequence.
The capability tree updating module 50 is configured to receive a second resource request sent by a second user according to the capability token, send a resource object corresponding to the second resource request to the second user after verifying that the capability token is legal, and update the time capability tree;
a second resource object sending module 60, configured to receive a third resource request sent by the first user, detect whether a time capability tree corresponding to a resource object of the third resource request exists in the first user, and if so, send the object of the third resource request to the first user, and record the time at this time in the node time sequence.
The embodiment of the invention assembles the complete time capability tree from the partial time trees carried in the capability tokens, performs resource-side log management, and completes targeted capability change and revocation by operating on the time capability tree, without having to reissue capability tokens for the whole capability tree, which reduces the workload considerably; by constructing the time capability tree, the trees formed by the capability owners of each resource are collected, and when a capability has to be modified or revoked the corresponding nodes of the time capability tree can be changed directly and in a targeted way, so that potential security hazards of Internet of Things access are eliminated.
Referring to fig. 2, an internet of things access control system is provided, which includes a back-end policy repository, an IoT cloud platform, a user, a resource manager, a time capability tree, and a resource object.
It should be noted that a time capability tree is stored in each capability token as one of its data items. Referring to fig. 3, the time capability tree consists of two data items, Title and Tree. The resource identifier in the Title is the unique identifier of the resource and may be a resource ID or a resource location. The Capability in the Title is the authority the user holds to perform certain operations on the resource, such as modify authority on a table or GET authority on an html file (whether the user may delegate the capability is itself treated as one of the capabilities). Each node of the time capability tree consists of three parts: user ID, Effective Time and Access Records. The user identification uniquely represents the user, for example a user ID. The effective time is the validity period of a capability the user holds on the resource. The access records are a time sequence recording the moments at which the user made valid accesses to the resource. Note that the time capability tree carried in the capability token does not store access records; access records exist only in the time capability tree after it has been combined at the resource server, where they serve as formatted storage of the access log for later data analysis.
After the time capability tree is obtained, the partial time capability trees sent by the nodes are combined into a complete tree at the resource end, and the access time of each node is recorded on the corresponding node of the time capability tree, which completes CapBAC resource log management. The managed resource log is recorded in the access time data item of the tree nodes, carries information such as the resource ID and the accessor ID, and can be searched conveniently.
As a specific implementation manner of the embodiment of the present invention, the apparatus further includes:
the token sending module is used for acquiring the corresponding time capability tree according to a preset authority, sending capability tokens corresponding to that authority to all users of the time capability tree, and at the same time invalidating the original capability tokens of all these users.
As a specific implementation manner of the embodiment of the present invention, the apparatus further includes:
the confirmation module is used for searching the nodes of the time capability tree according to the time of the damage, the resource location and the related authority on the resource server, in order to confirm the suspected user.
According to the embodiment of the invention, the access times are recorded by category, and the nodes of the time capability tree are searched according to the time of the damage, the resource location and the related authority on the resource server, so the process of confirming the suspected user is simplified considerably.
Referring to fig. 4, since many time capability trees are formed by the users and capabilities of a system, a user node may appear repeatedly in several time capability trees. In the embodiment of the invention, the capability trees of the same resource are regarded as one layer of a two-dimensional plane; the user nodes are aligned and the layers of capability trees are stacked to obtain a capability flow topology graph. Each node represents one user of the system together with all of that user's capabilities, the edges of the capability flow topology graph represent capability flow, and the complete capability flow topology graph provides the carrier for a CapBAC global forensic analysis algorithm.
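As an added example, not the patent's own code, the following Python snippet stacks flattened per-resource time capability trees into the capability flow topology graph described above, traces a capability back to its issuer along the graph, and runs the suspect search of the confirmation module (time of the damage, resource, capability) over the album-cloud walk-through of the second embodiment; all user names, timestamps and the resource ID are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

T = datetime.fromisoformat  # shorthand for constructed timestamps


@dataclass
class TreeNode:
    """One node of a merged, resource-side time capability tree, flattened."""
    resource: str              # resource identifier from the Title
    capability: str            # capability from the Title
    user: str                  # user ID
    parent: Optional[str]      # delegating user; None for the root (issuer)
    start: datetime            # Effective Time start
    end: datetime              # Effective Time end
    accesses: List[datetime] = field(default_factory=list)   # Access Records


def build_topology(nodes: List[TreeNode]):
    """Align user nodes across the per-resource trees and stack the layers:
    one graph node per user with all of its capabilities, one edge per flow."""
    users: Dict[str, Set[Tuple[str, str]]] = {}
    edges: List[Tuple[str, str, str, str]] = []   # (from, to, resource, capability)
    for n in nodes:
        users.setdefault(n.user, set()).add((n.resource, n.capability))
        if n.parent is not None:
            users.setdefault(n.parent, set())
            edges.append((n.parent, n.user, n.resource, n.capability))
    return users, edges


def flow_path(edges, resource: str, capability: str, user: str) -> List[str]:
    """Trace one capability from its issuer down to the given user."""
    parent_of = {(to, r, c): frm for frm, to, r, c in edges}
    path = [user]
    while (path[-1], resource, capability) in parent_of:
        path.append(parent_of[(path[-1], resource, capability)])
    return list(reversed(path))


def holders_at(nodes, resource: str, capability: str, when: datetime):
    """Nodes whose Effective Time for (resource, capability) covers `when`,
    with their Access Records up to that moment, most recent access first.
    Serves both to list current holders and as the forensic suspect search."""
    hits = []
    for n in nodes:
        if (n.resource, n.capability) != (resource, capability):
            continue
        if n.start <= when <= n.end:
            hits.append((n.user, sorted(t for t in n.accesses if t <= when)))
    hits.sort(key=lambda h: h[1][-1] if h[1] else datetime.min, reverse=True)
    return hits


# Constructed data for the album-cloud walk-through (resource ID made up).
PHOTO = "album-cloud/photo-0042"
NODES = [
    TreeNode(PHOTO, "download", "Alice", None, T("2021-06-10T00:00"), T("2021-12-31T23:59"), [T("2021-06-10T09:00")]),
    TreeNode(PHOTO, "download", "Bob", "Alice", T("2021-06-10T10:00"), T("2021-06-11T10:00"), [T("2021-06-10T10:30")]),
    TreeNode(PHOTO, "read", "Alice", None, T("2021-06-10T00:00"), T("2021-12-31T23:59")),
    TreeNode(PHOTO, "read", "Bob", "Alice", T("2021-06-10T10:00"), T("2021-06-11T10:00")),
    TreeNode(PHOTO, "read", "printer", "Bob", T("2021-06-10T10:30"), T("2021-06-10T11:00"), [T("2021-06-10T10:35")]),
]

if __name__ == "__main__":
    leak = T("2021-06-11T08:00")   # the moment the photo shows up in the chat group
    _, edges = build_topology(NODES)
    for user, times in holders_at(NODES, PHOTO, "download", leak):
        print(user, [t.isoformat() for t in times], flow_path(edges, PHOTO, "download", user))
```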
As a specific implementation manner of the embodiment of the present invention, for the stage after the capability token has been sent to the first user, the apparatus further includes:
the judging module, which is used for verifying the digital signature of the capability token with the public key and judging that the first user meets the condition for using the capability token when the digital signature is verified to be legal.
According to the embodiment of the invention, the validity of the capability token can be effectively ensured by verifying the digital signature of the capability token, so that the safety and validity of the access control of the Internet of things can be effectively improved.
As a specific implementation manner of the embodiment of the present invention, establishing a time capability tree includes:
if the original time capability tree of the resource server is wrong, the starting node at which the error occurs is found from the original tree, all nodes below the starting node are extracted, the titles of all these nodes are changed, and a new time capability tree is established.
In the embodiment of the invention, only the node titles in the resource server are modified, so the large workload of changing capability tokens is avoided and the pre-allocated capability tree can be kept.
For example, since each access by a user adds the access time to the Access Records of the corresponding node of the time capability tree, the embodiment checks at every such addition whether the access time lies within the node's Effective Time interval; an access outside that interval is considered illegal and unauthorized. When the capability of a captured node needs to be revoked, the node's Effective Time is changed from (start time, end time) to (start time, current time), and all nodes below that node are deleted. The capability token previously issued for the node is then regarded as invalid, because the validity period recorded in the token no longer matches the validity period in the time capability tree. This change disables the node and every capability authorized through it, whether or not it has been captured. When a newly received capability carries a validity period whose start time lies after the termination time, the node is judged to have been authorized again, and its Effective Time is changed to match the one in the token.
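The following Python example is added here and is not the patent's code. It models the Title and node structure of fig. 3, merges the partial trees carried in tokens at the resource end as described for resource log management, logs accesses only inside Effective Time, and implements the revocation and re-authorization rules of the paragraph above; the resource ID, user names and timestamps are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional

T = datetime.fromisoformat  # shorthand for constructed timestamps


@dataclass
class Node:
    """Tree node: user ID, Effective Time (start, end), Access Records."""
    user: str
    start: datetime
    end: datetime
    parent: Optional[str]  # user who delegated the capability; None for the root
    accesses: List[datetime] = field(default_factory=list)


class TimeCapabilityTree:
    """Resource-side time capability tree for one Title (resource ID, capability)."""

    def __init__(self, resource: str, capability: str):
        self.title = (resource, capability)
        self.nodes: Dict[str, Node] = {}

    def merge(self, token_tree) -> None:
        """Combine the partial tree from a token (entries of user, parent, start, end).
        Token trees carry no Access Records, so stored nodes are never overwritten."""
        for user, parent, start, end in token_tree:
            if user not in self.nodes:
                self.nodes[user] = Node(user, start, end, parent)

    def token_valid(self, entry) -> bool:
        """A token is legal only if its Effective Time matches the stored node."""
        user, _, start, end = entry
        n = self.nodes.get(user)
        return n is not None and (n.start, n.end) == (start, end)

    def record_access(self, user: str, at: datetime) -> bool:
        """Append the access time; an access outside Effective Time is refused."""
        n = self.nodes.get(user)
        if n is None or not (n.start <= at <= n.end):
            return False
        n.accesses.append(at)
        return True

    def revoke(self, user: str, now: datetime) -> None:
        """Effective Time becomes (start, now); every node below is deleted."""
        self.nodes[user].end = now
        stack = [user]
        while stack:
            parent = stack.pop()
            for child in [u for u, n in self.nodes.items() if n.parent == parent]:
                del self.nodes[child]
                stack.append(child)

    def reauthorize(self, user: str, start: datetime, end: datetime) -> bool:
        """A new token whose validity starts after the truncated end re-enables the node."""
        n = self.nodes[user]
        if start <= n.end:
            return False
        n.start, n.end = start, end
        return True


def photo_scenario() -> dict:
    """Constructed album-cloud walk-through; the resource ID and times are made up."""
    tree = TimeCapabilityTree("album-cloud/photo-0042", "download")
    alice = ("Alice", None, T("2021-06-10T00:00"), T("2021-12-31T23:59"))
    bob = ("Bob", "Alice", T("2021-06-10T10:00"), T("2021-06-11T10:00"))
    david = ("David", "Bob", T("2021-06-10T10:40"), T("2021-06-11T10:00"))
    tree.merge([alice])              # initial token issued by the access control server
    tree.merge([alice, bob])         # Bob presents the token Alice delegated to him
    tree.merge([alice, bob, david])  # Bob passes the download capability on to David
    r = {"bob_ok": tree.token_valid(bob),
         "in_window": tree.record_access("Bob", T("2021-06-10T10:30")),
         "expired": tree.record_access("Bob", T("2021-06-12T10:30"))}
    tree.revoke("Bob", T("2021-06-11T08:00"))          # Bob's node treated as captured
    r["bob_after_revoke"] = tree.token_valid(bob)      # validity period no longer matches
    r["david_after_revoke"] = tree.token_valid(david)  # subtree went with Bob
    r["bob_blocked"] = tree.record_access("Bob", T("2021-06-11T09:00"))
    r["early_reissue"] = tree.reauthorize("Bob", T("2021-06-11T07:00"), T("2021-06-12T07:00"))
    r["late_reissue"] = tree.reauthorize("Bob", T("2021-06-12T00:00"), T("2021-06-13T00:00"))
    r["bob_accesses"] = len(tree.nodes["Bob"].accesses)
    return r
```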
As a specific implementation of the embodiment of the present invention, after a new time capability tree is established, all nodes are revoked from the original time capability tree.
Optionally, the time capability tree is composed of a capability tree name, nodes and node relationships, and the effective times and node time sequences belonging to the nodes. The capability tree name identifies a specific capability on a specific resource, the nodes and node relationships represent the users and their relationships within the capability tree, the effective time of a node records the validity period of the capability, and the node time sequence records the time of each exercise of the capability. To save resources, most time capability trees can simply be built and stored for fast validation of capability tokens; only when incident tracing and localisation or a targeted capability change is required is the time capability tree taken from the resource end and used for the further computation.
A fourth embodiment of the present invention provides a computer-readable storage medium, which includes a stored computer program, wherein when the computer program runs, a device in which the computer-readable storage medium is located is controlled to execute the access control of the internet of things.
The invention provides a time capability tree-based Internet of things access control method and device, and aims to solve the technical problems of large calculated amount and large potential safety hazard of the existing time capability tree-based Internet of things access control method.
The foregoing is a preferred embodiment of the present invention, and it should be noted that it would be apparent to those skilled in the art that various modifications and enhancements can be made without departing from the principles of the invention, and such modifications and enhancements are also considered to be within the scope of the invention.

Claims (8)

1. An Internet of things access control method based on a time capability tree is characterized by comprising the following steps:
receiving first authority information sent by a first user, and granting access control authority to the first user after verifying that the first authority information accords with an access control strategy;
generating a corresponding initial capability token according to the access control authority, carrying out digital signature encryption on the initial capability token to obtain a capability token, and sending the capability token to the first user; wherein the initial capability token comprises a raw temporal capability tree;
receiving a first resource request and the capability token sent by the first user, and sending a resource object corresponding to the first resource request to the first user after judging that the capability token is legal;
establishing a time capability tree, storing the time capability tree into a time capability tree library of the resource object, and recording the time using the time capability tree into a node time sequence; the establishing of the time capability tree specifically comprises the following steps: if the original time capability tree of the resource server is wrong, finding out an initial node with the mistake according to the original time capability tree, extracting all nodes under the initial node, changing titles of all the nodes, and establishing a new time capability tree;
receiving a second resource request sent by a second user according to the capability token, sending a resource object corresponding to the second resource request to the second user after verifying that the capability token is legal, and updating the time capability tree;
receiving a third resource request sent by the first user, detecting whether a time capability tree corresponding to a resource object of the third resource request exists in the first user, if so, sending the object of the third resource request to the first user, and recording the time at the moment into the node time sequence.
2. The method for access control to the internet of things based on the temporal capability tree of claim 1, further comprising:
and acquiring a corresponding time capability tree according to a preset authority, sending capability tokens corresponding to the authority to all users of the time capability tree, and simultaneously invalidating original capability tokens corresponding to all the users.
3. The method for access control to the internet of things based on the temporal capability tree of claim 1, further comprising:
and searching the nodes of the time capability tree to confirm the suspected user according to the damaged time, the resource position and the related authority of the resource server.
4. The method of claim 1, wherein the temporal capability tree comprises a capability tree name, capability tree nodes, node relationships, valid times corresponding to the nodes, and a node time sequence.
5. The method of temporal capability tree based access control to the internet of things of claim 1, further comprising, after sending the capability token to the first user:
and verifying the digital signature of the capability token by using a public key, and judging that the first user meets the condition of using the capability token when the digital signature is verified to be legal.
6. The method for internet of things access control based on a temporal capability tree of claim 1, wherein all the nodes are revoked from the original temporal capability tree after a new temporal capability tree is established.
7. An internet of things access control device based on a time capability tree, comprising:
the verification module is used for receiving first authority information sent by a first user, and granting access control authority to the first user after verifying that the first authority information accords with an access control strategy;
the token sending module is used for generating a corresponding initial capability token according to the access control authority, obtaining a capability token after performing digital signature encryption on the initial capability token, and sending the capability token to the first user; wherein the initial capability token comprises a raw temporal capability tree;
the first resource object sending module is used for receiving a first resource request sent by the first user and the capability token, and sending a resource object corresponding to the first resource request to the first user after judging that the capability token is legal;
the capability tree building module is used for building a time capability tree, storing the time capability tree into a time capability tree library of the resource object and recording the time using the time capability tree into a node time sequence; the module is specifically used for: if the original time capability tree of the resource server is wrong, finding out an initial node with the mistake according to the original time capability tree, extracting all nodes under the initial node, changing titles of all the nodes, and establishing a new time capability tree;
the capability tree updating module is used for receiving a second resource request sent by a second user according to the capability token, sending a resource object corresponding to the second resource request to the second user after verifying that the capability token is legal, and updating the time capability tree;
and the second resource object sending module is used for receiving a third resource request sent by the first user, detecting whether a time capability tree corresponding to a resource object of the third resource request exists in the first user, if so, sending the object of the third resource request to the first user, and recording the time at the moment into the node time sequence.
8. A computer-readable storage medium, comprising a stored computer program, wherein when the computer program runs, the computer-readable storage medium is controlled to execute a method for controlling access to the internet of things based on a temporal capability tree according to any one of claims 1 to 6.
CN202110654367.5A 2021-06-10 2021-06-10 Internet of things access control method and device based on time capability tree and storage medium Active CN113507443B (en)
Publications (2)

Publication Number Publication Date
CN113507443A CN113507443A (en) 2021-10-15
CN113507443B true CN113507443B (en) 2022-03-25
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant