CN113612754A - Cross-domain access method and system based on block chain - Google Patents

Publication number: CN113612754A
Authority: CN (China)
Application number: CN202110858312.6A
Other languages: Chinese (zh)
Inventors: 戴思佳, 宁立, 张涌
Current and original assignee: Shenzhen Institute of Advanced Technology of CAS
Priority: CN202110858312.6A; PCT/CN2021/112238 (published as WO2023004889A1)
Legal status: Pending
Prior art keywords: access, domain, request, cross, block chain

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/01: Protocols
    • H04L67/10: Protocols in which an application is distributed across nodes in the network
    • H04L67/1097: Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources

Abstract

The invention relates to the technical field of cross-domain access to information, and in particular to a blockchain-based cross-domain access method and system. The method comprises the following steps: on receiving a cross-domain request instruction, the requesting end sends a cross-domain access request to the requesting-end server; the requesting-end server forwards the cross-domain access request to the blockchain; the blockchain retrieves the rule information of the requesting end; the blockchain sends an access permission decision to the receiving-end server; the receiving-end server forwards the access permission decision to the receiving end; on receiving the decision permitting access, the receiving end sends the data requested by the requesting end to the requesting end. The invention provides a decentralized cross-domain access control method built on the distributed network structure of a blockchain, removing the dependence on a single server; by adopting blockchain-based technology it addresses the problems that the centralized architecture of existing cross-domain access technology is prone to single points of failure, that the third-party service is not absolutely reliable, and that the central architecture is easy to attack.

Description

Cross-domain access method and system based on block chain
Technical Field
The invention relates to the technical field of cross-domain access to information, and in particular to a blockchain-based cross-domain access method and system.
Background
With the development of cloud computing and Internet of Things technologies, distributed systems and distributed storage have come into wide use. In a distributed environment, devices and resources are dispersed across different domains, so resource sharing and device interoperability between domains are urgently required. For example, governments have improved the effectiveness of local policies by sharing data between government systems, and companies have supported the development of the local travel industry by sharing traffic and travel data. For these reasons, cross-domain access control is an effective means of solving the resource sharing problem now that distributed systems are in wide use in the internet era.
Existing cross-domain access technologies are diverse, being based on attributes, roles or behaviour, but they almost all adopt a centralized architecture and must obtain authentication and authorization information from a trusted third party. A centralized architecture, however, is prone to a single point of failure: once the central server cannot provide service, the authorization information cannot be read. Secondly, the presence of the trusted third party makes the information flow between application domains more complex, so maintenance becomes harder and more costly. In addition, the centralized architecture depends on the absolute trustworthiness of the third party, yet in the current network environment hardly any single node can achieve absolute trustworthiness and security, which gives rise to the trusted-third-party trust problem. A cross-domain access method is therefore needed that is decentralized, overcomes single points of failure and improves reliability.
Disclosure of Invention
Embodiments of the invention provide a blockchain-based cross-domain access method and a blockchain-based cross-domain access system that integrate blockchain technology to achieve decentralization and improve the reliability of cross-domain access.
According to an embodiment of the present invention, a blockchain-based cross-domain access method is provided, which includes the following steps: on receiving a cross-domain request instruction, the requesting end sends a cross-domain access request to the requesting-end server;
on receiving the cross-domain access request, the requesting-end server forwards it to the blockchain;
based on the cross-domain access request, the blockchain retrieves the rule information of the requesting end;
when the rule information meets the requirement, the blockchain sends an access permission decision to the receiving-end server;
on receiving the access permission decision, the receiving-end server forwards it to the receiving end;
on receiving the decision permitting access, the receiving end sends the data requested by the requesting end to the requesting end.
Further, before the requesting end sends the cross-domain access request to the requesting-end server on receiving the cross-domain request instruction, the method further includes:
configuring rule information for the requesting end and the receiving end;
uploading the rule information to the blockchain.
Further, the blockchain retrieving the rule information of the requesting end based on the cross-domain access request specifically includes:
retrieving the role of the requesting end, the mapping rules and the access control policy.
Further, the requesting-end server forwarding the cross-domain access request to the blockchain on receiving it specifically includes:
sending the cross-domain access request to a smart contract in the blockchain;
the smart contract records an audit record on the blockchain and adds the access permission decision for a permitted access request to the access history list.
Further, the access permission decision specifically includes:
making the access decision based on the user role and the access control policy; or, alternatively,
making the access decision based on the user's access history list.
A blockchain-based cross-domain access system comprises a blockchain, a domain management server and a domain organization, wherein the domain organization is connected to the domain management server and the domain management server is connected to the blockchain; the domain organization comprises a requesting-end domain organization and a receiving-end domain organization, and the domain management server comprises a requesting-end domain management server and a receiving-end domain management server;
the requesting-end domain organization is used for sending a cross-domain access request to the requesting-end domain management server on receiving a cross-domain request instruction;
the requesting-end domain management server is used for forwarding the cross-domain access request to the blockchain on receiving it;
the blockchain is used for retrieving the rule information of the requesting end based on the cross-domain access request;
when the rule information meets the requirement, the blockchain sends an access permission decision to the receiving-end domain management server;
and the receiving-end domain organization is used for sending the data requested by the requesting-end domain organization to that organization on receiving the access permission decision.
Further, the system further comprises a system initialization setting, used for configuring rule information for the requesting end and the receiving end and uploading the rule information to the blockchain.
Further, the rule information specifically includes:
the role of the requesting domain organization, the mapping rules and the access control policies.
Further, the blockchain includes:
a smart contract, used for receiving the cross-domain access request sent by the requesting-end server;
and a history list module, used for recording the smart contract's audit record in the history list and adding the access permission decision for a permitted access request to the access history list.
Further, the access permission decision specifically includes:
making the access decision based on the user role and the access control policy; or, alternatively,
making the access decision based on the user's access history list.
According to the blockchain-based cross-domain access method and system, on receiving a cross-domain request instruction the requesting end sends a cross-domain access request to the requesting-end server; on receiving it, the requesting-end server forwards the cross-domain access request to the blockchain; based on the request, the blockchain retrieves the rule information of the requesting end; when the rule information meets the requirement, the blockchain sends an access permission decision to the receiving-end server; on receiving it, the receiving-end server forwards the access permission decision to the receiving end; and on receiving the decision permitting access, the receiving end sends the data requested by the requesting end to the requesting end. The invention provides a decentralized cross-domain access control method built on the distributed network structure of a blockchain, removing the dependence on a single server; by adopting blockchain-based technology it addresses the problems that the centralized architecture of existing cross-domain access technology is prone to single points of failure, that third-party services are not absolutely reliable, and that the central architecture is easy to attack.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
FIG. 1 is a flow chart of the blockchain-based cross-domain access method of the present invention;
FIG. 2 is a schematic diagram of the blockchain-based cross-domain access system of the present invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Example 1
As shown in FIG. 1 and FIG. 2, according to an embodiment of the present invention, a blockchain-based cross-domain access method is provided, including the following steps:
S101: on receiving a cross-domain request instruction, the requesting end sends a cross-domain access request to the requesting-end server;
S102: on receiving the cross-domain access request, the requesting-end server forwards it to the blockchain;
S103: based on the cross-domain access request, the blockchain retrieves the rule information of the requesting end;
S104: when the rule information meets the requirement, the blockchain sends an access permission decision to the receiving-end server;
S105: on receiving the access permission decision, the receiving-end server forwards it to the receiving end;
S106: on receiving the decision permitting access, the receiving end sends the data requested by the requesting end to the requesting end.
With the blockchain-based cross-domain access method and system described above, the requesting end sends a cross-domain access request to the requesting-end server on receiving a cross-domain request instruction; the requesting-end server forwards the request to the blockchain; the blockchain retrieves the rule information of the requesting end and, when it meets the requirement, sends an access permission decision to the receiving-end server; the receiving-end server forwards the decision to the receiving end; and on receiving the decision permitting access, the receiving end sends the requested data to the requesting end. The invention thus provides a decentralized cross-domain access control method built on the distributed network structure of a blockchain, and by adopting blockchain-based technology addresses the problems that the centralized architecture of existing cross-domain access technology is prone to single points of failure, that third-party services are not absolutely reliable, and that the central architecture is easy to attack.
In particular, in the prior art the authorization of user information adopts a single-server, i.e. centralized, architecture, which generally lacks security and reliability: a single server cannot provide trusted access decisions, because a malicious or compromised server can easily deny an authorized user access to a resource or allow an unauthorized user to access it. The invention provides a decentralized cross-domain access control method based on the distributed network structure of a blockchain, removing the dependence on a single server.
Specifically, each domain organization includes devices and users. A user is a cross-domain requester and a device is a resource owner; under the technical scheme of this application, an access control policy can be defined to determine who may access the resources in a device.
The domain management server is responsible for formulating the role mapping rules between domain organizations, and uploads the role mapping rules, the user roles and the access policies of the devices to the blockchain. In addition, all domain management servers jointly maintain the blockchain.
The blockchain includes a plurality of server nodes, such as node 1 to node N in fig. 2, which record the role mapping rules, device access policies and cross-domain access records, and a smart contract that defines the interfaces for transaction invocation and makes access decisions according to the role mapping rules and the device access policies.
Specifically, the cross-domain access method is carried out by the cooperation of the domain organization, the domain management server and the blockchain: a user of the domain organization is the subject applying for cross-domain access and a device is the object of the cross-domain access; the domain management server uploads the user roles, the role mapping rules and the device policies to the blockchain; and the blockchain makes access decisions by invoking a functional interface.
Blockchain technology and smart contracts:
To address the technical defects of existing cross-domain access systems, which are insecure and unreliable, prone to single points of failure, and lacking in integrity and confidentiality, the invention implements a distributed cross-domain access system using blockchain technology, enhancing the security and tamper resistance of the cross-domain access system. The blockchain infrastructure comprises six layers: a data layer, a network layer, a consensus layer, an incentive layer, a contract layer and an application layer, where the contract layer runs algorithms such as smart contracts. The blockchain acts as a traceable distributed network in which every node maintains the same ledger, including the roles, rules, policies and access records of the system, so no third party is required to provide data services. Once transactions are synchronized to the blockchain they cannot be modified or deleted, so every transaction can be traced on the blockchain ledger. This resolves the single point of failure of a centralized cross-domain access system and greatly improves the security and reliability of cross-domain access.
To provide a trusted access control process, smart contracts are installed in the blockchain and define interface functions for the system to call. Blockchain smart contracts are transparent: any party to a transaction can view their code and data. The smart contract code and the output data it produces when run are tamper-proof, so a node running the smart contract need not worry that other nodes will maliciously modify the code or data. Moreover, since the number of nodes supporting a blockchain network is often in the hundreds or even thousands, the failure of some nodes does not stop the smart contract; in theory its reliability approaches permanent operation, so it can be in force at every moment like a paper contract.
The domain management server uploads the user roles, the role mapping rules between domain organizations and the access policies of the devices to the blockchain through the smart contract. In addition, the smart contract adds and manages a user access history list that records the user's permitted access requests; with this list, a user can easily prove that he has access rights to a device. The smart contract therefore makes access decisions in two ways: based on the user role and the access control policy, or based on the user's access history list. This greatly improves the efficiency and trustworthiness of cross-domain access control.
To provide a trusted access control process, the smart contract installed in the blockchain defines the following functional interfaces:
UR (upload user name): invoked by the domain management server to upload the domain organization's user names to the blockchain.
UM (upload mapping rule): invoked by the domain management server to upload the role mapping rules between domain organizations to the blockchain.
UAP (upload access policy): invoked by the domain management server to upload the access policy of a device to the blockchain.
GUR (get user role): returns the user's role once the user's ID is received.
RA (record audit): records the requests from users and the access decisions made by the blockchain.
MR (map role): on receiving a role and the unique identifier of the role mapping rule between two domain organizations, maps the role according to that rule.
GP (get policy): on receiving the device's public key, returns the access policy of the device.
The invention of the present application is explained in detail below by means of a specific example:
When a user wishes to issue a cross-domain access request, the user broadcasts the cross-domain access request, as shown in fig. 2. For example, a user a of domain A wants to read data of a device b belonging to domain B. The user sends a request of the form (tag | user ID | device ID | access control command | signature); if user a of domain A wants to request the resource c of device b of domain B, the request is sent as follows: 01 | user_a_domainA | device_b_domainB | r | Isk, where the tag 01 indicates that user a has previously accessed the resource, the access control command r indicates read-only, and Isk denotes the user's signature.
As shown in fig. 2, the user broadcasts the request in the domain management server network; the domain management servers of domain A and domain B both receive the cross-domain request of user a and, after receiving it, send the access request to the smart contract.
As shown in fig. 2, the smart contract records the audit record on the blockchain by calling RA and adds the permitted access request to the access history list.
As shown in fig. 2, the smart contract obtains the user's role by calling GUR (get user role), maps the user's role by calling MR (map role) and obtains the device's policy by calling GP (get policy). The access decision method is determined by the tag of the cross-domain request, of which there are two kinds: if the tag is 00, the domain management server invokes the access decision based on the role and the access policy; if the tag is 01, the domain management server invokes the access decision based on the access history list. It is then determined whether the access policy of the device is satisfied by the mapped role, and the access decision (deny or permit) is made and returned to the domain management server.
As shown in fig. 2, the domain management server connected to domain organization B returns the access decision to device b after receiving it.
After receiving the access decision, the device returns the data to the user who is permitted to access the data resource, as shown in fig. 2. The device generates a session key to encrypt the data and signs a hash of the data, and both are then returned to the user.
Further, the user may verify the access decision. The domain management server can trace back through the users' access records to detect abnormal access behaviour. In addition, the audit records provide evidence for the access history list.
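The following is an added simulation, not code from the patent, of the contract interfaces listed above (UR, UM, UAP, GUR, RA, MR, GP) and of the tag-driven decision in the worked example: a 00 request goes through GUR, MR and GP against the device policy, a 01 request is checked against the access history list, and every decision is recorded through RA. All IDs, keys and policies are constructed, the ID naming follows the page's name_domain convention, and since the page does not define the signature scheme behind Isk, a per-user HMAC stands in for it.

```python
"""Constructed simulation of the patent's smart-contract interfaces and access decision.
Not the patent's own code; IDs, keys and policies are constructed examples."""
import hashlib
import hmac
from dataclasses import dataclass, field

# Assumption: the page does not define the signature scheme behind "Isk", so a
# per-user HMAC key stands in for it. Constructed value, not from the patent.
USER_KEYS = {"user_a_domainA": b"constructed-secret-for-user-a"}


@dataclass
class Ledger:
    """State replicated on every node (the patent's shared ledger)."""
    user_roles: dict = field(default_factory=dict)       # user ID -> role (UR)
    mapping_rules: dict = field(default_factory=dict)    # "A->B" -> {A role: B role} (UM)
    access_policies: dict = field(default_factory=dict)  # device ID -> {local role: ops} (UAP)
    audit: list = field(default_factory=list)            # (request, decision) records (RA)
    history: dict = field(default_factory=dict)          # user ID -> {(device, op)} granted before

def domain_of(entity_id: str) -> str:
    """IDs follow the page's name_domain convention: 'device_b_domainB' -> 'domainB'."""
    return entity_id.rsplit("_", 1)[1]

def UR(ledger, uploader_domain, user_id, role):
    """Upload a user's role; a domain server may only upload its own users."""
    if domain_of(user_id) != uploader_domain:
        raise PermissionError("foreign user")
    ledger.user_roles[user_id] = role

def UM(ledger, uploader_domain, foreign_domain, rules):
    """Upload mapping rules; by construction they only map foreign roles INTO the
    uploader's local roles, which is the constraint the page states."""
    ledger.mapping_rules[f"{foreign_domain}->{uploader_domain}"] = dict(rules)

def UAP(ledger, uploader_domain, device_id, policy):
    """Upload a device's access policy: {local role: set of permitted commands}."""
    if domain_of(device_id) != uploader_domain:
        raise PermissionError("foreign device")
    ledger.access_policies[device_id] = {r: set(ops) for r, ops in policy.items()}

def GUR(ledger, user_id):
    return ledger.user_roles.get(user_id)

def MR(ledger, role, rule_id):
    return ledger.mapping_rules.get(rule_id, {}).get(role)

def GP(ledger, device_id):
    return ledger.access_policies.get(device_id, {})

def RA(ledger, request, decision):
    """Record request and decision; permitted requests also feed the history list."""
    ledger.audit.append((request, decision))
    if decision == "allow":
        ledger.history.setdefault(request["user"], set()).add((request["device"], request["op"]))

def sign(user_id, payload):
    return hmac.new(USER_KEYS[user_id], payload.encode(), hashlib.sha256).hexdigest()

def make_request(tag, user, device, op):
    """Build 'tag|user ID|device ID|command|signature' as in the page's example."""
    payload = "|".join((tag, user, device, op))
    return payload + "|" + sign(user, payload)

def parse_request(raw):
    """Split the request and verify the signature before anything else is trusted."""
    tag, user, device, op, sig = raw.split("|")
    expected = sign(user, "|".join((tag, user, device, op))) if user in USER_KEYS else ""
    if not expected or not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    return {"tag": tag, "user": user, "device": device, "op": op}

def decide(ledger, raw):
    """Smart-contract entry point: returns 'allow' or 'deny' and records the audit entry."""
    try:
        req = parse_request(raw)
    except ValueError:
        return "deny"  # malformed or forged requests never reach the policy check
    if req["tag"] == "01":
        # History path: only an access identical to one already granted is allowed.
        # Assumption: a 01 request with no matching history entry is simply denied.
        allowed = (req["device"], req["op"]) in ledger.history.get(req["user"], set())
    else:
        # Role path: GUR -> MR (rule for requester domain -> device domain) -> GP.
        rule_id = f"{domain_of(req['user'])}->{domain_of(req['device'])}"
        local_role = MR(ledger, GUR(ledger, req["user"]), rule_id)
        allowed = req["op"] in GP(ledger, req["device"]).get(local_role, set())
    decision = "allow" if allowed else "deny"
    RA(ledger, req, decision)
    return decision

def build_demo_ledger():
    """Constructed setup: domain A's analyst maps to domain B's reader on device b."""
    ledger = Ledger()
    UR(ledger, "domainA", "user_a_domainA", "analyst")
    UM(ledger, "domainB", "domainA", {"analyst": "reader"})
    UAP(ledger, "domainB", "device_b_domainB", {"reader": {"r"}, "admin": {"r", "w"}})
    return ledger
```

Because the history path only replays an access that was already granted through the role path, revoking a mapping rule or policy does not by itself invalidate 01 requests; a deployment would need to purge the history entries as well.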
In an embodiment, before the requesting end sends the cross-domain access request to the requesting-end server on receiving the cross-domain request instruction, the method further includes:
configuring rule information for the requesting end and the receiving end;
uploading the rule information to the blockchain.
As shown in fig. 2, IDs are first configured for the users and devices within each domain organization and for the management server. For example, in domain A a device is named "device_name_Domain A", a user "User_Name_Domain A" and the management server "management server_Domain A". The domain management servers jointly formulate the role mapping rules and then upload the users' roles, the role mapping rules and the access policies to the blockchain by calling the UR (upload user name), UM (upload mapping rule) and UAP (upload access policy) functions; each domain management server may only upload the rule set that maps foreign roles into its own local roles.
In an embodiment, the blockchain retrieving the rule information of the requesting end based on the cross-domain access request specifically includes:
retrieving the role of the requesting end, the mapping rules and the access control policy.
Specifically, the domain management server uploads the user roles, the role mapping rules between domain organizations and the access policy of the device to the blockchain; the smart contract retrieves the role mapping rules, the device access policy and the cross-domain access records, and makes the access decision according to the role mapping rules and the device access policy.
In an embodiment, the requesting-end server forwarding the cross-domain access request to the blockchain on receiving it specifically includes:
sending the cross-domain access request to a smart contract in the blockchain;
the smart contract records the audit record on the blockchain and adds the access permission decision for a permitted access request to the access history list.
A historical access list is maintained in the smart contract, and to exploit the efficiency of the blockchain an efficient smart contract is devised that makes access decisions based on this historical access list.
In an embodiment, the access permission decision specifically includes:
making the access decision based on the user role and the access control policy; or, alternatively,
making the access decision based on the user's access history list.
The smart contract adds and manages a user access history list that records the user's permitted access requests; using this list, the user can easily prove that he has access rights to the device. The smart contract therefore makes access decisions in two ways: based on the user role and the access control policy, or based on the user's access history list. This greatly improves the efficiency and trustworthiness of cross-domain access control.
Example 2
As shown in fig. 2, according to another embodiment of the present invention, a blockchain-based cross-domain access system is provided, including:
a blockchain, a domain management server and a domain organization, wherein the domain organization is connected to the domain management server and the domain management server is connected to the blockchain; the domain organization comprises a requesting-end domain organization and a receiving-end domain organization, and the domain management server comprises a requesting-end domain management server and a receiving-end domain management server;
the requesting-end domain organization is used for sending a cross-domain access request to the requesting-end domain management server on receiving a cross-domain request instruction;
the requesting-end domain management server is used for forwarding the cross-domain access request to the blockchain on receiving it;
the blockchain is used for retrieving the rule information of the requesting end based on the cross-domain access request;
when the rule information meets the requirement, the blockchain sends an access permission decision to the receiving-end domain management server;
and the receiving-end domain organization is used for sending the data requested by the requesting-end domain organization to that organization on receiving the access permission decision.
The overall system architecture is shown in fig. 2 and mainly includes the domain organization, the domain management server and the blockchain.
A domain organization includes users, who are the cross-domain requesters, and devices, which are the resource owners and may define access control policies to decide who may access their resources.
The blockchain includes a plurality of server nodes, such as node 1 to node N in fig. 2, and a smart contract; the server nodes record the role mapping rules, device access policies and cross-domain access records, while the smart contract defines the interface for transaction invocation and makes access decisions according to the role mapping rules and device access policies. The blockchain supervises the domain management servers: it records the user roles, role mapping rules, access control policies and the audit records containing requests and access control decisions, and, to resist malicious attackers, it uses a consensus algorithm to keep the blockchain ledger consistent.
Specifically, the cross-domain access technique and its features are as follows:
the cross-domain access method is carried out by the cooperation of the domain organization, the domain management server and the blockchain, where a user of the domain organization is the subject applying for cross-domain access and a device is the object of the access; the domain management server uploads the user roles, the role mapping rules and the device policies to the blockchain; and the blockchain makes access decisions by invoking a functional interface.
Blockchain techniques and intelligent contracts:
in order to solve the technical defects that the existing cross-domain access system is unsafe and unreliable, is easy to generate single-point faults, lacks integrity and confidentiality and the like, the invention realizes the distributed cross-domain access system by using a block chain technology, and enhances the safety and the anti-tampering function of the cross-domain access system. The block chain infrastructure comprises 6 layers such as a data layer, a network layer, a consensus layer, an excitation layer, a contract layer and an application layer, wherein the contract layer uses an algorithm such as an intelligent contract. The blockchain acts as a traceable distributed network, and each node maintains the same ledger, including the role, rules, policies and access records of the system, thus no third party is required to provide data services. When transactions are synchronized to the blockchain, they cannot be modified or deleted, so all transactions can be traced on the blockchain ledger. The method solves the problem of single point of failure of a centralized cross-domain access system, and greatly improves the safety and reliability of cross-domain access.
To provide a trusted access control process, intelligent contracts are installed in blockchains and define some interface functions for system calls. Blockchain smart contracts are data transparent, and any party to a transaction can view its code and data. The intelligent contract code and the data output generated by running are not tamperproof, and the node running the intelligent contract does not need to worry about other nodes to modify the code and the data maliciously. Moreover, as the number of the nodes supporting the block chain network is often hundreds or even thousands, the failure of part of the nodes does not cause the stop of the intelligent contract, and the reliability of the intelligent contract is close to permanent operation theoretically, so that the intelligent contract can be effective at every moment like a paper contract.
The domain management server uploads the user roles, role mapping rules between domain organizations, and access policies of devices onto the blockchain using intelligent contracts. Further, the smart contract adds and manages a user access history list that records the user's request for permitted access, and with this list, the user can easily prove that he has access rights to the device. Therefore, the intelligent contract makes an access decision by two methods, namely making the access decision based on the user role and the access control strategy, and making the access decision based on the user access history list. The method greatly improves the efficiency and the trust degree of cross-domain access control.
To provide a trusted access control process, smart contracts are installed in the blockchain and define a set of interface functions; the smart contract provides the following functional interfaces:
UR (upload user name): this function is invoked by the domain management server to upload the domain organization's user names onto the blockchain.
UM (upload role mapping rule): this function is invoked by the domain management server to upload the role mapping rules between domain organizations onto the blockchain.
UAP (upload access policy): this function is invoked by the domain management server to upload the access policy of a device onto the blockchain.
GUR (get user role): this function returns the user's role once the user's ID is received.
RA (record audit): this function records the requests from users and the access decisions made on the blockchain.
MR (role mapping): upon receiving a role and the unique identifier of a role mapping rule between two domain organizations, this function maps the role according to that role mapping rule.
GP (get policy): upon receipt of the device's public key, this function returns the access policy of the device.
Role mapping rules:
The role-based access control model expresses the complex relationships among users, roles and permissions, solves the problem that in traditional access control a subject is always bound to a specific entity, realizes flexible authorization of subjects, and is the most classical access control model. The role-based access control model realizes the permission conversion of users across different domains by establishing a mapping relationship between users and roles, so that users can flexibly acquire permissions. Therefore, in the present invention, the domain management servers jointly formulate the role mapping relationship between domains, and each uploads the mapping rules from foreign-domain roles to local-domain roles to the blockchain.
Specifically, system operation is divided into four stages: system initialization, access control, data transmission and dispute handling. The invention of the present application is explained in detail below through a specific example:
System initialization: as shown by the marker in FIG. 2, IDs are configured for the users and devices in a domain and for the management server; for example, in domain A a device is named "device_name_domainA", a user "user_name_domainA" and the management server "management_server_domainA". The domain management servers jointly formulate the role mapping rules, then upload the users' roles, the role mapping rules and the access policies to the blockchain by calling the UR (upload user name), UM (upload role mapping rule) and UAP (upload access policy) functions; each domain management server may only upload the rule set that maps foreign roles into its own local roles.
Access control: as shown by the marker in FIG. 2, when a user wishes to issue a cross-domain access request, the user broadcasts that request. For example, user a of domain A wants to read data of device b belonging to domain B. The request has the form (tag | user ID | device ID | access control command | signature); if user a of domain A requests resource c of device b in domain B, the request is sent as: 01 | user_a_domainA | device_b_domainB | r | Isk, where the tag 01 indicates that user a has previously accessed the resource, the access control command r indicates read-only, and Isk is the user's signature.
As shown by the marker in FIG. 2, the user broadcasts the request in the domain-management-server network; the domain management servers of domain A and domain B both receive the cross-domain request of user a and, after receiving it, forward the access request to the smart contract.
As shown by the marker in FIG. 2, the smart contract records the audit record on the blockchain by calling RA and adds each permitted access request to the access history list.
As shown by the marker in FIG. 2, the smart contract acquires the role of the user by calling GUR (get user role), maps the role of the user by calling MR (role mapping), and acquires the policy of the device by calling GP (get policy). The access decision method is selected according to the tag of the cross-domain request, and the access decision is of two types: if the tag is 00, the domain management server invokes the access decision based on the role and the policy; if the tag is 01, the domain management server invokes the access decision based on the access history list. The smart contract then determines whether the access policy of the device is satisfied by the mapped role, makes an access decision or an access permission decision, and returns it to the domain management server.
As shown by the marker in FIG. 2, the domain management server connected to domain organization B forwards the access decision to device b after receiving it.
Data transfer: as shown by the marker in FIG. 2, after receiving the access decision result, the device returns the data to the user who has been permitted to access the data resource. The device generates a session key to encrypt the data and signs a hash of the data, which is then returned to the user.
Dispute handling: the user can verify the access decision. The domain management server can trace back the access records of a user to detect abnormal access behaviour. In addition, the audit record also provides evidence for the access history list.
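The access-decision flow of the stages above (request format, the GUR/MR/GP lookups, the RA audit record feeding the access history list, and the decision path selected by the request tag), as an added Python model written for this page rather than the patent's own code. It assumes a device policy keyed by device ID instead of the device public key and reduces signature verification to a pluggable presence check; all domains, roles, rules and the sample request are constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

Request = Tuple[str, str, str, str, str]  # tag, user ID, device ID, command, signature


def parse_request(raw: str) -> Request:
    """Split 'tag | user ID | device ID | access control command | signature'."""
    parts = tuple(p.strip() for p in raw.split("|"))
    if len(parts) != 5 or parts[0] not in ("00", "01"):
        raise ValueError("malformed cross-domain request")
    return parts


@dataclass
class CrossDomainContract:
    users: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # id -> (domain, role)
    rules: Dict[Tuple[str, str], Dict[str, str]] = field(default_factory=dict)  # (foreign, local) -> {foreign role: local role}
    devices: Dict[str, Tuple[str, Dict[str, Set[str]]]] = field(default_factory=dict)  # id -> (domain, {local role: commands})
    audit: List[Tuple[Request, bool]] = field(default_factory=list)
    history: Set[Tuple[str, str, str]] = field(default_factory=set)  # (user, device, command) granted earlier
    # Placeholder (assumption): a real contract verifies sig with the user's key; here only presence is checked.
    verify: Callable[[str, str], bool] = lambda user_id, sig: bool(sig)

    # Upload interfaces, called by the domain management servers.
    def UR(self, domain: str, user_id: str, role: str) -> None:
        self.users[user_id] = (domain, role)

    def UM(self, uploader: str, foreign: str, mapping: Dict[str, str]) -> None:
        # A server may only upload rules that map foreign roles into its own domain.
        self.rules[(foreign, uploader)] = dict(mapping)

    def UAP(self, domain: str, device_id: str, policy: Dict[str, Set[str]]) -> None:
        # Simplification: keyed by device ID rather than by the device public key.
        self.devices[device_id] = (domain, {r: set(c) for r, c in policy.items()})

    # Lookup interfaces used while deciding.
    def GUR(self, user_id: str) -> Optional[Tuple[str, str]]:
        return self.users.get(user_id)

    def MR(self, role: str, foreign: str, local: str) -> Optional[str]:
        return self.rules.get((foreign, local), {}).get(role)

    def GP(self, device_id: str) -> Optional[Tuple[str, Dict[str, Set[str]]]]:
        return self.devices.get(device_id)

    def RA(self, req: Request, granted: bool) -> None:
        # Every request and decision is audited; permitted requests also extend
        # the access history list that the tag-01 path consults later.
        self.audit.append((req, granted))
        if granted:
            self.history.add((req[1], req[2], req[3]))

    def _policy_decision(self, user_id: str, device_id: str, cmd: str) -> bool:
        user, dev = self.GUR(user_id), self.GP(device_id)
        if user is None or dev is None:
            return False
        (user_domain, role), (dev_domain, policy) = user, dev
        local_role = self.MR(role, user_domain, dev_domain)
        return local_role is not None and cmd in policy.get(local_role, set())

    def decide(self, raw: str) -> bool:
        """Tag 00: role mapping plus device policy. Tag 01: access history list."""
        req = parse_request(raw)
        tag, user_id, device_id, cmd, sig = req
        if not self.verify(user_id, sig):
            granted = False
        elif tag == "00":
            granted = self._policy_decision(user_id, device_id, cmd)
        else:
            # A tag-01 claim not backed by the history list is denied here; falling
            # back to the policy path would be a design choice the page does not specify.
            granted = (user_id, device_id, cmd) in self.history
        self.RA(req, granted)
        return granted


def demo() -> CrossDomainContract:
    """Constructed scenario: user a of domain A reads from device b of domain B."""
    c = CrossDomainContract()
    c.UR("domainA", "user_a_domainA", "engineer")
    c.UM(uploader="domainB", foreign="domainA", mapping={"engineer": "guest"})
    c.UAP("domainB", "device_b_domainB", {"guest": {"r"}, "admin": {"r", "w"}})
    return c
```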
In particular, in the prior art the authorization of user information adopts a single-server architecture, i.e., a centralized architecture, which generally lacks security and reliability; a single server cannot provide trusted access decisions, because a malicious or compromised server can easily deny an authorized user access to a resource or allow an illegitimate user to access it. The invention provides a decentralized cross-domain access control method based on the distributed network structure of a blockchain and thereby solves the problems of the single server.
In an embodiment, the system further comprises a system initialization module used to configure rule information for the requesting end and the receiving end and to upload the rule information to the blockchain. The system initialization has already been described above and is not repeated here.
In an embodiment, the rule information specifically includes:
the role of the requesting-end domain organization, the mapping rules and the access control policies.
Specifically, the domain management server uploads the user roles, the role mapping rules among domain organizations and the access policies of the devices to the blockchain; the smart contract retrieves the role mapping rules, the device access policies and the cross-domain access records, and makes an access decision according to the role mapping rules and the device access policies.
In an embodiment, the blockchain includes:
a smart contract, used to receive the cross-domain access request sent by the requesting-end server;
and a history list module, used to record the audit record of the smart contract in a history list and to add the access permission decision of a permitted access request to the access history list.
A historical access list is added to the smart contract; building on the efficiency of the blockchain, an efficient smart contract is designed to make access decisions based on this historical access list.
In an embodiment, the access permission decision specifically includes:
making an access decision based on the user role and the access control policy; or, alternatively,
making an access decision based on the user access history list.
The smart contract adds and manages a user access history list that records the user's permitted access requests; with this list, the user can easily prove that he has access rights to the device. Therefore, the smart contract makes access decisions by two methods: an access decision based on the user role and the access control policy, and an access decision based on the user access history list. This greatly improves the efficiency and the trustworthiness of cross-domain access control.
The invention has the following beneficial effects:
1. In the prior art, the authorization of user information adopts a single-server architecture, namely a centralized architecture, which generally lacks security and reliability; a single server cannot provide trusted access decisions, because a malicious or compromised server can easily deny an authorized user access to resources or allow an illegitimate user to access them. The invention provides a decentralized cross-domain access control method based on the distributed network structure of a blockchain and solves the problems of the single server. By adopting blockchain-based technology, it overcomes the problems that the centralized framework of existing cross-domain access technology is prone to single points of failure, that third-party services are not absolutely reliable, and that the centralized framework is easily attacked.
2. In the prior art, cross-domain access control based on a third-party server is mostly adopted, and integrity and confidentiality are lacking. The invention uses the blockchain nodes to record and maintain the information, thereby improving the confidentiality of the cross-domain access system.
3. Existing systems mostly use access control based on the access policy and the role mapping relationship, which is inefficient; the invention uses a smart contract with an added historical access list, so that access decisions can be made according to the user's historical access records, greatly improving cross-domain access efficiency.
4. Existing access control methods mostly use a single form of access control based on roles or attributes; the invention combines a blockchain with role mapping technology, and the system uploads the users' roles, the role mapping rules and the access policies to the blockchain, thereby realizing a trusted access control process.
The foregoing is only a preferred embodiment of the present invention; it should be noted that those skilled in the art can make various modifications and refinements without departing from the principle of the present invention, and these modifications and refinements should also be regarded as within the protection scope of the present invention.

Claims (10)

1. A blockchain-based cross-domain access method, characterized by comprising the following steps:
based on the received cross-domain request instruction, the requesting end sends a cross-domain access request to a requesting-end server;
when the cross-domain access request is received, the requesting-end server sends the cross-domain access request to a blockchain;
based on the cross-domain access request, the blockchain retrieves the rule information of the requesting end;
when the rule information meets the requirement, the blockchain sends an access permission decision to a receiving-end server;
when receiving the access permission decision, the receiving-end server sends the access permission decision to the receiving end;
and when the access permission decision is received, the receiving end sends the data requested by the requesting end to the requesting end.
2. The blockchain-based cross-domain access method according to claim 1, wherein, before the requesting end sends a cross-domain access request to the requesting-end server based on the received cross-domain request instruction, the method further comprises:
configuring rule information for the requesting end and the receiving end;
and uploading the rule information to the blockchain.
3. The method according to claim 1, wherein the retrieving, by the blockchain, of the rule information of the requesting end based on the cross-domain access request specifically includes:
retrieving the role of the requesting end, the mapping rules and the access control policy.
4. The blockchain-based cross-domain access method according to claim 3, wherein the requesting-end server sending the cross-domain access request to a blockchain when receiving the cross-domain access request specifically includes:
sending the cross-domain access request to a smart contract in the blockchain;
the smart contract recording the audit record on the blockchain and adding the access permission decision of the permitted access request to the access history list.
5. The blockchain-based cross-domain access method according to claim 4, wherein the access permission decision specifically comprises:
making an access decision based on the user role and the access control policy; or, alternatively,
making an access decision based on the user access history list.
6. A blockchain-based cross-domain access system, comprising a blockchain, a domain management server and a domain organization, wherein the domain organization is connected to the domain management server and the domain management server is connected to the blockchain; the domain organization comprises a requesting-end domain organization and a receiving-end domain organization, and the domain management server comprises a requesting-end domain management server and a receiving-end domain management server;
the requesting-end domain organization is used for sending a cross-domain access request to the requesting-end domain management server based on the received cross-domain request instruction;
the requesting-end domain management server is used for sending the cross-domain access request to the blockchain when receiving the cross-domain access request;
the blockchain is used for retrieving the rule information of the requesting end based on the cross-domain access request;
when the rule information meets the requirement, the blockchain sends an access permission decision to the receiving-end domain management server;
and the receiving-end domain organization is used for sending the data requested by the requesting-end domain organization to the requesting-end domain organization when receiving the access permission decision.
7. The blockchain-based cross-domain access system of claim 6, further comprising a system initialization module used for configuring rule information for the requesting end and the receiving end and uploading the rule information to the blockchain.
8. The system according to claim 6, wherein the rule information specifically includes:
the role of the requesting-end domain organization, the mapping rules and the access control policy.
9. The blockchain-based cross-domain access system of claim 6, wherein the blockchain comprises:
a smart contract, used for receiving the cross-domain access request sent by the requesting-end server;
and a history list module, used for recording the audit record of the smart contract in a history list and adding the access permission decision of the permitted access request to the access history list.
10. The blockchain-based cross-domain access system of claim 6, wherein the access permission decision specifically comprises:
making an access decision based on the user role and the access control policy; or, alternatively,
making an access decision based on the user access history list.

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202110858312.6A CN113612754A (en) 2021-07-28 2021-07-28 Cross-domain access method and system based on block chain
PCT/CN2021/112238 WO2023004889A1 (en) 2021-07-28 2021-08-12 Blockchain-based method and system for cross-domain access

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110858312.6A CN113612754A (en) 2021-07-28 2021-07-28 Cross-domain access method and system based on block chain

Publications (1)

Publication Number Publication Date
CN113612754A true CN113612754A (en) 2021-11-05

Family

ID=78338516

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110858312.6A Pending CN113612754A (en) 2021-07-28 2021-07-28 Cross-domain access method and system based on block chain

Country Status (2)

Country Link
CN (1) CN113612754A (en)
WO (1) WO2023004889A1 (en)

Also Published As

Publication number Publication date
WO2023004889A1 (en) 2023-02-02

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (Application publication date: 20211105)