CN117424747A - Cross-domain access control method and system based on multi-block chain - Google Patents


Info

Publication number: CN117424747A
Authority: CN (China)
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Pending
Application number: CN202311536545.XA
Other languages: Chinese (zh)
Inventors: 任志宇, 王海超, 杜学绘, 王娜, 王文娟, 孙奕, 曹利峰, 张天彭
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): Information Engineering University of PLA Strategic Support Force
Original Assignee: Information Engineering University of PLA Strategic Support Force
Application filed by Information Engineering University of PLA Strategic Support Force
Priority to CN202311536545.XA
Publication of CN117424747A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105 Multiple levels of security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H04L9/50 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees
Abstract

The invention relates to the technical field of blockchain information security, in particular to a cross-domain access control method and system based on multiple blockchains. An access control chain implementing an attribute-based access control (ABAC) model is deployed in each security domain; intra-domain and inter-domain access decisions are pushed down to the access control chain of each domain; and a relay-chain cross-chain technique makes the heterogeneous access control chains of the security domains interoperable. On the basis of smart contracts, the policy decision contract, policy administration contract, attribute authority contract and inter-domain intermediary contract of the ABAC model, together with a trust evaluation contract for trust management, are introduced into the intra-domain and inter-domain access control flows, realising trusted intra-domain and inter-domain cross-domain access control without a third party. Security assurance of the cross-domain access control data is realised through cross-chain interoperability and an SPV data verification algorithm. The method and system are applicable to cross-domain access control scenarios in a multi-domain environment and meet the inter-domain privacy and scalability requirements of such an environment.

Description

Cross-domain access control method and system based on multi-block chain
Technical Field
The invention relates to the technical field of blockchain information security, in particular to a cross-domain access control method and system based on multiple blockchains.
Background
With the rapid development of information technologies such as big data, the Internet of Things and cloud computing, the value of data has gradually been recognised, and data has become a new factor of production in fields including medical treatment, finance and scientific research. Against the background of big data, data grows explosively and is dispersed across the service information systems of different institutions. To meet data privacy requirements, institutions are usually divided into different security domains, and each security domain designs its own security policies according to its service requirements, so that the domains exhibit intra-domain interconnection and inter-domain isolation, and data is not fully utilised. It is therefore necessary to break the information isolation between information systems, let data flow between security domains, and move from closed single-domain sharing to collaborative cross-domain sharing. Security incidents during data sharing, however, occur one after another, so the risk of data leakage during sharing in a multi-domain environment must be reduced and data security ensured.
Access control is an important security technology for ensuring data security in a multi-domain data sharing system: by limiting users' access rights to data, it prevents access by illegitimate users and illegitimate access by legitimate users. It also helps administrators control and limit users' access rights to the various resources in the system, ensuring the confidentiality, integrity and availability of data and maintaining the safe and stable operation of the system. Traditional access control models such as discretionary access control, mandatory access control and role-based access control are mature and widely used to protect resources, but they cannot be applied directly in a multi-domain environment, where a fine-grained and flexible access control model is needed. The attribute-based access control model, which describes authorisation information through entity attributes, can handle access requirements in a complex multi-domain environment more flexibly and at finer granularity, but it lacks decision transparency and auditability, so new technology must be introduced to complete it.
In recent years, access control research on multi-domain data sharing has focused on centralised architectures, in which each domain relies on a "centralised" third-party server to perform data operations; such architectures face single points of failure, policy tampering, unreliable authorisation decisions and other problems. Blockchain technology offers a new approach to implementing an access control system: it is inherently distributed, tamper-resistant and openly transparent, and its trusted execution without third-party endorsement can effectively remove the risks of a centralised access control architecture. At present, however, blockchain-based access control concentrates on implementations within a single domain, and because the ledger of a single-chain blockchain architecture is open and transparent to all participating nodes, data cannot be processed across trust domains, and the scalability and inter-domain privacy of blockchain-based cross-domain methods are unsatisfactory.
Disclosure of Invention
Therefore, the invention provides a cross-domain access control method and system based on multiple blockchains, which use blockchain technology to establish a low-cost, efficient, trusted cross-domain access control mechanism that preserves inter-domain privacy, so as to solve the problems that existing blockchain access control cannot handle data across trust domains and offers poor scalability and inter-domain privacy.
According to the design scheme provided by the invention, a cross-domain access control method based on multiple blockchains is provided, comprising the following steps:
unregistered users and service providers register their respective attributes with the corresponding service blockchain security domain through the attribute authority, and the attributes, the attribute correspondences and the service providers' self-defined access control policies are stored on the access control chain of each security domain by calling the intra-domain smart contract;
the access control chain of each service blockchain security domain is deployed to policy enforcement client nodes, and these nodes link across domains to the access control chains of other service blockchain security domains through the relay chain, wherein the access control chain deploys the attribute authority, policy administration point and policy decision point of the ABAC access control model in the form of intra-domain smart contracts, and the relay chain performs inter-domain data transmission in the form of inter-domain smart contracts;
when a resource requester in the access request domain initiates an intra-domain access request, the policy enforcement client node establishes data exchange between the resource requester and the resource owner by using the access control chain and calling the intra-domain smart contract; when a resource requester in the access request domain initiates an inter-domain access request, the policy enforcement client node establishes data exchange between the request-domain resource requester and the target-domain resource owner by using the relay chain and calling the inter-domain smart contract.
As the cross-domain access control method based on multiple blockchains of the present invention, further, the intra-domain smart contract comprises: a policy handling contract function for performing add, delete and update operations on access control policies; an attribute handling contract function for performing delete and update operations on entity attributes; an access control handling contract function for deciding access control by parsing access requests; and an inter-domain data flow handling contract function for handling cross-domain access control requests and responses on behalf of the policy enforcement client nodes within the access domain.
As the cross-domain access control method based on multiple blockchains of the present invention, further, the inter-domain smart contract comprises: a data conversion contract function for cross-chain data conversion, a routing contract function for cross-chain data routing and forwarding, and a registration contract function for cross-chain identity registration and intra-chain identity mapping of access entities.
As the cross-domain access control method based on multiple blockchains of the present invention, further, each node of the relay chain determines its own role type through the inter-domain smart contract it deploys; the role types are adapter node, routing node and registration node, wherein the adapter node performs format conversion of cross-chain data from heterogeneous service blockchain security domains based on the data conversion contract function, the routing node determines routing identities based on the routing contract function and maintains cross-chain routing information on the chain, and the registration node registers and identifies cross-chain user information based on the registration contract function.
As the cross-domain access control method based on multiple blockchains of the present invention, further, the policy enforcement client node establishing data exchange between the resource requester and the resource owner by using the access control chain and calling the intra-domain smart contract comprises:
first, for an original access control request sent by the resource requester as the access control subject, the policy enforcement client node parses the original access control request based on the intra-domain smart contract and queries the control policies relevant to the request through the attribute lists of the subject and object, so as to judge whether the attributes of the subject and object meet the requirements of those policies, and performs real-time trust evaluation of the subject and object based on trust management of legitimate users, wherein the original access control request comprises the unique identifier of the subject, the unique identifier of the object and the action the subject requests on the object, and the attribute lists comprise the subject and object attributes, environment attributes and a trust attribute representing the current trust relationship between subject and object;
then, based on the real-time trust evaluation result, the policy enforcement client node feeds back the decision result to the access object so that the access object responds to the access control request.
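The intra-domain decision flow just described, modelled as an added example in Python (not the patent's own code): the decision logic parses a request, fetches the subject, object, environment and trust attributes, matches the relevant policies and applies a trust threshold before permitting, and records every decision. The identifiers, attribute names, policies, request format and the trust penalty are constructed assumptions.

```python
"""Intra-domain ABAC decision with real-time trust evaluation (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed on-chain attribute lists (what the attribute authority would hold).
SUBJECT_ATTRS: Dict[str, Dict[str, str]] = {
    "du-001": {"role": "doctor", "dept": "cardiology"},
    "du-002": {"role": "intern", "dept": "cardiology"},
}
OBJECT_ATTRS: Dict[str, Dict[str, str]] = {
    "do-ecg-42": {"type": "ecg_record", "dept": "cardiology"},
}
# Constructed trust attribute: current trust value of each subject.
TRUST_ATTRS: Dict[str, float] = {"du-001": 0.9, "du-002": 0.4}


@dataclass
class Policy:
    pid: str
    object_id: str
    actions: List[str]
    subject_cond: Dict[str, str]                 # attributes the subject must hold
    env_cond: Dict[str, str] = field(default_factory=dict)
    min_trust: float = 0.5                       # trust threshold (assumption)


# Constructed policy set as uploaded by the resource owner.
POLICIES: List[Policy] = [
    Policy("p1", "do-ecg-42", ["read", "annotate"], {"role": "doctor", "dept": "cardiology"}),
    Policy("p2", "do-ecg-42", ["read"], {"role": "intern", "dept": "cardiology"},
           env_cond={"time": "work_hours"}, min_trust=0.6),
]

# Access behaviour records: (subject, object, action, result).
DECISION_LOG: List[Tuple[str, str, str, str]] = []


@dataclass
class AccessRequest:
    subject_id: str
    object_id: str
    action: str


def parse_request(raw: str) -> AccessRequest:
    """Parse the constructed 'subject|object|action' request format."""
    parts = raw.split("|")
    if len(parts) != 3 or not all(parts):
        raise ValueError("malformed access request")
    return AccessRequest(*parts)


def query_policies(req: AccessRequest) -> List[Policy]:
    """Policy lookup by object identifier and requested action."""
    return [p for p in POLICIES if p.object_id == req.object_id and req.action in p.actions]


def evaluate_trust(subject_id: str, recent_denials: int) -> float:
    """Real-time trust evaluation: the stored trust attribute reduced by a
    constructed penalty of 0.1 per recorded denial, floored at zero."""
    return max(0.0, TRUST_ATTRS.get(subject_id, 0.0) - 0.1 * recent_denials)


def decide(raw: str, env: Dict[str, str]) -> Tuple[str, str]:
    """Return ('permit' | 'deny', reason) and append the decision to the log."""
    try:
        req = parse_request(raw)
    except ValueError as exc:
        return "deny", str(exc)
    subj = SUBJECT_ATTRS.get(req.subject_id)
    if subj is None or req.object_id not in OBJECT_ATTRS:
        result = ("deny", "unknown subject or object")
    else:
        result = ("deny", "no matching policy")
        denials = sum(1 for s, _, _, r in DECISION_LOG if s == req.subject_id and r == "deny")
        for p in query_policies(req):
            if all(subj.get(k) == v for k, v in p.subject_cond.items()) \
               and all(env.get(k) == v for k, v in p.env_cond.items()):
                trust = evaluate_trust(req.subject_id, denials)
                if trust >= p.min_trust:
                    result = ("permit", p.pid)
                else:
                    result = ("deny", f"trust {trust:.2f} below {p.min_trust} for {p.pid}")
                break
    DECISION_LOG.append((req.subject_id, req.object_id, req.action, result[0]))
    return result


if __name__ == "__main__":
    print(decide("du-001|do-ecg-42|read", {"time": "work_hours"}))
    print(decide("du-002|do-ecg-42|read", {"time": "work_hours"}))
```

The trust attribute is evaluated per request, so a subject whose attributes satisfy a policy is still denied when its current trust falls below the threshold that policy carries; the denial itself feeds the next evaluation through the log.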
As the cross-domain access control method based on multiple blockchains of the present invention, further, the policy enforcement client node establishing data exchange between the request-domain resource requester and the target-domain resource owner by using the relay chain and calling the inter-domain smart contract comprises:
first, for an original access control request sent by the resource requester as the access control subject, the policy enforcement client node of the corresponding request domain parses the original access control request based on the intra-domain smart contract, obtains the subject attribute list, adjusts the access control request based on the subject attribute list and sends the adjusted request to the relay chain, wherein the original access control request comprises the unique identifier of the request-domain subject, the unique identifier of the target-domain object and the action the subject requests on the object;
then, the relay chain parses the access control request and performs routing addressing for the object based on the inter-domain smart contract so as to find the target-domain policy enforcement client node and generate a request-domain identifier and a target-domain identifier, reconstructs the access control request with these identifiers and sends the reconstructed request to the target-domain policy enforcement client node;
then, the target-domain policy enforcement client node parses the access control request, obtains the access object's attribute information and the trust attribute representing the current cross-domain trust relationship between subject and object based on the intra-domain smart contract, so as to match the access control policies whose conditions are met by these attributes, and performs real-time trust evaluation of the subject and object based on trust management of legitimate users;
finally, based on the real-time trust evaluation result, the target-domain policy enforcement client node feeds back the policy matching result to the access object so that the access object responds to the access control request.
As the cross-domain access control method based on multiple blockchains of the present invention, further, the relay chain parsing the access control request and performing routing addressing for the object based on the inter-domain smart contract comprises:
performing, by calling the inter-domain smart contract, data conversion on the access request data related to the access control chain of the request domain, routing and forwarding the cross-chain request, and implicitly recording the block transaction history of the cross-chain data transaction on the relay chain, wherein the data conversion comprises removing redundant parameters, extracting the cross-chain specific parameters and packaging them into a cross-chain data transaction, the cross-chain specific parameters comprising the request-domain identifier, the target-domain identifier, the subject and object identifiers, the subject attribute information and the action the subject requests on the object.
As the cross-domain access control method based on multiple blockchains of the present invention, further, routing and forwarding the cross-chain request comprises: setting up router blockchain nodes and forwarding according to the transmission connection requirements of the cross-chain request and the routing table on the router blockchain, wherein the routing information on the router blockchain is stored in the form of on-chain transactions, so that the cross-chain request locates, through the stored routing information, the relay chain node that performs cross-chain data conversion and is forwarded through that relay chain node.
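The data conversion and routing steps above, modelled as an added example in Python (not the patent's own code): conversion strips everything except the cross-chain specific parameters and packages them into a cross-chain data transaction; routing replays on-chain routing transactions into a table, looks up the target domain's policy enforcement client node and rebuilds the request with explicit request-domain and target-domain identifiers; the relay step records the transaction. Field names, domain identifiers, node endpoints, the routing transactions and the request identifier construction are assumptions.

```python
"""Relay-chain data conversion and routing of a cross-chain request (added example)."""
import hashlib
import json
from typing import Dict, List

# Cross-chain specific parameters named in the method; any other field in the
# request-domain access request is treated as redundant and dropped.
CROSS_CHAIN_FIELDS = ("req_domain", "target_domain", "subject_id",
                      "object_id", "subject_attrs", "action")

# Constructed routing information as stored in on-chain routing transactions.
ROUTING_TXS: List[Dict[str, str]] = [
    {"domain": "domainB", "pep_node": "pepB.example:9000", "adapter": "adapter-2"},
    {"domain": "domainC", "pep_node": "pepC.example:9000", "adapter": "adapter-3"},
]

# Constructed relay-chain transaction history (the implicit record).
RELAY_LEDGER: List[dict] = []


def build_routing_table(txs: List[Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Replay routing transactions into a lookup table; later entries win."""
    return {tx["domain"]: tx for tx in txs}


def convert(request: dict) -> dict:
    """Data conversion: keep only the cross-chain parameters and package them."""
    missing = [f for f in CROSS_CHAIN_FIELDS if f not in request]
    if missing:
        raise ValueError(f"request lacks cross-chain parameters: {missing}")
    payload = {f: request[f] for f in CROSS_CHAIN_FIELDS}
    # Constructed cross-chain request identifier: hash of the canonical payload.
    body = json.dumps(payload, sort_keys=True).encode()
    return {"cc_req_id": hashlib.sha256(body).hexdigest(), "payload": payload}


def route(cc_tx: dict, table: Dict[str, Dict[str, str]]) -> dict:
    """Routing: find the target domain's PEP client node and rebuild the request
    carrying the request-domain and target-domain identifiers."""
    target = cc_tx["payload"]["target_domain"]
    entry = table.get(target)
    if entry is None:
        raise LookupError(f"no route to domain {target}")
    forwarded = dict(cc_tx["payload"])
    forwarded["cc_req_id"] = cc_tx["cc_req_id"]
    forwarded["adapter"] = entry["adapter"]      # node doing the format conversion
    forwarded["next_hop"] = entry["pep_node"]    # target-domain PEP client node
    return forwarded


def relay(request: dict, table: Dict[str, Dict[str, str]]) -> dict:
    """Full relay step: convert, route, then record the cross-chain transaction."""
    cc_tx = convert(request)
    forwarded = route(cc_tx, table)
    RELAY_LEDGER.append(cc_tx)
    return forwarded


# Constructed request as sent by the request-domain PEP client; the last two
# fields are local to the request domain and must not cross the relay chain.
SAMPLE_REQUEST = {
    "req_domain": "domainA", "target_domain": "domainB",
    "subject_id": "du-001", "object_id": "do-ecg-42",
    "subject_attrs": {"role": "doctor"}, "action": "read",
    "session_token": "local-session-only", "ui_locale": "zh-CN",
}

if __name__ == "__main__":
    print(relay(SAMPLE_REQUEST, build_routing_table(ROUTING_TXS)))
```

Dropping the non-cross-chain fields before the transaction is packaged is what keeps request-domain internals (session material, local identifiers) off the shared relay chain; the whitelist of fields, rather than a blacklist, makes that property hold for fields nobody anticipated.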
As the cross-domain access control method based on multiple blockchains of the present invention, further, implicitly recording the block transaction history of the cross-chain data transaction on the relay chain further comprises verifying the authenticity of the cross-chain data transaction on the relay chain with a simplified payment verification (SPV) algorithm, the verification process comprising:
first, the relay chain locates the block containing the cross-chain transaction through a Bloom filter according to the cross-chain request identifier in the cross-chain data transaction, and returns a hash authentication path according to the block number, wherein the hash authentication path consists of the hash values of the adjacent leaf nodes of the Merkle subtree containing the cross-chain transaction and the root hash values of the adjacent subtrees;
then, the source chain performs Merkle proof verification using the hash authentication path and the relay chain block header information it stores, and judges from the result whether the cross-chain data transaction really exists on the relay chain.
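The SPV verification just described, modelled as an added example in Python (not the patent's own code): the relay chain keeps full blocks with a per-block Bloom filter, finds the block holding a cross-chain transaction and returns the hash authentication path; the source chain, holding only the relay chain's block headers (the light-node role), recomputes the Merkle root from the path and compares it with the stored header. The block contents, the filter size, the pairing rule for an odd node and the use of the transaction hash as the cross-chain request identifier are assumptions.

```python
"""SPV-style proof of a cross-chain transaction on the relay chain (added example)."""
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class BloomFilter:
    """Minimal Bloom filter with k seeded SHA-256 positions (constructed)."""

    def __init__(self, nbits: int = 512, k: int = 3):
        self.nbits, self.k = nbits, k
        self.bits = bytearray(nbits // 8)

    def _positions(self, item: bytes):
        for seed in range(self.k):
            yield int.from_bytes(h(bytes([seed]) + item), "big") % self.nbits

    def add(self, item: bytes) -> None:
        for pos in self._positions(item):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def maybe_contains(self, item: bytes) -> bool:
        return all(self.bits[pos // 8] & (1 << (pos % 8)) for pos in self._positions(item))


def merkle_levels(leaf_hashes: List[bytes]) -> List[List[bytes]]:
    """All tree levels, leaves first; an unpaired node is hashed with itself."""
    levels = [list(leaf_hashes)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([h(cur[i] + (cur[i + 1] if i + 1 < len(cur) else cur[i]))
                       for i in range(0, len(cur), 2)])
    return levels


def merkle_root(leaf_hashes: List[bytes]) -> bytes:
    return merkle_levels(leaf_hashes)[-1][0]


def auth_path(leaf_hashes: List[bytes], index: int) -> List[Tuple[bytes, str]]:
    """Hash authentication path: the sibling leaf hash, then the root hashes of
    the adjacent subtrees up to the root, each tagged with the side it sits on."""
    path = []
    for level in merkle_levels(leaf_hashes)[:-1]:
        sib = index ^ 1
        sibling = level[sib] if sib < len(level) else level[index]
        path.append((sibling, "R" if index % 2 == 0 else "L"))
        index //= 2
    return path


def verify_path(leaf_hash: bytes, path: List[Tuple[bytes, str]], root: bytes) -> bool:
    """Recompute the root from leaf and path and compare with the stored header root."""
    node = leaf_hash
    for sibling, side in path:
        node = h(node + sibling) if side == "R" else h(sibling + node)
    return hmac.compare_digest(node, root)


class RelayChain:
    """Constructed relay chain: full blocks, each with a Bloom filter over its leaves."""

    def __init__(self):
        self.blocks: List[dict] = []

    def add_block(self, txs: List[bytes]) -> bytes:
        leaves = [h(tx) for tx in txs]          # cross-chain request id = tx hash
        bloom = BloomFilter()
        for leaf in leaves:
            bloom.add(leaf)
        root = merkle_root(leaves)
        self.blocks.append({"height": len(self.blocks), "leaves": leaves,
                            "root": root, "bloom": bloom})
        return root                             # header root handed to light nodes

    def lookup(self, cc_req_id: bytes) -> Optional[Tuple[int, List[Tuple[bytes, str]]]]:
        """Locate the block via the Bloom filter, confirm (filters can give false
        positives), and return (block number, hash authentication path)."""
        for blk in self.blocks:
            if blk["bloom"].maybe_contains(cc_req_id) and cc_req_id in blk["leaves"]:
                return blk["height"], auth_path(blk["leaves"], blk["leaves"].index(cc_req_id))
        return None


def spv_verify(relay: RelayChain, light_headers: Dict[int, bytes], cc_req_id: bytes) -> bool:
    """Source-chain check: the relay chain supplies block number and path; the
    light node verifies against the header root it already stores for that block."""
    found = relay.lookup(cc_req_id)
    if found is None:
        return False
    height, path = found
    root = light_headers.get(height)
    return root is not None and verify_path(cc_req_id, path, root)
```

The light node never trusts the root the relay chain returns alongside the path; it only trusts the header it downloaded earlier, which is why a transaction in a block whose header the source chain does not hold cannot be verified, and a tampered header fails the proof.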
Further, the present invention also provides a cross-domain access control system based on multiple blockchains, comprising an access control domain, a relay chain cross-domain system, access control entities and an access control chain, wherein
the access control domain is divided into an access control request domain and an access control target domain according to access roles, and each access control domain is provided with an access control chain for controlling intra-domain and inter-domain access requests;
the relay chain cross-domain system connects to nodes in each domain through relay nodes so as to access the access control chain of each access control domain;
the access control entities consist of access control subjects, which upload intra-domain entity attributes to the intra-domain access control chain, and access control objects, which upload their self-defined object access control policies to the intra-domain access control chain;
the access control chain stores the attributes, policies and access behaviour records of the access control mechanism of the ABAC access control model in the form of on-chain transactions;
the cross-domain access control system is specifically implemented in the following steps:
first, unregistered users and service providers register their respective attributes with the corresponding service blockchain security domain through the attribute authority, and the attributes, attribute correspondences and the service providers' self-defined access control policies are stored on the access control chain of each security domain by calling the intra-domain smart contract;
the access control chain of each service blockchain security domain is deployed to policy enforcement client nodes, and these nodes link across domains to the access control chains of other service blockchain security domains through the relay chain, wherein the access control chain deploys the attribute authority, policy administration point and policy decision point of the ABAC access control model in the form of intra-domain smart contracts, and the relay chain performs inter-domain data transmission in the form of inter-domain smart contracts;
when a resource requester in the access request domain initiates an intra-domain access request, the policy enforcement client node establishes data exchange between the resource requester and the resource owner by using the access control chain and calling the intra-domain smart contract; when a resource requester in the access request domain initiates an inter-domain access request, the policy enforcement client node establishes data exchange between the request-domain resource requester and the target-domain resource owner by using the relay chain and calling the inter-domain smart contract.
The beneficial effects of the invention are as follows:
according to the invention, access control chains based on an attribute-based access control model are deployed in each security domain, intra-domain and inter-domain access decisions are pushed down to the access control chain of each domain, autonomous authorisation within a domain is supported, fine-grained and traceable access control is realised, the heterogeneous access control chains of the security domains are made interoperable through the relay chain cross-chain technique, and cross-domain access control information is forwarded and recorded; the policy decision contract, policy administration contract, attribute authority contract and inter-domain intermediary contract of the ABAC model are introduced into the intra-domain and inter-domain access control flows on the basis of cross-domain access control smart contracts, a trust evaluation contract for trust management is introduced, and a trusted cross-domain access control mechanism without third-party access between domains is realised; the cross-chain control data forwarding mechanism of the relay chain realises security assurance of cross-domain access control data based on cross-chain interoperation and the SPV data verification algorithm, is applicable to cross-domain access control scenarios in a multi-domain environment, meets the inter-domain privacy and scalability requirements of such an environment, and has good application prospects.
Description of the drawings:
FIG. 1 is a schematic representation of a multi-blockchain-based cross-domain access control architecture in an embodiment;
FIG. 2 is a schematic flow of intra-domain access control in an embodiment;
FIG. 3 is a schematic flow of intra-domain access control in an embodiment;
FIG. 4 is a cross-chain interoperation framework based on relay chains in an embodiment.
The specific embodiment is as follows:
the present invention will be described in further detail with reference to the drawings and the technical scheme, in order to make the objects, technical schemes and advantages of the present invention more apparent.
At present, most multi-blockchain service systems use a single-chain architecture, in which data in the whole blockchain network must be agreed by all nodes before being added to the ledger; this serial mode greatly reduces the throughput of the whole network, so it is unsuitable for scenarios with frequent intra-domain and inter-domain access requests from entities in multiple domains, and since each security domain sets different access control policies according to its actual requirements, a single-chain architecture can hardly process all cross-chain data on one public, transparent chain. Aiming at the problem that existing blockchain cross-domain access control methods cannot meet the inter-domain privacy and scalability requirements of a multi-domain environment, the embodiment of the invention provides a cross-domain access control system based on multiple blockchains, comprising an access control domain, a relay chain cross-domain system, access control entities and an access control chain, wherein
the access control domain is divided into an access control request domain and an access control target domain according to access roles, and each access control domain is provided with an access control chain for controlling intra-domain and inter-domain access requests;
the relay chain cross-domain system connects to nodes in each domain through relay nodes so as to access the access control chain of each access control domain;
the access control entities consist of access control subjects, which upload intra-domain entity attributes to the intra-domain access control chain, and access control objects, which upload their self-defined object access control policies to the intra-domain access control chain;
and the access control chain stores the attributes, policies and access behaviour records of the access control mechanism of the ABAC access control model in the form of on-chain transactions.
Referring to FIG. 1, the access control domains are divided, by their cross-domain access control roles, into an access control request domain and a target domain. An intra-domain blockchain access control platform is deployed in each domain and is responsible for access control of the access requests exchanged within and between domains. The attribute authority (Attribute Authority, AA), policy administration point (Policy Administration Point, PAP) and policy decision point (Policy Decision Point, PDP) of the ABAC model can be compiled and deployed in the form of smart contracts. Each domain owns nodes connected to the relay chain that also act as policy enforcement clients (PEP clients); these nodes are responsible for forwarding access requests: an intra-domain request is forwarded to the access control chain of the domain, an out-of-domain request is forwarded to the relay chain, and the access result is obtained through the relay chain. A trust evaluation contract (TEC) is added to realise trust management of legitimate users and support dynamic access control.
The cross-domain system, also called the relay chain cross-chain system, is a relay chain platform that accesses the access control blockchain of each security domain by connecting relay nodes to the nodes in each domain. Inter-domain data transmission and data conversion are realised by deploying the intermediary contract (ICC), and the accessed intra-domain access control chain can also perform cross-domain data verification by downloading relay chain block header data through a light node. Among the access control entities, the resource user (Data User, DU) acts as the access control subject and is responsible for uploading intra-domain entity attributes to the intra-domain access control chain; the resource owner (Data Owner, DO) is the entity that defines the access control object, and the access control policy of the object is defined and uploaded by the DO. On the access control chain, the main logic of an ABAC-based access control system is realised in each security domain through smart contracts on the blockchain; the chain stores the attributes, policies and access behaviour records of the access control mechanism in the form of on-chain transactions, all of which are open, transparent, traceable and tamper-resistant, and realising the intra-domain access control system on a blockchain reduces the impact of single-point attacks.
Based on the above system architecture, the embodiment of the invention also provides a cross-domain access control method based on multiple blockchains, comprising the following steps:
S101, unregistered users and service providers register their respective attributes with the corresponding service blockchain security domain through the attribute authority, and the attributes, attribute correspondences and the service providers' self-defined access control policies are stored on the access control chain of each security domain by calling the intra-domain smart contract.
The entities participating in the access flow can be divided into access subjects, i.e. entities requesting access to a service or resource, and access objects, typically service or resource providers; all of them must register in order to participate in access flow control.
S102, the access control chain of each service blockchain security domain is deployed to policy enforcement client nodes, each of which links across domains to the access control chains of other service blockchain security domains through the relay chain; the access control chain deploys the attribute authority, policy administration point and policy decision point of the ABAC access control model in the form of intra-domain smart contracts, and the relay chain performs inter-domain data transmission in the form of inter-domain smart contracts.
Wherein the intra-domain smart contract comprises: a policy handling contract function for performing add, delete and update operations on access control policies; an attribute handling contract function for performing delete and update operations on entity attributes; an access control handling contract function for deciding access control by parsing access requests; and an inter-domain data flow handling contract function for handling cross-domain access control requests and responses on behalf of the policy enforcement client nodes within the access domain. The inter-domain smart contract comprises: a data conversion contract function for cross-chain data conversion, a routing contract function for cross-chain data routing and forwarding, and a registration contract function for cross-chain identity registration and intra-chain identity mapping of access entities.
The specific functions of each smart contract are shown in Table 1 below.
Table 1 Smart contract functions
(a) PAPC is responsible for policy-related operations
The DO (the object owner) adds, deletes and updates the TX_policy entries in blocks by invoking the AddPolicy, DeletePolicy and UpdatePolicy methods of the PAPC. The PAPC must first match the hash value of the DO's attribute list against the Pid in TX_policy; only after the match succeeds can the subsequent add, delete or update operation proceed.
The QueryPolicy function of the PAPC can only be called by the PDPC; it looks up the access control policies that satisfy the conditions in the AAR supplied by the PDPC and returns the matching policies as a policy set for the PDPC to make its decision.
(b) AAC is responsible for attribute-related operations
The security domain manager uploads, deletes and updates the attributes of an entity by calling AddAttribute, DeleteAttribute and UpdateAttribute. The AAC verifies the identity of the smart contract caller by checking whether the caller satisfies the required conditions, for example whether the caller holds a particular attribute.
The PDPC calls the QueryAttribute method of the AAC to obtain the attribute relations: the AAC looks up the attributes for the subject-object attribute list that the PEP sent to the PDPC and that the PDPC has parsed, and returns them to the PDPC once the lookup succeeds.
(c) PDPC is responsible for access control decision-related operations
The PDPC receives and parses the natural access request (Natural Access Request, NAR) sent by the off-chain PEP client, obtains the on-chain attributes and on-chain access control policies after parsing the NAR, and finally makes the automatic access control decision from the three access control primitives obtained and returns the result to the PEP client.
(d) ICC is responsible for inter-domain data stream processing
The ICC is deployed by the cross-domain system, i.e. the relay chain cross-chain system, and handles the cross-domain access control requests and responses sent by PEP clients in an access domain.
Each node in the relay chain determines which role type it currently plays through the inter-domain smart contract deployed on it. The role types are the adapter node, the routing node and the registration node: the adapter node performs format conversion of cross-chain data from heterogeneous service blockchain security domains based on the data conversion contract function; the routing node determines its routing node identity based on the routing contract function and maintains the cross-chain routing information on the chain; and the registration node registers and identifies cross-chain user information based on the registration contract function.
S103, when a resource requester in the access request domain initiates an intra-domain access request, the policy enforcement client node establishes the data exchange between the resource requester and the resource owner using the access control chain and by calling the intra-domain smart contract; when a resource requester in the access request domain initiates an inter-domain access request, the policy enforcement client node establishes the data exchange between the request-domain resource requester and the target-domain resource owner using the relay chain and by calling the inter-domain smart contract.
Specifically, the policy enforcement client node establishes the data exchange between the resource requester and the resource owner using the access control chain and by invoking the intra-domain smart contract, which may be designed as follows:
first, for the original access control request sent by the resource requester as the access control subject, the policy enforcement client node parses the original access control request based on the intra-domain smart contract and queries the control policies relevant to the request through the subject-object attribute list, in order to judge whether the attributes of the subject and object satisfy the relevant control policy and to perform real-time trust evaluation of the subject and object based on legal-user trust management; here the original access control request comprises the subject's unique identifier, the object's unique identifier and the action the subject requests on the object, and the attribute list comprises the subject and object attributes, the environment attributes and a trust attribute representing the current trust relationship between subject and object;
then, based on the real-time trust evaluation result, the policy enforcement client node feeds the decision result back to the access object so that the access object can respond to the access control request.
Initialization of the access control flow, i.e. blockchain network initialization, smart contract deployment and onboarding to the cross-chain system, must be completed in advance by an administrator. Before authorization, the subject and the object must complete attribute registration: they register their attributes with the attribute authority and call the AddAttribute interface of the AA contract to store the hash value of the attributes and the attribute correspondence on-chain. The object owner meanwhile defines the access control policy P_DO and calls AddPolicy in the PAP contract to store the policy on-chain. As shown in fig. 2, when the resource and the resource requester are in the same domain, the access control decision is made by the domain's access control chain; the detailed intra-domain access control steps are as follows:
(a) The resource requester, as the access control subject, sends an original access control request (Natural Access Request, NAR) to the PEP client. The NAR parameters are: the subject's unique identifier ID_DU, the object's unique identifier ID_DO and the action T_DO the subject requests on the object.
(b) The PEP client forwards the NAR to the PDPC, and the PDPC parses the NAR to obtain the subject and object identifiers and the action.
(c) The PDPC sends the subject and object identifiers to the AAC and calls QueryAttribute in the AAC to obtain the related attribute list AL stored on-chain in TX_attr, which includes the subject and object attributes, the environment attributes and a trust attribute representing the current trust relationship between subject and object.
(d) The PDPC combines the returned attribute list into an attribute access request (Attribute Access Request, AAR) and sends the AAR to the PAPC for the relevant policy query; the matching TX_policy is returned to the PDPC.
(e) The PDPC first judges whether the trust attribute satisfies the policy requirement. If it does, the PDPC makes the access control decision using the attribute list AL returned by the AAC and the policy set P_DO in the TX_policy returned by the PAPC. After the decision, the decision result and the access behaviour are returned to the PEP client and the TEC; the TEC performs real-time trust evaluation from this feedback, the PEP client returns the result to the object, and the object responds according to the access control result.
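The intra-domain steps (a) to (e) above, as an added worked example in Go that is not code from the patent: the PAPC, AAC, PDPC and TEC contract functions over an in-memory stand-in for the access control chain, including the PAPC's Pid check before a policy is accepted and the PDPC's trust check before the attribute rules. The Pid derivation, the per-policy trust threshold and the TEC's trust update rule are assumptions of this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// NAR is the natural access request the subject hands to the PEP client (step a).
type NAR struct {
	SubjectID, ObjectID, Action string // ID_DU, ID_DO, T_DO
}

// Policy is one entry of the owner-defined policy set P_DO carried in TX_policy.
type Policy struct {
	Pid              string            // hash of the DO attribute list, checked by the PAPC
	ObjectID, Action string
	MinTrust         float64           // lower bound on the subject-object trust attribute (assumed)
	Require          map[string]string // subject attributes that must match exactly
}

// Chain stands in for one domain's access control chain: TX_attr per entity, the policy set, and the trust attribute kept by the TEC.
type Chain struct {
	attrs    map[string]map[string]string
	policies []Policy
	trust    map[string]float64 // key: subjectID + "->" + objectID
}

func NewChain() *Chain {
	return &Chain{attrs: map[string]map[string]string{}, trust: map[string]float64{}}
}

// Pid derives the policy identifier from the owner's attribute list; fmt prints map keys in
// sorted order (Go >= 1.12), so the encoding is canonical and the hash reproducible.
func Pid(attrs map[string]string) string {
	sum := sha256.Sum256([]byte(fmt.Sprint(attrs)))
	return hex.EncodeToString(sum[:])
}

func (c *Chain) AddAttribute(id string, attrs map[string]string) { c.attrs[id] = attrs } // AAC: register entity attributes
func (c *Chain) SetTrust(sub, obj string, v float64)              { c.trust[sub+"->"+obj] = v } // TEC: write trust attribute

// AddPolicy (PAPC): accepted only if the Pid matches the hash of the owner's attribute list.
func (c *Chain) AddPolicy(ownerID string, p Policy) error {
	if owner, ok := c.attrs[ownerID]; !ok || Pid(owner) != p.Pid {
		return fmt.Errorf("PAPC: Pid of policy for %q does not match the owner's attribute list", p.ObjectID)
	}
	c.policies = append(c.policies, p)
	return nil
}

// QueryAttribute (AAC) returns the registered attributes of an entity.
func (c *Chain) QueryAttribute(id string) (map[string]string, error) {
	if a, ok := c.attrs[id]; ok {
		return a, nil
	}
	return nil, fmt.Errorf("AAC: no attributes registered for %q", id)
}

// QueryPolicy (PAPC, called by the PDPC only) returns the policies matching the AAR.
func (c *Chain) QueryPolicy(objectID, action string) (out []Policy) {
	for _, p := range c.policies {
		if p.ObjectID == objectID && p.Action == action {
			out = append(out, p)
		}
	}
	return out
}

// Decide implements PDPC steps (b)-(e): parse the NAR, fetch the attribute lists and the policy set,
// check the trust attribute first, then the attribute rules; the result is fed back to the TEC,
// whose +0.05 / -0.10 update rule here is a constructed placeholder, not the patent's.
func (c *Chain) Decide(nar NAR) (bool, error) {
	subj, err := c.QueryAttribute(nar.SubjectID)
	if err != nil {
		return false, err
	}
	if _, err = c.QueryAttribute(nar.ObjectID); err != nil {
		return false, err
	}
	trust, allowed := c.trust[nar.SubjectID+"->"+nar.ObjectID], false
	for _, p := range c.QueryPolicy(nar.ObjectID, nar.Action) {
		if trust < p.MinTrust {
			continue // trust requirement not met: the attribute rules are not even evaluated
		}
		allowed = true
		for k, v := range p.Require {
			allowed = allowed && subj[k] == v
		}
		if allowed {
			break
		}
	}
	if allowed {
		c.SetTrust(nar.SubjectID, nar.ObjectID, trust+0.05)
	} else {
		c.SetTrust(nar.SubjectID, nar.ObjectID, trust-0.10)
	}
	return allowed, nil
}
```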
Specifically, the policy enforcement client node establishes the data exchange between the request-domain resource requester and the target-domain resource owner using the relay chain and by invoking the inter-domain smart contract, which may be designed as follows:
first, for the original access control request sent by the resource requester as the access control subject, the policy enforcement client node in the corresponding request domain parses the request based on the intra-domain smart contract, obtains the subject attribute list, adjusts the access control request on the basis of that list and sends the adjusted request to the relay chain; here the original access control request comprises the request-domain subject's unique identifier, the target-domain object's unique identifier and the action the subject requests on the object;
then, the relay chain parses the access control request and performs route addressing for the object based on the inter-domain smart contract, so as to locate the target-domain policy enforcement client node and generate the request-domain identifier and the target-domain identifier, reconstructs the access control request with these two identifiers and sends the reconstructed request to the target-domain policy enforcement client node;
then, the target-domain policy enforcement client node parses the access control request and, based on the intra-domain smart contract, obtains the access object's attribute information and the trust attribute representing the current cross-domain trust relationship between subject and object, matches the access control policies that satisfy the conditions on the basis of these attributes, and performs real-time trust evaluation of the subject and object based on legal-user trust management;
and finally, based on the real-time trust evaluation result, the target-domain policy enforcement client node feeds the access control policy matching result back to the access object so that the access object can respond to the access control request.
As shown in fig. 3, the relay chain serves as the cross-domain platform: it links the blockchain-based access control of the two domains and forwards the cross-domain access control data. The inter-domain access control flow is as follows:
(a) The subject sends a cross-domain original access control request (Cross-domain Natural Access Request, C-NAR) to the request-domain PEP client; the parameters of the C-NAR change at each stage of the flow. The request in the request domain is called C-NAR1 and its parameters are: the request-domain subject's unique identifier C-UID_DU, the target-domain object's unique identifier C-UID_DO and the action T_DO the subject requests on the object.
(b) The request-domain PEP client requests the access subject's attribute list from its home-domain AAC. After receiving the returned attribute list, the PEP client sends the modified request C-NAR2 to the ICC on the relay chain. The C-NAR2 parameters are: the request-domain subject's unique identifier C-UID_DU and subject attribute information AL_DU, the target-domain object's unique identifier C-UID_DO, and the action T_DO the subject requests on the object.
(c) The ICC in the cross-domain system, i.e. the relay chain cross-chain system, receives the C-NAR, performs route addressing on the object's cross-domain unified identity C-UID_DO and, once the target-domain PEP client is found, reconstructs the request as C-NAR3 with the parameters: source-domain identifier L_DU, target-domain identifier L_DO, request-domain subject's unique identifier C-UID_DU and subject attribute information AL_DU, target-domain object's unique identifier C-UID_DO, and the action T_DO the subject requests on the object.
(d) After addressing succeeds and the target-domain PEP client receives C-NAR3, it generates a new request C-NAR4 with the parameters: source-domain identifier L_DU, request-domain subject's unique identifier C-UID_DU and subject attribute information AL_DU, target-domain object's unique identifier C-UID_DO, and the action T_DO the subject requests on the object. C-NAR4 is sent to the PDP for the access control decision.
(e) The target-domain PDPC first passes C-UID_DU and C-UID_DO to the local-domain AAC to obtain the object's attribute information and the trust attribute representing the current cross-domain trust relationship between subject and object. The PDPC then builds an AAR from all the attribute information received and sends it to the target-domain PAPC to match the access control policy set that satisfies the conditions; the PAPC returns the matching policy set to the PDPC.
(f) The target-domain PDPC makes a centralized decision over the access control policy set and returns the decision result to the target-domain PEP client, which forwards it to the ICC. The return parameters are: the request-domain subject's unique identifier C-UID_DU, the target-domain object's unique identifier C-UID_DO and the access control result.
The relay chain parsing the access control request and performing route addressing for the object based on the inter-domain smart contract may comprise the following steps:
performing data conversion on the access request data arriving from the request domain's access control chain by calling the inter-domain smart contract, routing and forwarding the cross-chain request, and implicitly recording the cross-chain data transaction in the block transaction history of the relay chain. The data conversion comprises removing redundant parameters, extracting the cross-chain specific parameters and packaging them into a cross-chain data transaction, where the cross-chain specific parameters comprise the request-domain identifier, the target-domain identifier, the subject and object identifiers, the subject attribute information and the action the subject requests on the object.
Routing and forwarding of the cross-chain request may be designed as follows: router blockchain nodes are set up, and routing and forwarding are performed according to the connection requirements of the cross-chain request and the routing table in the router blockchain. The routing information in the router blockchain is stored in the form of on-chain transactions, so that the cross-chain request can locate, through the stored routing information, the relay chain node that performs cross-chain data conversion and have its data forwarded through that node.
The current centralized cross-domain access control mechanisms forward cross-domain control information uniformly through a third-party server outside the security domain, so the traceability and auditability of the cross-domain information cannot be guaranteed; and the blockchain-based access control systems of the individual security domains cannot exchange data directly across chains because platform consistency has not been negotiated in advance. The relay-chain-based inter-chain interoperation framework is shown in fig. 4 and may consist of the following three parts:
(a) Parallel chains: the parallel chains act as the requester and the receiver of cross-chain operations in the exchange of cross-chain control information and implement the service system of each trust domain. Each parallel chain is an independent blockchain network; in order to link heterogeneous blockchain platforms, a parallel chain can perform self-audit with its on-chain smart contracts and can verify the locally stored relay chain transaction block headers with an SPV-based data verification algorithm, thereby proving the existence and authenticity of the cross-chain request information in the block header and achieving trusted audit between chains. Multiple independent blockchains running in parallel are connected by the relay chain, forming a rope-like structure that strengthens inter-chain interoperability between the blockchains and lets cross-domain applications be realized across chains.
(b) Relay chain: the relay chain is the main chain linking the parallel blockchains. It performs data conversion, parsing and route forwarding on the cross-chain requests sent by nodes on the parallel chains to realize data transmission between chains; at the same time it implicitly records every transaction transmitted by each parallel chain, and each parallel chain client can verify a transaction with SPV against the block header data that the relay chain stores for each attached parallel chain. The architecture is shown in fig. 4. The nodes on the relay chain are divided into three roles, adapter node, routing node and registration node; the roles are not fixed, a node may hold more than one, and the role of a node at a given moment is determined by the smart contracts deployed on it. The adapter node connects the parallel chain and the relay chain, allows transactions to be sent and different types of blockchain protocols and networks to be queried, and can process the cross-chain data format of a heterogeneous blockchain by deploying the data conversion contract (Data Conversion Contract, DCC), for example parsing, storing and converting the cross-chain data primitives sent by Golang-based chaincode in Fabric; the routing node realizes inter-chain route addressing and forwarding, determines its routing node identity through the routing contract (Routing Contract, RC) on the relay chain and maintains the inter-chain routing information on the chain; and the registration node is the relay chain node responsible for registering cross-chain user information, identifying each user through a unified user identifier.
(c) Cross-chain transaction entities: these are mainly the source-chain requester and the target-chain receiver. A cross-chain transaction entity can be any chain among the heterogeneous parallel chains on which the cross-chain smart contracts are deployed, but all cross-chain transaction entities must be guaranteed to share a unified cross-chain identifier.
The design of the inter-domain smart contracts on the relay chain can be described as follows:
(a) Data conversion contract DCC
A blockchain is a closed and independent system, and the blockchain-based application platforms in different security domains know nothing of each other before they are linked by the relay chain, so transactions are incompatible across blockchains. To connect the chains, a specific role must be added as the connecting party so that the two sides can exchange information. The adapter node is responsible for the information exchange between the relay chain and the parallel chains, and the DCC deployed on the adapter node is mainly responsible for converting the cross-chain data, i.e. parsing, modifying and packaging the cross-chain data passed in from the parallel chain. The DCC parses the cross-chain information sent by the parallel chain, converts it and removes redundant parameters such as the block height, keeping only the cross-chain specific parameters such as the subject and object identifiers in the cross-chain access control request. It then packages this specific content into a cross-chain transaction: apart from the routing table information, all operations on the relay chain are performed through cross-chain transactions, and the DCC packages the converted content into a cross-chain data transaction, which can be expressed as:
TX_cross-chain = {SourceChainID, DestinationChainID, Type, Txid, Timestamp, Content}
where SourceChainID is the source chain identifier, DestinationChainID is the target chain identifier, Type is the cross-chain transaction type (an access control type or another transaction type), Txid is the transaction's unique identifier, Timestamp is the timestamp generated for the cross-chain transaction, and Content is the packaged specific content passed in from the parallel chain.
(b) Routing contract RC
A blockchain router may use some blockchain entities or nodes as routers to send requests between the different blockchain networks in the router network; the blockchain acting as a router parses and transmits connection requests according to a communication protocol, thereby maintaining the dynamic communication layout of the blockchain network. In this method the smart contract form is chosen, i.e. route forwarding is performed by a routing contract, which ensures that cross-chain data can locate, through the stored routing information, the adapter node linked to the parallel chain, after which the data is unpacked and forwarded by the adapter node; the router node transmits the routing transaction according to the routing table written into the router blockchain. The routing information is stored in the form of on-chain transactions, as follows:
TX_Routing = {BlockchainID, Pority, Timestamp, AdapterAddr}
where BlockchainID is the identifier of the blockchain application system, Pority is the priority of the route (the highest-priority route is chosen), Timestamp is the time of the latest access to the cross-chain system, and AdapterAddr is the address of the adapter node connected to that blockchain network.
(c) Registration contract RCC
The registration contract uniformly maps the accounts of an entity on each chain to facilitate cross-chain management; a user performs cross-chain identity registration and intra-chain identity mapping by calling the registration function of the RCC contract.
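The three relay-chain contracts just described, applied to steps (b) to (d) of the inter-domain flow, as an added example in Go that is not the patent's own code: the RCC maps unified identities to their home chain, the RC keeps TX_Routing entries and picks the adapter for the object's chain, and the DCC strips the redundant parameters from a C-NAR2 and packages the reconstructed C-NAR3 into a TX_cross-chain. The counter-based Txid, the "access-control" type string, the tie-break on Timestamp and the in-memory state are assumptions of this example.

```go
package main

import (
	"fmt"
	"sort"
)

// CNAR2 is what the request-domain PEP client sends to the ICC after fetching the subject's
// attribute list. BlockHeight stands for the parallel-chain parameters the DCC drops as redundant.
type CNAR2 struct {
	SubjectUID  string            // C-UID_DU
	SubjectAttr map[string]string // AL_DU
	ObjectUID   string            // C-UID_DO
	Action      string            // T_DO
	BlockHeight uint64
}

// CNAR3 is the request reconstructed for the target-domain PEP client.
type CNAR3 struct {
	SourceDomain, TargetDomain string // L_DU, L_DO
	SubjectUID                 string
	SubjectAttr                map[string]string
	ObjectUID, Action          string
}

// CrossChainTx is TX_cross-chain = {SourceChainID, DestinationChainID, Type, Txid, Timestamp, Content}.
type CrossChainTx struct {
	SourceChainID, DestinationChainID, Type, Txid string
	Timestamp                                     int64
	Content                                       CNAR3
}

// RoutingTx is TX_Routing = {BlockchainID, Pority, Timestamp, AdapterAddr}, kept on-chain by the RC.
type RoutingTx struct {
	BlockchainID string
	Pority       int // route priority (field name as spelled in the patent)
	Timestamp    int64
	AdapterAddr  string
}

// Relay holds the on-chain state the three inter-domain contracts work on (constructed stand-in).
type Relay struct {
	identities map[string]string // RCC: unified cross-chain UID -> home chain ID
	routes     []RoutingTx       // RC: routing table stored as transactions
	txCount    int
}

func NewRelay() *Relay { return &Relay{identities: map[string]string{}} }

// Register (RCC): cross-chain identity registration, mapping a unified UID to its home chain.
func (r *Relay) Register(uid, chainID string) { r.identities[uid] = chainID }

// AddRoute (RC): append one routing transaction.
func (r *Relay) AddRoute(rt RoutingTx) { r.routes = append(r.routes, rt) }

// Resolve (RC): route addressing on the object's unified identity. Among the routes for the
// object's home chain the highest-priority entry wins; ties go to the most recently refreshed one.
func (r *Relay) Resolve(objectUID string) (string, RoutingTx, error) {
	chain, ok := r.identities[objectUID]
	if !ok {
		return "", RoutingTx{}, fmt.Errorf("RCC: unknown cross-chain identity %q", objectUID)
	}
	var cands []RoutingTx
	for _, rt := range r.routes {
		if rt.BlockchainID == chain {
			cands = append(cands, rt)
		}
	}
	if len(cands) == 0 {
		return "", RoutingTx{}, fmt.Errorf("RC: no route to chain %q", chain)
	}
	sort.Slice(cands, func(i, j int) bool {
		return cands[i].Pority > cands[j].Pority || (cands[i].Pority == cands[j].Pority && cands[i].Timestamp > cands[j].Timestamp)
	})
	return chain, cands[0], nil
}

// Convert (DCC): drop the redundant parameters, keep the cross-chain specific ones, and package
// them as a cross-chain data transaction whose Content is the reconstructed C-NAR3. The returned
// route tells the router node which adapter the transaction is forwarded to.
func (r *Relay) Convert(req CNAR2, now int64) (CrossChainTx, RoutingTx, error) {
	src, ok := r.identities[req.SubjectUID]
	if !ok {
		return CrossChainTx{}, RoutingTx{}, fmt.Errorf("RCC: unknown subject %q", req.SubjectUID)
	}
	dst, route, err := r.Resolve(req.ObjectUID)
	if err != nil {
		return CrossChainTx{}, RoutingTx{}, err
	}
	r.txCount++ // Txid is a counter here; a real relay would derive it from the transaction content
	tx := CrossChainTx{
		SourceChainID: src, DestinationChainID: dst, Type: "access-control",
		Txid: fmt.Sprintf("cc-%06d", r.txCount), Timestamp: now,
		Content: CNAR3{SourceDomain: src, TargetDomain: dst, SubjectUID: req.SubjectUID,
			SubjectAttr: req.SubjectAttr, ObjectUID: req.ObjectUID, Action: req.Action},
	}
	return tx, route, nil
}
```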
Based on the above contracts, the data conversion algorithm on the relay chain is as shown in Table 2:
Table 2 Relay-chain-based data exchange
The simplified payment verification (SPV) algorithm is used to verify the authenticity of a cross-chain data transaction on the relay chain; the verification process may be designed to comprise the following steps:
first, according to the cross-chain request identifier in the cross-chain data transaction, the relay chain locates the block containing the cross-chain transaction through a bloom filter and returns a hash authentication path according to the block number, where the hash authentication path consists of the hash values of the adjacent leaf nodes of the Merkle subtree containing the cross-chain transaction and the root hash values of the adjacent subtrees;
then, the source chain performs the Merkle proof using the hash authentication path and the stored relay chain block header information, and judges from the proof result whether the cross-chain data transaction really exists on the relay chain.
The relay chain performs data conversion for the attached heterogeneous parallel chains and routes and forwards cross-chain requests, while implicitly recording the submitted cross-chain transactions in the block transaction history of the relay chain; but a heterogeneous chain cannot by itself determine whether the cross-chain transactions it submitted were fully and correctly processed on the relay blockchain, so each parallel chain must verify the authenticity of its submitted cross-chain transactions on the relay chain through a cross-chain transaction verification algorithm. Simplified Payment Verification (SPV) is a data existence verification algorithm based on the Merkle tree structure. In the block body each transaction is attached to a leaf node of the Merkle tree, and a user can complete payment verification of a given transaction while storing only the block header of each block (essentially verifying whether the block containing the transaction is a consensus block). On this basis, the embodiment uses the SPV algorithm to verify the existence and authenticity of transactions stored on the relay chain; the pseudocode of the SPV-based data verification algorithm may be as shown in Table 3 below:
Table 3 SPV-based cross-chain data existence verification algorithm
After sending a cross-chain request the node receives a CCId, and the CCId is stored as a leaf node in the Merkle binary hash tree. The parallel chain first sends the CCId to the relay chain; the relay chain quickly locates the block containing the transaction through a bloom filter and, according to the block number, returns a hash authentication path consisting of the hash values of the adjacent leaf nodes of the subtree containing the transaction and the root hash values of the adjacent subtrees. After the source chain receives the hash authentication path, it performs the Merkle proof against the stored relay chain block header information; if the proof succeeds, the cross-chain transaction exists on the relay chain.
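The SPV verification just described, as an added example in Go that is not the patent's pseudocode: the relay chain builds a Merkle tree over the CCIds of each block and answers a query with the hash authentication path, and the source chain recomputes the root from the CCId and that path and compares it with the block header it stores, so a forged CCId, a tampered path or a wrong header is rejected. The domain-separated SHA-256 hashing, the pairing of an odd trailing node with itself and the plain block scan in place of the bloom filter are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"errors"
)

// ProofStep is one element of the hash authentication path: a sibling hash and its side.
type ProofStep struct {
	Hash []byte
	Left bool // true when the sibling sits to the left of the node being proved
}

// Block is one relay-chain block. Parallel chains store only the header fields (Number,
// MerkleRoot); the leaf list stays on the relay chain.
type Block struct {
	Number     uint64
	MerkleRoot []byte
	leaves     [][]byte // hashed CCIds, one per cross-chain transaction
}

// Domain-separated hashes, so a leaf can never be passed off as an inner node or vice versa.
func leafHash(ccid string) []byte { h := sha256.Sum256([]byte("leaf:" + ccid)); return h[:] }
func nodeHash(l, r []byte) []byte { h := sha256.Sum256(append(append([]byte("node:"), l...), r...)); return h[:] }

// levelUp hashes a level pairwise; an odd trailing node is paired with itself.
func levelUp(level [][]byte) [][]byte {
	var next [][]byte
	for i := 0; i < len(level); i += 2 {
		l, r := level[i], level[i]
		if i+1 < len(level) {
			r = level[i+1]
		}
		next = append(next, nodeHash(l, r))
	}
	return next
}

// Relay is the relay chain: it keeps whole blocks and answers authentication-path queries.
type Relay struct{ Blocks []*Block }

// Append seals a new block over the CCIds it contains and computes the header's Merkle root.
func (r *Relay) Append(num uint64, ccids []string) {
	b := &Block{Number: num}
	for _, id := range ccids {
		b.leaves = append(b.leaves, leafHash(id))
	}
	level := b.leaves
	for len(level) > 1 {
		level = levelUp(level)
	}
	if len(level) == 1 {
		b.MerkleRoot = level[0]
	}
	r.Blocks = append(r.Blocks, b)
}

// AuthPath locates the block holding a CCId and returns its number plus the authentication
// path: the sibling hash at every level from the leaf up to the root. The patent narrows the
// block search with a bloom filter; a plain scan over the blocks is used here.
func (r *Relay) AuthPath(ccid string) (uint64, []ProofStep, error) {
	target := leafHash(ccid)
	for _, b := range r.Blocks {
		idx := -1
		for i, l := range b.leaves {
			if bytes.Equal(l, target) {
				idx = i
			}
		}
		if idx < 0 {
			continue
		}
		var path []ProofStep
		for level := b.leaves; len(level) > 1; level = levelUp(level) {
			sib := idx ^ 1
			if sib >= len(level) {
				sib = idx // odd level: the node was paired with itself
			}
			path = append(path, ProofStep{Hash: level[sib], Left: sib < idx})
			idx /= 2
		}
		return b.Number, path, nil
	}
	return 0, nil, errors.New("CCId not found on the relay chain")
}

// VerifySPV runs on the source chain: recompute the root from the CCId and the path and
// compare it with the relay-chain block header stored locally. Only the header is trusted.
func VerifySPV(storedRoot []byte, ccid string, path []ProofStep) bool {
	cur := leafHash(ccid)
	for _, s := range path {
		if s.Left {
			cur = nodeHash(s.Hash, cur)
		} else {
			cur = nodeHash(cur, s.Hash)
		}
	}
	return bytes.Equal(cur, storedRoot)
}
```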
To address the problem that existing blockchain cross-domain access control schemes cannot meet the inter-domain privacy and scalability requirements of a multi-domain environment, the embodiment of the invention deploys an access control chain implementing the attribute-based access control model in each security domain, delegates both intra-domain and inter-domain access decisions to the access control chain of each domain, supports autonomous authorization within a domain, realizes fine-grained and traceable access control, and forwards and records cross-domain access requests and responses by connecting the heterogeneous access control chains of the security domains through a relay chain; it designs smart contracts supporting cross-domain access control and realizes a trusted cross-domain access control flow without third-party access between domains by introducing an intra-domain policy decision contract, policy management contract, attribute authority contract and trust evaluation contract, together with an inter-domain intermediary contract, into the intra-domain and inter-domain access control flows; and by designing the forwarding smart contracts on the relay chain and the SPV-based cross-chain data existence algorithm it guarantees the auditability and verifiability of cross-chain operations. The method is applicable to cross-domain access control scenarios in a multi-domain environment and can meet the inter-domain privacy and scalability requirements of such an environment.
The relative arrangement of the components and steps, the numerical expressions and the numerical values set forth in these embodiments do not limit the scope of the present invention unless specifically stated otherwise.
In the present specification each embodiment is described in a progressive manner, each embodiment focusing on its differences from the others; identical and similar parts of the embodiments may be referred to across embodiments. Since the system disclosed in the embodiment corresponds to the method disclosed in the embodiment, its description is relatively brief, and the relevant points can be found in the description of the method.
The elements and method steps of the examples described in connection with the embodiments disclosed herein may be embodied in electronic hardware, computer software, or a combination thereof, and the elements and steps of the examples have been generally described in terms of functionality in the foregoing description to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Those of ordinary skill in the art may implement the described functionality using different methods for each particular application, but such implementation is not considered to be beyond the scope of the present invention.
Those of ordinary skill in the art will appreciate that all or a portion of the steps in the above methods may be performed by a program that instructs associated hardware, and that the program may be stored on a computer readable storage medium, such as: read-only memory, magnetic or optical disk, etc. Alternatively, all or part of the steps of the above embodiments may be implemented using one or more integrated circuits, and accordingly, each module/unit in the above embodiments may be implemented in hardware or may be implemented in a software functional module. The present invention is not limited to any specific form of combination of hardware and software.
Finally, it should be noted that: the above examples are only specific embodiments of the present invention, and are not intended to limit the scope of the present invention, but it should be understood by those skilled in the art that the present invention is not limited thereto, and that the present invention is described in detail with reference to the foregoing examples: any person skilled in the art may modify or easily conceive of the technical solution described in the foregoing embodiments, or perform equivalent substitution of some of the technical features, while remaining within the technical scope of the present disclosure; such modifications, changes or substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention, and are intended to be included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. A multi-blockchain-based cross-domain access control method, comprising:
registering, by unregistered users and service providers, their respective attributes in the corresponding service blockchain security domain through the attribute authority, and storing the attributes, the attribute correspondences and the service-provider-defined access control policies on-chain on the access control chain of each security domain by calling an intra-domain smart contract;
deploying the access control chain in each service blockchain security domain to policy enforcement client nodes, each policy enforcement client node linking across domains to the access control chains of the other service blockchain security domains through a relay chain, wherein the access control chain deploys the attribute authority, the policy management point and the policy decision point of the ABAC access control model in the form of intra-domain smart contracts, and the relay chain performs inter-domain data transmission in the form of inter-domain smart contracts;
when a resource requester in the access request domain initiates an intra-domain access request, establishing, by the policy enforcement client node, the data exchange between the resource requester and the resource owner using the access control chain and by calling the intra-domain smart contract; and when a resource requester in the access request domain initiates an inter-domain access request, establishing, by the policy enforcement client node, the data exchange between the request-domain resource requester and the target-domain resource owner using the relay chain and by calling the inter-domain smart contract.
2. The multi-blockchain-based cross-domain access control method of claim 1, wherein the intra-domain smart contract comprises: a policy handling contract function that adds, deletes and updates access control policies; an attribute handling contract function that deletes and updates entity attributes; an access control handling contract function that makes the access control decision by parsing the access request; and an inter-domain data flow handling contract function that handles cross-domain access control requests and responses on behalf of the policy enforcement client nodes within the access domain.
3. The multi-blockchain-based cross-domain access control method of claim 1 or 2, wherein the inter-domain smart contract comprises: a data conversion contract function for cross-chain data conversion, a routing contract function for cross-chain data routing and forwarding, and a registration contract function for cross-chain identity registration and intra-chain identity mapping of access entities.
4. The multi-blockchain-based cross-domain access control method of claim 3, wherein each node in the relay chain determines its own role type through the inter-domain smart contract deployed on it, the role types being adapter node, routing node and registration node, wherein the adapter node performs format conversion on cross-chain data from heterogeneous business-blockchain security domains based on the data conversion contract function, the routing node determines routing node identities and maintains the on-chain cross-chain routing information based on the routing contract function, and the registration node registers and identifies cross-chain user information based on the registration contract function.
5. The multi-blockchain-based cross-domain access control method of claim 1, wherein the policy enforcement client node establishing data exchange between the resource requester and the resource owner using the access control chain and by invoking the intra-domain smart contract comprises:
first, for an original access control request sent by the resource requester as the access control subject, the policy enforcement client node parses the original access control request based on the intra-domain smart contract and queries the control policy relevant to the request via the subject/object attribute list, so as to judge whether the subject and object attributes satisfy that policy and to perform a real-time trust evaluation of the subject and object based on legitimate-user trust management, wherein the original access control request comprises the subject's unique identifier, the object's unique identifier and the action the subject requests on the object, and the attribute list comprises the subject and object attributes, the environment attributes and a trust attribute representing the current trust relationship between subject and object;
then, based on the real-time trust evaluation result, the policy enforcement client node returns the decision to the access object so that the object responds to the access control request.
6. The multi-blockchain-based cross-domain access control method of claim 1, wherein the policy enforcement client node establishing data exchange between the request-domain resource requester and the target-domain resource owner using the relay chain and by invoking the inter-domain smart contract comprises:
first, for an original access control request sent by the resource requester as the access control subject, the policy enforcement client node in the request domain parses the original access control request based on the intra-domain smart contract, obtains the subject attribute list, adjusts the access control request based on that list and sends the adjusted request to the relay chain, wherein the original access control request comprises the request-domain subject's unique identifier, the target-domain object's unique identifier and the action the subject requests on the object;
then, the relay chain parses the access control request and performs routing and addressing of the object based on the inter-domain smart contract so as to locate the target-domain policy enforcement client node, generates a request-domain identifier and a target-domain identifier, reconstructs the access control request from those identifiers and sends the reconstructed request to the target-domain policy enforcement client node;
then, the target-domain policy enforcement client node parses the access control request, obtains the object's attribute information and the trust attribute representing the current cross-domain subject/object trust relationship based on the intra-domain smart contract, matches the access control policy whose conditions those attributes satisfy, and performs a real-time trust evaluation of the subject and object based on legitimate-user trust management;
finally, based on the real-time trust evaluation result, the target-domain policy enforcement client node returns the policy matching result to the access object so that the object responds to the access control request.
7. The multi-blockchain-based cross-domain access control method of claim 6, wherein the relay chain parsing the access control request and routing and addressing the object based on the inter-domain smart contract comprises:
performing data conversion on the access request data coming from the request domain's access control chain by invoking the inter-domain smart contract, routing and forwarding the in-flight cross-chain request, and implicitly recording the block transaction history of the cross-chain data transaction on the relay chain, wherein the data conversion comprises removing redundant parameters, extracting the cross-chain-specific parameters and packaging them into a cross-chain data transaction, the cross-chain-specific parameters comprising the request-domain identifier, the target-domain identifier, the subject identifier, the subject attribute information and the action the subject requests on the object.
8. The multi-blockchain-based cross-domain access control method of claim 7, wherein routing and forwarding the in-flight cross-chain request comprises: setting up router blockchain nodes and forwarding according to the transmission connection requirement of the cross-chain request and the routing table on the router blockchain, wherein the routing information on the router blockchain is stored in the form of on-chain transactions, so that the cross-chain request locates, through the stored routing information, a relay chain node that performs the cross-chain data conversion and is forwarded through that relay chain node.
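The request flow of claims 5 to 8 (intra-domain decision on the local access control chain; cross-domain request adjusted by the request-domain policy enforcement client, stripped to its cross-chain parameters and routed by the relay chain, then decided in the target domain with a trust check), as an added Python illustration that is not part of the patent. The domain names, subjects, objects, attributes, policies and the trust threshold of 0.6 are constructed; the claims do not state how trust is scored, and the object identifier is kept among the cross-chain parameters as an assumption because the target-domain node needs it.

```python
"""Simulation of the claims 5-8 request flow. Added example, not the patent's
own code; all names, attributes, thresholds and redundant fields are assumed."""
from dataclasses import dataclass, field

TRUST_THRESHOLD = 0.6  # assumed; the claims only require a real-time trust check
# Cross-chain-specific parameters of claim 7. object_id is an added assumption:
# the target-domain PEP has to know which object the subject is asking for.
CROSS_CHAIN_PARAMS = ("req_domain", "target_domain", "subject_id",
                      "subject_attrs", "object_id", "action")


@dataclass
class AccessControlChain:
    """Per-domain access control chain (claim 1): attributes, policies, trust, log."""
    domain: str
    subject_attrs: dict = field(default_factory=dict)  # subject id -> attributes
    object_attrs: dict = field(default_factory=dict)   # object id  -> attributes
    policies: list = field(default_factory=list)       # (subj cond, obj cond, action)
    trust: dict = field(default_factory=dict)          # subject id -> trust in [0, 1]
    log: list = field(default_factory=list)            # access behaviour records

    def decide(self, subject_id, subject_attrs, object_id, action):
        """PDP step of claims 5/6: attribute match first, then the trust check."""
        obj = self.object_attrs.get(object_id)
        if obj is None:
            return "deny: unknown object"
        matched = any(
            p_action == action
            and all(subject_attrs.get(k) == v for k, v in s_cond.items())
            and all(obj.get(k) == v for k, v in o_cond.items())
            for s_cond, o_cond, p_action in self.policies)
        if not matched:
            return "deny: no matching policy"
        if self.trust.get(subject_id, 0.0) < TRUST_THRESHOLD:
            return "deny: trust below threshold"
        self.log.append((subject_id, object_id, action))
        return "permit"


class RelayChain:
    """Relay chain of claims 3, 4, 7 and 8: adapter, router and registration roles."""
    def __init__(self):
        self.routing_table = {}  # target domain -> its PEP (on-chain routing txs)
        self.registry = {}       # (domain, local subject id) -> cross-chain identity
        self.tx_history = []     # cross-chain data transactions recorded on chain

    def register_identity(self, domain, subject_id):  # registration role
        self.registry[(domain, subject_id)] = f"{domain}::{subject_id}"

    def adapt(self, request):
        """Adapter role: drop redundant parameters, keep cross-chain parameters."""
        return {k: request[k] for k in CROSS_CHAIN_PARAMS}

    def forward(self, request):
        """Router role: rebuild the request and deliver it to the target PEP."""
        tx = self.adapt(request)
        key = (tx["req_domain"], tx["subject_id"])
        if key not in self.registry:
            return "deny: subject not registered on relay chain"
        target = self.routing_table.get(tx["target_domain"])
        if target is None:
            return "deny: no route to target domain"
        tx["cross_chain_id"] = self.registry[key]
        self.tx_history.append(dict(tx))  # implicit record of the cross-chain tx
        return target.receive_cross_chain(tx)


class PolicyEnforcementClient:
    """Policy enforcement client node (PEP) of claims 5 and 6."""
    def __init__(self, domain, chain, relay):
        self.domain, self.chain, self.relay = domain, chain, relay
        relay.routing_table[domain] = self  # publish the route to this domain

    def request(self, subject_id, object_domain, object_id, action):
        attrs = self.chain.subject_attrs.get(subject_id, {})
        if object_domain == self.domain:  # intra-domain path (claim 5)
            return self.chain.decide(subject_id, attrs, object_id, action)
        adjusted = {"req_domain": self.domain, "target_domain": object_domain,
                    "subject_id": subject_id, "subject_attrs": attrs,
                    "object_id": object_id, "action": action,
                    "client_version": "1.0", "nonce": 42}  # redundant fields
        return self.relay.forward(adjusted)  # inter-domain path (claim 6)

    def receive_cross_chain(self, tx):
        # A foreign subject's trust is keyed by its mapped cross-chain identity.
        return self.chain.decide(tx["cross_chain_id"], tx["subject_attrs"],
                                 tx["object_id"], tx["action"])


def build_demo():
    """Two domains and one relay chain with constructed attributes and policies."""
    relay = RelayChain()
    chain_a = AccessControlChain(
        "domainA",
        subject_attrs={"alice": {"role": "engineer"}, "mallory": {"role": "engineer"}},
        object_attrs={"wiki": {"class": "public"}},
        policies=[({"role": "engineer"}, {"class": "public"}, "read")],
        trust={"alice": 0.9, "mallory": 0.9})
    chain_b = AccessControlChain(
        "domainB", object_attrs={"doc1": {"class": "internal"}},
        policies=[({"role": "engineer"}, {"class": "internal"}, "read")],
        trust={"domainA::alice": 0.8, "domainA::mallory": 0.2})  # cross-domain trust
    pep_a = PolicyEnforcementClient("domainA", chain_a, relay)
    pep_b = PolicyEnforcementClient("domainB", chain_b, relay)
    relay.register_identity("domainA", "alice")
    relay.register_identity("domainA", "mallory")
    return pep_a, pep_b, relay
```

`build_demo()` returns the two enforcement clients and the relay chain. `pep_a.request("alice", "domainB", "doc1", "read")` travels through the relay and returns "permit"; the same request from "mallory" matches the same policy but fails the target domain's trust check, and a request for a domain without a routing-table entry is refused before any policy is consulted. The transaction recorded on the relay chain carries only the cross-chain parameters plus the mapped identity, never the "client_version" and "nonce" fields the adapter strips.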
9. The multi-blockchain-based cross-domain access control method of claim 7, wherein implicitly recording the block transaction history of the cross-chain data transaction on the relay chain further comprises verifying the authenticity of the cross-chain data transaction on the relay chain with a simplified payment verification (SPV) algorithm, the verification process comprising:
first, the relay chain looks up the block containing the cross-chain transaction through a Bloom filter according to the cross-chain request identifier in the cross-chain data transaction, and returns a hash authentication path according to the block number, wherein the hash authentication path consists of the hashes of the sibling leaf nodes in the Merkle subtree containing the cross-chain transaction and the root hashes of the sibling subtrees;
then, the source chain performs the Merkle proof using the hash authentication path and its stored relay-chain block header information, and determines from the proof result whether the cross-chain data transaction genuinely exists on the relay chain.
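The two-step check of claim 9, as an added Python illustration that is not the patent's code: the relay chain builds a Merkle tree over each block's cross-chain transactions and a Bloom filter over their request identifiers, answers a lookup with the block number and the sibling hashes along the path, and the source chain recomputes the root from the leaf and that path and compares it with the block header it already holds. SHA-256 for leaf and node hashes, the leaf layout (request id followed by payload), the Bloom filter size and hash count, and all transactions are assumptions for the example.

```python
"""SPV-style verification of a cross-chain transaction on a relay chain (claim 9).
Added example, not the patent's code; hashing scheme and data are assumed."""
import hashlib


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class BloomFilter:
    """Minimal Bloom filter: k salted SHA-256 hashes over an m-bit integer."""
    def __init__(self, m=256, k=3):
        self.m, self.k, self.bits = m, k, 0

    def _positions(self, item):
        return [int.from_bytes(h(bytes([i]) + item), "big") % self.m
                for i in range(self.k)]

    def add(self, item):
        for p in self._positions(item):
            self.bits |= 1 << p

    def might_contain(self, item):  # False means definitely absent
        return all((self.bits >> p) & 1 for p in self._positions(item))


def merkle_root_and_paths(leaves):
    """Return (root, paths): paths[i] lists (sibling_hash, sibling_is_right) from
    leaf i up to the root. An odd level duplicates its last node, as in Bitcoin."""
    level = list(leaves)
    paths = [[] for _ in leaves]
    index = list(range(len(leaves)))  # leaf number -> position in current level
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        for leaf, pos in enumerate(index):
            sib = pos ^ 1
            paths[leaf].append((level[sib], sib > pos))
            index[leaf] = pos // 2
        level = [h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0], paths


class Block:
    def __init__(self, number, txs):  # txs: list of (request_id, payload) bytes
        self.number, self.txs = number, txs
        self.leaves = [h(rid + payload) for rid, payload in txs]
        self.root, self.paths = merkle_root_and_paths(self.leaves)
        self.bloom = BloomFilter()
        for rid, _ in txs:
            self.bloom.add(rid)


class RelayChain:
    def __init__(self):
        self.blocks = []

    def append_block(self, txs):
        self.blocks.append(Block(len(self.blocks), txs))
        return self.blocks[-1]

    def headers(self):
        """What the source chain stores: block number -> Merkle root."""
        return {b.number: b.root for b in self.blocks}

    def authentication_path(self, request_id):
        """Step 1 of claim 9: Bloom filter skips blocks that cannot hold the id,
        then the exact lookup returns (block number, payload, hash path)."""
        for b in self.blocks:
            if not b.bloom.might_contain(request_id):
                continue
            for i, (rid, payload) in enumerate(b.txs):
                if rid == request_id:
                    return b.number, payload, b.paths[i]
        return None


def spv_verify(headers, block_number, request_id, payload, path):
    """Step 2 of claim 9: the source chain folds the leaf up the path and
    accepts only if the result equals the stored header's Merkle root."""
    cur = h(request_id + payload)
    for sibling, sibling_is_right in path:
        cur = h(cur + sibling) if sibling_is_right else h(sibling + cur)
    return headers.get(block_number) == cur
```

A tampered payload, a path taken from another block, or a header the source chain never stored all make `spv_verify` return False; the Bloom filter only narrows the candidate blocks, so a false positive costs an extra scan but never a wrong answer.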
10. A multi-blockchain-based cross-domain access control system, comprising access control domains, a relay-chain cross-domain system, access control entities and an access control chain, wherein
the access control domains are divided into access control request domains and access control target domains according to their access role, and each access control domain is provided with an access control chain that controls the intra-domain and inter-domain access requests;
the relay-chain cross-domain system connects to the nodes in each domain through relay nodes so as to reach the access control chain in each access control domain;
the access control entities consist of access control subjects, which upload intra-domain entity attributes to the intra-domain access control chain, and access control objects, which upload their custom object access control policies to the intra-domain access control chain;
the access control chain stores the attributes, policies and access behaviour records relating to the access control mechanism of the ABAC access control model in the form of on-chain transactions;
the cross-domain access control system is implemented by the following steps:
first, unregistered users and service providers register their respective attributes with the corresponding business-blockchain security domain through an attribute authority, and the attributes, the attribute mappings and the service provider-defined access control policies are stored on-chain on each security domain's access control chain by invoking an intra-domain smart contract;
the access control chain of each business-blockchain security domain is deployed on policy enforcement client nodes, and the policy enforcement client nodes connect across domains to the access control chains of the other business-blockchain security domains through a relay chain, wherein the access control chain deploys the attribute authority, the policy administration point and the policy decision point of the ABAC access control model in the form of intra-domain smart contracts, and the relay chain performs inter-domain data transmission in the form of inter-domain smart contracts;
when a resource requester in an access request domain initiates an intra-domain access request, the policy enforcement client node establishes data exchange between the resource requester and the resource owner using the access control chain and by invoking the intra-domain smart contract; when a resource requester in an access request domain initiates an inter-domain access request, the policy enforcement client node establishes data exchange between the request-domain resource requester and the target-domain resource owner using the relay chain and by invoking the inter-domain smart contract.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311536545.XA CN117424747A (en) 2023-11-17 2023-11-17 Cross-domain access control method and system based on multi-block chain

Publications (1)

Publication Number Publication Date
CN117424747A true CN117424747A (en) 2024-01-19

Family

ID=89522948

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311536545.XA Pending CN117424747A (en) 2023-11-17 2023-11-17 Cross-domain access control method and system based on multi-block chain

Country Status (1)

Country Link
CN (1) CN117424747A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117708181A (en) * 2024-02-05 2024-03-15 人民法院信息技术服务中心 Heterogeneous data cross-link query method, device, system and equipment for private link
CN117708181B (en) * 2024-02-05 2024-04-30 人民法院信息技术服务中心 Heterogeneous data cross-link query method, device, system and equipment for private link

Similar Documents

Publication Publication Date Title
Liu et al. Fabric-IoT: A blockchain-based access control system in IoT
US11995618B2 (en) Blockchain network interaction controller
CN110147994B (en) Instant execution method of block chain based on homomorphic encryption
JP7019697B2 (en) Dynamic access control on the blockchain
US9667654B2 (en) Policy directed security-centric model driven architecture to secure client and cloud hosted web service enabled processes
CN112005264A (en) Blockchain implementing cross-chain transactions
CN108173850A (en) A kind of identity authorization system and identity identifying method based on block chain intelligence contract
JP7511629B2 (en) A security layer for building blockchain
US20060106748A1 (en) System and method for orchestrating composite web services in constrained data flow environments
CN105359482A (en) System and method for transparently injecting policy in a platform as a service infrastructure
CN111950019A (en) Block chain-based Internet of things access control system and method
CN117424747A (en) Cross-domain access control method and system based on multi-block chain
Pathak et al. TABI: Trust-based ABAC mechanism for edge-IoT using blockchain technology
Cui et al. IoT data management and lineage traceability: A blockchain-based solution
Zeydan et al. Blockchain-Based Service Orchestration for 5G Vertical Industries in Multicloud Environment
Rahman et al. Blockchain-enabled SLA compliance for crowdsourced edge-based network function virtualization
Xi et al. Decentralized access control for secure microservices cooperation with blockchain
Khalil et al. IoT-MAAC: Multiple attribute access control for IoT environments
Nelson Wide-Area Software-Defined Storage
JP4967056B2 (en) Policy determination apparatus, method, and program
JP4967055B2 (en) Information processing system, method and program
CN115225647B (en) Intelligent contract-based safety interaction method between manufacturing industry data evolution entity departments
Kalapaaking et al. Blockchain-Based Access Control for Secure Smart Industry Management Systems
Kirkman et al. Intercloud: a data movement policy DApp for managing trust in the cloud
Lawal et al. Utilizing Policy Machine for Attribute-Based Access Control in Permissioned Blockchain

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination