CN117688586A

CN117688586A - Intelligent access control method and system based on cryptography mechanism

Info

Publication number: CN117688586A
Application number: CN202311705858.3A
Authority: CN
Inventors: 马平; 徐兵; 兰春嘉; 王磊
Original assignee: Shanghai Lingshuzhonghe Information Technology Co ltd
Current assignee: Shanghai Lingshuzhonghe Information Technology Co ltd
Priority date: 2023-12-12
Filing date: 2023-12-12
Publication date: 2024-03-12

Abstract

The application provides an intelligent access control method and system based on a cryptography mechanism, and relates to the technical field of access control, wherein the method comprises the following steps: the method comprises the steps of controlling and partitioning an access space, constructing a multi-attribute access space, obtaining access request information and user information, identifying the access information to determine the attribute of the access space, then matching a password mechanism, carrying out identity verification on the user information, obtaining a verification result, and calling authority data of the access space when the set requirement of the access space is passed. The method mainly solves the problems that classification setting cannot be carried out according to different requirements, attribute encryption management is lacked, and unauthorized access and potential data leakage risks are difficult to effectively prevent. The unique secret key and a plurality of secret keys at other levels are utilized for combined decryption, so that the security of access control can be increased, unauthorized users are prevented from obtaining access rights, and the reliability and the security of the system are improved.

Description

Intelligent access control method and system based on cryptography mechanism

Technical Field

The application relates to the technical field of access control, in particular to an intelligent access control method and system based on a cryptography mechanism.

Background

Access control of data is a very important issue. Many sensitive data, such as personal information, financial information, corporate secrets, etc., require strict control of their access rights to prevent unauthorized access and potential risk of data leakage. In addition, with the rapid development of network and information technology, the variety and quantity of data are increasing, which presents a greater challenge for access control of data. Access management to authorized users is to be achieved. For example, a high-level manager implementing a company can access the data of the whole company, and a common staff can only access the data of the department of the company, but the common staff can access the data of which the high-level is authorized after authorization, so that if the authority management is disordered, an unauthorized user can obtain the access authority, or a user with excessive authority can appear, and the data can be lost or leaked. The cryptography mechanism can provide a strong technical support for the access control of data, and can perform access management on authorized users by utilizing the password management, and simultaneously perform access management on users with preset attributes based on attribute encryption management.

However, in the process of implementing the technical scheme of the invention in the embodiment of the application, the inventor of the application finds that at least the following technical problems exist in the above technology:

the method cannot be classified and set according to different requirements, lacks attribute encryption management, and is difficult to effectively prevent unauthorized access and potential data leakage risks.

Disclosure of Invention

The method mainly solves the problems that classification setting cannot be carried out according to different requirements, attribute encryption management is lacked, and unauthorized access and potential data leakage risks are difficult to effectively prevent.

In view of the foregoing, the present application provides an intelligent access control method and system based on a cryptography mechanism, and in a first aspect, the present application provides an intelligent access control method based on a cryptography mechanism, where the method includes: performing access control partition on the access space to construct a multi-attribute access space, wherein the multi-attribute access space characterizes different access authority mechanisms including authority management, role authorization and private verification; acquiring access request information and access user information; performing access space identification on the access request information, determining access space attributes, and matching a password mechanism based on the access space attributes; setting a forced constraint condition and a forced constraint coefficient of a password mechanism according to the access space attribute and the corresponding password mechanism; configuring a cipher mechanism space based on the forced constraint condition and the forced constraint coefficient of the cipher mechanism, wherein the cipher mechanism space comprises an attribute identification subspace and a decryption execution subspace; identifying and checking the access request information and the access user information through the password mechanism space to obtain a checking result; and when the verification result passes the set requirement of the access space, calling the access space authority data.

In a second aspect, the present application provides a cryptographic mechanism based intelligent access control system, the system comprising: the access space construction module is used for carrying out access control partition on the access space and constructing a multi-attribute access space, wherein the multi-attribute access space characterizes different access authority mechanisms including authority management, role authorization and private verification; the information acquisition module is used for acquiring access request information and access user information; the access space attribute determining module is used for carrying out access space identification on the access request information, determining access space attributes and matching a password mechanism based on the access space attributes; the forced constraint coefficient acquisition module is used for setting forced constraint conditions and forced constraint coefficients of the password mechanism according to the access space attribute and the corresponding password mechanism; the encryption mechanism space configuration module is used for configuring an encryption mechanism space based on a forced constraint condition and a forced constraint coefficient of the encryption mechanism, wherein the encryption mechanism space comprises an attribute identification subspace and a decryption execution subspace; the verification result acquisition module is used for identifying and verifying the access request information and the access user information through the password mechanism space to obtain a verification result; and the access space data calling module is used for calling access space authority data when the verification result passes the set requirement of the access space.

In a third aspect, the present application provides an electronic device comprising: a processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the steps of the method of any one of the first aspects.

One or more technical solutions provided in the present application have at least the following technical effects or advantages:

the application provides an intelligent access control method and system based on a cryptography mechanism, and relates to the technical field of access control, wherein the method comprises the following steps: the method comprises the steps of controlling and partitioning an access space, constructing a multi-attribute access space, obtaining access request information and user information, identifying the access information to determine the attribute of the access space, then matching a password mechanism, carrying out identity verification on the user information, obtaining a verification result, and calling authority data of the access space when the set requirement of the access space is passed.

The method mainly solves the problems that classification setting cannot be carried out according to different requirements, attribute encryption management is lacked, and unauthorized access and potential data leakage risks are difficult to effectively prevent. The unique secret key and a plurality of secret keys at other levels are utilized for combined decryption, so that the security of access control can be increased, unauthorized users are prevented from obtaining access rights, and the reliability and the security of the system are improved.

The foregoing description is merely an overview of the technical solutions of the present application, and may be implemented according to the content of the specification in order to make the technical means of the present application more clearly understood, and in order to make the above-mentioned and other objects, features and advantages of the present application more clearly understood, the following detailed description of the present application will be given.

Drawings

For a clearer description of the technical solutions of the present application or of the prior art, the drawings used in the description of the embodiments or of the prior art will be briefly described below, it being obvious that the drawings in the description below are only exemplary and that other drawings can be obtained, without inventive effort, by a person skilled in the art from the drawings provided.

Fig. 1 is a schematic flow chart of an intelligent access control method based on a cryptography mechanism according to an embodiment of the present application;

FIG. 2 is a schematic flow chart of a method for performing combined decryption by using a plurality of keys of a binding authentication level in an intelligent access control method based on a cryptography mechanism according to an embodiment of the present application;

fig. 3 is a schematic flow chart of a method for setting a key according to authority classification of an access user in the intelligent access control method based on a cryptography mechanism according to the embodiment of the present application;

FIG. 4 is a schematic diagram of a cryptographic mechanism-based intelligent access control system according to an embodiment of the present application;

fig. 5 is a schematic structural diagram of an exemplary electronic device of the present application.

Reference numerals illustrate: the system comprises an access space construction module 10, an information acquisition module 20, an access space attribute determination module 30, a forced constraint coefficient acquisition module 40, a cryptographic mechanism space configuration module 50, a verification result acquisition module 60, an access space data retrieval module 70, an electronic device 300, a memory 301, a processor 302, a communication interface 303 and a bus architecture 304.

Detailed Description

The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are only some, but not all, of the embodiments of the present application. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure.

For a better understanding of the foregoing technical solutions, the following detailed description will be given with reference to the accompanying drawings and specific embodiments of the present invention:

example 1

The intelligent access control method based on the cryptography mechanism as shown in fig. 1 comprises the following steps:

performing access control partition on the access space to construct a multi-attribute access space, wherein the multi-attribute access space characterizes different access authority mechanisms including authority management, role authorization and private verification;

specifically, the access control partition is an effective management method for ensuring the safe access of different users to different resources. Constructing the multi-attribute access space can further refine access control, characterize different access authority mechanisms, including authority management, role authorization, private verification, and the like. The authority management refers to the allocation of corresponding access authorities according to the positions and responsibilities of the users. Under this mechanism, users can only access data and resources within their sphere of responsibility. For example, a company's high-level manager may access data for the entire company, while a common employee may only access data for his or her own department. Role authorization refers to the allocation of corresponding access rights according to the role in which the user is located. Under this mechanism, users can access data and resources related to their roles. For example, on an e-commerce website, a user may obtain different access rights depending on their role (e.g., buyer, seller, administrator, etc.). Private authentication refers to the fact that a user must pass authentication before accessing a resource to ensure that only authorized users can access data and resources. Under this mechanism, the user needs to provide a valid identification (e.g., an identification card, passport, etc.) to gain access. By dividing the access space into different regions and characterizing different access rights mechanisms using the multi-attribute access space, finer access control can be achieved, ensuring that only authorized users can access the corresponding data and resources. This helps to protect the security and integrity of the data, improving the reliability of the system.

Acquiring access request information and access user information;

in particular, in the process of constructing a multi-attribute access space, acquiring access request information and access user information is a key step. Such information may help the system determine the user's access rights and whether to allow access to a particular resource. Acquiring access request information: determining the source of the access request: the system needs to determine from which user or entity the access request is, and what the purpose of the request is. This may be accomplished by examining information of the source of the request, IP address, user agent, etc. Acquiring the requested resource information: the system needs to know which resources are requested, e.g., files, database records, web pages, etc. This may be accomplished by parsing the request URL or request parameters. Acquiring the requested operation information: the system needs to know what the user wishes to perform on the resource, such as read, write, delete, etc. This may be accomplished by examining the method and parameters of the request. Acquiring access user information: verifying the identity of a user: before processing the access request, the system needs to verify the identity of the user, ensuring that it is a legitimate user. This may be accomplished by comparison with a user identity database or other authentication mechanism. Acquiring user attributes: once the identity of the user is verified, the system needs to obtain attribute information related to the user, such as the user's role, department, job level, etc. These attributes may be used to determine the access rights of the user. Acquiring user authorization information: the system also needs to check the authorization information of the user to determine if it has access to the requested resource. This can be achieved by checking configuration information such as the user's role, rights, etc. By obtaining access request information and access user information, the system can comprehensively analyze the information to determine the access rights of the user and whether to allow access to particular resources. This will help to implement a smart access control method based on multi-attribute access space.

Performing access space identification on the access request information, determining access space attributes, and matching a password mechanism based on the access space attributes;

specifically, the access space identification is performed on the access request information, so that the access space where the resource related to the access request is located and the attribute of the space can be determined. Based on the access space attribute matching password mechanism, it may be further determined whether the user has access to the space. Identifying access request information: the received access request information is analyzed, and information related to the access space, such as the location of the resource, the department to which the resource belongs, the access time, and the like, is extracted. Determining access spatial attributes: based on the extracted access request information, some attributes of the access space, such as the geographic location where the resource is located, the organization structure to which the resource belongs, the access time range, etc., can be determined. Matching password mechanism: based on the determined access space attributes, a corresponding cryptographic mechanism may be designed to verify whether the user has access to the space. For example, a geographic location password may be designed based on the geographic location where the resource is located, and only users who know the password may access the resource. Verifying user rights: when a user submits an access request, the system requests the user to input a password matched with the access space attribute according to the identity information and other attributes of the user. The system will verify that the password entered by the user is correct to determine if the user has access to the space. Deciding whether to allow access: based on the identity information of the user and the password authentication result, the system may decide whether to allow the user to access the requested resource. If the user has access, the system will process its request; otherwise, the system refuses the access request and gives out corresponding prompt information. Through the steps, the intelligent access control method based on the access space attribute matching password mechanism can realize finer access control, and ensure that only authorized users can access corresponding resources.

Setting a forced constraint condition and a forced constraint coefficient of a password mechanism according to the access space attribute and the corresponding password mechanism;

specifically, according to the access space attribute and the corresponding password mechanism, a forced constraint condition and a forced constraint coefficient of the password mechanism are set. These mandatory constraints and mandatory constraint coefficients can help the system to better control access behavior, ensuring security and integrity of data. Password length: it is mandatory that the user password be at least 8 bits in length and contain uppercase letters, lowercase letters, numbers and special characters. Such forced constraints may increase the complexity and security of the password. Password expiration time: the user is forced to have to change the code at intervals, for example every 30 days. This reduces the risk of the password being broken. Login failure times limit: the number of login failures of the user is forced to be limited within a period of time, e.g. at most 3 consecutive login failures are allowed. Thus, brute force cracking and malicious attacks can be prevented. Access time limit: it is mandatory to limit the user to access the resources for a certain period of time, e.g. only to access the resources inside the company during working hours. Unauthorized access and abuse can thus be avoided. IP address restriction: it is mandatory to limit users to access resources only from specific IP addresses, e.g. only in corporate internal networks. This can prevent illegal access and attack from the outside. Access rights level: the access authority level of the user to the specific resource is forcefully limited according to the authority, the role or the private verification result of the user, for example, a department manager is only allowed to view the personal information of the department staff. This avoids unauthorized access and abuse. These mandatory constraints and mandatory constraint coefficients can be adjusted and optimized according to specific business needs and security objectives to ensure that the system is capable of achieving a higher level of security and controllability.

Configuring a cipher mechanism space based on the forced constraint condition and the forced constraint coefficient of the cipher mechanism, wherein the cipher mechanism space comprises an attribute identification subspace and a decryption execution subspace;

specifically, in the smart access control method based on the cryptography mechanism, a cryptography mechanism space is configured. According to the forced constraint condition and the forced constraint coefficient of the encryption mechanism, a cipher mechanism space can be constructed, wherein the cipher mechanism space comprises an attribute identification subspace and a decryption execution subspace. The attribute identification subspace is a subspace for identifying access request information and access user information. It can identify access requests and access user attributes based on access request attributes such as requested resources, requested time, requested source, etc., and access user attributes such as user name, password, belonging role, etc. By the identification of the attribute identification subspace, the attribute of the access request and the access user can be determined, so that the basis is provided for subsequent decryption execution. The decryption execution subspace is a subspace for executing decryption operations. The method can select a corresponding password mechanism to perform decryption operation according to the access request identified by the attribute identification subspace and the attribute of the access user. In the decryption execution subspace, a variety of cryptographic mechanisms may be implemented, such as a key-based decryption mechanism, a public key-based decryption mechanism, etc. The manner and process of decryption execution may also vary according to different cryptographic mechanisms. By configuring the cipher mechanism space, more flexible and efficient access control can be realized based on the forced constraint condition and the forced constraint coefficient of the cipher mechanism.

Identifying and checking the access request information and the access user information through the password mechanism space to obtain a checking result;

specifically, the access request information and the access user information are identified and verified through the password mechanism space. The system can identify and verify the access request information and the user information according to a preset password mechanism so as to judge whether the access request is legal or not and whether the user identity passes authentication or not. Resource identification verification of access request: the system will check if the access request contains the correct resource identifier, e.g. a file, a data table etc. Verification by resource identification can ensure that the request is directed to the correct resource. Time verification of access request: the system will check whether the access request is presented within the allowed time frame. For example, it may be set that only internal resources of the company are accessed during the working period, to avoid unauthorized access and abuse. Verification of the origin of the access request: the system will verify whether the access request is from a legitimate source. For example, it may be set that only an IP address in the company's internal network is allowed to access the company's internal resources to prevent illegal access and attack from outside. User identity authentication verification: the system will verify whether the identity information provided by the user is legitimate and valid. For example, the user name and password may be checked for a match, or the user identity may be confirmed by other means of authentication. User permission verification: the system will check whether the rights information of the user meets the requirements. For example, it may be verified whether the user has authority to access a specific resource, or whether the authority level of the user is sufficient to perform a specific operation. Through the identification verification operations, the system can obtain verification results, namely whether the access request is legal or not and whether the user identity passes authentication or not. Based on the verification results, the system may further decide whether to allow the user to access a particular resource, or take other appropriate measures to protect the security and integrity of the data. And when the verification result passes the set requirement of the access space, calling the access space authority data. When the verification result passes the set requirement of the access space, the access space authority data can be called to determine which access authorities the user has. The access space rights data is typically related to information about the user's role, position, department, etc. for characterizing the user's access rights to different resources. Acquiring access space authority data: after the verification result passes the set requirement of the access space, the system determines the access right of the user according to the pre-stored access space right data. Such data may be stored in a database, configuration file, or other storage medium. Analyzing the rights data: the system analyzes and analyzes the acquired rights data to determine which access rights the user has. This may include comparing the user's role, position, department, etc. information to match rules and conditions in the rights data. Updating the access control policy: according to the analysis result, the system can update the access control strategy to add or modify the corresponding access rights for the user. This may be accomplished by updating database records, modifying configuration files, or otherwise. Processing an access request: and processing the access request of the user by the system according to the updated access control strategy. If the user has access rights, the system responds to the request and provides corresponding data or services; otherwise, the system refuses the access request and gives out corresponding prompt information. By retrieving access space rights data and updating the access control policy, the system can dynamically determine the access rights of the user, enabling more flexible and dynamic access control.

Further, the method of the present application performs identification verification on the access request information and the access user information through the cryptographic mechanism space, and includes:

performing access target attribute identification on the access request information through an attribute identification subspace to acquire request access space attributes;

user identity recognition is carried out according to the access user information, and a user role is determined;

and matching the forced constraint condition of the user roles by utilizing the decryption execution subspace, and identifying the verification result according to the matched forced constraint coefficient.

Specifically, first, access target attribute identification is performed on access request information through an attribute identification subspace, and an attribute of a request access space is acquired. Including identifying information of the resource type, resource location, resource identifier, etc. of the access request to determine the attributes of the target resource for which the request is directed. And then, carrying out user identity recognition according to the access user information, and determining the user role. Including verifying user-supplied identity information, such as a user name and password, or confirming the user's identity by other means of identity verification. Meanwhile, the roles of the users, such as an administrator, a general user, etc., may be determined so as to perform different access controls for different roles. And then, carrying out forced constraint condition matching on the user roles by utilizing the decryption execution subspace, and carrying out verification result identification according to the matched forced constraint coefficients. The method comprises the steps of comparing preset mandatory constraint conditions with attributes of user roles, and determining whether the user meets the condition of the access request according to a matching result. Meanwhile, according to the size of the forced constraint coefficient, the priority or weight of the user role under the condition of meeting the condition can be judged. Finally, according to the identification verification result, whether the access request is legal or not and whether the user identity passes authentication or not can be judged. Based on the verification results, the system may further decide whether to allow the user to access a particular resource, or take other appropriate measures to protect the security and integrity of the data. The intelligent access control method based on the cryptography mechanism is realized, and only legal users can access specific resources through identification verification of access request information and user information, so that the safety and the integrity of data are improved.

Further, as shown in fig. 2, the method of the present application, based on the access space attribute matching cryptographic mechanism, includes:

when the access space attribute is authority management, determining an authority management level;

setting a single-verification authority user based on the authority management hierarchy, wherein the single-verification authority user is used as the top layer of the authority management hierarchy;

setting all authority management levels except the top-level user to be binding verification levels, wherein a binding mechanism of the binding verification levels is set by the independent authority user;

and when the access user is a single-verification authority user, directly decrypting by using the single-verification key, and when the access user is other hierarchy users, determining a binding verification hierarchy according to the binding mechanism, and performing combined decryption by using a plurality of keys of the binding verification hierarchy, wherein the users of different hierarchies correspond to different forced constraint conditions and forced constraint coefficients.

Specifically, when the access space attribute is authority management, determining an authority management level, wherein the single-verification authority user is the top user of the authority management level and has the highest authority level. These users may set a binding authentication level, which is a set of keys associated with each authority management level. When the access user is a single-verification authority user, they can directly decrypt the access request using the single-verification key. However, when the accessing user is a user of other authority management hierarchy, the system determines a binding verification hierarchy according to the binding mechanism and uses multiple keys of the hierarchy for combined decryption. The access control method based on the authority management can realize fine access control, and ensure that only users with specific positions and responsibilities can access corresponding resources. By setting the independent authority user and the binding verification level, the access control strategy can be flexibly adjusted to meet the continuously changing business requirements. Meanwhile, the unique secret key and a plurality of secret keys at other levels are utilized for combined decryption, so that the security of access control can be increased, and unauthorized users are prevented from obtaining access rights.

Further, the method of the present application, based on the access space attribute matching cryptographic mechanism, further includes:

when the access space attribute is role authorization, setting a multi-authority role, wherein each authority role corresponds to an access data category;

when the access user has a multi-authority role, setting constraint conditions and constraint coefficients of the role;

and adding the constraint condition of the role into a decryption mechanism of the access rights of the multi-rights role.

Specifically, first, multiple authority roles are set, each corresponding to one access data category. This means that each role has a specific access right to access the data class associated with it. When the access user has a plurality of roles, a role constraint condition is set. These constraints define interrelationships and limitations between the different roles to ensure proper allocation of access rights. The constraints include constraints on certain roles accessing certain data accesses at certain times or places, or only a limited amount of data can be accessed at the same time, constraints between roles. Exemplary if roles are divided into a supervisor, an administrator, an employee, and a serviceman, the employee can only be accessed during the work in the company, the supervisor can be accessed at any time, the administrator can apply to the supervisor if not during the work but during the work, the serviceman can be accessed at any time if it is passed, during the serviceman access, none of the supervisor is removed, an employee a and a serviceman B, B are present in the access, a is not accessed during the work and within the company, if the user has multiple roles at the same time, multiple constraints such as time constraints, location constraints may need to be satisfied, and if there is an administrator C and a serviceman is side by side, then the person C may be accessed at any time. By setting role constraints, security and flexibility of access control can be increased. Next, role constraints are added to the decryption mechanism of the access rights of the multi-rights role. This means that the system will take into account not only the role and rights of the user, but also the role constraints when decrypting the access request. The system decrypts and responds to the access request only if the user's role and rights are satisfactory and the role constraints are met. By setting the multi-authority roles and the role constraint conditions, the access control strategy can be flexibly defined so as to meet specific service requirements. The access control method based on role authorization can help a system administrator manage access rights according to different roles and constraint conditions, and ensure the safety and the integrity of data. Through the steps, the access control method based on role authorization can be realized, so that only users with correct roles and meeting constraint conditions can access corresponding data, and the safety and the integrity of the data are improved.

Further, as shown in fig. 3, the method of the present application, based on the access space attribute matching cryptographic mechanism, further includes:

when the access space attribute is private verification, carrying out data grade partition on private data, and setting a password mechanism for each data grade partition;

setting an access user list, carrying out authority classification on the access user list, and establishing a mapping relation between an access user and a data grade partition;

and setting a key according to the authority classification of the access user based on the mapping relation between the access user and the data grade partition.

Specifically, first, data-level division is performed on private data, and a cryptographic mechanism is set for each division. This means that data is divided into different levels according to its sensitivity and importance, and a specific cryptographic mechanism is set for each level. Next, access to the list of users is set and the list is authority-classified. This means that users are divided into different permission levels, each level corresponding to a different access permission, depending on their identity and trust. Then, a mapping relation between the access user and the data grade partition is established. This means that each user is assigned access rights to one or more data level partitions, ensuring that the user can only access data within his scope of rights. And finally, setting a key according to the authority classification of the access user based on the mapping relation between the access user and the data level partition. This means that each user and the data level partition he accesses is assigned a unique key, and the user needs to provide the correct key to verify his identity and rights when accessing the data. Through the steps, fine control and protection of private data can be realized. Only authenticated users with the correct keys can access the data within the authority range, and confidentiality and integrity of the data are ensured.

Further, in the method of the present application, the setting a cryptographic mechanism for each data class partition includes:

setting a cooperative trust channel of the access user based on the private verification attribute;

acquiring a dynamic verification receiving channel according to access request information of an access user;

respectively sending dynamic verification codes to the access user cooperative trust channel and the dynamic verification receiving channel;

and carrying out joint password verification by utilizing the access user cooperative trust channel and the dynamic verification receiving channel.

Specifically, first, based on the private authentication attribute, an access user cooperative trust channel is set. The collaborative trust channel is a way to establish trust relationships between users, through which users can collaborate together to complete access authentication. Next, a dynamic authentication receiving channel is acquired according to access request information of the access user. The dynamic authentication receiving channel is a receiving channel associated with the access request for receiving the dynamic authentication code from the user. And then, respectively sending dynamic verification codes to the access user cooperative trust channel and the dynamic verification receiving channel. The dynamic verification code is a random, disposable verification code used to verify the identity and authorization of the user. And finally, carrying out joint password verification by utilizing the access user cooperative trust channel and the dynamic verification receiving channel. Joint password authentication is an authentication method combining a user password and other authentication modes (such as dynamic authentication codes) so as to improve the security and the accuracy of authentication. Through the above steps, a safer and more flexible access control to private data can be achieved. By utilizing the cooperative trust channel and the dynamic verification receiving channel, the complexity and the security of the access process can be increased, and unauthorized users can be prevented from accessing private data.

Further, the method of the present application further comprises:

based on the password mechanism corresponding to the multi-attribute access space, carrying out analysis on an operation space, speed and computational power, and determining the operation characteristics of the password mechanism;

connecting a cloud computing platform to acquire computing equipment information;

performing operation characteristic analysis on the operation equipment information, and performing matching analysis by using the operation characteristics of the operation equipment and the operation characteristics of the password mechanism to determine a cloud node-access space attribute corresponding relation;

and based on the Yun Jiedian-access space attribute corresponding relation, cloud node distribution is carried out according to the matching password mechanism, and a task unloading instruction is generated.

Specifically, first, based on the cryptographic mechanism corresponding to the multi-attribute access space, the operation space, the speed and the computational power are analyzed to determine the operation characteristics of the cryptographic mechanism. These features may include the complexity of the algorithm, the speed of encryption and decryption, the computational resources occupied, etc. Next, the cloud computing platform is connected to acquire computing device information. Such information may include the model number of the device, performance metrics, available resources, etc. Then, the acquired operation device information is subjected to operation feature analysis. This includes evaluating computing power, memory and storage space, etc. of the device to determine operational characteristics of the device. And then, matching analysis is carried out by utilizing the operation characteristics of the operation device and the operation characteristics of the password mechanism. By comparing the performance metrics of the devices to the requirements of the cryptographic mechanism, it is possible to determine which devices are suitable to perform a particular task. And based on the Yun Jiedian-access space attribute corresponding relation, cloud node distribution is carried out according to a matched password mechanism. This may include assigning specific tasks to cloud nodes with corresponding performance characteristics to ensure that the tasks can be performed efficiently. And finally, generating a task unloading instruction. These instructions may be instructions on how to offload tasks to cloud nodes, how to monitor the execution state of tasks, and so on. Through the steps, the proper cloud node can be selected according to the task demand, the execution efficiency of the task is optimized, and meanwhile, the safety and privacy protection of the data are ensured.

Further, in the method of the present application, the generating a task offloading instruction further includes:

based on the operation equipment information, equipment type clustering is carried out, and equipment similar clusters are determined;

judging whether a plurality of node devices exist according to the cloud node-access space attribute corresponding relation and the device similar clusters;

when the load identification model exists, building the load identification model based on the similar clusters of the equipment, performing model training by using a processing sample set of the node equipment as training data, and obtaining the load identification model when training convergence is completed;

and carrying out load matching on the plurality of node devices according to the load identification model, determining the node devices with the matched loads, and generating the task unloading instruction.

Specifically, first, device type clustering is performed based on computing device information, and device class clusters are determined. This means that similar devices are clustered together to form a cluster. Next, according to the Yun Jiedian-access space attribute corresponding relation and the device similar clusters, whether a plurality of node devices exist is judged. If there are a plurality of node devices, the next process is performed. When a plurality of node devices exist, a load identification model is built based on the similar clusters of the devices. This requires model training using the processed sample set of node devices as training data. Through the training process, the model will learn the load characteristics and differences between different devices. And after the training convergence is completed, obtaining a load identification model. The model may be used to predict the loading conditions of different node devices. And then, carrying out load matching on the plurality of node devices according to the load identification model. This includes analyzing the load condition of each node and selecting the node device most suitable for performing a particular task based on the model predictions. And finally, determining the node equipment with matched loads, and generating a task unloading instruction. These instructions instruct how to offload tasks to selected node devices while monitoring the execution status of the tasks. Through the steps, the proper node equipment can be selected to execute the task according to the performance characteristics and the load condition of the equipment, the execution efficiency of the task is optimized, and meanwhile, the safety and the privacy protection of the data are ensured.

Example two

Based on the same inventive concept as the smart access control method based on the cryptography mechanism of the foregoing embodiment, as shown in fig. 4, the present application provides a smart access control system based on the cryptography mechanism, the system comprising:

the access space construction module 10 is used for carrying out access control partition on the access space and constructing a multi-attribute access space, wherein the multi-attribute access space characterizes different access authority mechanisms including authority management, role authorization and private verification;

an information acquisition module 20, where the information acquisition module 20 is configured to acquire access request information and access user information;

an access space attribute determining module 30, where the access space attribute determining module 30 is configured to identify an access space for access request information, determine an access space attribute, and match a cryptographic mechanism based on the access space attribute;

the mandatory constraint coefficient acquisition module 40 is configured to set mandatory constraint conditions and mandatory constraint coefficients of a password mechanism according to the access space attribute and a corresponding password mechanism by the mandatory constraint coefficient acquisition module 40;

the cryptographic mechanism space configuration module 50 configures a cryptographic mechanism space based on a forced constraint condition and a forced constraint coefficient of the cryptographic mechanism, wherein the cryptographic mechanism space comprises an attribute identification subspace and a decryption execution subspace;

The verification result obtaining module 60, where the verification result obtaining module 60 is configured to identify and verify the access request information and the access user information through the cryptographic mechanism space, so as to obtain a verification result;

and the access space data calling module 70 is used for calling access space authority data when the verification result passes the set requirement of the access space.

Further, the system further comprises:

the verification result identification module is used for carrying out access target attribute identification on the access request information through an attribute identification subspace, and acquiring request access space attributes; user identity recognition is carried out according to the access user information, and a user role is determined; and matching the forced constraint condition of the user roles by utilizing the decryption execution subspace, and identifying the verification result according to the matched forced constraint coefficient. Further, the system further comprises:

the combined decryption module is used for determining an authority management level when the access space attribute is authority management; setting a single-verification authority user based on the authority management hierarchy, wherein the single-verification authority user is used as the top layer of the authority management hierarchy; setting all authority management levels except the top-level user to be binding verification levels, wherein a binding mechanism of the binding verification levels is set by the independent authority user; and when the access user is a single-verification authority user, directly decrypting by using the single-verification key, and when the access user is other hierarchy users, determining a binding verification hierarchy according to the binding mechanism, and performing combined decryption by using a plurality of keys of the binding verification hierarchy, wherein the users of different hierarchies correspond to different forced constraint conditions and forced constraint coefficients.

Further, the system further comprises:

the constraint condition setting module is used for setting multiple authority roles when the access space attribute is role authorization, and each authority role corresponds to one access data category; setting role constraint conditions when the access user has a multi-authority role; and adding the role constraint condition into a decryption mechanism of access rights of the multi-rights role.

Further, the system further comprises:

the key setting module is used for carrying out data grade partition on private data when the access space attribute is private verification, and setting a password mechanism for each data grade partition; setting an access user list, carrying out authority classification on the access user list, and establishing a mapping relation between an access user and a data grade partition; and setting a key according to the authority classification of the access user based on the mapping relation between the access user and the data grade partition.

Further, the system further comprises:

the joint password verification module is used for setting a user collaborative trust channel based on private verification attributes; acquiring a dynamic verification receiving channel according to access request information of an access user; respectively sending dynamic verification codes to the access user cooperative trust channel and the dynamic verification receiving channel; and carrying out joint password verification by utilizing the access user cooperative trust channel and the dynamic verification receiving channel.

Further, the system further comprises:

the task unloading instruction generation module is used for analyzing the operation space, the speed and the computational power based on the password mechanism corresponding to the multi-attribute access space and determining the operation characteristics of the password mechanism; connecting a cloud computing platform to acquire computing equipment information; performing operation characteristic analysis on the operation equipment information, and performing matching analysis by using the operation characteristics of the operation equipment and the operation characteristics of the password mechanism to determine a cloud node-access space attribute corresponding relation; and based on the Yun Jiedian-access space attribute corresponding relation, cloud node distribution is carried out according to the matching password mechanism, and a task unloading instruction is generated.

Further, the system further comprises:

the node equipment determining module for load matching is used for carrying out equipment type clustering based on the operation equipment information to determine equipment similar clusters; judging whether a plurality of node devices exist according to the cloud node-access space attribute corresponding relation and the device similar clusters; when the load identification model exists, building the load identification model based on the similar clusters of the equipment, performing model training by using a processing sample set of the node equipment as training data, and obtaining the load identification model when training convergence is completed; and carrying out load matching on the plurality of node devices according to the load identification model, determining the node devices with the matched loads, and generating the task unloading instruction.

Exemplary electronic device

The electronic device of the present application is described below with reference to fig. 5:

the electronic device 300 includes: a processor 302, a communication interface 303, a memory 301. Optionally, the electronic device 300 may also include a bus architecture 304. Wherein the communication interface 303, the processor 302 and the memory 301 may be interconnected by a bus architecture 304; the bus architecture 304 may be a peripheral component interconnect (peripheral component interconnect, PCI) bus, or an extended industry standard architecture (extended industry Standard architecture, EISA) bus, among others. The bus architecture 304 may be divided into address buses, data buses, control buses, and the like. For ease of illustration, only one thick line is shown in fig. 5, but not only one bus or one type of bus.

Processor 302 may be a CPU, microprocessor, ASIC, or one or more integrated circuits for controlling the execution of the programs of the present application.

The communication interface 303 uses any transceiver-like means for communicating with other devices or communication networks, such as ethernet, radio access network (radio access network, RAN), wireless local area network (wireless local areanetworks, WLAN), wired access network, etc.

The memory 301 may be, but is not limited to, ROM or other type of static storage device that may store static information and instructions, RAM or other type of dynamic storage device that may store information and instructions, or may be an electrically erasable programmable read-only memory (EEPROM), compact-only-memory (CD-ROM) or other optical disk storage, optical disk storage (including compact disk, laser disk, optical disk, digital versatile disk, blu-ray disk, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. The memory may be self-contained and coupled to the processor through bus architecture 304. The memory may also be integrated with the processor.

The memory 301 is used for storing computer-executable instructions for executing the embodiments of the present application, and is controlled by the processor 302 to execute the instructions. The processor 302 is configured to execute computer-executable instructions stored in the memory 301, thereby implementing a group control management method for a sewing machine provided in the foregoing embodiments of the present application.

Through the foregoing detailed description of the smart access control method based on the cryptography, those skilled in the art can clearly understand the smart access control system based on the cryptography in this embodiment, and for the system disclosed in the embodiment, since the system corresponds to the device disclosed in the embodiment, the description is relatively simple, and relevant places refer to the description of the method section.

The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims

1. The intelligent access control method based on the cryptography mechanism is characterized by comprising the following steps:

Acquiring access request information and access user information;

and when the verification result passes the set requirement of the access space, calling the access space authority data.

2. The method of claim 1, wherein identifying and verifying the access request information, the access user information, through the cryptographic mechanism space comprises:

3. The method of claim 1, wherein matching a cryptographic mechanism based on the access spatial attribute comprises:

4. The method of claim 1, wherein matching a cryptographic mechanism based on the access spatial attribute, further comprises:

5. The method of claim 1, wherein matching a cryptographic mechanism based on the access spatial attribute, further comprises:

6. The method of claim 5, wherein setting a cryptographic mechanism for each data level partition comprises:

7. The method as recited in claim 1, further comprising:

8. The method of claim 7, wherein generating a task offload instruction further comprises:

9. An intelligent access control system based on cryptography mechanism, comprising:

the access space construction module is used for carrying out access control partition on the access space and constructing a multi-attribute access space, wherein the multi-attribute access space characterizes different access authority mechanisms including authority management, role authorization and private verification;

the information acquisition module is used for acquiring access request information and access user information;

the access space attribute determining module is used for carrying out access space identification on the access request information, determining access space attributes and matching a password mechanism based on the access space attributes; the forced constraint coefficient acquisition module is used for setting forced constraint conditions and forced constraint coefficients of the password mechanism according to the access space attribute and the corresponding password mechanism;

The encryption mechanism space configuration module is used for configuring an encryption mechanism space based on a forced constraint condition and a forced constraint coefficient of the encryption mechanism, wherein the encryption mechanism space comprises an attribute identification subspace and a decryption execution subspace;

the verification result acquisition module is used for identifying and verifying the access request information and the access user information through the password mechanism space to obtain a verification result;

and the access space data calling module is used for calling access space authority data when the verification result passes the set requirement of the access space.

10. An electronic device, the electronic device comprising:

at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the method of any one of claims 1-8.