CN117914601A - Multistage safety authentication and access control system of file robot - Google Patents


Publication number
CN117914601A
Authority
CN
China
Prior art keywords
security
authentication
access control
control system
password
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202410090424.5A
Other languages
Chinese (zh)
Inventor
李燕强
齐少华
马国伟
张泽宇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hebei Indoor Technology Co ltd
Original Assignee
Hebei Indoor Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention belongs to the technical field of archival data processing, and in particular relates to a multistage security authentication and access control system of an archival robot, which comprises a security authentication system and an access control system; the security authentication system comprises identity authentication and certificate authentication; the identity authentication comprises a password and a digital signature, and is completed by combining the two; the certificate authentication comprises a USB KEY, in which the user's private key and digital certificate are stored; the identity authentication and access control system adopts a two-factor authentication mode that combines a password with the USB KEY (software and hardware), together with a one-time password; for the USB KEY to work normally, the user must enter the correct USB KEY password; therefore, if the password is lost, authentication cannot be passed without the USB KEY, and if the USB KEY is lost, authentication cannot be performed without the password; a multi-stage authentication mode is thereby realized, and combining the password and the USB KEY in two-factor authentication effectively improves the security level of the identity authentication system.

Description

Multistage safety authentication and access control system of file robot
Technical Field
The invention belongs to the technical field of archival data processing, and particularly relates to a multistage security authentication and access control system of an archival robot.
Background
Many documents within a company, such as sales contracts, purchase orders, vendor agreements, financial statements and other important documents, can be managed by a document management robot; the archive robot manages archives over a network; company personnel must authenticate over the network before querying, retrieving or otherwise operating on files through the file robot; as network applications have become widespread, network security incidents occur from time to time, and strengthening network security is urgent.
Network authentication technology is one of the important components of network security technology. Authentication refers to a process of verifying whether an authenticated object is authentic and valid. The basic idea is to verify whether the authenticated object is truly valid or not by verifying the attribute of the authenticated object. The attribute of the authenticated object may be a password, a digital signature, or a physiological feature such as a fingerprint, sound, retina, etc. Authentication is often used to mutually confirm identity between two parties to a communication to ensure security of the communication.
Access control is also an essential part of network security technology; it gives the data transmitted during access confidentiality and integrity, and prevents the data from being stolen or tampered with.
However, conventional network applications have security weaknesses in authentication and transmission, as follows:
There is no effective authentication mechanism. Traditional identity authentication uses a user name plus password. This approach has the following weaknesses: a simple password is easy to guess, while a complex one is hard to remember and easy to lose; and the more applications or clients a user accesses, the more passwords there are and the harder they are to manage;
There is no effective transport security mechanism for access: most network applications currently use the TCP protocol, which has no data protection mechanism in network transmission, so data is easily tampered with and stolen during access.
Disclosure of Invention
In order to make up for the deficiencies of the prior art and solve the above technical problems, the invention provides a multistage security authentication and access control system of a file robot.
The technical scheme adopted for solving the technical problems is as follows: the invention provides a multistage safety authentication and access control system of a file robot, which comprises a safety authentication system and an access control system;
the security authentication system comprises identity authentication and certificate authentication; the identity authentication comprises a password and a digital signature, and the identity authentication is completed by combining the password and the digital signature; the certificate authentication comprises a USB KEY, and a user private KEY and a digital certificate are stored in the USB KEY;
the security authentication system further comprises a security authentication gateway for issuing a token for accessing the application system to the authenticated user, and for each access request of the user, the proxy service will authenticate the access token of the user based on Kerberos protocol to determine the legal identity of the user;
The access control system comprises a mandatory access control module based on a multi-level security authentication means.
Preferably, the security authentication system further comprises a two-factor authentication mode, and the two-factor authentication mode is one-time pad.
Preferably, the access control system further includes a management platform and a middleware module;
the management platform: grades the users and files in a distributed information system; ensures secure information interaction of access requests/responses by adopting public key cryptography; and records the historical access information of users for future security audit;
Middleware module: the information interaction interface between the distributed information system and the management platform, which completes the secure interaction of information between the two by means of information encryption and decryption, identity authentication and password verification.
Preferably, the access control system is based on the mandatory access control module, and the management platform and the middleware module are added to form a multi-level security policy model; the basic elements of the model include:
Subject: refers to the user, represented by S, as shown in formula (1);
S={s1, s2, ..., sn} (1);
Object: refers to files, data and files, and is expressed by O as shown in a formula (2);
O={o1,o2, ...,on} (2);
Security level: is a gradient security mark of a subject and an object, and comprises a subject, an object security level and a category set; the security level of the subject and the object represents the sensitivity degree of the security of the subject and the object, and is represented by C, as shown in a formula (3);
C={c1, c2, ..., cn} (3);
The category set represents a set of departments or categories in an organization, represented by K, as shown in formula (4);
K={k1,k2, ...,kn} (4);
All subjects and objects in the system are distributed with a security level and category set, which is expressed by F, as shown in a formula (5);
F={CS×CO×KS×KO} (5);
Access control matrix: describing the autonomous authorization state in the system at any moment in a matrix form, wherein the autonomous authorization state is represented by M, and is shown as a formula (6):
Access attribute set: describes the manner in which the subject accesses the object, represented by AS, as shown in formula (7); wherein execute is E (execute), read-only is R (read), append is A (append), and read/write is W (write);
AS={E, R,A,W} (7);
system state: representing all possible system states of the multi-stage security system, represented by V, as shown in formula (8);
V={v1,v2,...,vn} (8);
In the system state, the access attribute authority of the subject S to the object O is represented by b, as shown in the formula (9);
b∈S×O×AS (9);
Multistage safety feature: the multi-level security features define the security of the system state, embody multi-level security policies, including autonomous security, simple security and multi-level security;
The state v= (b, M, F) satisfies autonomous security to Represented by formula (10);
the state v= (b, M, F) satisfies simple security, expressed as x, as shown in formula (11);
The state v= (b, M, F) satisfies multi-level security to Represented by formula (12);
Preferably, the access control system performs authentication in a single sign-on mode, and a protection mechanism is established in the single sign-on mode.
Preferably, the access control system further includes a KDC, and the KDC is used to generate encrypted, time-stamped tickets.
The beneficial effects of the invention are as follows:
1. In the multistage security authentication and access control system of the file robot of the invention, the identity authentication and access control system adopts a two-factor authentication mode that combines a password with the USB KEY (software and hardware), together with a one-time password; for the USB KEY to work normally, the user must enter the correct USB KEY password; therefore, if the password is lost, authentication cannot be passed without the USB KEY, and if the USB KEY is lost, authentication cannot be performed without the password; a multi-stage authentication mode is thereby realized, and combining the password and the USB KEY in two-factor authentication effectively improves the security level of the identity authentication system.
2. In the multistage security authentication and access control system of the file robot of the invention, the mandatory access control system determines the access mode according to the sensitivity labels of the subject and the object; under the "no read up, no write down" security property, data can only flow from low levels to high levels, so that sensitive data does not leak; information interoperation between cross-domain distributed systems can be handled safely and effectively, network information resources are controlled and correctly used by legitimate users, intrusion and deliberate damage by illegitimate users are limited, and the security level of the identity authentication system is further improved.
Drawings
The invention is further described below with reference to the accompanying drawings.
FIG. 1 is a detailed step diagram of the security policy of the access control system of the present invention;
FIG. 2 is a level map of the present invention;
Detailed Description
The following description of the embodiments of the present invention will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are only some, but not all embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Embodiment one:
Many documents within a company, such as sales contracts, purchase orders, vendor agreements, financial statements and other important documents, can be managed by a document management robot; the archive robot manages archives over a network; company personnel must authenticate over the network before querying, retrieving or otherwise operating on files through the file robot; as network applications have become widespread, network security incidents occur from time to time, and strengthening network security is urgent;
the network authentication technology is one of important components of the network security technology; authentication refers to a process of verifying whether an authenticated object is authentic and valid; the basic idea is to achieve the purpose of confirming whether the authenticated object is truly effective by verifying the attribute of the authenticated object; the attribute of the authenticated object may be a password, a digital signature, or a physiological feature such as a fingerprint, sound, retina; authentication is often used to mutually confirm identities of two parties to ensure the security of communications;
access control is also an essential part of network security technology; it gives the data transmitted during access confidentiality and integrity, and prevents the data from being stolen or tampered with;
however, conventional network applications have security weaknesses in authentication and transmission, as follows:
There is no effective authentication mechanism; traditional identity authentication uses a user name plus password; this approach has the following weaknesses: a simple password is easy to guess, while a complex one is hard to remember and easy to lose; and the more applications or clients a user accesses, the more passwords there are and the harder they are to manage;
There is no effective transport security mechanism for access: most network applications currently use TCP (Transmission Control Protocol), which has no data protection mechanism in network transmission, so data is easily tampered with and stolen during access;
in order to effectively solve the problems, the multi-stage security authentication and access control system of the file robot comprises a security authentication system and an access control system;
The security authentication system comprises identity authentication and certificate authentication; the identity authentication comprises a password and a digital signature, and the identity authentication is completed by combining the password and the digital signature; the certificate authentication comprises a USB KEY, and a user private KEY and a digital certificate are stored in the USB KEY;
The security authentication system further comprises a security authentication gateway for issuing a token for accessing the application system to the authenticated user, and for each access request of the user, the proxy service will authenticate the access token of the user based on the Kerberos protocol to determine the legal identity of the user;
the access control system comprises a mandatory access control module based on a multi-stage security authentication means;
The security authentication system also comprises a double-factor authentication mode, and the double-factor authentication mode is one-time pad;
Specifically:
The security authentication system provides each user with a USB KEY; once issued by the CA system, the USB KEY stores a unique certificate identifier that establishes the user's identity; applying certificate authentication avoids the weakness of password-only authentication and enables secure and effective mutual identity authentication between the client and the server; meanwhile, a one-time-pad dynamic negotiation technology is adopted to ensure the confidentiality and integrity of the information transmitted during authentication;
In use, the user runs the authentication client software together with the USB KEY and performs two-way identity authentication with the security authentication gateway using a PKI-based handshake protocol; after authentication passes, the security authentication gateway issues the user a token for accessing the application system; the identity authentication client software intercepts the user's application access requests and accesses application services through the security authentication gateway; for each access request of the user, the proxy service verifies the user's access token based on the Kerberos protocol to determine the legal identity of the user;
the proxy service obtains the service resource being accessed from the user request and the user identity information from the access token, and uses these two elements to perform RBAC access arbitration; if the request passes arbitration, the system accesses the network resource on the user's behalf; otherwise, the system refuses the user's access request; meanwhile, the system can protect the confidentiality and integrity of the data transmitted over the network according to the user's requirements;
the security authentication gateway extracts necessary information from the user access request to form an audit log;
in addition, traditional identity authentication uses a user name plus password; each user's password is set by the user, and only the user knows it; the computer considers the operator a legitimate user as long as the password is entered correctly; in practice, to avoid forgetting their passwords, many users choose easily guessed strings such as birthdays or telephone numbers, or write the password on paper and keep it in a place they believe to be safe, which easily leads to password leakage. Even if the user's password is not leaked, it is static data that must pass through the computer's memory and the network during verification, and the verification information is the same every time, so it is easily intercepted by a Trojan program resident in the computer's memory or by monitoring equipment in the network; therefore, user name plus password is an extremely insecure means of identity authentication;
the identity authentication and access control system adopts a two-factor authentication mode that combines a password with the USB KEY (software and hardware), together with a one-time password; the USB KEY is a hardware device with a USB interface and a built-in single-chip microcomputer or smart card chip; it can store the user's key and digital certificate, and authenticates the user's identity using the cryptographic algorithm built into the USB KEY; for the USB KEY to work normally, the user must enter the correct USB KEY password; therefore, if the password is lost, authentication cannot be passed without the USB KEY, and if the USB KEY is lost, authentication cannot be performed without the password; a multi-stage authentication mode is thereby realized, and combining the password and the USB KEY in two-factor authentication effectively improves the security level of the identity authentication system;
the mandatory access policy assigns an access level to each subject and object, such as the highest secret level, secret level and no secret level, and the levels are ordered T > S > C > U; the following example illustrates the application of mandatory access control rules: a WEB service runs at the "secret level" security level; if the WEB server is attacked, the attacker operates in the target system at the "secret level" security level and cannot access data in the system whose security level is "highest secret level";
And the mandatory access control system decides the access mode according to the sensitivity labels of the subject and the object; the access modes include: read down: a read operation allowed when the subject's security level is higher than that of the object information resource; read up (ru): a read operation allowed when the subject's security level is lower than that of the object information resource; write down: a write operation allowed when the subject's security level is higher than that of the object information resource; write up (wu): a write operation allowed when the subject's security level is lower than that of the object information resource; under the "no read up, no write down" security property, data can only flow from low levels to high levels, so that sensitive data does not leak; information interoperation between cross-domain distributed systems can be handled safely and effectively, network information resources are controlled and correctly used by legitimate users, intrusion and deliberate damage by illegitimate users are limited, and the security level of the identity authentication system is further improved.
Embodiment two:
on the basis of the first embodiment, the access control system further includes a management platform and a middleware module;
the management platform: grades the users and files in a distributed information system; ensures secure information interaction of access requests/responses by adopting public key cryptography; and records the historical access information of users for future security audit;
Middleware module: the information interaction interface between the distributed information system and the management platform, which completes the secure interaction of information between the two by means of information encryption and decryption, identity authentication and password verification;
the access control system is based on the mandatory access control module, and the management platform and the middleware module are added to form a multi-level security policy model; the basic elements of the model include:
Subject: refers to the user, represented by S, as shown in formula (1);
S={s1, s2, ..., sn} (1);
Object: refers to files, data and files, and is expressed by O as shown in a formula (2);
O={o1,o2, ...,on} (2);
Security level: is a gradient security mark of a subject and an object, and comprises a subject, an object security level and a category set; the security level of the subject and the object represents the sensitivity degree of the security of the subject and the object, and is represented by C, as shown in a formula (3);
C={c1, c2, ..., cn} (3);
The category set represents a set of departments or categories in an organization, represented by K, as shown in formula (4);
K={k1,k2, ...,kn} (4);
All subjects and objects in the system are distributed with a security level and category set, which is expressed by F, as shown in a formula (5);
F={CS×CO×KS×KO} (5);
Access control matrix: describing the autonomous authorization state in the system at any moment in a matrix form, wherein the autonomous authorization state is represented by M, and is shown as a formula (6):
Access attribute set: describes the manner in which the subject accesses the object, represented by AS, as shown in formula (7); wherein execute is E (execute), read-only is R (read), append is A (append), and read/write is W (write);
AS={E,R,A,W} (7);
system state: representing all possible system states of the multi-stage security system, represented by V, as shown in formula (8);
V={v1,v2,...,vn} (8);
In the system state, the access attribute authority of the subject S to the object O is represented by b, as shown in the formula (9);
b∈S×O×AS (9);
Multistage safety feature: the multi-level security features define the security of the system state, embody multi-level security policies, including autonomous security, simple security and multi-level security;
The state v= (b, M, F) satisfies autonomous security to Represented by formula (10);
the state v= (b, M, F) satisfies simple security, expressed as x, as shown in formula (11);
The state v= (b, M, F) satisfies multi-level security to Represented by formula (12);
Specifically:
In order to get rid of the constraints of traditional centralized multi-level security management, a management platform module and a middleware module are added; Management platform: an independent, trusted and manageable third party responsible for coordinating the security management work of each cross-domain distributed system; its main functions include: grading the users and files in the distributed information system; ensuring secure information interaction of access requests/responses by adopting public key cryptography; and recording the historical access information of users for future security audit; Middleware module: the information interaction interface that completes the secure interaction of information between the distributed information system and the management platform by means of information encryption and decryption, identity authentication, password verification and the like; through coordination between the two, the scalability and security of multi-level security are improved, and secure information interaction between systems and security management of the information systems are realized;
The participation elements involved in the multilevel security policy are expressed by mathematical symbols, and the Chinese meaning, english meaning and symbol of the specific elements are expressed as follows:
Security policy element representation
The detailed steps of the security policy are shown in fig. 1 of the accompanying drawings, taking as an example user S3 of the Sys1 system in the Distx domain who wants to access file O8 of the Sys1 system in the Disty domain;
Step1, level mapping: through comprehensive evaluation, the management platform re-grades the users and files of the distributed system, here the user S3 and the file O8; the original grades of the users and files are not changed, and the evaluation result is mapped into the level mapping table of the management platform, as shown in fig. 2 of the accompanying drawings;
Step2, subject access request: to access file O8, user S3 initiates the access request s_req(s_distx,s_sys1,s3,s_selv,o_disty,o_sys1,o8,o_selv,op), filling in, in order, the subject's domain, system, user name and user security level, the file name, the access mode and so on; o_selv is left unfilled for now, because S3 does not yet know the security level of O8; the request information is then encrypted with the public keys of the management platform and of the system respectively and sent through the middleware;
Step3, object local query: after the middleware of the Sys1 system in the Disty domain receives the access request of user S3 of the Sys1 system in the Distx domain, it decrypts and authenticates the request information, then looks up O8 in the local file system database by file name to obtain the security level of O8;
Step4, object access request: the file system middleware generates a one-time password and, in reply to req, forms o_res(s_distx,s_sys1,s3,s_selv,o_disty,o_sys1,o8,o_selv,op,pass), filling in the o_selv of file O8 and the newly generated pass; finally, o_res is encrypted with the management platform's public key and sent;
Step5, management platform authorization: the management platform first decrypts the information received in Step2 and Step4 and matches the two (to ensure that they belong to the same request); after a successful match, it uses the level mapping table LML to look up the security levels corresponding to the subject and object information in s_req and o_res, and makes the authorization decision according to the multi-level security model to obtain the permission per;
Step6, the platform authorizes the object: the management platform encrypts the authorization decision with the public key of the distributed file system and returns it; the file system decrypts p_res(s_distx,s_sys1,s3,s_selv,o_disty,o_sys1,o8,o_selv,op,pass,per); if per grants access, the file system opens the password authentication interface of file O8 and sets a 5 min countdown on the user's access (the window closes on timeout); otherwise, the middleware closes the access request; whether or not access succeeds, the access behavior is recorded for later security audit;
Step7, the platform authorizes the subject: the management platform encrypts the authorization result p_res(s_distx,s_sys1,s3,s_selv,o_disty,o_sys1,o8,o_selv,op,pass,per) with the user's public key and returns it; if per grants access, user S3 can access file O8 with the password; otherwise, the middleware closes the access request and records the access behavior for later security audit;
Step8, recording access behavior: likewise, the management platform records every access and, as an independent trusted third party, guarantees the non-repudiation of each subject's access to an object, for later security audit;
Step9, security audit: the auditor, as an independent third party, supervises the history records of the management platform, the file system and the user, and is responsible for security audit so that the relevant units can carry out security checks;
The security and flexibility of cross-domain interoperation of system information are thereby ensured and user access behavior is constrained; the access control system is based on the mandatory access control module, with the management platform and the middleware module added to form a multi-level security policy; by requiring a subject to follow the rules of the secure access control system whenever it tries to access an object, the security of the system is further ensured.
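An added example, not part of the patent text: a Python sketch of the management platform's decision in Step5, applying the "no read up, no write down" rule of embodiment one to levels taken from the level mapping table. The labels, the category name, the `Msg` field layout and the treatment of execute like read are assumptions of this example; message encryption is omitted.

```python
import secrets
from dataclasses import dataclass, replace

RANK = {"U": 0, "C": 1, "S": 2, "T": 3}   # page ordering: T > S > C > U
ACCESS_WINDOW_S = 5 * 60                  # Step6: 5 min access time limit

@dataclass(frozen=True)
class Label:
    level: str                            # security level, an element of C
    categories: frozenset = frozenset()   # category set, a subset of K

def dominates(a, b):
    """a dominates b: level at least as high and categories a superset."""
    return RANK[a.level] >= RANK[b.level] and a.categories >= b.categories

def mac_permits(subject, obj, op):
    """'No read up, no write down' over the access attributes of formula (7)."""
    if op in ("R", "E"):                  # assumption: execute is checked like read
        return dominates(subject, obj)
    if op == "A":                         # append only writes, so only upward
        return dominates(obj, subject)
    if op == "W":                         # read/write needs both directions
        return dominates(subject, obj) and dominates(obj, subject)
    return False

@dataclass(frozen=True)
class Msg:
    """Fields of s_req / o_res / p_res; the last three are filled by later steps."""
    s_dist: str
    s_sys: str
    s: str
    s_selv: str
    o_dist: str
    o_sys: str
    o: str
    op: str
    o_selv: str = ""                      # left empty in s_req (Step2)
    one_time_pass: str = ""               # 'pass' on the page; reserved word in Python
    per: bool = False

def object_response(s_req, local_levels):
    """Steps 3-4: the object's middleware looks up o_selv and adds a one-time password."""
    o_selv = local_levels[(s_req.o_dist, s_req.o_sys, s_req.o)]
    return replace(s_req, o_selv=o_selv, one_time_pass=secrets.token_urlsafe(16))

class ManagementPlatform:
    def __init__(self, lml):
        self.lml = lml                    # level mapping table: (domain, system, name) -> Label
        self.audit = []                   # Step8: every decision is recorded

    def authorize(self, s_req, o_res, now):
        """Step5: match the two messages, then decide on the mapped levels."""
        matched = replace(o_res, o_selv="", one_time_pass="") == s_req
        subj = self.lml.get((s_req.s_dist, s_req.s_sys, s_req.s))
        obj = self.lml.get((s_req.o_dist, s_req.o_sys, s_req.o))
        per = (matched and subj is not None and obj is not None
               and mac_permits(subj, obj, s_req.op))
        self.audit.append((now, s_req.s, s_req.o, s_req.op, matched, per))
        deadline = now + ACCESS_WINDOW_S if per else None
        return replace(o_res, per=per), deadline

# Constructed sample data (not from the patent): mapped levels held by the platform
LML = {
    ("Distx", "Sys1", "s3"): Label("S", frozenset({"finance"})),
    ("Disty", "Sys1", "o8"): Label("C", frozenset({"finance"})),
    ("Disty", "Sys1", "o9"): Label("T", frozenset({"finance"})),
}
# Original grades kept by the object's own file system (also constructed)
LOCAL_LEVELS = {("Disty", "Sys1", "o8"): "C", ("Disty", "Sys1", "o9"): "T"}

def run_flow(platform, obj_name, op, now=0, tamper_op=None):
    """Steps 2-5 for user s3; tamper_op makes o_res disagree with s_req."""
    s_req = Msg("Distx", "Sys1", "s3", "S", "Disty", "Sys1", obj_name, op)
    o_res = object_response(s_req, LOCAL_LEVELS)
    if tamper_op:
        o_res = replace(o_res, op=tamper_op)
    return platform.authorize(s_req, o_res, now)

if __name__ == "__main__":
    mp = ManagementPlatform(LML)
    for obj_name, op in [("o8", "R"), ("o9", "R"), ("o9", "A"), ("o8", "A")]:
        p_res, deadline = run_flow(mp, obj_name, op)
        print(obj_name, op, "granted" if p_res.per else "denied", deadline)
```

The decision uses the platform's mapped labels rather than the `s_selv`/`o_selv` values carried in the messages, and a mismatched `o_res` is denied even when the requested operation would otherwise be allowed.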
Embodiment III:
Based on the second embodiment, the access control system performs identity verification in a single sign-on mode, and establishes a protection mechanism in the single sign-on mode;
The access control system also comprises a KDC, and the KDC is used to generate encrypted, time-stamped tickets;
Specifically: single sign-on is a prior-art technique that makes network access convenient for users; however complex the network structure, the user obtains authorization to access systems and application software with a single authentication at login and can then move freely within the network; the identity authentication and access control system implements "0 development" web single sign-on by means of a password proxy: when starting the client software, the user only needs to enter the USB KEY password to pass the authentication of the identity authentication system, and can thereafter access application systems without entering an application system password; meanwhile, through a login redirect setting, the user is automatically redirected to the post-login page after opening the application home page, which simplifies user operation;
A protection mechanism is also built in, which includes:
Key Distribution Center (KDC): a trusted third party that provides authentication services;
Kerberos authentication server: the authentication server hosts the functions of the KDC;
Ticket granting ticket: a Ticket Granting Ticket (TGT) provides evidence that the subject has authenticated through the KDC;
Ticket: an encrypted message that provides evidence that the subject is authorized to access the object;
Kerberos requires an account database, which is typically contained in a directory service; it uses ticket exchanges between clients, web servers and the KDC to prove identity and provide authentication;
The login process works as follows:
1. A user inputs a user name and a password at a client;
2. The client encrypts the username using AES for transmission to the KDC;
3. The KDC verifies the user name against its database of known credentials;
4. The KDC generates a symmetric key to be used by the client and the Kerberos server, and encrypts it with a hash of the username-password; the KDC also generates an encrypted, time-stamped TGT;
5. The KDC then sends the encrypted symmetric key and the encrypted time-stamped TGT to the client;
6. The client installs the TGT for use until it expires;
7. The client also decrypts the symmetric key using a hash of the username-password.
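Steps 3 to 7 of the login process above, as an added example that is not part of the patent: a KDC wraps a fresh session key under the user's password-derived key and issues an encrypted, time-stamped TGT that it later checks for expiry. The page names only AES and a hash; the GCM mode, SHA-256, the blob and ticket layouts, and all names (`KDC`, `login`, `checkTGT`, `clientSessionKey`, `seal`, `unseal`, `userKey`) are assumptions.

```javascript
const { createHash, createCipheriv, createDecipheriv, randomBytes } = require("crypto");

// The page says "a hash of the username-password"; SHA-256 is assumed here.
// Kerberos AES encryption types (RFC 3962) derive this key with salted PBKDF2.
const userKey = (user, pw) => createHash("sha256").update(`${user}:${pw}`).digest();

// AES-256-GCM; output layout (assumed) is nonce(12) || tag(16) || ciphertext.
function seal(key, plaintext) {
  const nonce = randomBytes(12);
  const c = createCipheriv("aes-256-gcm", key, nonce);
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), body]);
}

// Throws if the key is wrong or the blob was truncated or modified.
function unseal(key, blob) {
  if (blob.length < 28) throw new Error("blob too short");
  const d = createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12), { authTagLength: 16 });
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

class KDC {
  constructor(accounts) {
    this.accounts = accounts;      // Map: username -> userKey() output (constructed data)
    this.tgtKey = randomBytes(32); // known only to the KDC
  }
  // Steps 3-5: check the username, wrap a new session key under the user's
  // key, and issue an encrypted TGT that carries its own expiry time.
  login(user, nowMs, lifetimeMs) {
    if (!this.accounts.has(user)) throw new Error("unknown user");
    const session = randomBytes(32);
    const ticket = { user, expires: nowMs + lifetimeMs, session: session.toString("hex") };
    return {
      wrappedKey: seal(this.accounts.get(user), session),
      tgt: seal(this.tgtKey, Buffer.from(JSON.stringify(ticket))),
    };
  }
  // Later use of the ticket: decrypt it and enforce the time stamp.
  checkTGT(blob, nowMs) {
    const ticket = JSON.parse(unseal(this.tgtKey, blob).toString());
    if (nowMs > ticket.expires) throw new Error("TGT expired");
    return ticket;
  }
}

// Steps 6-7 on the client: the TGT stays an opaque blob; the session key is
// recovered with the key derived from what the user typed.
const clientSessionKey = (user, pw, reply) => unseal(userKey(user, pw), reply.wrappedKey);
```

The client never sees inside the TGT: it holds the session key only because it could unwrap `wrappedKey`, so a wrong password fails at the GCM tag check rather than at the KDC.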
Preventive access control: preventive controls attempt to prevent unwanted or unauthorized activity from occurring; for example: fences, locks, lighting, alarm systems, security policies, security awareness training, CCTV, firewalls, antivirus software, intrusion prevention systems, etc.;
Detective access control: detective controls attempt to discover or detect unwanted or unauthorized activity; for example: delivery probes, job rotation, mandatory vacation policies, audit trails, user supervision and review, and incident investigation;
Corrective access control: corrective controls modify the environment to restore the system to normal after unexpected or unauthorized activity; for example: backup and restore plans.
The foregoing has shown and described the basic principles, principal features and advantages of the invention. It will be understood by those skilled in the art that the present invention is not limited to the embodiments described above, and that the above embodiments and descriptions are merely illustrative of the principles of the present invention, and various changes and modifications may be made without departing from the spirit and scope of the invention, which is defined in the appended claims. The scope of the invention is defined by the appended claims and equivalents thereof.

Claims (6)

1. The multi-stage security authentication and access control system of the file robot comprises a security authentication system and an access control system; the method is characterized in that:
the security authentication system comprises identity authentication and certificate authentication; the identity authentication comprises a password and a digital signature, and the identity authentication is completed by combining the password and the digital signature; the certificate authentication comprises a USB KEY, and a user private KEY and a digital certificate are stored in the USB KEY;
the security authentication system further comprises a security authentication gateway for issuing a token for accessing the application system to the authenticated user, and for each access request of the user, the proxy service will authenticate the access token of the user based on Kerberos protocol to determine the legal identity of the user;
The access control system comprises a mandatory access control module based on a multi-level security authentication means.
2. The archival robot multi-stage security authentication and access control system according to claim 1, wherein: the security authentication system further comprises a two-factor authentication mode, and the two-factor authentication mode is one-time pad.
3. The archival robot multi-stage security authentication and access control system according to claim 1, wherein: a management platform and a middleware module are added to the access control system;
The management platform: grades users and files in a distributed information system; ensures secure information interaction of access requests/responses by adopting public key cryptography; and records historical access information of users for future security audit;
the middleware module: is the information interaction interface between the distributed information system and the management platform, and completes the secure interaction of information between them by means of information encryption and decryption, identity authentication and password verification.
4. A multi-stage security authentication and access control system for archival robots as defined in claim 3, wherein: the access control system is based on a mandatory access control module, and a management platform and a middleware module are added to form a multi-level security policy model; the basic elements of the model include:
Subject: refers to the user, represented by S, as shown in formula (1);
$S=\{s_1, s_2, \ldots, s_n\}$ (1);
Object: refers to files, data and files, represented by O, as shown in formula (2);
$O=\{o_1, o_2, \ldots, o_n\}$ (2);
Security level: a graded security label of a subject or an object, comprising the subject and object security levels and a category set; the security level of a subject or object represents its degree of security sensitivity and is represented by C, as shown in formula (3);
$C=\{c_1, c_2, \ldots, c_n\}$ (3);
The category set represents a set of departments or categories in an organization, represented by K, as shown in formula (4);
$K=\{k_1, k_2, \ldots, k_n\}$ (4);
All subjects and objects in the system are assigned a security level and a category set, represented by F, as shown in formula (5);
$F=\{C_S \times C_O \times K_S \times K_O\}$ (5);
Access control matrix: describing the autonomous authorization state in the system at any moment in a matrix form, wherein the autonomous authorization state is represented by M, and is shown as a formula (6):
Access attribute set: describes the manner in which a subject accesses an object, represented by AS, as shown in formula (7); where execute is E (execute), read-only is R (read), append is A (append), and read/write is W (write);
$AS=\{E, R, A, W\}$ (7);
System state: represents all possible system states of the multi-level security system, represented by V, as shown in formula (8);
$V=\{v_1, v_2, \ldots, v_n\}$ (8);
In a system state, the access attribute authority of the subject S to the object O is represented by b, as shown in formula (9);
$b \in S \times O \times AS$ (9);
Multi-level security features: the multi-level security features define the security of the system state and embody the multi-level security policy, including autonomous security, simple security and multi-level security;
The state v= (b, M, F) satisfies autonomous security to Represented by formula (10);
the state v= (b, M, F) satisfies simple security, expressed as x, as shown in formula (11);
The state v= (b, M, F) satisfies multi-level security to Represented by formula (12);
5. The archival robot multi-stage security authentication and access control system according to claim 4, wherein: the access control system performs identity verification in a single sign-on mode, and a protection mechanism is established in the single sign-on mode.
6. A multi-stage security authentication and access control system for archival robots as defined in claim 3, wherein: the access control system also comprises a KDC, and the KDC is used to generate encrypted, time-stamped tickets.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410090424.5A CN117914601A (en) 2024-01-22 2024-01-22 Multistage safety authentication and access control system of file robot

Publications (1)

Publication Number Publication Date
CN117914601A true CN117914601A (en) 2024-04-19

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination