云计算下可信虚拟群体内访问控制研究

doi:10.3969/j.issn.1000-436x.2013.z1.027

摘要/Abstract

摘要：

针对缺乏适合基于云计算的生产型重要信息系统内部隔离机制的问题，对云计算模式下现有的访问控制技术进行了比较，提出了基于两级密钥管理的访问控制方案。第一级构造了一个基于单项散列函数的访问控制多项式实现了子群体间信息流的隔离，即实现了生产型重要信息系统内部门间的信息隔离；在第一级密钥管理的基础上，提出了子群体间层次密钥管理，实现不同部门间信息流的访问控制。然后对该方案的安全性和复杂度进行了分析。最后，通过实例和仿真实验对基于两级密钥管理的访问控制方案进行了验证。

关键词: 云计算, 密码学访问控制, 密钥管理, 生产型信息系统

Abstract:

There is no appropriate internal isolation mechanism for important production information system based on cloud computing. Here the main access control technologies were compared thoroughly and then two-layer key manage-ment scheme was put forward. In terms of the first layer, access control polynomial based on one-way hash function was constructed to achieve the separation of information flow between subgroups, that is, the information isolation within any department of a company was accomplished. Based on the first layer, a hierarchical key management was presented for different subgroups so as to realize the access control between different departments of a company. Then the security and complexity were analyzed. Finally, through the example and simulation experiment, the access control model based on two-layer key management scheme was verified.

Key words: cloud computing, cryptographic access control, key management, production information system

梁鹏,沈昌祥,宁振虎. 云计算下可信虚拟群体内访问控制研究[J]. 通信学报, 2013, 34(Z1): 207-215.

Peng LIANG,Chang-xiang SHEN,Zhen-hu NING. On access to trusted virtual group under cloud computing[J]. Journal on Communications, 2013, 34(Z1): 207-215.

图/表 5

参考文献 25

[1]	张兴．无干扰可信模型及可信平台体系结构实现研究[D]．解放军信息工程大学， 2009. ZHANG X . Doctoral Dissertation: Researches on Non-Interference Trusted Model and the Implementation of Trusted Computing Platform Architecture[D]. The PLA Information Engineering University, 2009.
[2]	沈昌祥，张焕国，王怀民等．可信计算的研究与发展[J]．中国科学， 2010,40(2):139-166. SHEN C X , ZHANG H G , WANG H M , et al. Research and de-velop-ment on trusted computing[J]. Science China Press, 2010,40(2):139-166.
[3]	GONG B , SHEN C X . Behavior Measurement Model Based on Pre-diction and Control of Trusted Network[C]. China Communications, 2012,9(5):117-128.
[4]	公备．支持可信群体构建的可信网络连接架构及关键技术研究[D]. 北京工业大学， 2012. GONG B . Doctoral Dissertation: Trusted Network Architecture With Support Trusted Group Established and Key Technologies Research[D]. Beijing University of Technology, 2012.
[5]	戴汝为，操龙兵． Internet—一个开放的复杂巨系统[J]．中国科学， 2003,33(4):289-296. DAI R W , CAO L B . Internet—an open complex giant system[J]. Sci-ence in China, 2003,33(4):289-296.
[6]	张文红，陈森发．生态工业系统——一个开放的复杂巨系统[J]．系统仿真学报， 2004,16(3):432-440. ZHANG W H , CHEN S F . Eco-industry—an open giant complex sys-tem[J]. Journal of System Simulation, 2004,16(3):432-440.
[7]	卿斯汉，刘文清．操作系统安全[M]．北京：清华大学出版社， 2004,8. QING S H , LIU W Q . Operating System Security[M]. Beijing, Tsinghua University Press, 2004,8.
[8]	Nat'l Computer Security Center. Trusted network interpretation of the trusted computer system evaluation criteria[A]. NCSC-TG2005[C]. 1987.
[9]	BELL D E , LAPADULA L J . Secure Computer Systems: Mathematical Foundations[R]. The MITRE Corporation, Bedford, Massachussetts, 1973.
[10]	李益发，沈昌祥．一种新的操作系统安全模型[J]．中国科学E辑(信息科学)， 2006,36(4):347-356. LI Y F , SHEN C X . A new security model for operating system[J]. Science in China Ser E Information Sciences, 2006,36(4):347-356.
[11]	周正，刘毅，沈昌祥．一种新的保密性与完整性统一安全策略[J]．计算机工程与应用， 2007,43(34):1-2. ZHOU Z , LIU Y , SHEN C X . A new unified security policies between confidentiality and integrity[J]. Computer Engineering and Ap-plica-tions, 2007,43(34):1-2.
[12]	SANDHU R S , COYNE E J , HAL L , et al. Role-based aeeess control models[J]. IEEE ComPuter, 1996,29 (2):38-47.
[13]	ZAHIR TARI , SHUN-WIJ CHAN A . Role-based access control for intranet security[J]. IEEE Intranet Computing, 1997.24-25.
[14]	FERRAIOLO D F , BARKLEY J F , et al. A role based access control model an reference implementation within a corporate[A]. ACM Transactions on Information and System Security (TISSEC)[C]. 1999.
[15]	HARRINGTON A , et al. Cryptographic access control in a distributed file system[A]. Proceedings of the Eighth ACM Symposium on Access Control Models and Technologies[C]. Como, Italy, 2003.158-165.
[16]	GOYAL V , PANDEY O , SAHAI A , et al. Attribute based encryption for fine-grained access control of encrypted data[A]. Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS '06)[C]. New York, NY, USA: ACM, 2006.89-98.
[17]	BONEH D , BOYEN X , GOH E J . Hierarchical identity based encryption with constant size ciphertext[A]. Advances in Cryptology-EUROCRYPT 2005[C]. Berlin, Heidelberg: Springer-Verlag, 2005.440-456.
[18]	ATTRAPADUNG N , IMAI H . Dual-policy attribute based encryp-tion[A]. Proc of the Applied Cryptography and Network Security[C]. Berlin, Heidelberg, Springer-Verlag, 2009.168-185.
[19]	PARNO B , RAYKOVA M , VAIKUNTANATHAN V . How to delegate and verify in public: verifiable computation from attribute-based en-cryption[A]. TCC 2012[C]. 2012.422-439.
[20]	YAO D F , FAZIO N , DODIS Y , et al. Id-Based encryption for complex hierarchies with applications to forward security and broadcast en-cryption[A]. Proc of the ACM Conf on Computer and Communica-tions Security[C]. New York: ACM Press, 2004.354-363.
[21]	LIN C H . Dynamic key management scheme for access control in a hierarchy[J]. Computer Communications, 1997,20 (15):1381-1385.
[22]	BLUNDO C , SANTIS A D , HERZBERG A , et al. Perfect secure key distribution for dynamic conferences[A]. Advances in Cryptology, CRYPTO'92[C]. Springer, Berlin, 1993.471-486.
[23]	BLUNDO C , MATTOS L A F , STINSON D R . Generalised beimel-chor scheme for broadcast encryption and interactive key distribu-tion[A]. Theoretical Computer Science 200[C]. 1998.313-334.
[24]	BUYYA R , MURSHED M . GridSim: a toolkit for the modeling and simulation of distributed resource management and scheduling for grid computing[J]. Journal of concurrency and computation practice and experience, 2002,14 (13-15):1175-1220.
[25]	梁鹏等．肉类食品安全追溯系统的可信体系结构[J]．网络安全技术与应用， 2010,8. LIANG P , et al. Meat food traceability system for reliable architec-ture[J]. Network Security, Technology ＆ Application, 2010,8.