通信学报 ›› 2020, Vol. 41 ›› Issue (2): 112-122.doi: 10.11959/j.issn.1000-436x.2020035

• 学术论文 • 上一篇    下一篇

基于属性轻量级可重构的访问控制策略

谢绒娜1,李晖1,史国振2(),郭云川3   

  1. 1 西安电子科技大学网络与信息安全学院,陕西 西安 710071
    2 北京电子科技学院电子与通信工程系,北京 100070
    3 中国科学院信息工程研究所,北京 100093
  • 修回日期:2019-12-16 出版日期:2020-02-25 发布日期:2020-03-09
  • 作者简介:谢绒娜(1976- ),女,山西永济人,西安电子科技大学博士生,主要研究方向为网络与系统安全、访问控制、密码工程|李晖(1968- ),男,河南灵宝人,博士,西安电子科技大学教授、博士生导师,主要研究方向为密码信息安全、信息论与编码理论|史国振(1974- ),男,河南济源人,博士,北京电子科技学院副教授、硕士生导师,主要研究方向为网络与系统安全、嵌入式安全|郭云川(1977- ),男,四川营山人,博士,中国科学院副研究员、博士生导师,主要研究方向为访问控制、形式化方法
  • 基金资助:
    国家重点研发计划基金资助项目(2017YFB0802705);国家重点研发计划基金资助项目(2016QY06X1203);国家自然科学基金资助项目(61672515)

Attribute-based lightweight reconfigurable access control policy

Rongna XIE1,Hui LI1,Guozhen SHI2(),Yunchuan GUO3   

  1. 1 School of Cyber Engineering,Xidian University,Xi’an 710071,China
    2 Department of Electronics and Communication Engineering,Beijing Electronic Science and Technology Institute ,Beijing 100070,China
    3 Institute of Information Engineering,Chinese Academy of Sciences,Beijing 100093,China
  • Revised:2019-12-16 Online:2020-02-25 Published:2020-03-09
  • Supported by:
    The National Key Research and Development Program of China(2017YFB0802705);The National Key Research and Development Program of China(2016QY06X1203);The National Natural Science Foundation of China(61672515)

摘要:

针对复杂网络环境下访问控制策略冗余与冲突检测、访问控制策略评估的效率面临的严峻挑战,提出了基于属性轻量级可重构的访问控制策略。以基于属性的访问控制策略为范例,根据访问控制策略中的操作类型、主体属性、客体属性和环境属性将基于属性的访问控制策略划分为多个不相交的原子访问控制规则,并通过与、或等逻辑关系构成的代数表达式,将原子访问控制规则重构出复杂访问控制策略;提出原子访问控制规则冗余与冲突检测方法,将复杂访问控制策略分解为等效的原子访问控制规则和代数表达式,通过对等效的原子访问控制规则和代数表达式进行冗余与冲突检测实现对复杂访问控制策略进行冗余与冲突检测;从时间复杂度和空间复杂度2个不同角度对等效转化的访问控制策略进行评估。结果表明,所提方法大大降低了访问控制策略的长度、数量和复杂度,提高了访问控制策略冗余与冲突检测的效率以及访问控制策略评估的效率。

关键词: 轻量级, 可重构, 原子访问控制规则, 代数表达式, 等效转化

Abstract:

Aiming at the severe challenges of access control policy redundancy and conflict detection,the efficiency of access control policy evaluation in complex network environment,an attribute-based lightweight reconfigurable access control policy was proposed.Taking the attribute-based access control policy as an example,the attribute-based access control policy was divided into multiple disjoint atomic access control rules according to the operation type,subject attribute,object attribute,and environment attribute in the access control policy.Complex access control policies were constructed through atomic access control rules and an algebraic expression formed by AND,OR logical relationships.A method for redundancy and collision detection of atomic access control rules was proposed.A method was proposed for decompose a complex access control policy into equivalent atomic access control rules and an algebraic expression.The method for redundancy and collision detection of complex access control policies were proposed through redundancy and collision detection of equivalent atomic access control rules and algebraic expressions.From time complexity and space complexity,the efficiency of the equivalent transformation access control policy was evaluated.It showes that the reconstruction method for access control policy greatly reduces the number,size and complexity of access control policy,improves the efficiency of access control policy redundancy and collision detection,and the efficiency of access control evaluation.

Key words: lightweight, reconfigurable, atomic access control rule, algebraic expression, equivalent transformation

中图分类号: 

No Suggested Reading articles found!