面向网络空间的访问控制模型

doi:10.11959/j.issn.1000-436x.2016109

Abstract

Abstract:

A novel cyberspace-oriented access control model was proposed,termed as CoAC,which avoided the threats by comprehensively considering vital factors,such as access requesting entity,general tense,access point,device,networks,resource,internet-based interactive graph and chain of resource transmission.By appropriately adjusting these factors,CoAC emulated most of typical access control models and fulfilled the requirements of new information service patterns and dissemination modes.The administrative model of CoAC was also presented and the functions and methods for administrating CoAC were described by utilizing Z-notation.CoAC is flexible and scalable,it can be further refined and expanded to figure out new opportunities and challenges in the upcoming access control techniques.

Key words: cyberspace security, access control, administrative scene, information service pattern, information dissemi-nation mode

Feng-hua LI,Yan-chao WANG,Li-hua YIN,Rong-na XIE,Jin-bo XIONG. Novel cyberspace-oriented access control model[J]. Journal on Communications, 2016, 37(5): 9-20.

Figures/Tables 5

函数名	描述	函数名	描述
verifyid	若用户身份和证书合法则返回 True，否则返回 Falseverifyid(userid,certification:NAME;outresult:BOOLEAN)?result=(userid∈U)(isvalid(certification))＞	verifyng	若请求的网络 reqng 满足网络 verifyng 的要求则返回True，否则返回Falseverifyng(reqng:NAME;out result:BOOLEAN)?reqng∈NGSTATESresult=( ?ng₁,ng₂∈validng·ng₁＜reqng＜ng₂)∧(q∈Q;d∈DSTATES;t∈TSTATES;l∈LSTATES;ng∈NGSTATES; p∈PERMISSIONS(q,sc= (q,t,l,d,reqng))∈QSC∧(sc=(q,t,l,d,reqng),p)∈SCP )?
isnable	若场景scene可用则返回True，否则返回Falseisnable(scene:NAME;out result:BOOLEAN)?scene∈SCENEresult=scene∈ENABLE^*?	n.activescbyu	返回用户user激活场景数量n.activescbyu(user:NAME;out result:N)?user USERSresult=N _{activ e U_total}(user)?
verifyt	若请求的广义时态re q t 满足广义时态状态verifyt的要求则返回True，否则返回Falseverifyt(reqt:NAME;out result:BOOLEAN)?reqt∈TSTATESresult=(?t₁,t₂∈validt·t₁＜reqt＜t₂)∧(q∈Q;t∈TSTATES;l∈LSTATES;d∈DSTATES;ng∈NGSTATES;p∈ PERMISSIONS(q,sc=(reqt,,l d,ng))∈ QSC ∧(sc=(q,reqt,l,d,ng),p)∈SCP)?	maxn.activescbyu	返回用户user最多能激活场景数量maxn.activescbyu(user:NAME;out result:N)?user∈USERSresult=N _{m ax U_total}(user)＞
verifyl	若请求的接入点 re q l 满足接入点 verifyl 的要求则返回True，否则返回Falseverifyl(reql:NAME;out result:BOOLEAN)?reql∈LSTATESresult=(?l₁,l∈validl·l₁＜reql＜l₂)∧(q∈Q;t∈TSTATES;l∈LSTATES;d∈DSTATES;ng∈NGSTATES;p∈PERMISSIONS(q,sc=(q,t,reql,d ,ng))∈QSC∧(sc=(q,t,reql,d ,ng),p)∈SCP)?	n.activescbyp	返回激活权限permission的场景数量n.activescbyp(user:NAME;out result:N)?user∈USERSresult=N _{max P_total}(user)?
verifyd	若请求的访问设备reqd满足访问设备verifyd的要求则返回True，否则返回Falseverifyd(reqd:NAME;out result:BOOLEAN)?reqd∈DSTATESresult=(?d₁,d₂∈validd·d₁＜reqd＜d₂)∧(q∈Q;d∈DSTATES;t∈TSTATES;l∈LSTATES;ng∈NGSTATES;p∈PERMISSIONS(q,sc=(q,t,l,reqd,ng))∈QSC∧(sc=(q,t,l,reqd,ng),p)∈SCP)?	maxn.activescbyp	返回最多能激活权限permission的场景数量P_totalmaxn.activescbyp(user:NAME;out result:N)?permission∈PERMISSIONSresult=N _{max P_total}(user)?

References 35

[1]	National Computer Security Center.Glossary of computer security terms NCSC-TG-004)[EB/OL].
[2]	BELL D E , LAPADULA L J . Secure computer systems:mathematical foundations[R]. MITRE CORP BEDFORD MA, 1973.
[3]	STALLINGS W . Network and internetwork security:princip and practice[M]. Englewood Cliffs:Prentice Hall, 1995.
[4]	FERRAIOLO D F , KUHN D R . Role-based access con-trol[C]// National Computer Security Conference. c1992: 554-563.
[5]	OH S , SANDHU R , ZHANG X . An effective role administration mod-el using organization structure[J]. ACM Transactions on Information and System Security (TISSEC), 2006,9(2): 113-137.
[6]	SANDHU R , BHAMIDIPATI V , MUNAWER Q . The ARBAC97 model for role-based administration of roles[J]. ACM Transactions on Information and System Security, 1999,2(1): 105-135.
[7]	SANDHU R , MUNAWER Q , The ARBAC99 model for administra-tion of roles[C]// Annual Computer Security Applications Conference. c1999: 229-238.
[8]	SANDHU R S , COYNE E J , FEINSTEIN H L , et al. Role-based access control models[J]. Computer, 1996(2): 38-47.
[9]	FREUDENTHAL E , PESIN T , PORT L , et al. dRBAC:distributed role-based access control for dynamic coalition environments[C]// In-ternational Conference on Distributed Computing System. c2002: 411-420.
[10]	LIU S , HUANG H . Role-based access control for distributed coopera-tion environment[C]// International Conference onComputational Intel-ligence and Security. c2009: 455-459.
[11]	PARK J , SANDHU R . The UCON ABC usage control model[J]. ACM Transactions on Information and System Security (TISSEC), 2004,7(1): 128-174.
[12]	KATT B , ZhANG X W , BREU R , et al. A general obligation model and continuity:enhanced policy enforcement engine for usage con-trol[C]// ACM Symposium on Access Control Models and Technolo-gies, Estes Park,CO,USA, c2008: 683-695.
[13]	LOVAT E , PRETSCHNER . Data-centric multi-layer usage control enforcement:a social network example[C]// ACM Symposium on Access Control Models and Technologies. Innsbruck,Austria, c2011: 151-152.
[14]	XU C , WANG Q , ZHANG W , et al. Temporal access control based on multiple subjects[C]// International Conference on Multimedia Infor-mation Networking and Security. c2009: 438-441.
[15]	BERTINO E , BONATTI P A , FERRARI E . TRBAC:a temporal role-based access control model[J]. ACM Transactions on Information and System Security (TISSEC), 2001,4(3): 191-233.
[16]	王小明, 赵宗涛 . 基于角色的时态对象存取控制模型[J]．电子学报, 2005,33(9): 1634-1638. WANG X M , ZHAO Z T . Role-based access control model of tem-poral object[J]. Acta Electronica Sinica, 2005,33(9): 1634-1638.
[17]	XU C , WANG Q , ZHANG W , et al. Temporal access control based on multiple subjects[C]// International Conference on Multimedia Infor-mation Networking and Security. c2009: 438-441.
[18]	YUAN E , TONG J . Attributed based access control (ABAC) for Web services[C]// The IEEE International Conference on Web Services. FL,USA, c2005: 561-569.
[19]	李晓峰, 冯登国, 陈朝武 , 等. 基于属性的访问控制模型[J]．通信学报, 2008,29(4): 90-98. LI X F , FENG D G , CHEN Z W , et al. Model for attribute based access control[J]. Journal on Communications, 2008,29(4): 90-98.
[20]	王小明, 付红, 张立臣 . 基于属性的访问控制研究进展[J]．电子学报, 2010,38(7): 1660-1667. WANG X M , FU H , ZHANG L C , et al. Research progress on attribute-based access control[J]. Acta Electronica Sinica, 2010,38(7): 1660-1667.
[21]	PIRRETTI M , TRAVNOR P , MCDANIEL P , et al. Secure attribute-based systems[J]. Journal of Computer Security, 2010,18(5): 799-837.
[22]	李凤华, 王巍, 马建峰 , 等. 基于行为的访问控制模型及其行为管理[J]．电子学报, 2008,36(10): 1881-1890. LI F H , WANG W , MA J F , et al. Action-based access control model and administration of actions[J]. Acta Electronica Sinica, 2008,36(10): 1881-1890.
[23]	RIVEST R , SHAMIR A , WAGNER D A . Time-lock puzzles and timed-release crypto[R]. MIT LCS Tech.Report MIT/LCS/TR-684, 1996.
[24]	CATHALO J , LIBERT B , QUISQUATER J J . Efficient and non-interactive timed-release encryption[M]. Information and Com-munications Security, 2005: 291-303.
[25]	PATERSON K G , QUAGLIA E A . Time-specific encryption[M]// Security and Cryptography for Networks, 2010: 1-16.
[26]	ZHOU L , VARADHARAJAN V , HITCHENS M . Enforcing role-based access control for secure data storage in the cloud[J]. The Computer Journal, 2011,54(10): 1675-1687.
[27]	BONEH D , FRANKLIN M . Identity-based encryption from the weil pairing[C]// CRYPTO, California,USA c2001: 213-229.
[28]	ROUSELAKIS Y , WATERS B . Practical constructions and new proof methods for large universe attribute-based encryption[C]// ACM Con-ference on Computer and Communications Security. Berlin,Germany, c2013: 463-474.
[29]	LEWKO A , WATERS B . Unbounded HIBE and attribute-based en-cryption[C]// Annual International Conference on the Theory and Ap-plications of Cryptographic Techniques. Tallinn,Estonia, c2011: 547-567.
[30]	GOYAL V , PANDEY O , SAHAI A , et al. Attribute-based encryption for fine-grained access control of encrypted data[C]// ACM Conference on Computer and Communications Security. VA,USA, c2006: 89-98.
[31]	BETHENCOURT J , WATERS B . Ciphertext-policy attribute-based encryption[C]// IEEE Symposium on Security and Privacy. California,USA, c2007: 321-334.
[32]	洪澄, 张敏, 冯登国 . AB-ACCS一种云存储密文访问控制方法[J]．计算机研究与发展， 2010,47(Z1): 259-265. HONG C , ZHANG M , FENG D G . AB-ACCS:a cryptographic access control scheme for cloud storage[J]. Journal of Computer Research and Development, 2010,47(Z1): 259-265.
[33]	CHENG Y , REN J , WANG Z , et al. Re-encryption optimization in CP-ABE based cryptographic cloud storage[C]// International Confe-rence on Cloud and Green Computing. Huanan,China, C2012: 173-179.
[34]	CHASE M , CHOW S S M . Improving privacy and security in mul-ti-authority attribute-based encryption[C]// ACM conference on Com-puter and Communications Security. Illinois,USA, C2009: 121-130.
[35]	LIU X , ZHANG Y , WANG B , et al. Mona:secure multi-owner data sharing for dynamic groups in the cloud[J]. IEEE Transaction on Pa-rallel and Distributed Systems, 2013,24(6): 1182-1191.

Metrics

Recommended 0

No Suggested Reading articles found!

约束分类	约束		描述
场景可用约束	资源访问实体—场景约束		（Q,S,T,L,D,NG,assigin _Q/deassign _Q sc to q）
	场景可用/不可用		（Q,S,T,L,D,NG,enable/disable sc）
	资源访问实体、场景—权限分配		（Q,S,T,L,D,NG,assigin _P/deassign_P p to sc）
场景激活约束	激活场景的数量	用户	（Q,S,T,L,D,NG,N _active,active_{Q_total}）
	激活场景的数量	权限	（Q,S,T,L,D,NG,N _active,active_{P_total}）
	当前系统中激活场景的总数量	用户	（Q,S,T,L,D,NG,N _{m ax},active_{Q_total}）
	当前系统中激活场景的总数量	权限	（Q,S,T,L,D,NG,N _{m ax},active_{P_total}）

Novel cyberspace-oriented access control model

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 5

References 35

Related Articles 15

Metrics

Recommended 0

[1]	Wei JIN, Fenghua LI, Mingjie YU, Yunchuan GUO, Ziyan ZHOU, Liang FANG. HDFS-oriented cryptographic key resource control mechanism [J]. Journal on Communications, 2022, 43(9): 27-41.
[2]	Jiangtao DONG, Peiwen YAN, Ruizhong DU. Verifiable access control scheme based on unpaired CP-ABE in fog computing [J]. Journal on Communications, 2021, 42(8): 139-150.
[3]	Changgen PENG, Zongfeng PENG, Hongfa DING, Youliang TIAN, Rongfei LIU. Attribute-based revocable collaborative access control scheme [J]. Journal on Communications, 2021, 42(5): 75-86.
[4]	Zuobin YING, Yuanping SI, Jianfeng MA, Ximeng LIU. Blockchain-based distributed EHR fine-grained traceability scheme [J]. Journal on Communications, 2021, 42(5): 205-215.
[5]	Ruizhong DU, Peiwen YAN, Yan LIU. Fine-grained attribute update and outsourcing computing access control scheme in fog computing [J]. Journal on Communications, 2021, 42(3): 160-170.
[6]	Jiawei ZHANG, Jianfeng MA, Zhuo MA, Teng LI. Time-based and privacy protection revocable and traceable data sharing scheme in cloud computing [J]. Journal on Communications, 2021, 42(10): 81-94.
[7]	Tianyi ZHU,Fenghua LI,Wei JIN,Yunchuan GUO,Liang FANG,Lin CHENG. Cross-domain access control policy mapping mechanism for balancing interoperability and autonomy [J]. Journal on Communications, 2020, 41(9): 29-48.
[8]	Qinglei ZHOU,Shaohuan BAN,Yingjie HAN,Feng FENG. Mimic defense authentication method for physical access control [J]. Journal on Communications, 2020, 41(6): 80-87.
[9]	Chunfu JIA,Guanxiong HA,Ruiqi LI. Data access control policy of encrypted deduplication system [J]. Journal on Communications, 2020, 41(5): 72-83.
[10]	Yonggui FU,Jianming ZHU. Design for database access control mechanism based on blockchain [J]. Journal on Communications, 2020, 41(5): 130-140.
[11]	Zheng GUAN,Lei XIONG,Yao JIA,Min HE,Zhijun YANG. Research on scheduled WLAN MAC protocol with failure retries on RoF-DAS architecture [J]. Journal on Communications, 2020, 41(3): 102-111.
[12]	Rongna XIE,Hui LI,Guozhen SHI,Yunchuan GUO. Attribute-based lightweight reconfigurable access control policy [J]. Journal on Communications, 2020, 41(2): 112-122.
[13]	Aodi LIU, Xuehui DU, Na WANG, Rui QIAO. ABAC access control policy generation technique based on deep learning [J]. Journal on Communications, 2020, 41(12): 8-20.
[14]	Rongna XIE, Hui LI, Guozhen SHI, Yunchuan GUO, Ming ZHANG, Xiuze DONG. Blockchain-based access control mechanism for data traceability [J]. Journal on Communications, 2020, 41(12): 82-93.
[15]	Xinglan ZHANG,Shenglin YIN. Intrusion detection model of random attention capsule network based on variable fusion [J]. Journal on Communications, 2020, 41(11): 160-168.