摘要
在基于内容的访问控制系统中,主体对客体只有允许访问和拒绝访问两种权限,且主体之间和客体之间都存在一种偏序关系,传统的访问控制策略需要对主客体单独进行管理,效率较低.本文利用其中的偏序关系设计一种分层密钥分配方案,使分配的密钥既能实现保密通信又能达到实施访问控制的目的,提高系统效率.该方案利用客体之间的偏序关系使所有客体形成一个有向无环图,以多方Diffie-Hellman算法为基础为图中每个节点分配密钥,使得每个节点都可以通过自己的密钥计算出其子节点的密钥,每个节点的密钥用于加密对应于该节点的资源,从而通过对密钥的分配实现对访问权限的管理.该方案分为系统建立、密钥更新、节点加入和节点删除等部分,其安全性基于DDH假设,支持成员以及分层拓扑结构的动态变化,可用于解决基于内容的分层访问控制问题.
In content-based access control systems,the subject is only allowed or denied to access the object.There are partial orders between different subjects and objects.The traditional access control policy manages these subjects and objects independently,and does not consider the partial orders which may improve the efficiency.By considering the partial orders,a hierarchical key assignment scheme is proposed in this paper,so as to make the assignment of keys to achieve secure communication and access control,improving the efficiency.The objects can be formed into a Directed Acyclic Graph(DAG) using the partial orders between these objects.Then,assign each vertex in the DAG an encryption key based on Diffie-Hellman algorithm,while each vertex may derive the encryption keys of its child vertices by the encryption key of itself.These assigned keys are used to encrypt the resources of the vertices.Thus,the access control of the resources can be achieved by the assignment of the encryption keys.The proposed scheme consists of the phases of system initialization and key updating,and supports user dynamics and topology changes.The security is based on DDH assumptions.It can be used for content-based hierarchical access control.
出处
《电子学报》
EI
CAS
CSCD
北大核心
2011年第1期119-123,共5页
Acta Electronica Sinica
基金
国家863高技术研究发展计划(No.2007AA01Z429,No.2007AA01Z472,No.2007AA01Z482,No.2009AA012420)
国家自然科学基金(No.60633020,No.6087204)
教育部重点项目(No.209156)
北京市自然科学基金(No.4102056)
北京电子科技学院信息安全重点实验室基金(No.YZDJ0807)
关键词
分层密钥分配
DH算法
分层访问控制
群组密钥管理
hierarchical key assignment
DH algorithm
hierarchical access control
group key management
