The content security requirements of a radio frequency identification (RFID) based logistics-customs clearance service platform (LCCSP) are analysed in this paper. Then, both the unified identity authentication an...The content security requirements of a radio frequency identification (RFID) based logistics-customs clearance service platform (LCCSP) are analysed in this paper. Then, both the unified identity authentication and the access control modules are designed according to those analyses. Finally, the unified identity authentication and the access control on the business level are implemented separately. In the unified identity authentication module, based on an improved Kerberos-based authentication approach, a new control transfer method is proposed to solve the sharing problem of tickets among different servers of different departments. In the access control module, the functions of access controls are divided into different granularities to make the access control management more flexible. Moreover, the access control module has significant reference value for user management in similar systems.展开更多
Security is a key problem for the development of Cloud Computing. A common service security architecture is a basic abstract to support security research work. The authorization ability in the service security faces m...Security is a key problem for the development of Cloud Computing. A common service security architecture is a basic abstract to support security research work. The authorization ability in the service security faces more complex and variable users and environment. Based on the multidimensional views, the service security architecture is described on three dimensions of service security requirement integrating security attributes and service layers. An attribute-based dynamic access control model is presented to detail the relationships among subjects, objects, roles, attributes, context and extra factors further. The model uses dynamic control policies to support the multiple roles and flexible authority. At last, access control and policies execution mechanism were studied as the implementation suggestion.展开更多
With the rapid development of computer technology, cloud-based services have become a hot topic. They not only provide users with convenience, but also bring many security issues, such as data sharing and privacy issu...With the rapid development of computer technology, cloud-based services have become a hot topic. They not only provide users with convenience, but also bring many security issues, such as data sharing and privacy issue. In this paper, we present an access control system with privilege separation based on privacy protection(PS-ACS). In the PS-ACS scheme, we divide users into private domain(PRD) and public domain(PUD) logically. In PRD, to achieve read access permission and write access permission, we adopt the Key-Aggregate Encryption(KAE) and the Improved Attribute-based Signature(IABS) respectively. In PUD, we construct a new multi-authority ciphertext policy attribute-based encryption(CP-ABE) scheme with efficient decryption to avoid the issues of single point of failure and complicated key distribution, and design an efficient attribute revocation method for it. The analysis and simulation result show that our scheme is feasible and superior to protect users' privacy in cloud-based services.展开更多
Personal cloud computing is an emerging trend in the computer industry. For a sustainable service, cloud computing services must control user access. The essential business characteristics of cloud computing are payme...Personal cloud computing is an emerging trend in the computer industry. For a sustainable service, cloud computing services must control user access. The essential business characteristics of cloud computing are payment status and service level agreement. This work proposes a novel access control method for personal cloud service business. The proposed method sets metadata, policy analysis rules, and access denying rules. Metadata define the structure of access control policies and user requirements for cloud services. The policy analysis rules are used to compare conflicts and redundancies between access control policies. The access denying rules apply policies for inhibiting inappropriate access. The ontology is a theoretical foundation of this method. In this work, ontologies for payment status, access permission, service level, and the cloud provide semantic information needed to execute rules. A scenario of personal data backup cloud service is also provided in this work. This work potentially provides cloud service providers with a convenient method of controlling user access according to changeable business and marketing strategies.展开更多
The design of distributed ledger,Asymmetric Key Algorithm(AKA)blockchain systems,is prominent in administering security and access control in various real-time services and applications.The assimilation of blockchain ...The design of distributed ledger,Asymmetric Key Algorithm(AKA)blockchain systems,is prominent in administering security and access control in various real-time services and applications.The assimilation of blockchain systems leverages the reliable access and secure service provisioning of the services.However,the distributed ledger technology’s access control and chained decisions are defaced by pervasive and service unawareness.It results in degrading security through unattended access control for limited-service users.In this article,a service-aware access control procedure(SACP)is introduced to address the afore-mentioned issue.The proposed SACP denes attended access control for all the service session by identifying the users and service provider availability.The distributed nature of the ledger systems and classication tree learning are combined to determine unattended access.The sole access is determined by summarizing the closed and open access requests and the service provider’s availability and integrity checks.In this process,the learning process classies the secured access request and completed the integrity checks of the current and previous service dissemination.This classication-based access administration reduces the service disconnections and false access rate of the applications.展开更多
For most current Web Service access control methods, Web Service providers create a series of access control roles based on specified attributes. Only by meeting all the roles can a subject obtain the access to necess...For most current Web Service access control methods, Web Service providers create a series of access control roles based on specified attributes. Only by meeting all the roles can a subject obtain the access to necessary operations and resources. However, because of the dynamic and open traits of Web Services, it is difficult for Web Service providers to work out an access control policy with moderate intensity and to realize a satisfactory balance between protecting the security of resources and maintaining the service reachable rate. To provide a solution to the above problem, this paper proposed a trust compensation access control method based on the Attribute-Based Access Control model. Our main contributions include a formal description of the access control method, a method to calculate the attribute trust degree based on time decay, and the trust compensation value of the attribute trust degree, as well as a new Service Oriented Architecture (SOA) architecture and its procedures based on a detailed trust compensation access control method.展开更多
An important feature of the traffic in mobile networks is burstiness. Drawbacks of conventional power control algorithms for time division duplex (TDD)-code division multiple access (CDMA) systems are analyzed. A ...An important feature of the traffic in mobile networks is burstiness. Drawbacks of conventional power control algorithms for time division duplex (TDD)-code division multiple access (CDMA) systems are analyzed. A joint power control algorithm based on service factor is presented to address the TDD-CDMA mobile services in the burst mode according to the Markov modulated Bernoulli process. The joint power control equation is derived. A function model is developed to verify the new algorithm and evaluate its performance. Simulation results show that the new power control algorithm can estimate interference strength more precisely, speed up convergence of power control, and enhance power efficiency and system capacity. It is shown that the proposed algorithm is more robust against link gain changes, and outperforms the reference algorithms.展开更多
Security is an essential part of the cloud environment.For ensuring the security of the data being communicated to and from the cloud server,a significant parameter called trust was introduced.Trust-based security pla...Security is an essential part of the cloud environment.For ensuring the security of the data being communicated to and from the cloud server,a significant parameter called trust was introduced.Trust-based security played a vital role in ensuring that the communication between cloud users and service providers remained unadulterated and authentic.In most cloud-based data distribution environments,emphasis is placed on accepting trusted client users’requests,but the cloud servers’integrity is seldom verified.This paper designs a trust-based access control model based on user and server characteristics in a multi-cloud environment to address this issue.The proposed methodology consists of data encryption using Cyclic Shift Transposition Algorithm and trust-based access control method.In this trust-based access control mechanism framework,trust values are assigned to cloud users using direct trust degrees.The direct trust degree is estimated based on the following metrics:success and failure rate of interactions,service satisfaction index,and dishonesty level.In addition to this,trust values are assigned to cloud servers based on the metrics:server load,service rejection rate,and service access delay.The role-Based Access control policy of each user is modified based on his trust level.If the server fails to meet the minimum trust level,then another suitable server will be selected.The proposed system is found to outperform other existing systems in a multi-cloud environment.展开更多
With the development of cloud computing, the mutual understandability among distributed data access control has become an important issue in the security field of cloud computing. To ensure security, confidentiality a...With the development of cloud computing, the mutual understandability among distributed data access control has become an important issue in the security field of cloud computing. To ensure security, confidentiality and fine-grained data access control of Cloud Data Storage (CDS) environment, we proposed Multi-Agent System (MAS) architecture. This architecture consists of two agents: Cloud Service Provider Agent (CSPA) and Cloud Data Confidentiality Agent (CDConA). CSPA provides a graphical interface to the cloud user that facilitates the access to the services offered by the system. CDConA provides each cloud user by definition and enforcement expressive and flexible access structure as a logic formula over cloud data file attributes. This new access control is named as Formula-Based Cloud Data Access Control (FCDAC). Our proposed FCDAC based on MAS architecture consists of four layers: interface layer, existing access control layer, proposed FCDAC layer and CDS layer as well as four types of entities of Cloud Service Provider (CSP), cloud users, knowledge base and confidentiality policy roles. FCDAC, it’s an access policy determined by our MAS architecture, not by the CSPs. A prototype of our proposed FCDAC scheme is implemented using the Java Agent Development Framework Security (JADE-S). Our results in the practical scenario defined formally in this paper, show the Round Trip Time (RTT) for an agent to travel in our system and measured by the times required for an agent to travel around different number of cloud users before and after implementing FCDAC.展开更多
In ACM'CCS 2009,Camenisch,et al.proposed the Oblivious Transfer with Access Control(AC-OT) in which each item is associated with an attribute set and can only be available,on request,to the users who have all the ...In ACM'CCS 2009,Camenisch,et al.proposed the Oblivious Transfer with Access Control(AC-OT) in which each item is associated with an attribute set and can only be available,on request,to the users who have all the attributes in the associated set.Namely,AC-OT achieves access control policy for conjunction of attributes.Essentially,the functionality of AC-OT is equivalent to the sim-plified version that we call AC-OT-SV:for each item,one attribute is associated with it,and it is requested that only the users who possess the associated attribute can obtain the item by queries.On one hand,AC-OT-SV is a special case of AC-OT when there is just one associated attribute with each item.On the other hand,any AC-OT can be realized by an AC-OT-SV.In this paper,we first present a concrete AC-OT-SV protocol which is proved to be secure in the model defined by Camenisch,et al..Then from the protocol,interestingly,a concrete Identity-Based Encryption(IBE) with Anonymous Key Issuing(AKI) is given which is just a direct application to AC-OT-SV.By comparison,we show that the AKI protocol we present is more efficient in communications than that proposed by Chow.展开更多
This paper introduces a solution to the secure requirement for digital rights management (DRM) by the way of geospacial access control named geospacial access control (GeoAC) in geospacial field. The issues of aut...This paper introduces a solution to the secure requirement for digital rights management (DRM) by the way of geospacial access control named geospacial access control (GeoAC) in geospacial field. The issues of authorization for geospacial DRM are concentrated on. To geospacial DRM, one aspect is the declaration and enforcement of access rights, based on geographic aspects. To the approbation of digital geographic content, it is important to adopt online access to geodata through a special data infrastructure (SDI). This results in the interoperability requirements on three different levels: data model level, service level and access control level. The interaction between the data model and service level can be obtained by criterions of the open geospacial consortium (OGC), and the interaction of the access control level may be reached by declaring and enforcing access restrictions in GeoAC. Then an archetype enforcement based on GeoAC is elucidated. As one aspect of performing usage rights, the execution of access restrictions as an extension to a regular SDI is illuminated.展开更多
基金supported by Department of Science & Technology of Guangdong Province (No.2006A15006003)National High Technology Research and Development Program of China (863 Program)(No.2006AA04A120)
文摘The content security requirements of a radio frequency identification (RFID) based logistics-customs clearance service platform (LCCSP) are analysed in this paper. Then, both the unified identity authentication and the access control modules are designed according to those analyses. Finally, the unified identity authentication and the access control on the business level are implemented separately. In the unified identity authentication module, based on an improved Kerberos-based authentication approach, a new control transfer method is proposed to solve the sharing problem of tickets among different servers of different departments. In the access control module, the functions of access controls are divided into different granularities to make the access control management more flexible. Moreover, the access control module has significant reference value for user management in similar systems.
基金supported by National Information Security Program under Grant No.2009A112
文摘Security is a key problem for the development of Cloud Computing. A common service security architecture is a basic abstract to support security research work. The authorization ability in the service security faces more complex and variable users and environment. Based on the multidimensional views, the service security architecture is described on three dimensions of service security requirement integrating security attributes and service layers. An attribute-based dynamic access control model is presented to detail the relationships among subjects, objects, roles, attributes, context and extra factors further. The model uses dynamic control policies to support the multiple roles and flexible authority. At last, access control and policies execution mechanism were studied as the implementation suggestion.
基金financially supported by the National Natural Science Foundation of China(No.61303216,No.61272457,No.U1401251,and No.61373172)the National High Technology Research and Development Program of China(863 Program)(No.2012AA013102)National 111 Program of China B16037 and B08038
文摘With the rapid development of computer technology, cloud-based services have become a hot topic. They not only provide users with convenience, but also bring many security issues, such as data sharing and privacy issue. In this paper, we present an access control system with privilege separation based on privacy protection(PS-ACS). In the PS-ACS scheme, we divide users into private domain(PRD) and public domain(PUD) logically. In PRD, to achieve read access permission and write access permission, we adopt the Key-Aggregate Encryption(KAE) and the Improved Attribute-based Signature(IABS) respectively. In PUD, we construct a new multi-authority ciphertext policy attribute-based encryption(CP-ABE) scheme with efficient decryption to avoid the issues of single point of failure and complicated key distribution, and design an efficient attribute revocation method for it. The analysis and simulation result show that our scheme is feasible and superior to protect users' privacy in cloud-based services.
文摘Personal cloud computing is an emerging trend in the computer industry. For a sustainable service, cloud computing services must control user access. The essential business characteristics of cloud computing are payment status and service level agreement. This work proposes a novel access control method for personal cloud service business. The proposed method sets metadata, policy analysis rules, and access denying rules. Metadata define the structure of access control policies and user requirements for cloud services. The policy analysis rules are used to compare conflicts and redundancies between access control policies. The access denying rules apply policies for inhibiting inappropriate access. The ontology is a theoretical foundation of this method. In this work, ontologies for payment status, access permission, service level, and the cloud provide semantic information needed to execute rules. A scenario of personal data backup cloud service is also provided in this work. This work potentially provides cloud service providers with a convenient method of controlling user access according to changeable business and marketing strategies.
基金supported by the Deanship of Scientic Research(DSR),King Abdulaziz University,Jeddah,under Grant No.(DF-444-611-1441)。
文摘The design of distributed ledger,Asymmetric Key Algorithm(AKA)blockchain systems,is prominent in administering security and access control in various real-time services and applications.The assimilation of blockchain systems leverages the reliable access and secure service provisioning of the services.However,the distributed ledger technology’s access control and chained decisions are defaced by pervasive and service unawareness.It results in degrading security through unattended access control for limited-service users.In this article,a service-aware access control procedure(SACP)is introduced to address the afore-mentioned issue.The proposed SACP denes attended access control for all the service session by identifying the users and service provider availability.The distributed nature of the ledger systems and classication tree learning are combined to determine unattended access.The sole access is determined by summarizing the closed and open access requests and the service provider’s availability and integrity checks.In this process,the learning process classies the secured access request and completed the integrity checks of the current and previous service dissemination.This classication-based access administration reduces the service disconnections and false access rate of the applications.
文摘For most current Web Service access control methods, Web Service providers create a series of access control roles based on specified attributes. Only by meeting all the roles can a subject obtain the access to necessary operations and resources. However, because of the dynamic and open traits of Web Services, it is difficult for Web Service providers to work out an access control policy with moderate intensity and to realize a satisfactory balance between protecting the security of resources and maintaining the service reachable rate. To provide a solution to the above problem, this paper proposed a trust compensation access control method based on the Attribute-Based Access Control model. Our main contributions include a formal description of the access control method, a method to calculate the attribute trust degree based on time decay, and the trust compensation value of the attribute trust degree, as well as a new Service Oriented Architecture (SOA) architecture and its procedures based on a detailed trust compensation access control method.
基金Project supported by the National Science Foundation for Creative Research Groups (Grant No.60521002), and the National Key Technologies R&D Program (Grant No.2005BA908B02)
文摘An important feature of the traffic in mobile networks is burstiness. Drawbacks of conventional power control algorithms for time division duplex (TDD)-code division multiple access (CDMA) systems are analyzed. A joint power control algorithm based on service factor is presented to address the TDD-CDMA mobile services in the burst mode according to the Markov modulated Bernoulli process. The joint power control equation is derived. A function model is developed to verify the new algorithm and evaluate its performance. Simulation results show that the new power control algorithm can estimate interference strength more precisely, speed up convergence of power control, and enhance power efficiency and system capacity. It is shown that the proposed algorithm is more robust against link gain changes, and outperforms the reference algorithms.
文摘Security is an essential part of the cloud environment.For ensuring the security of the data being communicated to and from the cloud server,a significant parameter called trust was introduced.Trust-based security played a vital role in ensuring that the communication between cloud users and service providers remained unadulterated and authentic.In most cloud-based data distribution environments,emphasis is placed on accepting trusted client users’requests,but the cloud servers’integrity is seldom verified.This paper designs a trust-based access control model based on user and server characteristics in a multi-cloud environment to address this issue.The proposed methodology consists of data encryption using Cyclic Shift Transposition Algorithm and trust-based access control method.In this trust-based access control mechanism framework,trust values are assigned to cloud users using direct trust degrees.The direct trust degree is estimated based on the following metrics:success and failure rate of interactions,service satisfaction index,and dishonesty level.In addition to this,trust values are assigned to cloud servers based on the metrics:server load,service rejection rate,and service access delay.The role-Based Access control policy of each user is modified based on his trust level.If the server fails to meet the minimum trust level,then another suitable server will be selected.The proposed system is found to outperform other existing systems in a multi-cloud environment.
文摘With the development of cloud computing, the mutual understandability among distributed data access control has become an important issue in the security field of cloud computing. To ensure security, confidentiality and fine-grained data access control of Cloud Data Storage (CDS) environment, we proposed Multi-Agent System (MAS) architecture. This architecture consists of two agents: Cloud Service Provider Agent (CSPA) and Cloud Data Confidentiality Agent (CDConA). CSPA provides a graphical interface to the cloud user that facilitates the access to the services offered by the system. CDConA provides each cloud user by definition and enforcement expressive and flexible access structure as a logic formula over cloud data file attributes. This new access control is named as Formula-Based Cloud Data Access Control (FCDAC). Our proposed FCDAC based on MAS architecture consists of four layers: interface layer, existing access control layer, proposed FCDAC layer and CDS layer as well as four types of entities of Cloud Service Provider (CSP), cloud users, knowledge base and confidentiality policy roles. FCDAC, it’s an access policy determined by our MAS architecture, not by the CSPs. A prototype of our proposed FCDAC scheme is implemented using the Java Agent Development Framework Security (JADE-S). Our results in the practical scenario defined formally in this paper, show the Round Trip Time (RTT) for an agent to travel in our system and measured by the times required for an agent to travel around different number of cloud users before and after implementing FCDAC.
文摘In ACM'CCS 2009,Camenisch,et al.proposed the Oblivious Transfer with Access Control(AC-OT) in which each item is associated with an attribute set and can only be available,on request,to the users who have all the attributes in the associated set.Namely,AC-OT achieves access control policy for conjunction of attributes.Essentially,the functionality of AC-OT is equivalent to the sim-plified version that we call AC-OT-SV:for each item,one attribute is associated with it,and it is requested that only the users who possess the associated attribute can obtain the item by queries.On one hand,AC-OT-SV is a special case of AC-OT when there is just one associated attribute with each item.On the other hand,any AC-OT can be realized by an AC-OT-SV.In this paper,we first present a concrete AC-OT-SV protocol which is proved to be secure in the model defined by Camenisch,et al..Then from the protocol,interestingly,a concrete Identity-Based Encryption(IBE) with Anonymous Key Issuing(AKI) is given which is just a direct application to AC-OT-SV.By comparison,we show that the AKI protocol we present is more efficient in communications than that proposed by Chow.
基金Funded by the Large-Scale Security SoC Project of Wuhan Science and Technology Bureau of China (No. 20061005119).
文摘This paper introduces a solution to the secure requirement for digital rights management (DRM) by the way of geospacial access control named geospacial access control (GeoAC) in geospacial field. The issues of authorization for geospacial DRM are concentrated on. To geospacial DRM, one aspect is the declaration and enforcement of access rights, based on geographic aspects. To the approbation of digital geographic content, it is important to adopt online access to geodata through a special data infrastructure (SDI). This results in the interoperability requirements on three different levels: data model level, service level and access control level. The interaction between the data model and service level can be obtained by criterions of the open geospacial consortium (OGC), and the interaction of the access control level may be reached by declaring and enforcing access restrictions in GeoAC. Then an archetype enforcement based on GeoAC is elucidated. As one aspect of performing usage rights, the execution of access restrictions as an extension to a regular SDI is illuminated.
