Research on Access Control Technology for Cloud Computing
Published: 2018-03-25 18:00
Topic: cloud computing environment. Focus: action-based multilevel access control. Source: Xidian University (西安电子科技大学), doctoral dissertation, 2014
[Abstract]: Cloud computing has made resource sharing the theme of network development in the new era. Data hosted in the cloud is freed from the constraints of time and space, and exhibits multi-level management, object-oriented description, randomized storage and dynamically changing security policies. Research on cloud access control must therefore face a complex and changeable cloud environment and solve the problems of random user access, changeable permission descriptions, fine-grained resource descriptions, resource creation that has to be combined with access control, and dynamic adjustment of security policies, so that cloud data can be managed in a trusted, reliable and controllable way. Addressing the security problems faced by access control research in the cloud, this dissertation analyzes the application scenarios of multi-level, multi-factor management of cloud data, fine-grained description, creation, migration and lifecycle control, and, drawing on action-based access control (Action Based Access Control, ABAC), multilevel security models and proxy re-encryption, investigates several key access control technologies for the cloud computing environment. The main contributions are as follows.

(1) An access control model that combines a multi-factor access control mechanism with multilevel security is studied, and an action-based multilevel security access control model is proposed. By extending the description of security levels and categories from subjects to actions, the model integrates the BLP model with the ABAC model. Read and write security levels are defined for actions, the security rules for the basic operations are described, and an implementation scheme for the model is given. The model adds multilevel security attributes to the multi-factor access control model, resolves the absence of temporal and spatial factors in the enforcement of multilevel security access control, and provides theoretical and practical support for access control and management of information systems under cloud computing, mobile computing and other computing paradigms. This model is the cornerstone of the later chapters and the starting point of the dissertation's research on cloud access control.

(2) To achieve multilevel security management and fine-grained permission description of the objects in the action-based multilevel access control model, a multi-factor, fine-grained permission description mechanism for structured documents is studied. For the description requirements of multilevel security management of structured documents in complex network environments, a structured document description model oriented to multilevel security is proposed; for the object-oriented, fine-grained permission description requirements of structured documents, an action-based fine-grained access control mechanism for structured documents is proposed, and the corresponding access control protocol and its related functions are formally defined in Z notation; finally, the security and applicability of the mechanism are analyzed and a concrete implementation scheme is given. As an important form of cloud data and a medium of information dissemination, structured documents are critical to cloud security research, and the multilevel security and fine-grained description mechanisms for structured documents are an indispensable part of cloud access control technology.

(3) Combining the multi-factor fine-grained description model for structured documents with the access control mechanism, the technologies and mechanisms for secure data creation and management in the cloud are studied, and a user-centric data secure creation scheme (UCDSC) for cloud computing is proposed, comprising a system model, an algorithm and application protocols. For the algorithm, the subject's access control conditions are introduced into the proxy re-encryption mechanism, yielding an access control conditions based proxy re-encryption algorithm (ACC-PRE) that is CCA secure and master-key secure. For the application protocols, mature cryptographic techniques are used to construct secure and trusted protocols, and the security of these protocols and the performance of the algorithm are analyzed in detail. Finally, an application scheme and system framework for UCDSC in cloud document creation and management are given. Secure data creation is built on the fine-grained, multilevel data description model, and in turn provides the data foundation for multilevel management of cloud information and for the fine-grained permission description mechanism.

(4) For the lifecycle-oriented management of cloud data, the action-based multilevel access control model, the fine-grained resource permission description mechanism and the creation mechanism are combined, and, to meet the need for dynamically changing access control policies, a resource-centric dynamic adaptive access control model (Resource-Centric Dynamic Adaptive Access Control Model, RCDA) is proposed; by extending the ABAC model it achieves dynamic adjustment of access control policy descriptions. A dynamic adaptive access control mechanism based on the cloud resource lifecycle is proposed, which takes the lifecycle stage of the object as the basis for adaptive adjustment of the access control policy, so that the data security policy adapts dynamically as the object moves through its lifecycle. This mechanism fully integrates the multi-factor access control, multilevel management, fine-grained description and secure creation mechanisms for cloud data; it is the embodiment of the above models and mechanisms in cloud resource lifecycle management, and lays the foundation for subsequent research on full-lifecycle security management of cloud data.
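The following Python program is an added illustration of two of the mechanisms the abstract describes, not code from the dissertation: contribution (1), where the BLP-style label (level plus category set) belongs to the action, i.e. the subject together with the time and place of the request, and the simple-security and *-property rules are evaluated against that label; and contribution (4), where the lifecycle stage of the object selects which policy is applied. Here the thesis's ABAC means action-based access control, not attribute-based. The level names, the rule that degrades the label of remote or off-hours actions, the lifecycle stages and their per-stage restrictions, and the sample subjects and objects are all assumptions chosen for this example; it also uses one label for both reading and writing, whereas the dissertation defines separate read and write levels for an action.

```python
"""Illustrative action-based multilevel access control with a lifecycle-adaptive policy.
Not the dissertation's code: level names, the context-degradation rule, the lifecycle
stages and their restrictions, and the sample data are assumptions for this example."""
from dataclasses import dataclass
from datetime import time
from typing import Dict, FrozenSet, Optional, Tuple

# Totally ordered sensitivity levels of a BLP lattice (assumed names).
LEVELS: Dict[str, int] = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


def dominates(level_a: str, cats_a: FrozenSet[str],
              level_b: str, cats_b: FrozenSet[str]) -> bool:
    """Lattice dominance: level_a >= level_b and cats_a is a superset of cats_b."""
    return LEVELS[level_a] >= LEVELS[level_b] and cats_a >= cats_b


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str              # highest level the subject may ever read at
    categories: FrozenSet[str]  # compartments the subject is cleared for


@dataclass(frozen=True)
class CloudObject:
    name: str
    owner: str
    level: str
    categories: FrozenSet[str]
    stage: str                  # lifecycle stage: creating / active / archived / destroyed


@dataclass(frozen=True)
class Action:
    """A subject performing an operation at a given time and place. The label is
    computed for the action, so the temporal and spatial factors of the request,
    not only the subject's clearance, decide what may be accessed."""
    subject: Subject
    op: str                     # "read" or "write"
    when: time                  # time of day of the request
    where: str                  # "office" or "remote" (assumed location classes)

    def label(self) -> Tuple[str, FrozenSet[str]]:
        level, cats = self.subject.clearance, self.subject.categories
        in_hours = time(8, 0) <= self.when <= time(18, 0)
        if self.where != "office" or not in_hours:
            # Assumed degradation rule: remote or off-hours actions are capped at
            # "internal" and lose every compartment, whatever the subject's clearance.
            level = min(level, "internal", key=LEVELS.get)
            cats = frozenset()
        return level, cats


def stage_policy(obj: CloudObject, action: Action) -> Optional[str]:
    """Lifecycle-dependent restriction checked before the multilevel rules.
    Returns a denial reason, or None when the object's stage permits the operation."""
    if obj.stage == "destroyed":
        return "object destroyed: all access denied"
    if obj.stage == "creating" and action.subject.name != obj.owner:
        return "object still being created: only its owner may access it"
    if obj.stage == "archived" and action.op == "write":
        return "archived object is read-only"
    return None


def decide(action: Action, obj: CloudObject) -> Tuple[bool, str]:
    """Full decision: lifecycle policy first, then the BLP rules on the action's label."""
    reason = stage_policy(obj, action)
    if reason is not None:
        return False, reason
    a_level, a_cats = action.label()
    a_desc = f"{a_level}/{sorted(a_cats)}"
    o_desc = f"{obj.level}/{sorted(obj.categories)}"
    if action.op == "read":
        # Simple security property (no read-up): the action's label must dominate the object's.
        if dominates(a_level, a_cats, obj.level, obj.categories):
            return True, f"read permitted: action {a_desc} dominates object {o_desc}"
        return False, f"read-up blocked: action {a_desc} does not dominate object {o_desc}"
    if action.op == "write":
        # *-property (no write-down): the object's label must dominate the action's, so
        # nothing the action could observe can flow into a lower-labelled object.
        if dominates(obj.level, obj.categories, a_level, a_cats):
            return True, f"write permitted: object {o_desc} dominates action {a_desc}"
        return False, f"write-down blocked: object {o_desc} does not dominate action {a_desc}"
    return False, f"unknown operation {action.op!r}"


# Constructed sample subjects and objects (not from the dissertation).
ALICE = Subject("alice", "secret", frozenset({"finance", "hr"}))
BOB = Subject("bob", "internal", frozenset())
LEDGER = CloudObject("ledger.xml", "alice", "confidential", frozenset({"finance"}), "active")
NOTICE = CloudObject("notice.xml", "bob", "public", frozenset(), "active")
DRAFT = CloudObject("draft.xml", "alice", "internal", frozenset(), "creating")
ARCHIVE = CloudObject("fy2013.xml", "alice", "internal", frozenset(), "archived")


def demo() -> Dict[str, Tuple[bool, str]]:
    """Scenarios that make each rule fire; returns scenario name -> (allowed, reason)."""
    office, night = time(10, 0), time(22, 0)
    return {
        "alice_reads_ledger_in_office": decide(Action(ALICE, "read", office, "office"), LEDGER),
        "alice_reads_ledger_remotely": decide(Action(ALICE, "read", office, "remote"), LEDGER),
        "bob_reads_ledger": decide(Action(BOB, "read", office, "office"), LEDGER),
        "bob_writes_ledger": decide(Action(BOB, "write", office, "office"), LEDGER),
        "alice_writes_public_notice": decide(Action(ALICE, "write", office, "office"), NOTICE),
        "alice_writes_ledger_at_night": decide(Action(ALICE, "write", night, "office"), LEDGER),
        "bob_reads_draft_being_created": decide(Action(BOB, "read", office, "office"), DRAFT),
        "alice_writes_archived_file": decide(Action(ALICE, "write", office, "office"), ARCHIVE),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:32s} {'ALLOW' if allowed else 'DENY':5s} {reason}")
```

Two outcomes are worth noticing when running it. Alice, cleared for secret, is refused the confidential ledger when she reads it remotely, because the label of the remote action, not her clearance, is what the read rule checks; this is the temporal/spatial factor that contribution (1) adds to BLP. Bob, cleared only for internal, may still write into the confidential ledger, and Alice may write into it at night even though her night-time label is only internal: both are write-ups, which the *-property allows because no information flows downward, whereas Alice writing into the public notice is a write-down and is refused. The lifecycle stage is consulted first, so the draft that is still being created is closed to everyone but its owner and the archived file refuses every write regardless of labels, which is the stage-driven policy adjustment of contribution (4).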
[Degree-granting institution]: Xidian University (西安电子科技大学)
[Degree level]: Doctor
[Year degree granted]: 2014
[CLC classification number]: TP393.08
Page ID: 1664234
Page link: https://www.wllwen.com/guanlilunwen/ydhl/1664234.html