云计算中基于属性的访问控制模型研究

发布时间：2018-06-30 19:14

本文选题：访问控制 + 属性　；参考：《东北大学》2014年硕士论文

【摘要】：随着云计算逐渐普及,对于云计算的研究也越发的多了起来,同时云计算逐渐暴露出更多的安全隐患。本文针对云服务运行和管理面临的安全隐患,结合下一代访问控制技术核心思想及基于属性的访问控制思想设计一个适用云计算中跨系统的访问控制模型。本文首先分析了传统访问控制技术的不足,进而提出了云环境中基于属性的访问控制模型C-ABAC模型,并从属性的授权管理、策略的管理、策略的决策与跨系统访问等方面对模型的系统框架结构进行设计,提出了虚拟客体、策略存储管理点和跨系统访问点等模块。在C-ABAC模型的基础上从类型和管理位置两个角度对属性进行分类定义,并形式化的定义了C-ABAC模型中访问控制请求、访问控制决策。从复杂多样化的属性管理及跨系统的安全互操作两个角度对C-ABAC模型进行深入的设计研究。在复杂多样化属性管理方面的工作,本文从三方面进行分析设计。首先,属性的自身管理方面提出了属性的创建、上传、更新及删除等演变机制。其次在属性之间的管理方面本文提出了六种属性相关关系分成了两大类。最后提出了跨系统授权和跨系统属性迁移两种方案来解决跨系统访问时属性与策略之间的一致性问题。有关C-ABAC模型安全互操作方面的工作,本文首先针对跨系统的属性迁移机制提出了三种错误检查模型,以实现迁移中的安全性验证,解决了属性迁移带来的安全隐患。其次对于属性自身安全问题,本文将信誉机制和属性结合起来,提出了两种属性信誉度的评估方法。最后,在访问控制策略的实现阶段,将C-ABAC模型应用到医疗健康管理系统的云计算案例中。结合新的访问控制实现机制XACML3.0,将该案例模型化并实施策略。根据t-way组合算法编写测试用例进行验证。分析对比C-ABAC模型和传统的属性访问控制模型访问控制决策点的反应时间,可以看出C-ABAC模型在实现了复杂多样化管理和安全互操作的基础上,系统仍然保持高效灵活性。
[Abstract]:With the popularity of cloud computing, the research on cloud computing has become more and more, at the same time, cloud computing gradually exposed more security risks. In this paper, a cross-system access control model for cloud computing is designed based on the core idea of the next generation access control technology and the attribute-based access control idea in view of the hidden security problems facing the operation and management of cloud services. In this paper, the shortcomings of traditional access control techniques are analyzed, and then the attribute-based access control model C-ABAC in cloud environment is put forward, and the authorization management of attributes and the management of policy are presented. The system frame structure of the model is designed in the aspects of policy decision and cross-system access, and the virtual object, policy storage management point and cross-system access point module are proposed. On the basis of C-ABAC model, attributes are classified and defined from two aspects of type and management position, and access control requests and access control decisions in C-ABAC model are formally defined. The C-ABAC model is designed and studied from two aspects of complex and diversified attribute management and security interoperability of cross-system. In the work of complex and diversified attribute management, this paper analyzes and designs from three aspects. Firstly, the management of attributes puts forward the mechanism of creating, uploading, updating and deleting attributes. Secondly, in the management of attributes, this paper puts forward six kinds of attribute correlation, which can be divided into two categories. Finally, two schemes of cross-system authorization and cross-system attribute migration are proposed to solve the problem of consistency between attributes and policies when accessing across systems. With regard to the security interoperability of C-ABAC model, this paper first proposes three kinds of error checking models for cross-system attribute migration mechanism, in order to implement security verification in migration, and solve the security hidden danger caused by attribute migration. Secondly, for the security of attribute itself, this paper combines reputation mechanism with attribute, and puts forward two methods to evaluate attribute reputation. Finally, the C-ABAC model is applied to the cloud computing case of the medical health management system in the implementation phase of the access control policy. Combined with the new access control implementation mechanism XACML 3.0, the case is modeled and implemented. Test cases are written according to t-way combination algorithm for verification. By analyzing and comparing the reaction time of C-ABAC model and traditional attribute access control model, it can be seen that the C-ABAC model still maintains high efficiency and flexibility on the basis of complex and diversified management and security interoperability.
【学位授予单位】：东北大学
【学位级别】：硕士
【学位授予年份】：2014
【分类号】：TP393.08

【相似文献】