Behavior-based access control

Notes on the third chapter of the book, "Access control technology in complex network environments", read together with the rest of the book and focused on understanding the basic concepts.

1 Application Scenarios

  • Traditional hierarchical data management relies on the security labels of subjects and objects to constrain how permissions are distributed in access control. In a complex network environment, subjects sit at different physical locations, use different hardware and software platforms, arrive over a variety of networks, and access objects managed by multiple parties at any time. In such an environment, security labels on subject and object alone can no longer provide multi-level access control and the further security features that are needed.
  • In addition, multi-level security access control models and mechanisms depend on how operating systems, database management systems and large-scale information systems are implemented. Operating systems manage data at the granularity of files, database management systems at the granularity of tables and fields, and multi-information systems manage data through database management systems. An access control model whose management granularity is the file cannot meet the fine-grained, object-oriented data management needs of a network environment.
  • Access control requirements
    • Access to information resources is open and dynamic.
    • A behavior-based access control model that can be managed effectively.
    • Dynamic, elastic adjustment when the access control elements (subject and object security level, role, tense, environment) change.

2 ABAC: the behavior-based access control model

2.1 Understanding the definition of "behavior"

A behavior refers to a role r exercising, at a certain time t and under certain environmental conditions e, the permission set needed to achieve a described function. That is, when a user u wants to obtain the permissions of a role, it starts a session s, and the permission p is granted according to the role, the temporal state and the environment information, where u ∈ U, s ∈ S, p ∈ P, r ∈ R, t ∈ T, e ∈ E. A behavior can be represented as a triple (r, t, e).

User: a person or an autonomous agent; the set of users is denoted U.
Role: a description of the set of permissions needed to carry out some function; roles and users are in a many-to-many relationship; the set of roles is denoted R.
Session: a mapping from a user to the activated role (set); the set of sessions is denoted S.
Permission: an access mode on an object in the system; the set of permissions is denoted P.
Tense: a set of time constraints; the set of tenses is denoted T.

2.2 An example to understand the behavior hierarchy and inheritance

  • The figure (not reproduced here) shows an example of a behavior hierarchy. For the inheritance path l = (a1, a5, a8, a10), the effective role set, effective state set and effective environment set that behavior a1 inherits along path l are (r1, r5, r8, r10), (t1, t5, t8, t10) and (e1, e5, e8, e10) respectively.
  • In a behavior hierarchy, the effective role set, effective state set and effective environment set of a behavior are collected over all of its inheritance paths. The effective full role set, effective full temporal set and effective full environment set of behavior a1 are (r1, r3, r5, r7, r8, r10), (t1, t3, t5, t7, t8, t10) and (e1, e3, e5, e7, e8, e10).
  • Suppose behavior a7 is the lowest-level behavior that may hold permission p; the effective role set, effective temporal set and effective environment set of permission p are then
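The inheritance computation described above, as an added Python example that is not from the original post or the cited papers. Each behavior is the triple (r, t, e) of Section 2.1; the inheritance edges are my assumption, chosen so that a1 reaches exactly a3, a5, a7, a8 and a10, matching the sets quoted for the figure.

```python
# Constructed example: each behavior a_i is the triple (r_i, t_i, e_i) of
# Section 2.1. The inheritance edges are an assumption, chosen so that a1
# reaches exactly a3, a5, a7, a8 and a10 (the figure itself is not on the page).
BEHAVIORS = {
    "a1": ("r1", "t1", "e1"), "a3": ("r3", "t3", "e3"),
    "a5": ("r5", "t5", "e5"), "a7": ("r7", "t7", "e7"),
    "a8": ("r8", "t8", "e8"), "a10": ("r10", "t10", "e10"),
}
# behavior -> the lower behaviors it directly inherits from
INHERITS = {
    "a1": ["a3", "a5"], "a3": ["a7"], "a5": ["a8"],
    "a7": ["a10"], "a8": ["a10"], "a10": [],
}

def effective_sets_along_path(path):
    """Effective (role, tense, environment) sets collected along one inheritance path."""
    roles, tenses, envs = set(), set(), set()
    for a in path:
        r, t, e = BEHAVIORS[a]
        roles.add(r)
        tenses.add(t)
        envs.add(e)
    return roles, tenses, envs

def reachable(behavior):
    """Every behavior reachable from `behavior` through inheritance, itself included."""
    seen, stack = set(), [behavior]
    while stack:
        a = stack.pop()
        if a not in seen:
            seen.add(a)
            stack.extend(INHERITS[a])
    return seen

def effective_full_sets(behavior):
    """Union over all inheritance paths: the 'effective full' sets of Section 2.2."""
    return effective_sets_along_path(reachable(behavior))

def is_acyclic():
    """A cycle would let every member inherit everything, so reject such a hierarchy."""
    state = {}
    def visit(a):
        if state.get(a) == "active":
            return False
        if state.get(a) == "done":
            return True
        state[a] = "active"
        ok = all(visit(c) for c in INHERITS[a])
        state[a] = "done"
        return ok
    return all(visit(a) for a in INHERITS)
```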

2.3 ABAC model

3 Behavior-based access control management model

An administrative behavior ada is a special behavior: it satisfies all the properties of a behavior, but its environmental conditions and temporal state are restricted, for example the physical location is inside the organization, the network location is on the internal private network, the hardware and software platform supports cryptographic operations, and the temporal state is working hours. ada can be expressed as (ar, limt, lime), where ar ∈ AR, limt ∈ T, lime ∈ E. The set of administrative behaviors is ADA, the set of limt values is LIMT, and the set of lime values is LIME.

4 Behavior-based multi-level security access control model

The basic elements of the behavior-based multi-level security access control model are subject, session, role, tense, environment, behavior, object, permission and so on. To further meet multi-level security needs while ensuring the confidentiality and integrity of objects, security attributes must be added to subjects, behaviors and objects in the behavior-based access control model, and the related concepts defined.

  • Security attribute Pr: used to describe the security level and visibility of subjects, objects and behaviors, represented as the set Pr = L × C. L is the set of security levels, describing the sensitivity level of subjects and objects; C is the set of security categories, i.e. the access categories of subjects and objects.
  • The user's abstract operations are of four basic types:
    • 1) Read: read the object itself or its related description information.
    • 2) Write: for users with read and write permission. So as not to damage the integrity requirements of the security model, writes are divided into two classes here: trusted writes and non-trusted writes. A trusted write is a write request made by a trusted subject to an object of the same security level as the subject; the operation writes directly to the object. Users who may perform trusted writes are the object's owner or an associated system administrator. A non-trusted write is a write operation by a non-trusted user on the object: the written information is stored temporarily in an area associated with the object and waits for the object's owner or administrator to review it; the write operation is completed only after the review is passed.
    • 3) Execute: a subject may run the corresponding object (a program).
    • 4) Append: a "write-only, no read" operation on the object; the difference from the write operation is that a user with write permission may also read the object.
      Security rules: get-read obtains read permission; get-write obtains write permission; get-execute obtains execute permission; get-append obtains append permission.
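The security attribute Pr = L × C and the operations above, as an added Python example that is not from the original post or the cited papers. The dominance comparison between labels, and the rule that an append is allowed only when the object's label dominates the subject's, are my assumptions: the page names the sets L and C but does not state how labels are compared.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Pr:
    """Security attribute Pr = L x C: a level from L and a set of categories from C."""
    level: int
    categories: frozenset

    def dominates(self, other):
        # Assumption: lattice dominance (higher-or-equal level, superset of the
        # categories); the page names L and C but does not spell the comparison out.
        return self.level >= other.level and self.categories >= other.categories

@dataclass
class Obj:
    label: Pr
    owner: str
    content: list = field(default_factory=list)
    pending: list = field(default_factory=list)   # area holding non-trusted writes for review

def get_read(subject, obj):
    """Read the object or its description: allowed only if the subject dominates it."""
    return list(obj.content) if subject.dominates(obj.label) else None

def get_write(subject, trusted, obj, data):
    """A trusted write at the object's own level lands directly; any other write waits for review."""
    if trusted and subject == obj.label:
        obj.content.append(data)
        return "written"
    obj.pending.append(data)
    return "pending"

def review_pending(reviewer, admins, obj, accept):
    """Only the owner or an administrator may move pending data into the object."""
    if reviewer != obj.owner and reviewer not in admins:
        raise PermissionError("review requires the object owner or an administrator")
    count = len(obj.pending)
    if accept:
        obj.content.extend(obj.pending)
    obj.pending.clear()
    return count

def get_append(subject, obj, data):
    """Write-only: the subject adds data but never sees existing content.
    Assumption: permitted when the object dominates the subject, so nothing flows down."""
    if not obj.label.dominates(subject):
        return False
    obj.content.append(data)
    return True
```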



Origin www.cnblogs.com/20199321zjy/p/12564970.html