
Research on Access Control Technology for Cloud Computing

Published: 2018-03-25 18:00

  Topic: cloud computing environment. Focus: action-based multilevel access control. Source: Xidian University, doctoral dissertation, 2014.


[Abstract]: Cloud computing has made resource sharing the central theme of network development in the new era. Data hosted in the cloud is freed from constraints of time and space, and it shows four characteristics: multilevel management, object-oriented description, randomized storage and dynamic security policy. Research on cloud access control therefore has to address a complex and changeable environment and solve several problems: user access is random, permission descriptions vary, resources need fine-grained description, resource creation has to be tied to access control, and security policy has to be adjusted dynamically. The goal is security management that keeps cloud data trustworthy, reliable and controllable. Addressing the security problems that access control research faces in cloud computing, this dissertation analyses application scenarios including multilevel multi-factor management, fine-grained description, creation, migration and life-cycle control of cloud data. Drawing on Action Based Access Control (ABAC), multilevel security models and proxy re-encryption, it investigates several key access control technologies for cloud computing. The main contributions are as follows.

(1) An access control model that combines a multi-factor access control mechanism with multilevel security is studied, and an action-based multilevel security access control model is proposed. By extending the description of a subject's security level and category to the action, the BLP model is combined with the ABAC model. Read and write security levels of an action are defined, the security rules for basic operations are described, and a corresponding implementation scheme is given. The model adds multilevel security attributes to a multi-factor access control model, which resolves the lack of temporal and spatial factors in existing multilevel security enforcement, and it provides theoretical and practical support for access control and management of information systems under cloud computing, mobile computing and other computing modes. This model is the foundation for the rest of the work and the starting point for the study of access control in cloud computing.

(2) To support multilevel security management and fine-grained permission description for objects in the action-based multilevel access control model, a multi-factor fine-grained permission description mechanism for structured documents is studied. For the description requirements of multilevel security management of structured documents in complex network environments, a structured document description model oriented to multilevel security is proposed. For the object-oriented, fine-grained permission description requirements of structured documents, an action-based fine-grained access control mechanism for structured documents is proposed, together with the corresponding access control protocol and formal definitions of its functions in Z notation. The security and applicability of these mechanisms are analysed and a concrete implementation scheme is given. Structured documents are an important form of cloud data and a medium for distributing information, so they are critical to cloud security research, and multilevel security with fine-grained description of structured documents is an indispensable part of access control in cloud computing.

(3) Combining the multi-factor fine-grained description model for structured documents with the access control mechanism, techniques and mechanisms for secure creation and management of data in cloud computing are studied, and a user-centric data secure creation scheme (UCDSC) for cloud computing is proposed, comprising a system model, an algorithm and an application protocol. For the algorithm, the subject's access control conditions are introduced into proxy re-encryption, giving an Access Control Conditions based Proxy Re-encryption algorithm (ACC-PRE) that has CCA security and master-key security. For the application protocol, mature cryptographic techniques are used to build a secure and trustworthy protocol, and the security of the protocol and the performance of the algorithm are analysed in detail. Finally, an application scheme and system framework for UCDSC in cloud document creation and management are given. Secure data creation builds on the fine-grained, multilevel description model and in turn provides the data foundation for multilevel management of cloud information and for the fine-grained permission description mechanism.

(4) Considering the life-cycle nature of cloud data management, and combining the action-based multilevel access control model, the fine-grained resource permission description mechanism and the creation mechanism, a Resource-Centric Dynamic Adaptive Access Control Model (RCDA) is proposed to meet the need for dynamically changing access control policy. By extending the ABAC model, it allows the access control policy description to be adjusted dynamically. A dynamic adaptive access control mechanism based on the cloud resource life cycle is proposed, in which the life-cycle stage of the object is the basis for adaptive adjustment of the access control policy, so that the data security policy changes dynamically and adaptively with the life cycle. This mechanism brings together multi-factor access control, multilevel management, fine-grained description and secure creation of cloud data, is an important application of the above models and mechanisms to cloud resource life-cycle management, and lays a foundation for later research on security management across the full life cycle of cloud data.

[Degree-granting institution]: Xidian University
[Degree level]: Doctoral
[Year degree granted]: 2014
[Classification number]: TP393.08

