Research and Application of a G-SIS Model Based on the TRILL Protocol with Time and Level Constraints
Published: 2018-04-26 21:24
Topic: group-centric secure information sharing + TRILL protocol; Source: Nanchang Hangkong University (南昌航空大学), 2014 master's thesis
[Abstract]: Social, economic and cultural development requires the sharing of resources across many fields, and the rapid growth of information and Internet technology has heightened attention to information-sharing technology. To better support information sharing, traditional access control technology will be replaced by new access control technology. Group-centric Secure Information Sharing (G-SIS), introduced as a new access control technology, not only overcomes the shortcomings of traditional access control, namely that subject authorizations propagate easily (DAC), that subject and object security attributes cannot change (MAC), and that authorization is confined to roles (RBAC), but also inherits the eight components of usage control (UCON) together with attribute mutability and continuity of decision. Using the notion of a group, subjects and objects are managed together at group level, and additional attributes are proposed on top of the core attributes to make authorization more flexible. Most existing data-centre network architectures use a Layer 2 aggregation plus Layer 3 access design, that is, a multi-protocol combination of Layer 2 protocols such as STP with Layer 3 routing protocols, rather than a single unified protocol architecture. Within a single Layer 2 network segment, subjects and objects are identified by MAC address, whereas across different Layer 3 segments they must be identified by IP address. The TRILL protocol's Nickname, by contrast, can both map to Layer 2 MAC address learning within a segment and perform Layer 3-style IP routing computation across segments, so a single set of protocol-level access control policies suffices. The G-SIS model mainly groups subjects and objects, but subjects within a group have no unique identifier. In TRILL, a Nickname plays the role of an IP address, corresponds to each device's MAC address and is unique network-wide; the Egress Nickname, the Nickname of the port from which a message is sent, determines where a requester comes from and can therefore be used to uniquely identify a G-SIS subject. In the G-SIS model, users in a group may access that group's resources, but subjects are not divided into levels. We therefore add a level constraint, so that subjects of different levels within a group hold different permissions and can change role under specified conditions. We also add a time constraint to G-SIS, addressing the fact that the G-SIS model relies solely on group operations (subject join and leave, object add and remove) for its temporal behaviour. This provides a temporal design for subject level and role changes and also places time-bounded control on subjects' operations on object resources. These policies are formalized in the language of linear temporal logic (LTL). Finally, the PEI (policy, enforcement, implementation) framework is applied to the G-SIS model: at the policy layer (Policy Mode) we propose the policies for Nickname-based subject identification, subject levels and time constraints; at the enforcement layer (Enforcement Mode) the G-SIS policies are designed as LTL-specified workflows; and at the implementation layer (Implementation Mode) the policy-enhanced G-SIS model is applied to three common large and medium-sized network information systems: an online banking system, an enterprise training system and an e-commerce festival promotion system.
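As an added illustration, not the thesis's own model or code, the following Python sketch shows how the three ideas named in the abstract combine in a single authorization decision: subjects are keyed by a TRILL nickname, a subject's group membership and an object's presence in the group are time intervals, each action carries a minimum subject level and an allowed time window, and a subject's level rises after a set tenure (the role change under specified conditions). The class names, the tick-based logical clock, the sample policy and the join/add semantics (an access is permitted only while both the subject's membership and the object's presence overlap the request time) are constructed assumptions, not definitions taken from the thesis.

```python
"""Toy evaluator for a G-SIS-style policy with level and time constraints.

Constructed illustration: subjects are identified by TRILL nickname, a group
membership is the interval [joined, left), an object belongs to a group for the
interval [added, removed), and each action is gated by a minimum level plus an
allowed time window. Time is a logical clock in integer ticks.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Membership:
    group: str
    level: int                   # base level assigned at join time (1 = lowest)
    joined: int                  # tick at which the subject joined the group
    left: Optional[int] = None   # tick at which it left; None = still a member


@dataclass
class Obj:
    group: str
    added: int                   # tick at which the object was added to the group
    removed: Optional[int] = None


@dataclass
class Policy:
    # action -> (minimum level, (first tick, last tick) in which the action is allowed)
    rules: Dict[str, Tuple[int, Tuple[int, int]]]
    promote_after: int           # continuous tenure (ticks) after which the level rises by one
    max_level: int = 3


@dataclass
class State:
    members: Dict[int, Membership] = field(default_factory=dict)   # nickname -> membership
    objects: Dict[str, Obj] = field(default_factory=dict)          # object id -> object


def active(start: int, end: Optional[int], t: int) -> bool:
    """True if tick t lies in the half-open interval [start, end)."""
    return start <= t and (end is None or t < end)


def effective_level(m: Membership, policy: Policy, t: int) -> int:
    """Level constraint with a time-driven role change: after promote_after ticks
    of membership the subject's level is raised by one, capped at max_level."""
    bump = 1 if t - m.joined >= policy.promote_after else 0
    return min(m.level + bump, policy.max_level)


def authorize(policy: Policy, state: State, nickname: int,
              obj_id: str, action: str, t: int) -> Tuple[bool, str]:
    """Decide whether the subject with this nickname may perform action on obj_id at tick t."""
    m = state.members.get(nickname)
    if m is None:
        return False, "unknown nickname"
    if not active(m.joined, m.left, t):
        return False, "membership not active at t"
    o = state.objects.get(obj_id)
    if o is None or o.group != m.group:
        return False, "object not in the subject's group"
    if not active(o.added, o.removed, t):
        return False, "object not present in group at t"
    rule = policy.rules.get(action)
    if rule is None:
        return False, "no rule for action"
    min_level, (w_start, w_end) = rule
    if not (w_start <= t <= w_end):
        return False, "outside the action's time window"
    lvl = effective_level(m, policy, t)
    if lvl < min_level:
        return False, f"level {lvl} below required {min_level}"
    return True, f"permit (level {lvl})"


def sample() -> Tuple[Policy, State]:
    """Constructed scenario: a training group with two trainees and one course object."""
    policy = Policy(rules={"read": (1, (0, 100)), "write": (2, (0, 100))},
                    promote_after=10)
    state = State()
    state.members[0x1001] = Membership("training", level=1, joined=0)          # still a member
    state.members[0x1002] = Membership("training", level=1, joined=0, left=8)  # left at tick 8
    state.objects["course-1"] = Obj("training", added=5)
    return policy, state


if __name__ == "__main__":
    policy, state = sample()
    for nick, act, t in [(0x1001, "read", 6), (0x1001, "write", 6), (0x1001, "write", 12),
                         (0x1001, "read", 3), (0x1002, "read", 9), (0x1001, "read", 150)]:
        print(f"nickname {nick:#06x} {act:5} @t={t:3}: {authorize(policy, state, nick, 'course-1', act, t)}")
```

The checks are ordered so that the cheapest structural refusals (unknown nickname, inactive membership, wrong group) come before the level computation; in a real enforcement point the same ordering keeps the decision log readable, because the reason string names the first constraint that failed.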
[Degree-granting institution]: Nanchang Hangkong University (南昌航空大学)
[Degree level]: Master's
[Year conferred]: 2014
[Classification number]: TP393.08
Record number: 1807752
Link: http://sikaile.net/guanlilunwen/ydhl/1807752.html