中国科学院软件研究所机构知识库
Advanced  
ISCAS OpenIR  > 中科院软件所  > 中科院软件所
题名:
基于属性的访问控制管理
作者: 李晓峰
答辩日期: 2007-05-27
授予单位: 中国科学院软件研究所
授予地点: 软件研究所
学位: 博士
关键词: 安全 ; 访问控制 ; 访问控制管理 ; XACML ; 委托
其他题名: Administration of attribute based access control
摘要: 基于属性的访问控制是目前新兴的一种访问控制技术,由于其具有良好的可扩展性而得到广泛认可。本文对基于属性的访问控制模型和基于属性的访问控制管理模型进行了研究,分析并改进了可扩展访问控制标记语言委托策略(XACML Admin)描述方式,并提出一种策略预处理方案。本文的主要研究成果如下: ①形式化描述了基于属性的访问请求判定过程,将其归结为四个关系的计算,给出了基于属性的访问控制中策略冲突、策略合并元策略和策略依赖图的定义。并针对策略依赖图,分析了可获取有效的访问控制判定应满足的充分条件。 ②讨论了基于属性的访问控制策略管理问题,用属性逻辑表达式来表示管理范围,给出基于属性的委托策略定义,同时给出了委托策略的语义解释,总结、提出了三种信任链的建立方式,讨论了这三种方式之间的区别。 ③形式化描述了XACML和XACML Admin中的策略集、策略、规则,以及其组成元素之间的逻辑关系。针对XACML Admin草案中,对于规则中委托限制处理上存在的问题,提出一种解决方案。 ④提出了一个将XACML策略树分割为访问策略树和管理策略树来提高在线判定性能的匹配方案。并在此基础上,通过构造委托图,删除管理策略树和访问策略树中的无效节点,从而避免在线判定时引起拒绝服务攻击的无效策略。
英文摘要: Attribute based access control is one kind of new access control technologies, which is recognized widely as an extensible access control technology. This work is supported by the projects applied by Chinese State Key Laboratory of Information Security. Attribute based access control and administration of attribute based access control are studied in this paper. XACML and XACML delegation policy, also called administrative policy, are analyzed and studied either. Following are main research results in this paper. ①The basic concepts in attribute based access control are defined and explained. Decision procedure of attribute based access control is proposed, which is abstracted to calculation of four relations. Policy confliction, policy combination and policy dependent graph are defined. The soundness conditions of getting one only decision are discussed. ②In discussion of administration of attribute based access control, attribute logic expression is used to describe administration scope. Delegation policy based on attribute is defined and explained. Three ways of constructing trust chain in policies are proposed. Differences between these ways are discussed. ③The logic relationships among policy set, policy, rule and the composing elements in XACML and XACML Admin are analyzed. The first order logic explanations of XACML and XACML Admin are proposed. It is a sound base for analyzing XACML and XACML Admin policies further. A schema is proposed to solve the problem, improper method of processing Delegates in Rule that makes writing delegation policies hard. ④A scheme of pre-processing XACML policy is proposed. In the scheme, policy tree is split to access control policy tree and administrative policy tree to accelerate on-line decision performance. For rejecting Dos attack, a delegation graph is constructed and is used to delete invalid nodes in access policy tree and administrative policy tree.
语种: 中文
内容类型: 学位论文
URI标识: http://ir.iscas.ac.cn/handle/311060/6982
Appears in Collections:中科院软件所

Files in This Item:
File Name/ File Size Content Type Version Access License
10001_200318015003115李晓峰_paper.pdf(523KB)----限制开放-- 联系获取全文

Recommended Citation:
李晓峰. 基于属性的访问控制管理[D]. 软件研究所. 中国科学院软件研究所. 2007-05-27.
Service
Recommend this item
Sava as my favorate item
Show this item's statistics
Export Endnote File
Google Scholar
Similar articles in Google Scholar
[李晓峰]'s Articles
CSDL cross search
Similar articles in CSDL Cross Search
[李晓峰]‘s Articles
Related Copyright Policies
Null
Social Bookmarking
Add to CiteULike Add to Connotea Add to Del.icio.us Add to Digg Add to Reddit
所有评论 (0)
暂无评论
 
评注功能仅针对注册用户开放,请您登录
您对该条目有什么异议,请填写以下表单,管理员会尽快联系您。
内 容:
Email:  *
单位:
验证码:   刷新
您在IR的使用过程中有什么好的想法或者建议可以反馈给我们。
标 题:
 *
内 容:
Email:  *
验证码:   刷新

Items in IR are protected by copyright, with all rights reserved, unless otherwise indicated.

 

 

Valid XHTML 1.0!
Copyright © 2007-2017  中国科学院软件研究所 - Feedback
Powered by CSpace