Administration of Attribute-Based Access Control (基于属性的访问控制管理)
Alternative title: Administration of attribute based access control
Li Xiaofeng (李晓峰)
2007-05-27
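Degree-granting institution: Institute of Software, Chinese Academy of Sciences
Degree: Doctorate
Place of degree conferral: Institute of Software
Keywords: security; access control; access control administration; XACML; delegation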
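Abstract: Attribute-based access control is an emerging access control technology that has gained wide acceptance because of its good extensibility. This thesis studies the attribute-based access control model and the attribute-based access control administration model, analyzes and improves the way delegation policies are described in the eXtensible Access Control Markup Language (XACML Admin), and proposes a policy pre-processing scheme. The main research results are as follows:
① The decision procedure for attribute-based access requests is described formally and reduced to the computation of four relations. Definitions are given for policy conflict, the policy-combining meta-policy, and the policy dependency graph in attribute-based access control. For the policy dependency graph, the sufficient conditions that must hold to obtain a valid access control decision are analyzed.
② The problem of administering attribute-based access control policies is discussed. Attribute logic expressions are used to express the administrative scope, an attribute-based delegation policy is defined together with its semantic interpretation, and three ways of establishing a trust chain are summarized and proposed, with the differences among them discussed.
③ The policy sets, policies and rules in XACML and XACML Admin, and the logical relationships among their constituent elements, are described formally. A solution is proposed for a problem in the XACML Admin draft concerning how delegation restrictions in rules are handled.
④ A matching scheme is proposed that splits the XACML policy tree into an access policy tree and an administrative policy tree to improve online decision performance. On this basis, a delegation graph is constructed and used to delete invalid nodes from the administrative policy tree and the access policy tree, removing invalid policies that could cause denial-of-service attacks during online decision-making.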
Alternative abstract: Attribute-based access control is a new kind of access control technology that is widely recognized for its extensibility. This work is supported by projects applied for by the Chinese State Key Laboratory of Information Security. Attribute-based access control and the administration of attribute-based access control are studied in this thesis. XACML and the XACML delegation policy, also called the administrative policy, are also analyzed and studied. The main research results are as follows.
① The basic concepts of attribute-based access control are defined and explained. A decision procedure for attribute-based access control is proposed and abstracted to the calculation of four relations. Policy conflict, policy combination and the policy dependency graph are defined. The soundness conditions for obtaining a single decision are discussed.
② In the discussion of the administration of attribute-based access control, attribute logic expressions are used to describe the administration scope. An attribute-based delegation policy is defined and explained. Three ways of constructing a trust chain in policies are proposed, and the differences between them are discussed.
③ The logical relationships among policy set, policy, rule and their composing elements in XACML and XACML Admin are analyzed. First-order logic interpretations of XACML and XACML Admin are proposed, which provide a sound basis for further analysis of XACML and XACML Admin policies. A scheme is proposed to solve the problem that the improper method of processing Delegates in Rule makes delegation policies hard to write.
④ A scheme for pre-processing XACML policies is proposed. In the scheme, the policy tree is split into an access control policy tree and an administrative policy tree to improve online decision performance. To resist DoS attacks, a delegation graph is constructed and used to delete invalid nodes in the access policy tree and the administrative policy tree.
Pages: 117
Language: Chinese
Content type: Dissertation
URI: http://ir.iscas.ac.cn/handle/311060/6982
Collection: Institute of Software, Chinese Academy of Sciences
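Recommended citation
GB/T 7714
Li Xiaofeng. Administration of Attribute-Based Access Control [D]. Institute of Software. Institute of Software, Chinese Academy of Sciences, 2007.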
Files in this item
File name/size: 10001_20031801500311 (523KB)
Access type: Restricted access (full text on request)
Unless otherwise stated, all content in this system is protected by copyright, with all rights reserved.