基于行为的多级访问控制模型
Action-Based Multi-level Access Control Model
-
摘要: 通信、计算机、多媒体等技术的发展加速了信息的传播,网络上传播的数据呈现出多维化的特点.实行多级安全管理既可确保信息准确传递,又可保证数据的机密性和完整性.传统的多级安全模型已经与基于角色的访问控制(role-based access control, RBAC)等经典访问控制模型相结合,在一定程度上解决了多级安全访问控制的问题.但是,现有的多级安全访问控制机制缺少对时空要素的考虑,不适用于目前用户在任意时间、地点进行访问的多级授权管理,因此,如何实现具有时空特征的多级安全访问控制机制已成为亟待解决的问题.首先,针对性提出了一种基于行为的多级安全访问控制模型,实现了BLP模型与基于行为的访问控制(action-based access control, ABAC)模型的有机结合,将原有主体的安全等级、范畴的描述扩展到行为上.其次,为了解决用户权限依据时空伸缩的问题,在BLP模型的基础上细化了行为的安全级别,定义了行为读安全级别和行为写安全级别,同时描述了基本操作的安全规则,在保证数据机密性的基础上兼顾完整性.最后,结合提出的模型给出了相应的实施方案.基于行为的多级安全访问控制模型能够面向目前的复杂网络环境,结合时态、环境等时空因素,解决访问控制过程中用户、数据分级管理和访问控制问题.Abstract: The developments of communication, computer, and multimedia technologies have speeded up information transmission. The information has been becoming multi-dimensional. The multi-level security could not only ensure the correctness of information transmission, but also keep the integrality and confidentiality of the data. The traditional multi-level security models have been implemented with the classic access control models, such as RBAC (role-based access control), which solve the problems of multi-level access control to some extent. But they could not accommodate the users’ requirements of multi-level permission management at anytime and anywhere with the consideration of the temporal and environmental factors in the existing multi-level security access control mechanisms. How to implement the multi-level access control with the consideration of time and environment has become a problem to be solved. Firstly, we present an action-based multi-level access control model, which integrates the BLP and ABAC (action-based access control) together by extending the security level to action. Secondly, in order to solve the problem of permission specification with time and environment, we make the description of security level more detailed by defining the reading level (lr) and writing level (lw). The corresponding security rules and proof have been given. Finally, we give the implementing scheme of our model. By integrating the temporal state and environmental state together for the current complicated network, our scheme could solve the problems of the multi-level management and access control.