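Abstract:
To address two problems in existing decentralized authorization protocols, namely that supporting transitive permissions requires passing along parent permission information, which easily leads to leakage of permission information, and that the leakage of a single user's information threatens the confidentiality of other users' permissions, this paper proposes ITTDAF, a decentralized authorization framework based on an index tree structure and the trusted platform module. Its core idea is that when a user grants a permission to another user, the user must inform the entity providing the relevant resource of the authorization information; the resource entity builds an index tree structure from the authorization information and thereby learns how permissions have been passed on. When a user requests a resource from the resource entity, the user proves the validity of the permission by providing only the permission information the user holds, and does not need to know anything about the parent permission. This prevents leakage of one user's permission information from breaking the confidentiality of other users' permission information, and at the same time reduces the amount of data transmitted for permission verification and the time verification takes. All information is signed by the trusted platform module, to guarantee the uniqueness of the data's source and to bind permissions to devices, so that permission information cannot be exercised on a device that is not the user's. Compared with the comparison scheme, under the same conditions the proposed scheme reduces the amount of data needed to describe permissions by 44.2% and the time needed for permission verification by 51.2%; it offers higher security together with better availability.
Keywords: encryption and decryption; access control; decentralized authorization; transitive authorization; trusted platform module (TPM)
DOI:10.19363/J.cnki.cn10-1380/tn.2022.03.11
Received: 2021-10-26; Revised: 2022-01-08
Funding: This work was supported by the National Key R&D Program of China (No.2020YFB1005500), the Beijing Natural Science Foundation (No.M21037), the Key R&D Program of Guangdong Province (No.2019B010137003), and the Beijing Natural Science Foundation (No.M21034).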
ITTDAF: Decentralized Authorization Framework That Does Not Rely on The Transmission of Parent Permission Information
LUO Qifeng, SHI Ruisheng
School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing 100876, China
Abstract:
Existing decentralized authorization protocols need to transmit the parent permission information when one user passes permissions on to another user, which easily causes permission information to leak and threatens the confidentiality of other users' permission information. To solve this problem, this paper proposes a decentralized authorization framework, ITTDAF (Index Tree & TPM based Decentralized Authorization Framework), based on an index tree structure and the trusted platform module. The core idea is that when one user grants a permission to other users, the authorizing user needs to send the authorization information to the entities which provide the relevant resources. The resource entity generates an index tree structure based on the authorization information sent by the authorizing user, and so knows how permissions have been passed between users. When a user requests resources from a resource entity, the user only needs to provide his own permission information to the resource entity to prove the validity of the permission, and does not need to know any of the parent permission information. The permission information does not contain the relevant information of the parent permission, which prevents a leak of permission information from damaging the confidentiality of other users' permission information. This decreases the amount of data that needs to be transmitted and the time consumed by permission validation at the resource entity. All information is signed by the trusted platform module of the user's device, to ensure that the data comes from the user and to bind the permission to the device, so that the permission cannot be exercised on another user's device. Compared with the comparison scheme, under the same conditions, the scheme proposed in this paper reduces the amount of data required to describe permissions by 44.2% and the time required for permission verification by 51.2%. It not only has higher security, but also has better availability.
Key words: encryption and decryption; access control; decentralized authorization; delegated authorization; trusted platform module (TPM)
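
The core idea in the abstract, as an added illustration that is not the paper's own code or data structures: the resource entity keeps the index tree, grantors register delegations with it, and a requester presents only its own permission. Assumptions: an HMAC stands in for the TPM signature (a real deployment would verify a signature from a TPM-resident key), and the permission ids, message layout, action sets, nonce handling and `revoke` operation are all hypothetical.

```python
import hashlib
import hmac

def sign(key: bytes, msg: bytes) -> bytes:
    # Stand-in for a TPM signature (assumption): HMAC keeps the example stdlib-only.
    return hmac.new(key, msg, hashlib.sha256).digest()

def grant_msg(parent_id, new_id, holder_key, actions) -> bytes:
    key_fp = hashlib.sha256(holder_key).hexdigest()  # binds the grant to the child's device key
    return f"grant|{parent_id}|{new_id}|{key_fp}|{','.join(sorted(actions))}".encode()

def request_msg(perm_id, action, nonce) -> bytes:
    return f"req|{perm_id}|{action}|{nonce}".encode()

class ResourceEntity:
    """Holds the index tree: permission id -> parent id, device key, allowed actions."""

    def __init__(self, owner_key: bytes, actions):
        self.nodes = {"root": {"parent": None, "key": owner_key,
                               "actions": frozenset(actions), "revoked": False}}
        self.seen_nonces = set()

    def register_grant(self, parent_id, new_id, holder_key, actions, tag) -> bool:
        """Called by the grantor; the tag must come from the parent permission's device key."""
        parent = self.nodes.get(parent_id)
        if parent is None or new_id in self.nodes:
            return False
        expected = sign(parent["key"], grant_msg(parent_id, new_id, holder_key, actions))
        if not hmac.compare_digest(tag, expected):
            return False
        if not frozenset(actions) <= parent["actions"]:
            return False  # a delegated permission may not exceed its parent
        self.nodes[new_id] = {"parent": parent_id, "key": holder_key,
                              "actions": frozenset(actions), "revoked": False}
        return True

    def revoke(self, perm_id) -> None:
        self.nodes[perm_id]["revoked"] = True

    def verify_request(self, perm_id, action, nonce, tag) -> bool:
        """The requester presents only its own permission id; ancestors are looked up here."""
        node = self.nodes.get(perm_id)
        if node is None or (perm_id, nonce) in self.seen_nonces:
            return False
        if not hmac.compare_digest(tag, sign(node["key"], request_msg(perm_id, action, nonce))):
            return False
        self.seen_nonces.add((perm_id, nonce))
        while node is not None:  # walk the chain up to the root inside the resource entity
            if node["revoked"] or action not in node["actions"]:
                return False
            node = self.nodes.get(node["parent"])
        return True
```

Because the chain is walked inside the resource entity, a request carries one permission id and one signature regardless of delegation depth, and a compromised child credential reveals nothing about its ancestors.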