| 引用本文: |
-
张应辉,李怡飞,吴阿新,李燕玲,郭瑞.基于SM9的双边访问控制方案[J].信息安全学报,已采用 [点击复制]
- ZHANG Yinghui,Li Yifei,WU Axin,LI Yanling,GUO Rui.An Bilateral Access Control Scheme Based on SM9[J].Journal of Cyber Security,Accept [点击复制]
|
|
| 摘要: |
| 数据作为驱动数字经济发展的核心要素,其重要性不言而喻。确保数据隐私对推动数据合法流通共享以及促进数字经济的健康发展至关重要。访问控制机制通过制定并执行合理的访问控制策略,能够对数据访问主体及其权限进行有效约束,阻止未经授权用户的非法访问,从而降低数据泄露与滥用风险。然而,当前大部分访问控制机制要么仅能实现发送者对接收者的单向访问控制,难以应对需要双方共同制定数据使用规则的复杂场景;要么是基于国外密码算法设计实现,难以满足密码技术自主可控的发展需求。另外,现有的双边访问控制机制普遍面临着密钥托管和计算开销大等问题,在实际部署和大规模应用方面仍有待提升。为解决上述问题,本文提出了基于SM9的双边访问控制方案。该方案支持数据发送者与数据接收者双方共同制定访问控制策略,当且仅当同时满足收发双方制定的访问控制策略时,消息才可被正确恢复,从而实现细粒度的双边访问控制机制;在实现消息机密性与真实性的同时,利用无证书密码机制缓解了传统身份基密码体制下的完全密钥托管问题;并引入在线/离线技术,将加密算法中部分复杂计算提前转移至离线阶段完成,从而显著降低在线加密阶段的计算开销,提升系统在线响应效率。该方案基于国密SM9算法进行设计,有助于降低对国外密码算法的依赖,增强国家密码体系的自主可控能力。最后,安全性分析与性能评估结果表明,该方案是安全高效的。 |
| 关键词: 数据隐私 访问控制 双边访问控制 SM9 密钥托管 在线/离线技术 |
| DOI: |
| 投稿时间:2026-01-16修订日期:2026-05-13 |
| 基金项目:国家自然科学基金项目(面上项目) |
|
| An Bilateral Access Control Scheme Based on SM9 |
|
ZHANG Yinghui1, Li Yifei1, WU Axin2, LI Yanling3, GUO Rui1
|
| (1.Xi’an University of Posts and Telecommunications;2.Guangzhou University;3.Luoyang Normal University) |
| Abstract: |
| Abstract Data, as a core element driving the development of the digital economy, is undeniably crucial. Ensuring data privacy is essential for promoting the legal circulation and sharing of data and fostering the healthy development of the digital economy. Access control mechanisms, by formulating and enforcing reasonable access control policies, can effectively constrain data access subjects and their permissions, preventing unauthorized access by users and thus reducing the risk of data leakage and misuse. However, most current access control mechanisms either only achieve one-way access control from sender to receiver, making it difficult to handle complex scenarios requiring both parties to jointly formulate data usage rules; or they are based on foreign cryptographic algorithms, failing to meet the needs of independent and controllable development of cryptographic technology. Furthermore, existing bilateral access control mechanisms generally face problems such as key escrow and high computational overhead, and still need improvement in practical deployment and large-scale application. To address these issues, this paper proposes a bilateral access control scheme based on SM9. This scheme supports the joint development of access control policies by both the data sender and receiver. A message can only be correctly recovered if both parties' access control policies are simultaneously satisfied, thus achieving a fine-grained bilateral access control mechanism. While ensuring message confidentiality and authenticity, it alleviates the full key escrow problem under traditional identity-based cryptography by utilizing a certificateless cryptographic mechanism. Furthermore, it introduces online/offline technology, transferring some complex calculations in the encryption algorithm to the offline stage in advance, thereby significantly reducing the computational overhead of the online encryption stage and improving the system's online response efficiency. Based on the national standard SM9 algorithm, this scheme helps reduce dependence on foreign cryptographic algorithms and enhances the independent controllability of the national cryptographic system. Finally, security analysis and performance evaluation results show that this scheme is secure and efficient. |
| Key words: Data privacy access control bilateral access control SM9 key escrow online/offline technique |
