[go: up one dir, main page]

CN114666067A - Cross-domain fine-grained attribute access control method and system based on block chain - Google Patents

Cross-domain fine-grained attribute access control method and system based on block chain Download PDF

Info

Publication number
CN114666067A
CN114666067A CN202210562634.0A CN202210562634A CN114666067A CN 114666067 A CN114666067 A CN 114666067A CN 202210562634 A CN202210562634 A CN 202210562634A CN 114666067 A CN114666067 A CN 114666067A
Authority
CN
China
Prior art keywords
node
subject
value
trust
attribute
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202210562634.0A
Other languages
Chinese (zh)
Other versions
CN114666067B (en
Inventor
万武南
蒲槐霖
蒋秋璐
张仕斌
张金全
秦智
韩慧
邱晓芳
郭锦良
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Chengdu University of Information Technology
Original Assignee
Chengdu University of Information Technology
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Chengdu University of Information Technology filed Critical Chengdu University of Information Technology
Priority to CN202210562634.0A priority Critical patent/CN114666067B/en
Publication of CN114666067A publication Critical patent/CN114666067A/en
Application granted granted Critical
Publication of CN114666067B publication Critical patent/CN114666067B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a cross-domain fine-grained attribute access control method and a system based on a block chain, wherein a task state attribute is introduced into an attribute access control model on the basis of the block chain and the attribute access control method, the authority of a requester can be dynamically allocated according to information such as task state, required conditions and the like, and a method for calculating the trust value of a subject node by using the attribute of the subject node, the environment attribute and the like can help a subject node to judge whether the subject node can access own resources or not, the comprehensive trust value of the subject node can be updated in real time, the authority of the requester is dynamically allocated by using the comprehensive trust value of the subject node, the requester only has the minimum authority for accessing the resources, the attribute-based fine-grained access control is achieved, a malicious requester has no additional authority which can be utilized, and the calculation overhead and space overhead of the cross-domain access control are reduced, meanwhile, the method can well resist unauthorized attack, fake impersonation attack and collusion attack.

Description

基于区块链的跨域细粒度属性访问控制方法及系统Blockchain-based cross-domain fine-grained attribute access control method and system

技术领域technical field

本发明涉及区块链技术领域,具体的说,涉及一种基于区块链的跨域细粒度属性访问控制方法及系统。The invention relates to the technical field of blockchain, in particular to a method and system for cross-domain fine-grained attribute access control based on blockchain.

背景技术Background technique

访问控制作为维护互联网中信息、数据、资源等安全性的一种重要技术手段,随着互联网的发展,已经有了很多种类的访问控制技术被提出,比如最典型的自主访问控制、强制访问控制、基于角色的访问控制,但是这些访问控制最主要的问题就是它们都是属于静态的访问控制,无法动态分配权限,提出的一些新的访问控制技术如基于属性的访问控制、基于任务流的访问控制、基于信任的访问控制等。Access control is an important technical means to maintain the security of information, data, and resources in the Internet. With the development of the Internet, many types of access control technologies have been proposed, such as the most typical autonomous access control and mandatory access control. , role-based access control, but the main problem of these access controls is that they are all static access controls and cannot dynamically assign permissions. Some new access control technologies such as attribute-based access control and task flow-based access are proposed. control, trust-based access control, etc.

并且随着区块链技术越来越成熟,访问控制结合区块链的应用研究越来越多。从2017年开始就陆续出现了访问控制结合区块链的研究案例,这使得传统访问控制的单点故障、可靠性低和可信性难以保证的问题得以解决。随后,智能合约的出现,让访问控制在区块链上的实现更加完善,对访问主体的权限管理更加自动化。它通过将访问主客体间的信息交互作为交易信息来实现可信的访问控制。以及随着如今物联网、区块链应用于各个行业的实例越来越多,场景需求也就越来越复杂,很多情况下,组织之间的访问就显得极为重要,基于区块链跨域数据访问控制策略被提出。目前存在着多种基于区块链的访问控制方案,但面临复杂的应用系统,仍然存在动态分配访问控制权限粒度不够,访问控制流存在安全隐患,以及多域之间跨域数据访问权限的管理仍需进一步加强等问题。And as the blockchain technology becomes more and more mature, there are more and more application researches on access control combined with blockchain. Since 2017, research cases of access control combined with blockchain have appeared one after another, which has solved the problems of single point of failure, low reliability and difficulty in guaranteeing reliability of traditional access control. Subsequently, the emergence of smart contracts made the implementation of access control on the blockchain more complete, and the authority management of access subjects was more automated. It realizes credible access control by taking the information interaction between the access subject and the object as transaction information. And as there are more and more instances of IoT and blockchain being applied to various industries, scenario requirements are becoming more and more complex. In many cases, access between organizations is extremely important. Based on blockchain cross-domain Data access control policies are proposed. There are currently a variety of access control schemes based on blockchain, but in the face of complex application systems, there are still insufficient granularity of dynamic allocation of access control permissions, security risks in access control flow, and management of cross-domain data access permissions between multiple domains Still need to further strengthen and other issues.

现如今大多数国内外学者对于区块链的研究都集中在区块链的应用上面,由于区块链的去中心化的特点,区块链被应用到了很多领域中来解决这些领域已存在的中心化所带来的单点故障的问题,Jason Paul Cruz就于2018年提出了在区块链中基于角色的访问控制方案(RBAC-SC)。Riabi等人提出了基于区块链角色令牌访问控制方案,该方案的访问控制是通过区块链来实现的,模型中存在三种角色分别是资源拥有者、资源请求者、矿工,资源请求者需要通过申请加入到资源拥有者的ACL表中(该ACL表存储在智能合约上),再得到矿工的令牌才能实现访问控制,该模型的提出是为了解决物联网中的单点故障问题。G.Ali等人提出一个基于区块链的去中心化的物联网权限委托和访问控制框架——xDBAuth,构造了一个本地和全球智能合约的层次结构,为内部和外部用户/物联网执行权限委托和访问控制。史子卉等人提出一种基于区块链的跨域访问控制方法,该方法根据令牌生成阶段对令牌的处理可以防止伪造令牌的行为,根据动态验证可以抵抗中间人攻击,防止恶意节点对系统进行泛洪攻击,防止单点故障导致系统异常的行为发生,基于区块链的透明与公开特性,所有节点均可以通过访问区块链中的交易和智能合约来同步状态,提供了更加细粒度、更安全的访问控制。Nowadays, most domestic and foreign scholars' research on blockchain focuses on the application of blockchain. Due to the decentralization of blockchain, blockchain has been applied to many fields to solve existing problems in these fields. The problem of single point of failure caused by centralization, Jason Paul Cruz proposed a role-based access control scheme (RBAC-SC) in the blockchain in 2018. Riabi et al. proposed a blockchain-based role token access control scheme. The access control of this scheme is implemented through blockchain. There are three roles in the model: resource owner, resource requester, miner, and resource requester. The miner needs to apply to join the resource owner's ACL table (the ACL table is stored on the smart contract), and then obtain the miner's token to achieve access control. This model is proposed to solve the single point of failure problem in the Internet of Things . G.Ali et al. proposed a blockchain-based decentralized IoT authority delegation and access control framework - xDBAuth, which constructs a hierarchy of local and global smart contracts to enforce permissions for internal and external users/IoT Delegation and access control. Shi Zihui et al. proposed a blockchain-based cross-domain access control method. This method can prevent forgery of tokens according to the processing of tokens in the token generation stage, and can resist man-in-the-middle attacks according to dynamic verification. The system performs flooding attacks to prevent the occurrence of abnormal system behaviors caused by a single point of failure. Based on the transparency and openness of the blockchain, all nodes can synchronize their status by accessing transactions and smart contracts in the blockchain, providing more detailed information. Granular, more secure access control.

但从现有的访问控制方案来看就存在以下问题:However, from the perspective of the existing access control scheme, there are the following problems:

基于区块链属性访问控制方案中,它通过主客体的属性值、所处的环境来授予主体访问资源的权限和主体能够进行的相关的操作。但是由于主体和客体缺乏信任,导致访问控制中客体节点无法判断主体的可信度,缺乏属性与信任综合考虑的访问控制方案,从而无法避免主体节点仿冒、欺诈等安全威胁。并且大多只考虑客体资源的环境属性,缺乏对客体节点资源状态的考虑,达不到细粒度访问控制的效果,存在动态分配访问权限不足问题。In the blockchain-based attribute access control scheme, it grants the subject the authority to access resources and the related operations that the subject can perform through the attribute value of the subject and the object and the environment in which it is located. However, due to the lack of trust between the subject and the object, the object node in the access control cannot judge the credibility of the subject, and there is no access control scheme that comprehensively considers attributes and trust, so it is impossible to avoid security threats such as counterfeiting and fraud of the subject node. And most of them only consider the environmental attributes of the object resources, lack of consideration of the resource status of the object nodes, can not achieve the effect of fine-grained access control, and there is a problem of insufficient dynamic allocation of access rights.

基于区块链访问控制方案对多域之间跨域数据访问权限的管理目前大多数是基于令牌、角色跨域访问控制方案,而随着用户角色和令牌的频繁申请和撤销,会使得角色和令牌都难以管理,以至于发生角色和令牌爆炸,大量的角色和令牌也会对权限的管控带来威胁。The management of cross-domain data access rights between multiple domains based on the blockchain access control scheme is currently mostly based on token and role cross-domain access control schemes. With the frequent application and revocation of user roles and tokens, it will make Roles and tokens are difficult to manage, so that the explosion of roles and tokens occurs, and a large number of roles and tokens will also threaten the control of permissions.

发明内容SUMMARY OF THE INVENTION

本发明的目的在于克服背景技术所提出的技术问题,提出一种基于区块链的跨域细粒度属性访问控制方法。利用主体属性、环境属性等来计算主体信任值的算法,并将任务状态属性引入属性访问控制方案中,帮助客体判断主体能否访问自己的资源和资源的运行状态,使资源不会承受过大的负担,与任务状态属性结合能够实现动态授予主体访问权限,使主体只能以最小权限访问资源,提高访问控制方案的效率。并且利用区块链技术实现跨域访问控制,访问控制系统每个域有主信任节点,负责管理自己区域中主体和客体的角色值、属性值和信任值,并给出跨域访问控制流程,基于区块链技术,更好的实现跨域访问的数据安全,抵御越权攻击、伪造冒充式攻击、共谋攻击等多种威胁攻击方式。The purpose of the present invention is to overcome the technical problems raised by the background art, and to propose a cross-domain fine-grained attribute access control method based on blockchain. An algorithm that uses subject attributes, environmental attributes, etc. to calculate the subject's trust value, and introduces the task status attribute into the attribute access control scheme to help the object judge whether the subject can access its own resources and the running status of the resources, so that the resources will not be overburdened. Combined with the task state attribute, it can dynamically grant access rights to the subject, so that the subject can only access resources with the least privilege, and improve the efficiency of the access control scheme. And use blockchain technology to achieve cross-domain access control. Each domain of the access control system has a master trust node, which is responsible for managing the role value, attribute value and trust value of the subject and object in its own area, and gives the cross-domain access control process. Based on blockchain technology, it can better realize data security for cross-domain access, and resist multiple threat attacks such as unauthorized attacks, forgery and impersonation attacks, and collusion attacks.

本发明的具体技术方案如下:The concrete technical scheme of the present invention is as follows:

根据本发明的第一技术方案,提供一种基于区块链的跨域细粒度属性访问控制方法,所述方法包括:According to the first technical solution of the present invention, a blockchain-based cross-domain fine-grained attribute access control method is provided, the method comprising:

接收主体节点的加密身份、所述主体节点所在的区域以及所述主体节点的资源请求,所述主体节点的加密身份通过所述主体节点将其身份用对应私钥进行加密得到;Receive the encrypted identity of the main node, the region where the main node is located, and the resource request of the main node, and the encrypted identity of the main node is obtained by encrypting its identity with the corresponding private key by the main node;

选择一个随机数N发送给所述主体节点;Select a random number N to send to the main node;

接收所述主体节点的二次加密身份和所述主体节点的公钥,所述二次加密身份是所述主体节点在接收到随机数N后用私钥进行签名得到;Receive the secondary encryption identity of the subject node and the public key of the subject node, where the secondary encryption identity is obtained by the subject node signing with the private key after receiving the random number N ;

验证所述二次加密身份中的随机数是否是随机数NVerifying whether the random number in the secondary encrypted identity is a random number N ;

在所述二次加密身份中的随机数是随机数N的情况下,根据主体节点的公钥解密所述二次加密身份得到所述主体节点的身份,根据所述主体节点的身份和所述主体节点的公钥计算得到所述主体节点对应的地址,然后从区块链中查出所述主体节点的属性值,并根据所述主体节点的属性值计算与所述主体节点的直接信任值;In the case where the random number in the secondary encrypted identity is a random number N , decrypt the secondary encrypted identity according to the public key of the principal node to obtain the identity of the principal node, and obtain the identity of the principal node according to the identity of the principal node and the The public key of the main node is calculated to obtain the address corresponding to the main node, and then the attribute value of the main node is found from the blockchain, and the direct trust value with the main node is calculated according to the attribute value of the main node. ;

根据所述主体节点的区域号查询出区域所对应的主信任节点在区块链上的地址对所述主体节点的综合信任值,并与所述主体节点的属性值以及资源环境属性计算出主体节点的直接信任值,根据基础信任值和所述主体节点的直接信任值计算得到推荐信任值;According to the area number of the main node, the comprehensive trust value of the main trust node corresponding to the area on the blockchain is queried for the main node, and the main node is calculated with the attribute value of the main node and the resource environment attribute. The direct trust value of the node is calculated according to the basic trust value and the direct trust value of the subject node to obtain the recommended trust value;

根据所述直接信任值和所述推荐信任值计算得到综合信任值;Calculate the comprehensive trust value according to the direct trust value and the recommended trust value;

在综合信任值达到预设的信任值阈值要求时,通过任务状态属性查看当前资源所执行的任务的状态,并在当前资源所执行的任务的状态满足任务状态要求的情况下同意主体节点的资源请求。When the comprehensive trust value reaches the preset trust value threshold requirement, check the status of the task executed by the current resource through the task status attribute, and agree to the resource of the main node if the status of the task executed by the current resource meets the task status requirement ask.

进一步,所述根据所述主体节点的属性值计算与所述主体节点的直接信任值,包括:Further, calculating the direct trust value with the subject node according to the attribute value of the subject node includes:

根据主体节点的主体属性和所访问资源环境属性,通过如下公式计算主体节点当 前直接信任

Figure 415783DEST_PATH_IMAGE001
: According to the subject attribute of the subject node and the accessed resource environment attribute, the current direct trust of the subject node is calculated by the following formula
Figure 415783DEST_PATH_IMAGE001
:

Figure 660820DEST_PATH_IMAGE002
Figure 660820DEST_PATH_IMAGE002

其中,

Figure 473180DEST_PATH_IMAGE003
表示主体节点相关主体属性种类,
Figure 258602DEST_PATH_IMAGE004
表示所访问相关环境属性种类,
Figure 135292DEST_PATH_IMAGE005
Figure 787115DEST_PATH_IMAGE006
是常数,取值在[0,1]区间范围内,
Figure 319727DEST_PATH_IMAGE007
表示主体属性与所访问的资源的相关度,
Figure 846524DEST_PATH_IMAGE008
表示每个主体属性所占的权重,
Figure 577719DEST_PATH_IMAGE009
表示环境属性与所访问的资源的相关度,
Figure 462761DEST_PATH_IMAGE010
表示每 个环境属性所占的权重,满足
Figure 544987DEST_PATH_IMAGE011
Figure 344315DEST_PATH_IMAGE012
Figure 646463DEST_PATH_IMAGE013
; in,
Figure 473180DEST_PATH_IMAGE003
Indicates the type of the subject attribute related to the subject node,
Figure 258602DEST_PATH_IMAGE004
Indicates the type of related environment attributes accessed,
Figure 135292DEST_PATH_IMAGE005
and
Figure 787115DEST_PATH_IMAGE006
is a constant whose value is in the range of [0,1],
Figure 319727DEST_PATH_IMAGE007
Represents the relevance of the subject attribute to the accessed resource,
Figure 846524DEST_PATH_IMAGE008
represents the weight of each subject attribute,
Figure 577719DEST_PATH_IMAGE009
Represents the relevance of the environment attribute to the accessed resource,
Figure 462761DEST_PATH_IMAGE010
Represents the weight of each environmental attribute, satisfying
Figure 544987DEST_PATH_IMAGE011
,
Figure 344315DEST_PATH_IMAGE012
,
Figure 646463DEST_PATH_IMAGE013
;

根据时间衰减函数,计算时间衰减权重,所述时间衰减函数表示为

Figure 138625DEST_PATH_IMAGE014
,其中
Figure 708146DEST_PATH_IMAGE015
是常数,取值在[0,1]区间范围内,t表示上一次与主体节点之间交互距离此次交互的时 间; According to the time decay function, the time decay weight is calculated, and the time decay function is expressed as
Figure 138625DEST_PATH_IMAGE014
,in
Figure 708146DEST_PATH_IMAGE015
is a constant, the value is in the range of [0,1], t represents the last interaction distance with the main node and the time of this interaction;

通过如下公式计算历史信任值HVThe historical trust value HV is calculated by the following formula:

Figure 45587DEST_PATH_IMAGE016
Figure 45587DEST_PATH_IMAGE016

其中,

Figure 580735DEST_PATH_IMAGE017
表示上一次的访问控制流程,
Figure 243798DEST_PATH_IMAGE018
表示与主体节点B之前交互 过的最新的综合信任值; in,
Figure 580735DEST_PATH_IMAGE017
Indicates the last access control process,
Figure 243798DEST_PATH_IMAGE018
Represents the latest comprehensive trust value that has interacted with the main node B before;

通过如下公式计算主体节点的直接信任值:The direct trust value of the principal node is calculated by the following formula:

Figure 238299DEST_PATH_IMAGE019
Figure 238299DEST_PATH_IMAGE019

其中,

Figure 146474DEST_PATH_IMAGE020
是常数,取值在[0,1]区间范围内,如果与主体节点是A第一次进行交互, 则不存在历史信任值,只有当前信任值,令
Figure 503506DEST_PATH_IMAGE021
,即计算出来的当前信任值就是与主体节 点A之间的直接信任值。 in,
Figure 146474DEST_PATH_IMAGE020
is a constant, the value is in the range of [0,1], if the interaction with the main node is the first time A, there is no historical trust value, only the current trust value, let
Figure 503506DEST_PATH_IMAGE021
, that is, the calculated current trust value is the direct trust value with the principal node A.

进一步,所述根据基础信任值和所述主体节点的直接信任值计算得到推荐信任值,包括:Further, calculating the recommended trust value according to the basic trust value and the direct trust value of the subject node includes:

通过如下公式计算区域主信任节点对域中各主体节点的直接信任值:The direct trust value of the regional master trust node to each principal node in the domain is calculated by the following formula:

Figure 337470DEST_PATH_IMAGE022
Figure 337470DEST_PATH_IMAGE022

其中,

Figure 445365DEST_PATH_IMAGE023
表示区域号为i的区域主信任节点对于区域的主体节点 的直接信任值,直接信任值随着访问次数,访问成功和访问失败的次数进行调节,
Figure 390188DEST_PATH_IMAGE024
表示主体节点进行访问控制的成功的次数,
Figure 70568DEST_PATH_IMAGE025
表示主体节点 进行访问控制的失败的次数,
Figure 780160DEST_PATH_IMAGE026
表示主体节点进行访问控制的总的次数; in,
Figure 445365DEST_PATH_IMAGE023
Indicates the direct trust value of the main trust node of the area with the area number i to the main node of the area. The direct trust value is adjusted with the number of visits, the number of successful visits and the number of failed visits.
Figure 390188DEST_PATH_IMAGE024
Indicates the number of successful access control performed by the principal node,
Figure 70568DEST_PATH_IMAGE025
Indicates the number of times the principal node fails to perform access control,
Figure 780160DEST_PATH_IMAGE026
Indicates the total number of times the principal node performs access control;

计算不同区域的主信任节点之间的基础信任值

Figure 873887DEST_PATH_IMAGE027
: Calculate the base trust value between master trust nodes in different regions
Figure 873887DEST_PATH_IMAGE027
:

若主体节点访问失败,则区域主信任节i对区域内主减少基础信任值,计算公式如下:If the access of the main node fails, the regional master trust node i reduces the basic trust value of the master in the region, and the calculation formula is as follows:

Figure 622400DEST_PATH_IMAGE028
Figure 622400DEST_PATH_IMAGE028

其中

Figure 862014DEST_PATH_IMAGE029
取值在[0,1]区间范围内,根据系统来进行设定,默认为
Figure 631256DEST_PATH_IMAGE030
Figure 884382DEST_PATH_IMAGE031
为减 少因子,取值在[0,1]区间范围内; in
Figure 862014DEST_PATH_IMAGE029
The value is in the range of [0,1], set according to the system, the default is
Figure 631256DEST_PATH_IMAGE030
,
Figure 884382DEST_PATH_IMAGE031
In order to reduce the factor, the value is in the range of [0,1];

若主体节点访问成功,则增加基础信任值,计算公式如下:If the main node accesses successfully, the basic trust value is increased, and the calculation formula is as follows:

Figure 141314DEST_PATH_IMAGE032
Figure 141314DEST_PATH_IMAGE032

其中

Figure 593023DEST_PATH_IMAGE029
取值在[0,1]区间范围内,根据系统来进行设定,默认为
Figure 205270DEST_PATH_IMAGE030
Figure 384841DEST_PATH_IMAGE033
为增加 因子,取值在[0,1]区间范围内; in
Figure 593023DEST_PATH_IMAGE029
The value is in the range of [0,1], set according to the system, the default is
Figure 205270DEST_PATH_IMAGE030
,
Figure 384841DEST_PATH_IMAGE033
In order to increase the factor, the value is in the range of [0,1];

计算主体节点的推荐信任值

Figure 334212DEST_PATH_IMAGE034
。 Calculate the recommended trust value of the principal node
Figure 334212DEST_PATH_IMAGE034
.

进一步,根据所述直接信任值和所述推荐信任值计算得到综合信任值,包括:Further, a comprehensive trust value is calculated and obtained according to the direct trust value and the recommended trust value, including:

通过如下公式计算综合信任值TVThe comprehensive trust value TV is calculated by the following formula:

Figure 781373DEST_PATH_IMAGE035
Figure 781373DEST_PATH_IMAGE035

其中,

Figure 788689DEST_PATH_IMAGE036
是常数,取值在[0,1]区间范围内,
Figure 78724DEST_PATH_IMAGE037
表示当前正在进行的访问控制流 程中所计算出来的直接信任值,RV为推荐信任值。 in,
Figure 788689DEST_PATH_IMAGE036
is a constant whose value is in the range of [0,1],
Figure 78724DEST_PATH_IMAGE037
Indicates the direct trust value calculated in the current access control flow, and RV is the recommended trust value.

根据本发明的第二技术方案,提供一种基于区块链的跨域细粒度属性访问控制系统,所述系统包括主信任节点、主体节点、客体节点、矿工节点、资源节点和密钥管理中心,According to the second technical solution of the present invention, a blockchain-based cross-domain fine-grained attribute access control system is provided, the system includes a master trust node, a subject node, an object node, a miner node, a resource node and a key management center ,

所述主信任节点是区块链上的节点,也是每个区域的中心,被配置为分区域管理对应区域中主体节点和客体节点的角色值、属性值和信任值,将区域中主体节点和客体节点的角色值、属性值和信任值广播到区块链中,并存入自己的交易池中,以等待矿工节点取走交易池中的交易发布到区块链上;The master trust node is a node on the blockchain and is also the center of each area. It is configured to manage the role value, attribute value and trust value of the subject node and object node in the corresponding area by area. The role value, attribute value and trust value of the object node are broadcast to the blockchain and stored in its own transaction pool, waiting for the miner node to take the transaction in the transaction pool and publish it on the blockchain;

所述主体节点是访问控制的发起方,被配置为将其身份用对应私钥进行加密得到对应主体节点的加密身份;向客体节点发送对应主体节点的加密身份、所述主体节点所在的区域后以及所述主体节点的资源请求,在接收到来自客体节点发出的随机数N后用私钥进行签名得到二次加密身份,并将主体节点的二次加密身份和公钥发送至客体节点;The subject node is the initiator of access control, and is configured to encrypt its identity with the corresponding private key to obtain the encrypted identity of the corresponding subject node; after sending the encrypted identity of the corresponding subject node and the area where the subject node is located to the object node And the resource request of the subject node, after receiving the random number N sent from the object node, use the private key to sign to obtain a secondary encryption identity, and send the secondary encryption identity and public key of the subject node to the object node;

所述客体节点是拥有资源的一方,被配置为接收主体节点的加密身份、所述主体节点所在的区域以及所述主体节点的资源请求;选择一个随机数N发送给所述主体节点;接收所述主体节点的二次加密身份和所述主体节点的公钥;验证所述二次加密身份中的随机数是否是随机数N;在所述二次加密身份中的随机数是随机数N的情况下,根据主体节点的公钥解密所述二次加密身份得到所述主体节点的身份,根据所述主体节点的身份和所述主体节点的公钥计算得到所述主体节点对应的地址,然后从区块链中查出所述主体节点的属性值,并根据所述主体节点的属性值计算与所述主体节点的直接信任值;根据所述主体节点的区域号查询出区域所对应的主信任节点在区块链上的地址对所述主体节点的综合信任值,并与所述主体节点的属性值以及资源环境属性计算出主体节点的直接信任值,根据基础信任值和所述主体节点的直接信任值计算得到推荐信任值;根据所述直接信任值和所述推荐信任值计算得到综合信任值;在综合信任值达到预设的信任值阈值要求时,通过任务状态属性查看当前资源所执行的任务的状态,并在当前资源所执行的任务的状态满足任务状态要求的情况下同意主体节点的资源请求;The object node is the party that owns the resource, and is configured to receive the encrypted identity of the subject node, the region where the subject node is located, and the resource request of the subject node; select a random number N to send to the subject node; receive all The secondary encryption identity of the subject node and the public key of the subject node; verify whether the random number in the secondary encryption identity is a random number N ; the random number in the secondary encryption identity is a random number N In this case, decrypt the secondary encrypted identity according to the public key of the main node to obtain the identity of the main node, calculate the address corresponding to the main node according to the identity of the main node and the public key of the main node, and then calculate the corresponding address of the main node. Find the attribute value of the main node from the blockchain, and calculate the direct trust value with the main node according to the attribute value of the main node; according to the area number of the main node, query the main node corresponding to the area. The address of the trust node on the blockchain has the comprehensive trust value of the subject node, and calculates the direct trust value of the subject node with the attribute value of the subject node and the resource environment attribute. According to the basic trust value and the subject node The recommended trust value is calculated from the direct trust value of The status of the executed task, and agrees to the resource request of the principal node if the status of the task executed by the current resource meets the task status requirement;

所述资源节点配置为存储所述客体节点拥有的资源;The resource node is configured to store resources owned by the object node;

所述矿工节点被配置为将各区域的主信任节点的交易池中的交易取走并发布到区块链上;The miner node is configured to take the transaction from the transaction pool of the master trust node of each region and publish it on the blockchain;

所述密钥管理中心配置为负责每一个区域中的主信任节点、主体节点、客体节点、矿工节点的密钥初始化工作,创建和生成密钥。The key management center is configured to be responsible for key initialization of the master trust node, subject node, object node, and miner node in each area, and to create and generate keys.

进一步,通过如下方法获得所述主体节点的主体属性:Further, the subject attribute of the subject node is obtained by the following method:

主体节点提出主体属性注册请求:每个主体节点向所属区域主信任节点提出主体节点属性注册请求;The subject node submits a subject attribute registration request: each subject node submits a subject node attribute registration request to the main trust node in the region to which it belongs;

主信任节点生成主体属性表:每个区域主信任节点根据每个主体节点申请信息, 首先验证区域内主体的资格,如果主体节点有资格,则会根据主体申请信息生成主体属性 表

Figure 175993DEST_PATH_IMAGE038
Figure 307023DEST_PATH_IMAGE039
表示区域内身 份ID为
Figure 57810DEST_PATH_IMAGE040
的主体节点的主体属性表,其中
Figure 772825DEST_PATH_IMAGE041
表示该主体节点具有第k种主体属性,
Figure 909671DEST_PATH_IMAGE042
表示系统总共有
Figure 128162DEST_PATH_IMAGE042
种不同主体属性,所属区域主信任节点会将区域内每个主体所对 应的属性值在自己本地存放一份; The master trust node generates the subject attribute table: each regional master trust node first verifies the qualifications of the subject in the area according to the application information of each subject node. If the subject node is qualified, it will generate the subject attribute table according to the subject application information.
Figure 175993DEST_PATH_IMAGE038
,
Figure 307023DEST_PATH_IMAGE039
Indicates that the identity ID in the area is
Figure 57810DEST_PATH_IMAGE040
The principal attribute table of the principal node, where
Figure 772825DEST_PATH_IMAGE041
Indicates that the subject node has the kth subject attribute,
Figure 909671DEST_PATH_IMAGE042
Indicates that the system has a total of
Figure 128162DEST_PATH_IMAGE042
There are different subject attributes, and the master trust node of the area to which it belongs will store a copy of the attribute value corresponding to each subject in the area locally;

主信任节点生成一个主体节点的主体属性交易:区域主信任节点TMD生成主体节 点的主体属性交易形式如下式所示:

Figure 315430DEST_PATH_IMAGE043
,该交易 表示地址为
Figure 956889DEST_PATH_IMAGE044
的主体拥有了主体属性
Figure 458278DEST_PATH_IMAGE045
。 The master trust node generates a subject attribute transaction of the subject node: The regional master trust node TMD generates the subject attribute transaction form of the subject node as shown in the following formula:
Figure 315430DEST_PATH_IMAGE043
, the transaction represents an address of
Figure 956889DEST_PATH_IMAGE044
The subject has the subject property
Figure 458278DEST_PATH_IMAGE045
.

进一步,通过如下方法获得客体节点资源:Further, the object node resources are obtained by the following methods:

拥有资源的客体节点向所属区域主信任节点提出资源请求;The object node that owns the resource makes a resource request to the master trust node of the region to which it belongs;

主信任节点生成资源列表:区域主信任节点根据所属区域客体节点申请信息,验 证区域内客体资源,如果客体节点有相应资源,生成相应资源列表

Figure 859172DEST_PATH_IMAGE046
Figure 656489DEST_PATH_IMAGE047
表示区域内身份ID为
Figure 18200DEST_PATH_IMAGE048
的主体节点的资源列表,其中
Figure 57700DEST_PATH_IMAGE049
表示该节点拥有第k种 资源,
Figure 283408DEST_PATH_IMAGE050
表示系统总共有
Figure 78057DEST_PATH_IMAGE050
种不同资源,然后主信任节点会将区域中每个客体资源列表 在自己本地存放一份; The master trust node generates a resource list: the regional master trust node verifies the object resources in the region according to the application information of the object node in the region, and generates the corresponding resource list if the object node has corresponding resources
Figure 859172DEST_PATH_IMAGE046
,
Figure 656489DEST_PATH_IMAGE047
Indicates that the identity ID in the area is
Figure 18200DEST_PATH_IMAGE048
The resource list of the principal node, where
Figure 57700DEST_PATH_IMAGE049
Indicates that the node owns the kth resource,
Figure 283408DEST_PATH_IMAGE050
Indicates that the system has a total of
Figure 78057DEST_PATH_IMAGE050
different resources, and then the master trust node will store a copy of each object resource list in the area locally;

区域主信任节点生成一个资源列表交易:区域主信任节点生成交易形式如下式所 示:

Figure 723802DEST_PATH_IMAGE051
, 表示地址为
Figure 6141DEST_PATH_IMAGE052
的节点拥有了资源
Figure 647207DEST_PATH_IMAGE053
; The regional master trust node generates a resource list transaction: the regional master trust node generates a transaction in the form of the following formula:
Figure 723802DEST_PATH_IMAGE051
, indicating that the address is
Figure 6141DEST_PATH_IMAGE052
of nodes own the resource
Figure 647207DEST_PATH_IMAGE053
;

主信任节点对应将交易打包,放入交易池;The master trust node will package the transaction accordingly and put it into the transaction pool;

资源环境属性初始化:拥有资源的客体节点首先根据自身资源生成资源的环境属 性列表

Figure 284862DEST_PATH_IMAGE054
Figure 122630DEST_PATH_IMAGE055
表示区域内身份ID 为
Figure 503933DEST_PATH_IMAGE056
的节点的资源环境属性表,
Figure 202767DEST_PATH_IMAGE057
表示环境属性的种类,
Figure 258928DEST_PATH_IMAGE058
表示具备第k种环 境属性,资源环境属性存放在该节点本地。 Resource environment attribute initialization: The object node that owns the resource first generates the resource environment attribute list according to its own resources
Figure 284862DEST_PATH_IMAGE054
,
Figure 122630DEST_PATH_IMAGE055
Indicates that the identity ID in the area is
Figure 503933DEST_PATH_IMAGE056
The resource environment attribute table of the node,
Figure 202767DEST_PATH_IMAGE057
Indicates the kind of environment attribute,
Figure 258928DEST_PATH_IMAGE058
Indicates that it has the kth environment attribute, and the resource environment attribute is stored locally on the node.

进一步,所述客体节点被进一步配置为:Further, the object node is further configured to:

根据主体节点的主体属性和所访问资源环境属性,通过如下公式计算主体节点当 前直接信任

Figure 879265DEST_PATH_IMAGE059
: According to the subject attribute of the subject node and the accessed resource environment attribute, the current direct trust of the subject node is calculated by the following formula
Figure 879265DEST_PATH_IMAGE059
:

Figure 392155DEST_PATH_IMAGE061
Figure 392155DEST_PATH_IMAGE061

其中,

Figure 853485DEST_PATH_IMAGE062
表示主体节点相关主体属性种类,
Figure 160839DEST_PATH_IMAGE063
表示所访问相关环境属性种类,
Figure 534051DEST_PATH_IMAGE005
Figure 696305DEST_PATH_IMAGE006
是常数,取值在[0,1]区间范围内,
Figure 572994DEST_PATH_IMAGE007
表示主体属性与所访问的资源的相关度,
Figure 51248DEST_PATH_IMAGE064
表示每个主体属性所占的权重,
Figure 882063DEST_PATH_IMAGE009
表示环境属性与所访问的资源的相关度,
Figure 408860DEST_PATH_IMAGE010
表示每 个环境属性所占的权重,满足
Figure 77738DEST_PATH_IMAGE011
Figure 398998DEST_PATH_IMAGE012
Figure 982689DEST_PATH_IMAGE013
; in,
Figure 853485DEST_PATH_IMAGE062
Indicates the type of the subject attribute related to the subject node,
Figure 160839DEST_PATH_IMAGE063
Indicates the type of related environment attributes accessed,
Figure 534051DEST_PATH_IMAGE005
and
Figure 696305DEST_PATH_IMAGE006
is a constant whose value is in the range of [0,1],
Figure 572994DEST_PATH_IMAGE007
Represents the relevance of the subject attribute to the accessed resource,
Figure 51248DEST_PATH_IMAGE064
represents the weight of each subject attribute,
Figure 882063DEST_PATH_IMAGE009
Represents the relevance of the environment attribute to the accessed resource,
Figure 408860DEST_PATH_IMAGE010
Represents the weight of each environmental attribute, satisfying
Figure 77738DEST_PATH_IMAGE011
,
Figure 398998DEST_PATH_IMAGE012
,
Figure 982689DEST_PATH_IMAGE013
;

根据时间衰减函数,计算时间衰减权重,所述时间衰减函数表示为

Figure 109914DEST_PATH_IMAGE065
, 其中
Figure 961195DEST_PATH_IMAGE015
是常数,取值在[0,1]区间范围内,t表示上一次与主体节点之间交互距离此次交互 的时间; According to the time decay function, the time decay weight is calculated, and the time decay function is expressed as
Figure 109914DEST_PATH_IMAGE065
, in
Figure 961195DEST_PATH_IMAGE015
is a constant, the value is in the range of [0,1], t represents the last interaction distance with the main node and the time of this interaction;

通过如下公式计算历史信任值HVThe historical trust value HV is calculated by the following formula:

Figure 158083DEST_PATH_IMAGE016
Figure 158083DEST_PATH_IMAGE016

其中,

Figure 462026DEST_PATH_IMAGE066
表示上一次的访问控制流程,
Figure 392941DEST_PATH_IMAGE067
表示与主体节点B之前交互过的最 新的综合信任值; in,
Figure 462026DEST_PATH_IMAGE066
Indicates the last access control process,
Figure 392941DEST_PATH_IMAGE067
Represents the latest comprehensive trust value that has interacted with the main node B before;

通过如下公式计算主体节点的直接信任值:The direct trust value of the principal node is calculated by the following formula:

Figure 334615DEST_PATH_IMAGE019
Figure 334615DEST_PATH_IMAGE019

其中,

Figure 59994DEST_PATH_IMAGE020
是常数,取值在[0,1]区间范围内,如果与主体节点是A第一次进行交互, 则不存在历史信任值,只有当前信任值,令
Figure 116812DEST_PATH_IMAGE021
,即计算出来的当前信任值就是与主体节 点A之间的直接信任值。 in,
Figure 59994DEST_PATH_IMAGE020
is a constant, the value is in the range of [0,1], if the interaction with the main node is the first time A, there is no historical trust value, only the current trust value, let
Figure 116812DEST_PATH_IMAGE021
, that is, the calculated current trust value is the direct trust value with the principal node A.

进一步,所述客体节点被进一步配置为:Further, the object node is further configured to:

通过如下公式计算区域主信任节点对域中各主体节点的直接信任值:The direct trust value of the regional master trust node to each principal node in the domain is calculated by the following formula:

Figure 759408DEST_PATH_IMAGE022
Figure 759408DEST_PATH_IMAGE022

其中,

Figure 522965DEST_PATH_IMAGE023
表示区域号为i的区域主信任节点对于区域的主体节点 的直接信任值,直接信任值随着访问次数,访问成功和访问失败的次数进行调节,
Figure 356929DEST_PATH_IMAGE068
表示主体节点进行访问控制的成功的次数,
Figure 718685DEST_PATH_IMAGE069
表示主体节点进 行访问控制的失败的次数,
Figure 663507DEST_PATH_IMAGE070
表示主体节点进行访问控制的总的次数; in,
Figure 522965DEST_PATH_IMAGE023
Indicates the direct trust value of the main trust node of the area with the area number i to the main node of the area. The direct trust value is adjusted with the number of visits, the number of successful visits and the number of failed visits.
Figure 356929DEST_PATH_IMAGE068
Indicates the number of successful access control performed by the principal node,
Figure 718685DEST_PATH_IMAGE069
Indicates the number of times the principal node fails to perform access control,
Figure 663507DEST_PATH_IMAGE070
Indicates the total number of times the principal node performs access control;

计算不同区域的主信任节点之间的基础信任值

Figure 281570DEST_PATH_IMAGE027
: Calculate the base trust value between master trust nodes in different regions
Figure 281570DEST_PATH_IMAGE027
:

若主体节点访问失败,则区域主信任节i对区域内主减少基础信任值,计算公式如下:If the access of the main node fails, the regional master trust node i reduces the basic trust value of the master in the region, and the calculation formula is as follows:

Figure 552014DEST_PATH_IMAGE071
Figure 552014DEST_PATH_IMAGE071

其中

Figure 350468DEST_PATH_IMAGE029
取值在[0,1]区间范围内,根据系统来进行设定,默认为
Figure 833402DEST_PATH_IMAGE030
Figure 368289DEST_PATH_IMAGE031
为减 少因子,取值在[0,1]区间范围内; in
Figure 350468DEST_PATH_IMAGE029
The value is in the range of [0,1], set according to the system, the default is
Figure 833402DEST_PATH_IMAGE030
,
Figure 368289DEST_PATH_IMAGE031
In order to reduce the factor, the value is in the range of [0,1];

若主体节点访问成功,则增加基础信任值,计算公式如下:If the main node accesses successfully, the basic trust value is increased, and the calculation formula is as follows:

Figure 45520DEST_PATH_IMAGE032
Figure 45520DEST_PATH_IMAGE032

其中

Figure 626543DEST_PATH_IMAGE029
取值在[0,1]区间范围内,根据系统来进行设定,默认为
Figure 382010DEST_PATH_IMAGE030
Figure 272867DEST_PATH_IMAGE033
为增加 因子,取值在[0,1]区间范围内; in
Figure 626543DEST_PATH_IMAGE029
The value is in the range of [0,1], set according to the system, the default is
Figure 382010DEST_PATH_IMAGE030
,
Figure 272867DEST_PATH_IMAGE033
In order to increase the factor, the value is in the range of [0,1];

计算主体节点的推荐信任值

Figure 947431DEST_PATH_IMAGE034
。 Calculate the recommended trust value of the principal node
Figure 947431DEST_PATH_IMAGE034
.

进一步,所述客体节点被进一步配置为:通过如下公式计算综合信任值TVFurther, the object node is further configured to: calculate the comprehensive trust value TV by the following formula:

Figure 687854DEST_PATH_IMAGE072
Figure 687854DEST_PATH_IMAGE072

其中,

Figure 482897DEST_PATH_IMAGE073
是常数,取值在[0,1]区间范围内,
Figure 54693DEST_PATH_IMAGE074
表示当前正在进行的访问控制流 程中所计算出来的直接信任值,RV为推荐信任值。 in,
Figure 482897DEST_PATH_IMAGE073
is a constant whose value is in the range of [0,1],
Figure 54693DEST_PATH_IMAGE074
Indicates the direct trust value calculated in the current access control flow, and RV is the recommended trust value.

根据本发明各个实施例公开的一种基于区块链的跨域细粒度属性访问控制方法及系统,本发明以区块链和基于属性访问控制方法作为基础,任务状态属性引入属性访问控制模型中,可以根据任务的状态、所需条件等信息来动态的分配请求者的权限,并且利用主体节点属性、环境属性等来计算主体节点信任值的方法,能够帮助客体节点判断主体节点能否访问自己的资源,还能够实时更新主体节点的综合信任值,再通过主体节点的综合信任值来动态的分配请求者的权限,这样请求者就只会拥有访问资源的最小的权限,达到了基于属性细粒度访问控制,使得恶意请求者没有能够利用的额外权限,降低了跨域访问控制的计算开销和空间开销,同时还可以很好地抵御越权攻击、伪造冒充式攻击和共谋攻击。According to a blockchain-based cross-domain fine-grained attribute access control method and system disclosed in various embodiments of the present invention, the present invention is based on the blockchain and the attribute-based access control method, and the task state attribute is introduced into the attribute access control model , which can dynamically allocate the authority of the requester according to the status of the task, required conditions and other information, and use the method of calculating the trust value of the subject node by using the attributes of the subject node and the environment attribute, etc., which can help the object node to judge whether the subject node can access itself. It can also update the comprehensive trust value of the main node in real time, and then dynamically assign the requester's authority through the comprehensive trust value of the main node, so that the requester will only have the minimum authority to access the resource, which achieves the attribute-based detailed information. Granular access control makes malicious requestors have no additional permissions that can be exploited, reduces the computational overhead and space overhead of cross-domain access control, and can also well defend against unauthorized attacks, forgery and impersonation attacks, and collusion attacks.

附图说明Description of drawings

为了更清楚地说明本发明具体实施方式或现有技术中的技术方案,下面将对具体实施方式或现有技术描述中所需要使用的附图作简单地介绍。在所有附图中,类似的元件或部分一般由类似的附图标记标识。附图中,各元件或部分并不一定按照实际的比例绘制。In order to illustrate the specific embodiments of the present invention or the technical solutions in the prior art more clearly, the following briefly introduces the accompanying drawings that are required to be used in the description of the specific embodiments or the prior art. Similar elements or parts are generally identified by similar reference numerals throughout the drawings. In the drawings, each element or section is not necessarily drawn to actual scale.

图1示出了根据本发明实施例的一种基于区块链的跨域细粒度属性访问控制模型的系统结构图。FIG. 1 shows a system structure diagram of a blockchain-based cross-domain fine-grained attribute access control model according to an embodiment of the present invention.

图2示出了根据本发明实施例的基于属性的信任值计算方法的流程图。FIG. 2 shows a flowchart of an attribute-based trust value calculation method according to an embodiment of the present invention.

图3示出了根据本发明实施例的一种基于区块链的跨域细粒度属性访问控制方法的流程图。FIG. 3 shows a flowchart of a blockchain-based cross-domain fine-grained attribute access control method according to an embodiment of the present invention.

具体实施方式Detailed ways

下面将对本发明实施例中的技术方案进行清楚、完整地描述,显然,所描述的实施例仅仅是本发明的一部分实施例,而不是全部的实施例。基于本发明中的实施例,本领域普通技术人员在没有做出创造性劳动前提下所获得的所有其他实施例,都属于本发明保护的范围。The technical solutions in the embodiments of the present invention will be clearly and completely described below. Obviously, the described embodiments are only a part of the embodiments of the present invention, rather than all the embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those of ordinary skill in the art without creative efforts shall fall within the protection scope of the present invention.

为了使本发明的目的、技术方案及优点更加清楚明白,以下结合附图及实施例,对本发明进行进一步的详细说明。应当理解,此处所描述的具体实施例仅用以解释本发明,并不用于限定发明。In order to make the objectives, technical solutions and advantages of the present invention clearer, the present invention will be further described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are only used to explain the present invention, but not to limit the invention.

现在结合说明书附图对本发明做进一步的说明。The present invention will now be further described with reference to the accompanying drawings.

本发明实施例提供一种基于区块链的跨域细粒度属性访问控制系统。如图1所述系统包含了访问主信任节点(TMD),主体节点(S),客体节点(O)、矿工节点(M)、资源(R)和密钥管理中心(KM)六部分,其中用户可以既是主体又是客体,主体和客体分别是主体节点和客体节点的控制端,都由用户进行操作。Embodiments of the present invention provide a blockchain-based cross-domain fine-grained attribute access control system. As shown in Figure 1, the system includes access to the master trust node (TMD), the subject node (S), the object node (O), the miner node (M), the resource (R) and the key management center (KM). The user can be both the subject and the object. The subject and the object are the control terminals of the subject node and the object node respectively, and both are operated by the user.

主信任节点(TMD):主信任节点是区块链上的节点,也是每个区域的中心,分区域管理自己区域中主体和客体的角色值、属性值和信任值,将区域中主体和客体的角色值、属性值和信任值广播到区块链中,然后存入自己的交易池中,等待矿工取走交易池中的交易发布到区块链上。Master Trust Node (TMD): The master trust node is the node on the blockchain and the center of each area. It manages the role value, attribute value and trust value of the subject and object in its own area by area, and combines the subject and object in the area. The role value, attribute value and trust value of the miner are broadcast to the blockchain, and then stored in their own transaction pool, waiting for miners to take the transactions in the transaction pool and publish them on the blockchain.

主体节点(S):主体是访问控制的发起者,访问自己所需的资源,每个主体都拥有自己的角色、属性值,属性值用于计算出信任值,信任值用于最终实现访问控制和权限分配。Principal node (S): The principal is the initiator of access control and accesses the resources it needs. Each principal has its own role and attribute value. The attribute value is used to calculate the trust value, and the trust value is used to finally realize the access control. and permission assignment.

客体节点(O):客体是拥有资源的一方,在访问控制流程中主体会去请求客体的资源,客体再来判断是否允许主体的访问请求。每个客体也都拥有自己的属性值。Object node (O): The object is the party that owns the resources. In the access control process, the subject will request the object's resources, and the object will then determine whether to allow the subject's access request. Each object also has its own attribute value.

资源(R):节点拥有的资源。Resource (R): The resource owned by the node.

矿工节点:矿工角色和区块链中的矿工一样来争夺区块的记账权,争夺到记账权 的矿工将各区域的主信任节点

Figure 41103DEST_PATH_IMAGE075
的交易池中的交易取走并发布到区块链上。 Miner node: The role of the miner is the same as that of the miners in the blockchain to compete for the accounting right of the block, and the miners who have won the accounting right trust the master node of each region.
Figure 41103DEST_PATH_IMAGE075
The transactions in the transaction pool are taken and published on the blockchain.

密钥管理中心(KM):负责每一个区域主信任节点、从信任节点、主体、客体、矿工的密钥初始化工作,创建和生成密钥。Key Management Center (KM): Responsible for the key initialization work of each regional master trust node, slave trust node, subject, object, and miner, creating and generating keys.

为了描述本发明的访问控制方法的具体流程,先给出相关符号的定义:In order to describe the specific flow of the access control method of the present invention, the definitions of relevant symbols are given first:

Figure 504708DEST_PATH_IMAGE076
:主信任节点身份ID ,其中
Figure 726611DEST_PATH_IMAGE077
,n1表示区域数,i 1 表示区域号。
Figure 504708DEST_PATH_IMAGE076
: ID of the primary trust node, where
Figure 726611DEST_PATH_IMAGE077
, n 1 represents the area number, i 1 represents the area number.

Figure 293858DEST_PATH_IMAGE078
Figure 77269DEST_PATH_IMAGE079
:表示身份ID为
Figure 792284DEST_PATH_IMAGE080
的主信任节点的公钥、私钥,由 密钥管理中心事先分配。
Figure 293858DEST_PATH_IMAGE078
,
Figure 77269DEST_PATH_IMAGE079
: Indicates that the identity ID is
Figure 792284DEST_PATH_IMAGE080
The public key and private key of the main trusted node of the system are distributed in advance by the key management center.

Figure 257025DEST_PATH_IMAGE081
:身份ID为
Figure 475517DEST_PATH_IMAGE082
主信任节点在区块链上的地址,其中地址是主 信任节点的公钥
Figure 600468DEST_PATH_IMAGE083
和身份ID
Figure 474883DEST_PATH_IMAGE084
计算得出的。
Figure 257025DEST_PATH_IMAGE081
: The identity ID is
Figure 475517DEST_PATH_IMAGE082
The address of the master trust node on the blockchain, where the address is the public key of the master trust node
Figure 600468DEST_PATH_IMAGE083
and ID
Figure 474883DEST_PATH_IMAGE084
calculated.

Figure 817351DEST_PATH_IMAGE085
:每个区域每个节点的身份ID,其中
Figure 359191DEST_PATH_IMAGE086
表示用户节点号,
Figure 484404DEST_PATH_IMAGE087
Figure 377274DEST_PATH_IMAGE088
表示 某区域的用户节点数,用户节点系统中可以是主体也可以是客体角色。
Figure 817351DEST_PATH_IMAGE085
: The identity ID of each node in each region, where
Figure 359191DEST_PATH_IMAGE086
Indicates the user node number,
Figure 484404DEST_PATH_IMAGE087
,
Figure 377274DEST_PATH_IMAGE088
Indicates the number of user nodes in a certain area. The user node system can be a subject or an object role.

Figure 213512DEST_PATH_IMAGE089
Figure 173640DEST_PATH_IMAGE090
:身份ID为
Figure 843655DEST_PATH_IMAGE091
用户节点的公钥和私钥
Figure 213512DEST_PATH_IMAGE089
,
Figure 173640DEST_PATH_IMAGE090
: The identity ID is
Figure 843655DEST_PATH_IMAGE091
The public and private keys of the user node

Figure 817297DEST_PATH_IMAGE092
:身份ID为
Figure 896373DEST_PATH_IMAGE093
的用户节点的区块链地址,由每个节点的公钥和 身份ID计算得出。
Figure 817297DEST_PATH_IMAGE092
: The identity ID is
Figure 896373DEST_PATH_IMAGE093
The blockchain address of the user node, calculated from the public key and identity ID of each node.

根据本发明实施例所述的系统,其初始运行可以包括两个阶段,分别是系统初始化以及系统运行。According to the system according to the embodiment of the present invention, the initial operation of the system may include two stages, namely system initialization and system operation.

阶段一:系统初始化Phase 1: System Initialization

步骤1:用户节点身份注册Step 1: User node identity registration

步骤1.1区域内每个用户节点向所属区域主信任节点TMD提出注册请求;Step 1.1 Each user node in the area submits a registration request to the master trust node TMD of the area to which it belongs;

步骤1.2 区域主信任节点根据每个节点申请信息,首先验证区域内用户节点的资 格,若验证通过,则会根据用户信息生成节点所属区域身份

Figure 412805DEST_PATH_IMAGE093
,并向密钥管理中KM申请 密钥,生成用户节点的公钥
Figure 784881DEST_PATH_IMAGE089
和私钥
Figure 747283DEST_PATH_IMAGE090
,并根据用户节点公钥和私钥值,生成 用户节点区块链地址
Figure 331848DEST_PATH_IMAGE092
; Step 1.2 According to the application information of each node, the regional master trust node first verifies the eligibility of user nodes in the region. If the verification is passed, it will generate the regional identity of the node according to the user information.
Figure 412805DEST_PATH_IMAGE093
, and apply for a key to the KM in the key management to generate the public key of the user node
Figure 784881DEST_PATH_IMAGE089
and private key
Figure 747283DEST_PATH_IMAGE090
, and generate the user node blockchain address according to the user node public key and private key values
Figure 331848DEST_PATH_IMAGE092
;

步骤2:主体节点主体属性注册Step 2: Principal node principal attribute registration

步骤2.1 主体节点提出主体属性注册请求:每个主体节点向所属区域主信任节点TMD提出主体节点属性注册请求;Step 2.1 The subject node submits a subject attribute registration request: each subject node submits a subject node attribute registration request to the regional master trust node TMD ;

步骤2.2 主信任节点TMD生成主体属性表:每个区域主信任节点TMD根据每个主体 节点申请信息,首先验证区域内主体的资格,如果主体节点有资格,则会根据主体申请信息 生成主体属性表

Figure 233945DEST_PATH_IMAGE094
Figure 871862DEST_PATH_IMAGE095
表示区域 内身份ID为
Figure 695461DEST_PATH_IMAGE096
的主体节点的主体属性表,其中
Figure 880455DEST_PATH_IMAGE097
表示该主体节点具有第k种 主体属性,
Figure 731999DEST_PATH_IMAGE098
表示系统总共有
Figure 649139DEST_PATH_IMAGE098
种不同主体属性。然后所属区域主信任节点TMD会将区域 内每个主体所对应的属性值在自己本地存放一份。 Step 2.2 The master trust node TMD generates the subject attribute table: Each regional master trust node TMD first verifies the qualifications of the subject in the area according to the application information of each subject node. If the subject node is qualified, it will generate the subject attribute table according to the subject application information.
Figure 233945DEST_PATH_IMAGE094
,
Figure 871862DEST_PATH_IMAGE095
Indicates that the identity ID in the area is
Figure 695461DEST_PATH_IMAGE096
The principal attribute table of the principal node, where
Figure 880455DEST_PATH_IMAGE097
Indicates that the subject node has the kth subject attribute,
Figure 731999DEST_PATH_IMAGE098
Indicates that the system has a total of
Figure 649139DEST_PATH_IMAGE098
different subject attributes. Then the master trust node TMD of the area to which it belongs will store a copy of the attribute value corresponding to each subject in the area locally.

步骤2.3:主信任节点TMD则会生成一个主体节点的主体属性交易:区域主信任节 点TMD生成主体节点的主体属性交易形式如:

Figure 22352DEST_PATH_IMAGE099
,该交易表示地址为
Figure 574818DEST_PATH_IMAGE100
的主体拥有了 主体属性
Figure 654769DEST_PATH_IMAGE101
。 Step 2.3: The master trust node TMD will generate a subject attribute transaction of the subject node: The regional master trust node TMD generates the subject attribute transaction of the subject node in the form of:
Figure 22352DEST_PATH_IMAGE099
, the transaction represents an address of
Figure 574818DEST_PATH_IMAGE100
The subject has the subject property
Figure 654769DEST_PATH_IMAGE101
.

步骤2.4:主信任节点TMD将节点的交易打包: TMD会将这个交易与时间戳相结合, 再用自己的私钥进行签名

Figure 805128DEST_PATH_IMAGE102
,并将交 易、签名与时间戳打包放入自己的交易池中。 Step 2.4: The master trust node TMD packages the node's transaction: TMD will combine the transaction with the timestamp, and then sign it with its own private key
Figure 805128DEST_PATH_IMAGE102
, and package the transaction, signature and timestamp into its own transaction pool.

步骤3 客体节点资源注册Step 3 Object node resource registration

步骤3.1 拥有资源的用户节点向所属区域主信任节点TMD提出资源请求;Step 3.1 The user node that owns the resource submits a resource request to the master trust node TMD of the region to which it belongs;

步骤3.2 主信任节点生成资源列表:区域主信任节点TMD根据所属区域客体节点 申请信息,验证区域内客体资源,如果客体节点有相应资源,生成相应资源列表

Figure 217700DEST_PATH_IMAGE103
Figure 416600DEST_PATH_IMAGE104
表示区域内身份ID为
Figure 413375DEST_PATH_IMAGE105
的主体节点的资源列 表,其中
Figure 829575DEST_PATH_IMAGE106
表示该节点拥有第k种资源,
Figure 849483DEST_PATH_IMAGE107
表示系统总共有
Figure 242287DEST_PATH_IMAGE107
种不同资源。然后主信任 节点会将区域中每个客体资源列表在自己本地存放一份。 Step 3.2 The master trust node generates a resource list: the regional master trust node TMD verifies the object resources in the region according to the application information of the object node in the region to which it belongs, and generates the corresponding resource list if the object node has corresponding resources
Figure 217700DEST_PATH_IMAGE103
,
Figure 416600DEST_PATH_IMAGE104
Indicates that the identity ID in the area is
Figure 413375DEST_PATH_IMAGE105
The resource list of the principal node, where
Figure 829575DEST_PATH_IMAGE106
Indicates that the node owns the kth resource,
Figure 849483DEST_PATH_IMAGE107
Indicates that the system has a total of
Figure 242287DEST_PATH_IMAGE107
different resources. Then the master trust node will store a copy of each object resource list in the area locally.

步骤3.3 区域主信任节点TMD则会生成一个资源列表交易:区域主信任节点生成 交易形式如:

Figure 595034DEST_PATH_IMAGE108
, 表示地址为
Figure 24878DEST_PATH_IMAGE109
的节点拥有了资 源
Figure 922296DEST_PATH_IMAGE110
。 Step 3.3 The regional master trust node TMD will generate a resource list transaction: the regional master trust node generates a transaction in the form of:
Figure 595034DEST_PATH_IMAGE108
, indicating that the address is
Figure 24878DEST_PATH_IMAGE109
of nodes own the resource
Figure 922296DEST_PATH_IMAGE110
.

步骤3.4主信任节点TMD将交易打包,放入交易池:TMD会将这个交易与时间戳相结 合,再用自己的私钥进行签名

Figure 495622DEST_PATH_IMAGE112
Step 3.4 The master trust node TMD packages the transaction and puts it into the transaction pool: TMD will combine the transaction with the timestamp, and then sign it with its own private key
Figure 495622DEST_PATH_IMAGE112

,再将交易、签名与时间戳打包放入自己的交易池中。, and then package the transaction, signature and timestamp into its own transaction pool.

步骤3.5 资源环境属性初始化:拥有资源的用户节点首先根据自身资源生成资源 的环境属性列表

Figure 794885DEST_PATH_IMAGE113
Figure 661210DEST_PATH_IMAGE114
表示区域内身份ID 为
Figure 953913DEST_PATH_IMAGE115
的节点的资源环境属性表,
Figure 688520DEST_PATH_IMAGE116
表示环境属性的种类,
Figure 717656DEST_PATH_IMAGE117
表示具备第k种环境 属性,资源环境属性存放在该节点本地。 Step 3.5 Resource environment attribute initialization: The user node that owns the resource first generates the resource environment attribute list according to its own resources
Figure 794885DEST_PATH_IMAGE113
,
Figure 661210DEST_PATH_IMAGE114
Indicates that the identity ID in the area is
Figure 953913DEST_PATH_IMAGE115
The resource environment attribute table of the node,
Figure 688520DEST_PATH_IMAGE116
Indicates the kind of environment attribute,
Figure 717656DEST_PATH_IMAGE117
Indicates that it has the kth environment attribute, and the resource environment attribute is stored locally on the node.

步骤3.2 资源任务状态属性初始化:拥有资源的客体节点根据节点的资源在执行 一些任务的时候的任务状态属性初始化设置资源任务状态属性,资源的任务处于任意一个 或多个状态属性中,任务状态属性表

Figure 787505DEST_PATH_IMAGE118
Figure 331619DEST_PATH_IMAGE119
表示区域内身份ID为
Figure 869916DEST_PATH_IMAGE120
的节点的任务状态属性表。任务状态属性有五种状态属性,其 中
Figure 989444DEST_PATH_IMAGE121
表示准备状态,
Figure 994310DEST_PATH_IMAGE122
表示激活状态,
Figure 822457DEST_PATH_IMAGE123
表示执行状态,
Figure 338014DEST_PATH_IMAGE124
表示挂起状态,
Figure 810584DEST_PATH_IMAGE125
表 示无效状态。资源任务状态属性存放该节点本地。 Step 3.2 Resource task state attribute initialization: The object node that owns the resource initializes and sets the resource task state attribute according to the task state attribute of the node resource when executing some tasks. The task of the resource is in any one or more state attributes, and the task state attribute surface
Figure 787505DEST_PATH_IMAGE118
,
Figure 331619DEST_PATH_IMAGE119
Indicates that the identity ID in the area is
Figure 869916DEST_PATH_IMAGE120
The task state attribute table of the node. The task status attribute has five status attributes, among which
Figure 989444DEST_PATH_IMAGE121
indicates a state of readiness,
Figure 994310DEST_PATH_IMAGE122
indicates the active state,
Figure 822457DEST_PATH_IMAGE123
represents the execution state,
Figure 338014DEST_PATH_IMAGE124
Indicates the suspended state,
Figure 810584DEST_PATH_IMAGE125
Indicates an invalid state. The resource task status attribute is stored locally on the node.

步骤4 主体节点信任值注册Step 4 Principal node trust value registration

步骤4.1 主信任节点

Figure 251930DEST_PATH_IMAGE126
根据区域中主客之间进行访问控制的情况对各个主体 生成相应的信任值属性列表
Figure 346136DEST_PATH_IMAGE127
Figure 836023DEST_PATH_IMAGE128
表示区域内身份ID为
Figure 490996DEST_PATH_IMAGE129
的节点信任值属性表,其中DV表示直接信任 值,
Figure 667024DEST_PATH_IMAGE130
当前直接信任值,HV表示历史信任值,RV表示推荐信任值,TV表示综合信任 值,TT表示信任值的阈值,区域主信任节点在自己本地存放一份节点的信任属性表。然后区 块链中存储主体节点综合信任值TV,主信任节点将综合信任值TV形成一个信任值的交易, 形式如:
Figure 345130DEST_PATH_IMAGE131
,表示地址
Figure 28921DEST_PATH_IMAGE132
主信任节点为对地址为
Figure 39865DEST_PATH_IMAGE133
的主体节点所产生的综合信任值TV, TV计算公式如下: Step 4.1 Master Trust Node
Figure 251930DEST_PATH_IMAGE126
According to the access control between the subject and the guest in the area, the corresponding trust value attribute list is generated for each subject
Figure 346136DEST_PATH_IMAGE127
,
Figure 836023DEST_PATH_IMAGE128
Indicates that the identity ID in the area is
Figure 490996DEST_PATH_IMAGE129
The node trust value attribute table of , where DV represents the direct trust value,
Figure 667024DEST_PATH_IMAGE130
The current direct trust value, HV represents the historical trust value, RV represents the recommended trust value, TV represents the comprehensive trust value, TT represents the threshold value of the trust value, and the regional master trust node stores a trust attribute table of the node locally. Then, the main node's comprehensive trust value TV is stored in the blockchain, and the main trust node forms a trust value transaction with the comprehensive trust value TV, in the form of:
Figure 345130DEST_PATH_IMAGE131
, indicating the address
Figure 28921DEST_PATH_IMAGE132
The primary trusted node is the pair whose address is
Figure 39865DEST_PATH_IMAGE133
The comprehensive trust value TV generated by the main node of , the TV calculation formula is as follows:

Figure 760696DEST_PATH_IMAGE134
Figure 760696DEST_PATH_IMAGE134

其中

Figure 988415DEST_PATH_IMAGE135
是常数,由客体节点进行定义,取值在[0,1]区间范围内,
Figure 446204DEST_PATH_IMAGE136
表示当前正 在进行的访问控制流程中所计算出来的直接信任值,RV为推荐信任值。直接信任值
Figure 279031DEST_PATH_IMAGE136
和 推荐信任值RV的计算方法具体在后续的实施例中阐述。 in
Figure 988415DEST_PATH_IMAGE135
is a constant, defined by the object node, the value is in the range of [0,1],
Figure 446204DEST_PATH_IMAGE136
Indicates the direct trust value calculated in the current access control flow, and RV is the recommended trust value. direct trust value
Figure 279031DEST_PATH_IMAGE136
and the calculation method of the recommended trust value RV will be specifically described in the following embodiments.

步骤4.2 区域内主信任节点将信任值交易打包:主信任节点会将这个交易与时间 戳相结合,再用自己的私钥进行签名

Figure 967501DEST_PATH_IMAGE137
。再 将交易、签名与时间戳打包放入自己的交易池中。 Step 4.2 The master trust node in the area packages the trust value transaction: the master trust node will combine the transaction with the timestamp, and then sign it with its own private key
Figure 967501DEST_PATH_IMAGE137
. Then package the transaction, signature and timestamp into your own transaction pool.

步骤5 广播交易Step 5 Broadcast transaction

区块链产生新的区块时,得到区块记账权的矿工会查看各个区域的

Figure 246298DEST_PATH_IMAGE138
的交易池 中的各交易,然后将这些交易打包,广播给其他区块链上的节点,其他节点通过共识算法来 达成共识。 When a new block is generated in the blockchain, the miner who has obtained the block accounting right will check the status of each area.
Figure 246298DEST_PATH_IMAGE138
Each transaction in the transaction pool is packaged and broadcast to nodes on other blockchains, and other nodes reach consensus through consensus algorithms.

阶段二:系统运行Stage 2: System Operation

系统完成初始化之后,区域内和区域间的节点之间可以实现基于区块链的跨域细粒度访问控制。假设主体节点A与客体节点B在不同的区域上,如主体节点A在区域1中,客体节点B在区域2中,主体节点A先与客体节点B之间协商了一个会话密钥K,这个会话密钥K是用对称加密算法生成的,主体节点A与客体节点B之间的通信都是用这个会话密钥进行了加解密的。跨域访问控制具体流程,如图3所示:After the system is initialized, blockchain-based cross-domain fine-grained access control can be implemented between nodes within and between regions. Assuming that the subject node A and the object node B are in different areas, such as the subject node A in the area 1, the object node B in the area 2, the subject node A negotiates a session key K with the object node B first, this The session key K is generated by a symmetric encryption algorithm, and the communication between the subject node A and the object node B is encrypted and decrypted by this session key. The specific process of cross-domain access control is shown in Figure 3:

步骤1:主体节点A将身份

Figure 881678DEST_PATH_IMAGE139
用私钥
Figure 693645DEST_PATH_IMAGE140
进行加密,然后向客体节点 B发送自己加密后的身份
Figure 320061DEST_PATH_IMAGE141
和所在的区域号,并向客体节点B请求所需要的资源。 Step 1: Principal node A will identify
Figure 881678DEST_PATH_IMAGE139
with private key
Figure 693645DEST_PATH_IMAGE140
Encrypt, and then send its encrypted identity to the object node B
Figure 320061DEST_PATH_IMAGE141
and the area number where it is located, and request the required resources from the object node B.

步骤2:客体节点B接收到主体节点A加密后的身份

Figure 460055DEST_PATH_IMAGE142
与区域号后,会选 择一个随机数
Figure 23761DEST_PATH_IMAGE143
发送给主体节点A。 Step 2: The object node B receives the encrypted identity of the subject node A
Figure 460055DEST_PATH_IMAGE142
After the area number, a random number will be chosen
Figure 23761DEST_PATH_IMAGE143
Sent to the main node A.

步骤3:主体节点A接收到随机数

Figure 801486DEST_PATH_IMAGE143
后,用私钥进行签名得到
Figure 97338DEST_PATH_IMAGE144
,再把 Step 3: The main node A receives the random number
Figure 801486DEST_PATH_IMAGE143
Then, sign with the private key to get
Figure 97338DEST_PATH_IMAGE144
, then put

Figure 583683DEST_PATH_IMAGE145
Figure 124648DEST_PATH_IMAGE146
发送给客体节点B。
Figure 583683DEST_PATH_IMAGE145
and
Figure 124648DEST_PATH_IMAGE146
Sent to the object node B.

步骤4:客体节点B在接收到

Figure 520995DEST_PATH_IMAGE147
Figure 315644DEST_PATH_IMAGE146
后会验证是否是随机数
Figure 185556DEST_PATH_IMAGE143
。 Step 4: The object node B receives the
Figure 520995DEST_PATH_IMAGE147
and
Figure 315644DEST_PATH_IMAGE146
It will be verified later whether it is a random number
Figure 185556DEST_PATH_IMAGE143
.

步骤5:如果验证成功,则证明主体节点A的身份真实。然后客体节点B用主体节点A 的公钥

Figure 232009DEST_PATH_IMAGE148
解密
Figure 545179DEST_PATH_IMAGE149
得到主体节点A的身份
Figure 746616DEST_PATH_IMAGE150
,根据
Figure 82919DEST_PATH_IMAGE150
和主体节点A的 公钥
Figure 198642DEST_PATH_IMAGE151
计算得到主体节点A对应的地址
Figure 366319DEST_PATH_IMAGE152
,然后从区块链中查出主体节点A 的属性值用于计算出当前直接信任值。 Step 5: If the verification is successful, the identity of the principal node A is proved to be true. Then the object node B uses the public key of the subject node A
Figure 232009DEST_PATH_IMAGE148
decrypt
Figure 545179DEST_PATH_IMAGE149
Get the identity of the principal node A
Figure 746616DEST_PATH_IMAGE150
,according to
Figure 82919DEST_PATH_IMAGE150
and the public key of principal node A
Figure 198642DEST_PATH_IMAGE151
Calculate the address corresponding to the main node A
Figure 366319DEST_PATH_IMAGE152
, and then find out the attribute value of main node A from the blockchain and use it to calculate the current direct trust value.

步骤6:客体节点B通过主体节点A发送的区域号查询出区域所对应的

Figure 738656DEST_PATH_IMAGE153
对访问主体节点A的综合信任值TV,并与A的主体属性,B的资源环境属性计算出主体直接信 任值DV;并且查询出自己区域的
Figure 827835DEST_PATH_IMAGE154
对于
Figure 842190DEST_PATH_IMAGE155
的基础信任值,再计算出推 荐信任值
Figure 67635DEST_PATH_IMAGE156
。 Step 6: The object node B queries the area corresponding to the area through the area number sent by the main node A.
Figure 738656DEST_PATH_IMAGE153
For the comprehensive trust value TV of the visiting subject node A, and the subject attribute of A and the resource environment attribute of B, the direct trust value DV of the subject is calculated;
Figure 827835DEST_PATH_IMAGE154
for
Figure 842190DEST_PATH_IMAGE155
The basic trust value of , and then calculate the recommended trust value
Figure 67635DEST_PATH_IMAGE156
.

步骤7:客体节点B通过直接信任值

Figure 47092DEST_PATH_IMAGE157
和推荐信任值
Figure 984086DEST_PATH_IMAGE158
计算出综合信任值
Figure 644875DEST_PATH_IMAGE159
, 如图2所示,图2是基于属性的信任值计算方法的流程图。 Step 7: The object node B passes the direct trust value
Figure 47092DEST_PATH_IMAGE157
and recommendation trust value
Figure 984086DEST_PATH_IMAGE158
Calculate the comprehensive trust value
Figure 644875DEST_PATH_IMAGE159
, as shown in FIG. 2 , which is a flowchart of an attribute-based trust value calculation method.

如果综合信任值

Figure 787143DEST_PATH_IMAGE160
达到了信任值阈值TT的要求,则客体节点B再通过任务状态属 性查看当前资源所执行的任务的状态,如果满足任务状态要求则允许主体节点A的请求,否 则拒绝请求。 If the comprehensive trust value
Figure 787143DEST_PATH_IMAGE160
If the requirement of the trust value threshold TT is met, the object node B checks the status of the task executed by the current resource through the task status attribute. If the task status requirement is met, the request of the subject node A is allowed, otherwise the request is rejected.

在一些实施例中中,如图2所示,计算主体节点A与客体节点B的直接信任值

Figure 766863DEST_PATH_IMAGE161
包括如下步骤: In some embodiments, as shown in FIG. 2, the direct trust value of the subject node A and the object node B is calculated
Figure 766863DEST_PATH_IMAGE161
It includes the following steps:

步骤1:根据主体节点A的主体属性和访问客体节点B所访问资源环境属性,首先客 体节点计算主体节点当前直接信任

Figure 892951DEST_PATH_IMAGE162
,计算公式如下 Step 1: According to the subject attribute of subject node A and the resource environment attribute accessed by object node B, first the object node calculates the current direct trust of the subject node
Figure 892951DEST_PATH_IMAGE162
,Calculated as follows

Figure 419747DEST_PATH_IMAGE164
Figure 419747DEST_PATH_IMAGE164

其中

Figure 449145DEST_PATH_IMAGE165
表示主体节点相关主体属性种类,
Figure 770405DEST_PATH_IMAGE166
表示客体节点相关环境属性种类,
Figure 790314DEST_PATH_IMAGE005
Figure 622266DEST_PATH_IMAGE006
是常数,由客体节点进行定义,取值都在[0,1]区间范围内,
Figure 207968DEST_PATH_IMAGE167
表示主体属性与所 访问的资源的相关度,
Figure 762446DEST_PATH_IMAGE168
表示每个主体属性所占的权重,
Figure 48413DEST_PATH_IMAGE169
表示环境属性与所访问的 资源的相关度,
Figure 651433DEST_PATH_IMAGE170
表示每个环境属性所占的权重,满足
Figure 357221DEST_PATH_IMAGE171
Figure 849644DEST_PATH_IMAGE012
Figure 640883DEST_PATH_IMAGE013
,相关度与权重都由客体节点进行分配。 in
Figure 449145DEST_PATH_IMAGE165
Indicates the type of the subject attribute related to the subject node,
Figure 770405DEST_PATH_IMAGE166
Indicates the type of environment attributes related to the object node,
Figure 790314DEST_PATH_IMAGE005
and
Figure 622266DEST_PATH_IMAGE006
is a constant, defined by the object node, and its values are all within the range of [0,1],
Figure 207968DEST_PATH_IMAGE167
Represents the relevance of the subject attribute to the accessed resource,
Figure 762446DEST_PATH_IMAGE168
represents the weight of each subject attribute,
Figure 48413DEST_PATH_IMAGE169
Represents the relevance of the environment attribute to the accessed resource,
Figure 651433DEST_PATH_IMAGE170
Represents the weight of each environmental attribute, satisfying
Figure 357221DEST_PATH_IMAGE171
,
Figure 849644DEST_PATH_IMAGE012
,
Figure 640883DEST_PATH_IMAGE013
, the relevance and weight are assigned by the object nodes.

步骤2:根据时间衰减函数,计算时间衰减权重:

Figure 250856DEST_PATH_IMAGE172
,其中
Figure 640511DEST_PATH_IMAGE015
是常数,由客 体节点进行定义,取值在[0,1]区间范围内。
Figure 740054DEST_PATH_IMAGE173
表示上一次客体节点与主体节点之间交互 距离此次交互的时间。 Step 2: Calculate the time decay weight according to the time decay function:
Figure 250856DEST_PATH_IMAGE172
,in
Figure 640511DEST_PATH_IMAGE015
is a constant, defined by the object node, and its value is in the range of [0,1].
Figure 740054DEST_PATH_IMAGE173
Indicates the time of the last interaction between the object node and the subject node.

步骤3:计算历史信任值:

Figure 956272DEST_PATH_IMAGE174
,其中
Figure 166673DEST_PATH_IMAGE066
表示上一次的访问控制流 程,即
Figure 82939DEST_PATH_IMAGE175
表示主体节点A与客体节点B之前交互过的最新的综合信任值。 Step 3: Calculate the historical trust value:
Figure 956272DEST_PATH_IMAGE174
,in
Figure 166673DEST_PATH_IMAGE066
Indicates the last access control process, that is
Figure 82939DEST_PATH_IMAGE175
Indicates the latest comprehensive trust value that the subject node A and the object node B have interacted with before.

步骤4:计算主体节点直接信任值:

Figure 415700DEST_PATH_IMAGE176
,其中
Figure 181531DEST_PATH_IMAGE177
是常数,由客体节点B进行 定义,取值在[0,1]区间范围内。如果客体节点B与主体节点是A第一次进行交互,则它们之 间不存在历史信任值,只有当前信任值,就可以令
Figure 634771DEST_PATH_IMAGE178
,即客体节点B计算出来的当前信任 值就是客体节点B与主体节点A之间的直接信任值。 Step 4: Calculate the direct trust value of the principal node:
Figure 415700DEST_PATH_IMAGE176
,in
Figure 181531DEST_PATH_IMAGE177
is a constant, defined by the object node B, and its value is in the range of [0,1]. If the object node B interacts with the subject node A for the first time, there is no historical trust value between them, only the current trust value can make
Figure 634771DEST_PATH_IMAGE178
, that is, the current trust value calculated by the object node B is the direct trust value between the object node B and the subject node A.

在一些实施例中,如图2所示,计算主体节点A的推荐信任值

Figure 169658DEST_PATH_IMAGE179
采用如下的 方法,假设主体节点A所在区域编号为i值,客体节点B所在区域编号为j值,则主体节点A的 推荐信任值计算步骤如下: In some embodiments, as shown in FIG. 2, the recommended trust value of the principal node A is calculated
Figure 169658DEST_PATH_IMAGE179
Using the following method, assuming that the number of the area where the subject node A is located is the value i, and the number of the area where the object node B is located is the value j, the calculation steps of the recommended trust value of the subject node A are as follows:

步骤1:计算区域主信任节点对域中各主体节点A直接信任值:Step 1: Calculate the direct trust value of the main trust node in the domain to each main node A in the domain:

Figure 938899DEST_PATH_IMAGE181
Figure 938899DEST_PATH_IMAGE181

其中

Figure 631174DEST_PATH_IMAGE182
表示区域号为i的区域主信任节点对于区域的主体节点A的直 接信任值。直接信任值随着访问次数,访问成功和访问失败的次数进行调节,
Figure 511274DEST_PATH_IMAGE183
表示主体节点A进行访问控制的成功的次数,
Figure 900667DEST_PATH_IMAGE184
表示主体节点A 进行访问控制的失败的次数,
Figure 748800DEST_PATH_IMAGE185
表示主体节点A进行访问控制的总的次数。 in
Figure 631174DEST_PATH_IMAGE182
Indicates the direct trust value of the main trust node of the area with the area number i to the main node A of the area. The direct trust value is adjusted with the number of visits, the number of successful and unsuccessful visits,
Figure 511274DEST_PATH_IMAGE183
Indicates the number of successful access control performed by the principal node A,
Figure 900667DEST_PATH_IMAGE184
Indicates the number of times the principal node A fails to perform access control,
Figure 748800DEST_PATH_IMAGE185
Indicates the total number of times that the principal node A performs access control.

步骤2:计算不同区域的

Figure 426906DEST_PATH_IMAGE186
之间的基础信任值
Figure 517222DEST_PATH_IMAGE187
: Step 2: Calculate the different regions
Figure 426906DEST_PATH_IMAGE186
base trust value between
Figure 517222DEST_PATH_IMAGE187
:

步骤2.1 若主体节点A对客体节点B访问失败,则区域主信任节i对区域内主减少基础信任值,计算公式如下:Step 2.1 If the subject node A fails to access the object node B, the regional master trust node i reduces the basic trust value of the master in the region, and the calculation formula is as follows:

Figure 26700DEST_PATH_IMAGE188
Figure 26700DEST_PATH_IMAGE188

其中

Figure 639210DEST_PATH_IMAGE029
取值在[0,1]区间范围内,根据系统来进行设定,默认为
Figure 804612DEST_PATH_IMAGE030
Figure 516261DEST_PATH_IMAGE031
为减 少因子,取值在[0,1]区间范围内。in
Figure 639210DEST_PATH_IMAGE029
The value is in the range of [0,1], set according to the system, the default is
Figure 804612DEST_PATH_IMAGE030
,
Figure 516261DEST_PATH_IMAGE031
In order to reduce the factor, the value is in the range of [0,1].

步骤2.2 若主体节点A对客体节点B访问成功,则增加基础信任值,计算公式如下:Step 2.2 If the subject node A successfully accesses the object node B, the basic trust value is increased, and the calculation formula is as follows:

Figure 83508DEST_PATH_IMAGE189
Figure 83508DEST_PATH_IMAGE189

其中

Figure 365454DEST_PATH_IMAGE029
取值在[0,1]区间范围内,根据系统来进行设定,默认为
Figure 316355DEST_PATH_IMAGE030
Figure 951735DEST_PATH_IMAGE033
为增加 因子,取值在[0,1]区间范围内。 in
Figure 365454DEST_PATH_IMAGE029
The value is in the range of [0,1], set according to the system, the default is
Figure 316355DEST_PATH_IMAGE030
,
Figure 951735DEST_PATH_IMAGE033
In order to increase the factor, the value is in the range of [0,1].

步骤3:计算主体节点A的推荐信任值:

Figure 435806DEST_PATH_IMAGE190
。 Step 3: Calculate the recommended trust value of the principal node A:
Figure 435806DEST_PATH_IMAGE190
.

以上各实施例仅用以说明本发明的技术方案,而非对其限制;尽管参照前述各实施例对本发明进行了详细的说明,本领域的普通技术人员应当理解:其依然可以对前述各实施例所记载的技术方案进行修改,或者对其中部分或者全部技术特征进行等同替换;而这些修改或者替换,并不使相应技术方案的本质脱离本发明各实施例技术方案的范围,其均应涵盖在本发明的权利要求和说明书的范围当中。The above embodiments are only used to illustrate the technical solutions of the present invention, but not to limit them; although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the foregoing embodiments can still be used for The technical solutions described in the examples are modified, or some or all of the technical features thereof are equivalently replaced; and these modifications or replacements do not make the essence of the corresponding technical solutions deviate from the scope of the technical solutions of the embodiments of the present invention, and all of them should cover within the scope of the claims and description of the invention.

Claims (10)

1. A block chain-based cross-domain fine-grained attribute access control method is characterized by comprising the following steps:
receiving an encrypted identity of a main body node, an area where the main body node is located and a resource request of the main body node, wherein the encrypted identity of the main body node is obtained by encrypting the identity of the main body node by using a corresponding private key;
selecting a random numberNSending the data to the main node;
receiving a secondary encrypted identity of the subject node and a public key of the subject node, wherein the secondary encrypted identity is that the subject node receives a random numberNThen, signing by using a private key to obtain;
verifying whether the random number in the twice encrypted identity is a random numberN
The random number in the twice-encrypted identity is a random numberNIn the case of (3), the identity of the subject node is obtained by decrypting the secondary encrypted identity according to the public key of the subject node, the address corresponding to the subject node is obtained by calculation according to the identity of the subject node and the public key of the subject node, then the attribute value of the subject node is found out from the block chain, and the direct trust with the subject node is calculated according to the attribute value of the subject nodeA value;
inquiring a comprehensive trust value of the address of the main trust node corresponding to the region on the block chain to the main node according to the region number of the main node, calculating a direct trust value of the main node with the attribute value of the main node and the resource environment attribute, and calculating to obtain a recommended trust value according to the basic trust value and the direct trust value of the main node;
calculating to obtain a comprehensive trust value according to the direct trust value and the recommended trust value;
and when the comprehensive trust value reaches the preset trust value threshold value requirement, checking the state of the task executed by the current resource through the task state attribute, and agreeing with the resource request of the main node under the condition that the state of the task executed by the current resource meets the task state requirement.
2. The method of claim 1, wherein the calculating a direct trust value with the subject node based on the attribute value of the subject node comprises:
according to the subject attribute of the subject node and the accessed resource environment attribute, calculating the current direct trust of the subject node by the following formula
Figure 932049DEST_PATH_IMAGE001
Figure 645927DEST_PATH_IMAGE002
Wherein,
Figure 160085DEST_PATH_IMAGE003
representing the class of the relevant subject attribute of the subject node,
Figure 352032DEST_PATH_IMAGE004
indicating the type of the accessed relevant context attribute,
Figure 900825DEST_PATH_IMAGE005
and
Figure 520025DEST_PATH_IMAGE006
is a constant, takes on the value of [0,1]Within the range of the interval, the content of the active ingredients,
Figure 521479DEST_PATH_IMAGE007
indicating the relevance of the subject attributes to the accessed resource,
Figure 517117DEST_PATH_IMAGE009
representing the weight that each subject attribute occupies,
Figure 920417DEST_PATH_IMAGE010
indicating the relevance of the environment attribute to the accessed resource,
Figure 710518DEST_PATH_IMAGE011
represents the weight of each environment attribute, satisfies
Figure 996006DEST_PATH_IMAGE012
Figure 467438DEST_PATH_IMAGE013
Figure 787561DEST_PATH_IMAGE014
Calculating a time decay weight from a time decay function, said time decay function being expressed as
Figure 951826DEST_PATH_IMAGE015
Wherein
Figure 990190DEST_PATH_IMAGE016
Is a constant, takes on the value of [0,1]Within the range of the interval, the content of the active ingredients,
Figure 999734DEST_PATH_IMAGE017
representing the interaction distance between the last time and the subject node and the time of the interaction;
calculating a historical trust value by the following formulaHV
Figure 439943DEST_PATH_IMAGE018
Wherein,
Figure 509530DEST_PATH_IMAGE019
the last access control flow is shown,
Figure 35189DEST_PATH_IMAGE020
represents the latest integrated trust value that was previously interacted with the subject node B;
calculating the direct trust value of the subject node by the following formula:
Figure 848424DEST_PATH_IMAGE021
wherein,
Figure 143139DEST_PATH_IMAGE022
is a constant, takes on the value of [0,1]In the interval range, if the interaction with the main node A is carried out for the first time, the historical trust value does not exist, and only the current trust value exists, so that
Figure 649207DEST_PATH_IMAGE023
I.e. the calculated current trust value is the direct trust value with the subject node a.
3. The method of claim 1 or 2, wherein calculating a recommended trust value from the base trust value and the direct trust value of the subject node comprises:
calculating the direct trust value of the main trust node of the region to each main node in the region by the following formula:
Figure 396583DEST_PATH_IMAGE024
wherein,
Figure 13509DEST_PATH_IMAGE025
denotes a region number ofiThe direct trust value of the main trust node of the area to the main node of the area is adjusted along with the access times, the access success times and the access failure times,
Figure 162731DEST_PATH_IMAGE026
indicating the number of successes of the subject node to access control,
Figure 839700DEST_PATH_IMAGE027
indicating the number of failures of the subject node to perform access control,
Figure 74372DEST_PATH_IMAGE028
representing the total times of access control of the subject node;
computing base trust values between master trust nodes of different regions
Figure 229410DEST_PATH_IMAGE029
If the access of the main node fails, the area main trust node i reduces the basic trust value of the main node in the area, and the calculation formula is as follows:
Figure 498717DEST_PATH_IMAGE030
wherein
Figure 143325DEST_PATH_IMAGE031
Take on a value of [0,1]Within the interval range, the setting is performed according to the system and the default is
Figure 802977DEST_PATH_IMAGE032
Figure 824022DEST_PATH_IMAGE033
For reducing the factor, the value is [0,1 ]]Within the interval range;
if the access of the main node is successful, increasing a basic trust value, wherein the calculation formula is as follows:
Figure 619940DEST_PATH_IMAGE034
wherein
Figure 701028DEST_PATH_IMAGE031
Take on a value of [0,1]Within the interval range, the setting is performed according to the system and the default is
Figure 847976DEST_PATH_IMAGE032
Figure 672713DEST_PATH_IMAGE035
For increasing the factor, the value is [0,1 ]]Within the interval range;
calculating a recommended trust value for a subject node
Figure 588716DEST_PATH_IMAGE036
4. The method of claim 1, wherein computing a composite trust value from the direct trust value and the recommended trust value comprises:
calculating a composite confidence value by the following formulaTV
Figure 575127DEST_PATH_IMAGE037
Wherein,
Figure 209370DEST_PATH_IMAGE038
is a constant, takes on the value of [0,1]Within the range of the interval, the content of the active ingredients,
Figure 572218DEST_PATH_IMAGE039
indicating the direct trust value calculated in the currently ongoing access control flow,RVis a recommended trust value.
5. A cross-domain fine-grained attribute access control system based on a block chain is characterized by comprising a main trust node, a main body node, an object node, a miner node, a resource node and a key management center,
the main trust node is a node on the block chain and is also the center of each area, and is configured to manage the angular color value, the attribute value and the trust value of the main node and the object node in the corresponding areas in a sub-area mode, broadcast the angular color value, the attribute value and the trust value of the main node and the object node in the areas to the block chain and store the angular color value, the attribute value and the trust value into a transaction pool of the main node and the object node in the areas so as to wait for the miner node to take the transaction in the transaction pool and issue the transaction to the block chain;
the main body node is an initiator of access control and is configured to encrypt the identity of the main body node by using a corresponding private key to obtain an encrypted identity of the corresponding main body node; sending an encryption identity corresponding to a subject node, a region where the subject node is located and a resource request of the subject node to a subject node, and receiving a random number sent by the subject nodeNThen, a private key is used for signing to obtain a secondary encryption identity, and the secondary encryption identity and a public key of the subject node are sent to the object node;
the object node is a party with resources and is configured to receive the encrypted identity of a subject node, the area where the subject node is located and a resource request of the subject node; selecting a random numberNSending the data to the main node; receiving a secondary encrypted identity of the subject node and a public key of the subject node; verifying whether the random number in the twice encrypted identity is a random numberN(ii) a At the second placeThe random number in the secondary encrypted identity is a random numberNUnder the condition, the secondary encrypted identity is decrypted according to a public key of a main body node to obtain the identity of the main body node, an address corresponding to the main body node is obtained through calculation according to the identity of the main body node and the public key of the main body node, then an attribute value of the main body node is found out from a block chain, and a direct trust value with the main body node is calculated according to the attribute value of the main body node; inquiring a comprehensive trust value of an address of a main trust node corresponding to a region on a block chain to the main node according to the region number of the main node, calculating a direct trust value of the main node with the attribute value of the main node and the resource environment attribute, and calculating to obtain a recommended trust value according to a basic trust value and the direct trust value of the main node; calculating to obtain a comprehensive trust value according to the direct trust value and the recommended trust value; when the comprehensive trust value reaches the preset trust value threshold value requirement, checking the state of the task executed by the current resource through the task state attribute, and agreeing with the resource request of the main node under the condition that the state of the task executed by the current resource meets the task state requirement;
the resource node is configured to store resources owned by the object node;
the mineworker node is configured to take and distribute the transactions in the transaction pools of the main trust nodes of each region to a block chain;
the key management center is configured to be responsible for key initialization work, key creation and key generation of a main trust node, a main body node, an object node and a miner node in each area.
6. The system of claim 5, wherein the subject attributes of the subject nodes are obtained by:
the main body node proposes a main body attribute registration request: each main body node provides a main body node attribute registration request to a main trust node of the belonging area;
the main trust node generates a main attribute table: each regional master trust node applies for information according to each master node,firstly, the qualification of the subject in the area is verified, if the subject node is qualified, a subject attribute table is generated according to the subject application information
Figure 608308DEST_PATH_IMAGE040
Figure 765619DEST_PATH_IMAGE041
Indicating an in-area identity ID of
Figure 887159DEST_PATH_IMAGE042
Subject attribute table of subject node of (1), wherein
Figure 53698DEST_PATH_IMAGE043
Indicating that the subject node has a k-th subject attribute,
Figure 678715DEST_PATH_IMAGE044
total sharing of presentation system
Figure 272507DEST_PATH_IMAGE044
Different subject attributes are planted, and a subject trust node in a region can locally store an attribute value corresponding to each subject in the region;
the main trust node generates a main attribute transaction of the main node: regional master trust nodeTMDThe transaction form of the subject attribute of the subject node is generated as follows:
Figure 615764DEST_PATH_IMAGE045
the transaction is indicated as an address
Figure 585994DEST_PATH_IMAGE046
The subject of (2) has subject attributes
Figure 331096DEST_PATH_IMAGE047
7. The system of claim 5, wherein the guest node resource is obtained by:
an object node with resources makes a resource request to a main trust node of a region to which the object node belongs;
the master trust node generates a resource list: the region host trust node verifies the object resource in the region according to the region object node application information, if the object node has corresponding resource, a corresponding resource list is generated
Figure 830210DEST_PATH_IMAGE048
Figure 723080DEST_PATH_IMAGE049
Indicating an in-area identity ID of
Figure 169105DEST_PATH_IMAGE050
The resource list of the subject node of (1), wherein
Figure 831030DEST_PATH_IMAGE051
Indicating that the node has the firstkThe kind of the resource is selected from the group,
Figure 704308DEST_PATH_IMAGE052
total sharing of presentation system
Figure 84474DEST_PATH_IMAGE052
Different resources are planted, and then the host trust node can locally store one list of each object resource in the area;
the zone master trust node generates a resource list transaction: the transaction form generated by the zone master trust node is shown as the following formula:
Figure 68611DEST_PATH_IMAGE053
indicating an address of
Figure 850622DEST_PATH_IMAGE054
Node of has resources
Figure 894801DEST_PATH_IMAGE055
The main trust node correspondingly packs the transaction and puts the transaction into a transaction pool;
resource environment attribute initialization: firstly, an object node with resources generates an environment attribute list of the resources according to the resources thereof
Figure 762263DEST_PATH_IMAGE056
Figure 550091DEST_PATH_IMAGE057
Indicating an in-area identity ID of
Figure 186608DEST_PATH_IMAGE058
A resource environment attribute table of the node of (a),
Figure 401689DEST_PATH_IMAGE059
a category representing an attribute of the environment is indicated,
Figure 490868DEST_PATH_IMAGE060
the indication is provided withkAnd the environment attribute and the resource environment attribute are stored locally in the node.
8. The system of claim 5, wherein the guest node is further configured to:
according to the subject attribute of the subject node and the accessed resource environment attribute, calculating the current direct trust of the subject node by the following formula
Figure 82386DEST_PATH_IMAGE061
Figure 573410DEST_PATH_IMAGE062
Wherein,
Figure 959392DEST_PATH_IMAGE063
representing the class of the relevant subject attribute of the subject node,
Figure 801446DEST_PATH_IMAGE064
indicating the type of the accessed relevant context attribute,
Figure 931076DEST_PATH_IMAGE065
and
Figure 276607DEST_PATH_IMAGE066
is a constant, takes on the value of [0,1]Within the range of the interval, the content of the active ingredients,
Figure 99069DEST_PATH_IMAGE007
indicating the relevance of the subject attributes to the accessed resource,
Figure 162840DEST_PATH_IMAGE067
representing the weight that each subject attribute occupies,
Figure 96161DEST_PATH_IMAGE010
indicating the relevance of the environment attribute to the accessed resource,
Figure 296199DEST_PATH_IMAGE011
represents the weight of each environment attribute, satisfies
Figure 289562DEST_PATH_IMAGE012
Figure 840629DEST_PATH_IMAGE068
Figure 312062DEST_PATH_IMAGE014
Calculating a time decay weight from a time decay function, said time decay function being expressed as
Figure 632185DEST_PATH_IMAGE015
Wherein
Figure 796450DEST_PATH_IMAGE069
Is a constant, takes on the value of [0,1]Within the range of the interval, the content of the active ingredients,
Figure 569234DEST_PATH_IMAGE070
representing the interaction distance between the last time and the subject node and the time of the interaction;
calculating a historical trust value by the following formulaHV
Figure 844357DEST_PATH_IMAGE018
Wherein,
Figure 296285DEST_PATH_IMAGE019
the last access control flow is shown,
Figure 365872DEST_PATH_IMAGE020
represents the latest integrated trust value that was previously interacted with the subject node B;
calculating the direct trust value of the subject node by the following formula:
Figure 891531DEST_PATH_IMAGE021
wherein,
Figure 704767DEST_PATH_IMAGE022
is a constant, and takes on a value of [0,1]In the interval range, if the interaction with the main node A is carried out for the first time, the historical trust value does not exist, and only the current trust value exists, so that
Figure 999482DEST_PATH_IMAGE023
I.e. the calculated current trust value is the direct trust value with the subject node a.
9. The system of claim 5, wherein the guest node is further configured to:
calculating the direct trust value of the main trust node of the region to each main node in the region by the following formula:
Figure 239970DEST_PATH_IMAGE024
wherein,
Figure 252925DEST_PATH_IMAGE071
denotes a region number ofiThe direct trust value of the main trust node of the region to the main node of the region is adjusted along with the access times, the access success times and the access failure times,
Figure 869852DEST_PATH_IMAGE026
indicating the number of successes of the subject node to access control,
Figure 19073DEST_PATH_IMAGE027
indicating the number of failures of the subject node to perform access control,
Figure 696042DEST_PATH_IMAGE028
representing the total times of access control of the subject node;
computing base trust values between master trust nodes of different regions
Figure 930714DEST_PATH_IMAGE029
If the access of the main node fails, the area main trust node i reduces the basic trust value of the main node in the area, and the calculation formula is as follows:
Figure 85752DEST_PATH_IMAGE030
wherein
Figure 355060DEST_PATH_IMAGE031
Take on a value of [0,1]Within the interval range, the setting is performed according to the system and the default is
Figure 937351DEST_PATH_IMAGE032
Figure 659319DEST_PATH_IMAGE072
For reducing the factor, the value is [0,1 ]]Within the interval range;
if the access of the main node is successful, increasing a basic trust value, wherein the calculation formula is as follows:
Figure 618048DEST_PATH_IMAGE073
wherein
Figure 741862DEST_PATH_IMAGE031
Take on a value of [0,1]Within the interval range, the setting is performed according to the system and the default is
Figure 760633DEST_PATH_IMAGE032
Figure 969898DEST_PATH_IMAGE074
For increasing the factor, the value is [0,1 ]]Within the interval range;
calculating a recommended trust value for a subject node
Figure 466738DEST_PATH_IMAGE075
10. The system of claim 5, wherein the guest node is further configured to: by the followingFormula calculating integrated trust valueTV
Figure 445058DEST_PATH_IMAGE076
Wherein,
Figure 634731DEST_PATH_IMAGE077
is a constant, takes on the value of [0,1]Within the range of the interval, the content of the active carbon,
Figure 331292DEST_PATH_IMAGE078
indicating a direct trust value calculated in the currently ongoing access control flow,RVis a recommended trust value.
CN202210562634.0A 2022-05-23 2022-05-23 Blockchain-based cross-domain fine-grained attribute access control method and system Active CN114666067B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210562634.0A CN114666067B (en) 2022-05-23 2022-05-23 Blockchain-based cross-domain fine-grained attribute access control method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210562634.0A CN114666067B (en) 2022-05-23 2022-05-23 Blockchain-based cross-domain fine-grained attribute access control method and system

Publications (2)

Publication Number Publication Date
CN114666067A true CN114666067A (en) 2022-06-24
CN114666067B CN114666067B (en) 2022-08-16

Family

ID=82037399

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210562634.0A Active CN114666067B (en) 2022-05-23 2022-05-23 Blockchain-based cross-domain fine-grained attribute access control method and system

Country Status (1)

Country Link
CN (1) CN114666067B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114936384A (en) * 2022-06-21 2022-08-23 云南财经大学 Electronic medical record access control method based on intuition fuzzy trust
CN116633615A (en) * 2023-05-23 2023-08-22 之江实验室 An Access Control Method Based on Blockchain and Risk Assessment
CN116800435A (en) * 2023-08-21 2023-09-22 成都信息工程大学 Access control methods, systems and storage media based on zero-knowledge proof and cross-chain

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180005235A1 (en) * 2016-06-29 2018-01-04 Ca, Inc. Electronic transaction risk assessment based on digital identifier trust evaluation
CN108810073A (en) * 2018-04-05 2018-11-13 西安电子科技大学 A kind of Internet of Things multiple domain access control system and method based on block chain
CN111062807A (en) * 2019-12-17 2020-04-24 北京工业大学 A blockchain-based IoT data service reputation assessment method
CN112000936A (en) * 2020-07-31 2020-11-27 天翼电子商务有限公司 Identity service method, medium and device based on cross-domain attribute heterogeneity
CN112236987A (en) * 2018-06-01 2021-01-15 诺基亚技术有限公司 Method and apparatus for decentralized trust assessment in a distributed network
CN112487443A (en) * 2020-11-11 2021-03-12 昆明理工大学 Energy data fine-grained access control method based on block chain
CN113572734A (en) * 2021-06-24 2021-10-29 福建师范大学 Blockchain-based cross-domain access control method in mobile edge computing
CN113612754A (en) * 2021-07-28 2021-11-05 中国科学院深圳先进技术研究院 Cross-domain access method and system based on block chain
CN114154193A (en) * 2021-11-26 2022-03-08 哈尔滨工程大学 A blockchain-based cross-domain access control method

Patent Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180005235A1 (en) * 2016-06-29 2018-01-04 Ca, Inc. Electronic transaction risk assessment based on digital identifier trust evaluation
CN108810073A (en) * 2018-04-05 2018-11-13 西安电子科技大学 A kind of Internet of Things multiple domain access control system and method based on block chain
CN112236987A (en) * 2018-06-01 2021-01-15 诺基亚技术有限公司 Method and apparatus for decentralized trust assessment in a distributed network
US20210160056A1 (en) * 2018-06-01 2021-05-27 Nokia Technologies Oy Method and apparatus for decentralized trust evaluation in a distributed network
CN111062807A (en) * 2019-12-17 2020-04-24 北京工业大学 A blockchain-based IoT data service reputation assessment method
CN112000936A (en) * 2020-07-31 2020-11-27 天翼电子商务有限公司 Identity service method, medium and device based on cross-domain attribute heterogeneity
CN112487443A (en) * 2020-11-11 2021-03-12 昆明理工大学 Energy data fine-grained access control method based on block chain
CN113572734A (en) * 2021-06-24 2021-10-29 福建师范大学 Blockchain-based cross-domain access control method in mobile edge computing
CN113612754A (en) * 2021-07-28 2021-11-05 中国科学院深圳先进技术研究院 Cross-domain access method and system based on block chain
CN114154193A (en) * 2021-11-26 2022-03-08 哈尔滨工程大学 A blockchain-based cross-domain access control method

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
S. ALANSARI等: "A Distributed Access Control System for Cloud Federations", 《2017 IEEE 37TH INTERNATIONAL CONFERENCE ON DISTRIBUTED COMPUTING SYSTEMS (ICDCS)》 *
史锦山等: "物联网下的区块链访问控制综述", 《软件学报》 *
王秀利等: "应用区块链的数据访问控制与共享模型", 《软件学报》 *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114936384A (en) * 2022-06-21 2022-08-23 云南财经大学 Electronic medical record access control method based on intuition fuzzy trust
CN116633615A (en) * 2023-05-23 2023-08-22 之江实验室 An Access Control Method Based on Blockchain and Risk Assessment
CN116800435A (en) * 2023-08-21 2023-09-22 成都信息工程大学 Access control methods, systems and storage media based on zero-knowledge proof and cross-chain
CN116800435B (en) * 2023-08-21 2023-12-19 成都信息工程大学 Access control methods, systems and storage media based on zero-knowledge proof and cross-chain

Also Published As

Publication number Publication date
CN114666067B (en) 2022-08-16

Similar Documents

Publication Publication Date Title
Hao et al. A blockchain-based cross-domain and autonomous access control scheme for internet of things
CN111680324B (en) Credential verification method, management method and issuing method for blockchain
CN108737370B (en) Block chain-based Internet of things cross-domain authentication system and method
AU2020200584B2 (en) Parameter based key derivation
Riabi et al. A survey on Blockchain based access control for Internet of Things
CN114666067B (en) Blockchain-based cross-domain fine-grained attribute access control method and system
Panda et al. A blockchain based decentralized authentication framework for resource constrained iot devices
Shehab et al. Secure collaboration in mediator-free environments
CN113660206B (en) A cross-organization access control method based on consortium chain and multi-signature
Feng et al. Blockchain enabled zero trust based authentication scheme for railway communication networks
CN115865418B (en) A cross-domain access control method based on blockchain and Byzantine fault tolerance algorithm
CN118427876A (en) Distributed digital identity privacy protection method and system
Wang et al. An Efficient Data Sharing Scheme for Privacy Protection Based on Blockchain and Edge Intelligence in 6G‐VANET
CN111901432A (en) Block chain-based safety data exchange method
Ma et al. Catch me if you can: A secure bilateral access control system with anonymous credentials
CN120257367A (en) A cross-platform social privacy collaborative protection system based on federated learning and blockchain
CN119675840A (en) A decentralized digital asset management method and system
Wang et al. Owner-enabled secure authorized keyword search over encrypted data with flexible metadata
US8365298B2 (en) Comprehensive security architecture for dynamic, web service based virtual organizations
CN118368067A (en) VPP distributed security and trusted authentication implementation method based on master-slave blockchain
Wu et al. Data privacy protection model based on blockchain in mobile edge computing
CN112491845B (en) Ordinary node access method, device, electronic equipment and readable storage medium
CN114168921A (en) Crowdsourcing task allocation method, system and storage medium with privacy protection
Sahi et al. Self-sovereign identity in semi-permissioned blockchain networks leveraging ethereum and hyperledger fabric
Xia et al. An efficient anonymous identity authentication based on CP-ABE and consortium blockchain for IoV

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant