分布式环境下可信使用控制实施方案  被引量：3

作　　者：胡浩[1,2,3] 冯登国[2,3] 秦宇[2,3] 于爱民[2,3] 

机构地区：[1]中国科学技术大学电子工程与信息科学系,合肥230027 [2]信息安全国家重点实验室(中国科学院软件研究所),北京100190 [3]信息安全共性技术国家工程研究中心,北京100190

出　　处：《计算机研究与发展》2011年第12期2201-2211,共11页Journal of Computer Research and Development

基　　金：国家科技支撑计划基金项目(2008BAH22B06);国家"八六三"高技术研究发展计划基金项目(2007AA01Z465);国家自然科学基金项目(60970028);中国科学院知识创新工程领域前沿项目(ISCAS2009-DR14;ISCAS2009-GR03)

摘　　要：当前分布式环境下,数据分发后产生了多种新的安全需求,传统的访问控制模型早已无法满足实际需要.因此,基于新型的使用控制模型UCON和可信计算技术,针对分布式环境下的信息安全需求,构建了一种通用的、可协商的可信使用控制架构TUC(trusted usage control).该架构利用硬件信任根TPM实施使用控制,引入策略和密钥协商机制,保证数据分发、传输、存储和使用控制过程中的机密性、完整性、可控性.此外,通过使用控制策略与分发数据的绑定,TUC的使用控制实施不会局限于特定的应用环境,增强了方案的通用性.针对原型系统的性能测试表明,TUC的表现达到了预期,为分布式环境下的访问控制实施提供了可行的解决方案.In distributed environment, digital data can be easily distributed and various kinds of security requirements emerge after the data distribution. However, traditional access control solutions suffer from difficulties both in the access rights authorization and the usage policy enforcement, especially under the heterogeneous, distributed network environments. In this paper, a new architecture called TUC （trusted usage control） is proposed against the information security requirements under distributed environment based on usage control model and trusted computing technology. TUC is presented to achieve usage control based upon the hardware trust root TPM. In this way, confidentiality, integrity and controllability of the data are assured not only in distribution, transmission, storage but also in usage control. It is necessary to design TUC as a general access solution by binding policies to the usage-controlled digital content. So TUC isn＇t limited to the specific application environment. Moreover, TUC is a negotiable solution because of the key and policy negotiation in our design. In this way, both the user＇s and the owner＇s requirements are taken into consideration. The design and implementation of TUC is then detailed in this paper. Test results show that the performance of TUC is acceptable for access control in distributed environment.

关 键 词：可信计算 可信平台模块 UCON模型 分布式访问控制 可信使用控制 

分 类 号：TP309[自动化与计算机技术—计算机系统结构]