Multidimensional digital media-oriented access control scheme    Cited by: 2

Original title: 面向多维数字媒体的访问控制机制

Authors: 单芳芳 (Shan Fangfang) [1], 李凤华 (Li Fenghua) [2], 谢绒娜 (Xie Rongna) [3], 熊金波 (Xiong Jinbo) [2], 王彦超 (Wang Yanchao) [2]

Affiliations: [1] State Key Laboratory of Integrated Services Networks, Xidian University, Xi'an, Shaanxi 710071, China; [2] State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100195, China; [3] Department of Information Security, Beijing Electronic Science and Technology Institute, Beijing 100070, China

Source: Journal on Communications (通信学报), 2015, No. 11, pp. 52-60 (9 pages)

Funding: National Natural Science Foundation of China (61170251); Key Fund of the Ministry of Education (209156)

Abstract: In the emerging scenario of multidimensional digital media, users want to constrain their own access permissions using factors such as environmental state and temporal state. To meet this need, an authorization attribute is defined from the concepts of environmental state, temporal state and role, and a multidimensional digital media-oriented access control scheme is proposed. The scheme defines two assignment relationships: user-authorization attribute and authorization attribute-access permission. The user-authorization attribute relationship assigns authorization attributes to a user according to the user's ID, attribute information, environmental state, temporal state and role; the authorization attribute-access permission relationship then assigns access permissions to the user according to the authorization attributes the user holds. Constraint conditions are introduced so that a user can set self-constraints on the access permissions derived from those authorization attributes; in this way, access permissions are dynamically reduced as the environment, temporal state, role and other factors change. The scheme is formalized in Z notation, and instance analysis shows that it is feasible, effective and efficient. Compared with related work, the proposed scheme supports the security principles of least privilege, separation of duty and data abstraction, and supports dynamic reduction of access permissions.
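The two-level assignment the abstract describes (user to authorization attribute, then authorization attribute to access permission, with user-set constraint conditions that can only shrink the result) is illustrated below. This is an added, constructed example and not code from the paper; the attribute names, permission strings, rule predicates and the user "alice" are all assumptions made for the illustration, not identifiers from the scheme itself.

```python
"""Constructed example (not the paper's code) of the assignment chain
user -> authorization attribute -> access permission, plus self-constraints
that reduce permissions as environment, temporal state and role change."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """Everything the user-authorization attribute assignment looks at."""
    user_id: str
    attributes: frozenset   # static attribute information, e.g. subscription tier
    role: str               # the role the user is currently acting in
    environment: str        # environmental state: "office", "home" or "public"
    hour: int               # temporal state, hour of day 0-23


# User-authorization attribute assignment (UA): an authorization attribute is
# granted when its predicate over the context holds. All names are constructed.
UA_RULES = {
    "premium_viewer": lambda c: "premium" in c.attributes,
    "media_editor":   lambda c: c.role == "editor",
    "trusted_env":    lambda c: c.environment in {"office", "home"},
    "working_hours":  lambda c: 9 <= c.hour < 18,
}

# Authorization attribute-access permission assignment (AP).
AP_ASSIGN = {
    "premium_viewer": {"read:premium_video"},
    "media_editor":   {"read:media", "write:media"},
    "trusted_env":    {"download:media"},
    "working_hours":  {"publish:media"},
}


def assign_authorization_attributes(ctx):
    """UA relationship: derive the authorization attributes for this context."""
    return frozenset(name for name, holds in UA_RULES.items() if holds(ctx))


def assign_permissions(auth_attrs):
    """AP relationship: union of the permissions bound to each attribute."""
    perms = set()
    for attr in auth_attrs:
        perms |= AP_ASSIGN.get(attr, set())
    return frozenset(perms)


def apply_constraints(ctx, auth_attrs, perms, constraints):
    """Constraint conditions set by the user on their own account.

    A permission is retained only while every constraint bound to it holds.
    Constraints can only remove permissions, never add them, so the result is
    always a subset of what UA + AP granted (self-constraining, least privilege).
    """
    kept = set()
    for perm in perms:
        bound = [cond for c_perm, cond in constraints if c_perm == perm]
        if all(cond(ctx, auth_attrs) for cond in bound):
            kept.add(perm)
    return frozenset(kept)


def effective_permissions(ctx, constraints=()):
    """Full chain: context -> authorization attributes -> constrained permissions."""
    attrs = assign_authorization_attributes(ctx)
    return apply_constraints(ctx, attrs, assign_permissions(attrs), constraints)


# Constructed self-constraints for the hypothetical user "alice": writes only
# while the working_hours attribute is held, publishing only from the office.
ALICE_CONSTRAINTS = (
    ("write:media",   lambda c, a: "working_hours" in a),
    ("publish:media", lambda c, a: c.environment == "office"),
)


def demo():
    """Same user, same role and attributes; only environment and time change."""
    base = dict(user_id="alice", attributes=frozenset({"premium"}), role="editor")
    office_day = Context(environment="office", hour=10, **base)
    home_night = Context(environment="home", hour=22, **base)
    public_day = Context(environment="public", hour=10, **base)
    return {
        "office_day": effective_permissions(office_day, ALICE_CONSTRAINTS),
        "home_night": effective_permissions(home_night, ALICE_CONSTRAINTS),
        "public_day": effective_permissions(public_day, ALICE_CONSTRAINTS),
    }


if __name__ == "__main__":
    for name, perms in demo().items():
        print(name, sorted(perms))
```

Running `demo()` shows the dynamic reduction the abstract refers to: the same editor holds five permissions in the office during working hours, loses write and publish rights at home at night (the working_hours attribute is no longer assigned and the constraint on writes then fails), and loses download and publish rights in a public environment. The constraints are evaluated after the AP assignment and can only filter, which is what keeps the user's self-constraint from ever widening the granted set.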

Keywords: access control; multidimensional digital media; authorization attribute; dynamic reduction of access permission

Classification: TP309.2 [Automation and Computer Technology: Computer System Architecture]
