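Authors: Fang Liang (房梁)[1,2,3], Yin Lihua (殷丽华)[2,3], Guo Yunchuan (郭云川)[2,3], Fang Binxing (方滨兴)[1,2]
Affiliations: [1] School of Computer Science, Beijing University of Posts and Telecommunications, Beijing 100876; [2] National Engineering Laboratory for Information Content Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093; [3] Beijing Key Laboratory of IoT Information Security Technology, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093
Source: Chinese Journal of Computers (《计算机学报》), 2017, No. 7, pp. 1680-1698 (19 pages)
Funding: National Key Research and Development Program (2016YFB0800303); Strategic Priority Research Program of the Chinese Academy of Sciences (XDA06030200)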
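Abstract (translated from the Chinese): New computing paradigms such as cloud computing and the Internet of Things provide convenient data sharing, efficient computing and other services, greatly improving the efficiency of data processing and the utilization of computing and storage resources. However, these paradigms store and aggregate large amounts of data that carry "ownership" characteristics; if this data is not reliably protected, a leak will cause huge losses for users. As one of the cornerstone technologies of data protection, access control ensures that data can be accessed only by users holding the corresponding permissions, and it has been studied extensively. Attribute-based access control (ABAC) uses attributes as the key element of access control and thereby effectively solves the problem of fine-grained access control in new computing environments characterized by large scale, strong dynamics and strong privacy requirements, providing an ideal access control strategy for cloud computing, IoT computing and other new computing environments. This paper divides the overall ABAC process into a preparation phase and an execution phase, and analyzes the key problems, research status and development trends of both phases. It discusses in depth the difficult problems of entity attribute discovery, mining of permission assignment association relations, access control policy description, multi-authority cooperation, identity authentication, and permission update and revocation. Finally, on the basis of an in-depth analysis and comparison of existing techniques, it points out future research directions for attribute-based access control.

Abstract (English, as published): New computing paradigms, including Cloud Computing and Internet of Things (IOTs), provide us convenient services such as data sharing and effective computing. This greatly improves the efficiency of data processing and makes full use of the computing and storage resources. However, a huge amount of data with specific ownership is also stored in these new computing paradigms. If it does not obtain efficient protection, this will bring serious risks of data leakage, thus causing tremendous losses for users. Therefore, measures should be taken to make sure that the data can only be accessed by users with appropriate permissions. Access control, which can be used to prevent unauthorized access, attracts extensive attention from both academia and industry. Among the access control schemes, Attribute-Based Access Control (ABAC), which takes attributes as the key element to build up the whole access control system, is the most suitable scheme to achieve fine-grained access control for the new computing paradigms, which have features such as large scale, dynamicity and strong privacy needs. With the help of ABAC, we can provide an ideal access control system for computing paradigms like Cloud Computing and Internet of Things. In this paper, we discuss and analyze the existing problems, current research situation and development trends in the preparation and executing stages of ABAC. In particular, we elaborate on the research including entity attribute mining, permission allocation mining, access control policy specification, multi-authority research, and user identity and access permission management. Finally, possible future work and some conclusions are pointed out.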
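Keywords: attribute-based access control; entity attribute discovery; permission assignment association relations; policy description; multi-authority cooperation; identity authentication; permission update and revocation
Classification: TP309 [Automation and Computer Technology: Computer System Architecture]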