微信服务号

微信订阅号

2025年8月4日 20:56 星期一
首页 > 过刊浏览>2025年第36卷第9期 >4224-4241. DOI:10.13328/j.cnki.jos.007274
PDF HTML阅读 XML下载 导出引用 引用提醒
面向跨信任域互联网场景的拜占庭容错访问控制架构
作者:
中图分类号:

TP309

基金项目:

国家重点研发计划(2022YFB2701600)


Access Control Structure Based on Byzantine Fault Tolerance in Cross-trust-domain Internet Scenarios
Author:
  • 摘要
    • | |
  • 访问统计
    • |
  • 参考文献 [45]
    • |
  • 相似文献 [20]
    • | | |
  • 文章评论
    摘要:

    工业界现用的访问权限控制技术愈来愈难以应对广域互联网场景下部署的分布式系统的访问控制问题, 特别是跨多个信任域部署的大型信息系统在地理分布上不断分散化, 造成防护弱点不断增加. 基于共识的访问控制策略共享技术能够使跨信任域部署的访问控制节点安全快速地达成一致决策. 首先提出面向多节点的基于共识的访问权限控制模型, 提出强安全高性能的访问控制引擎共识算法Super-Dumbo. 该算法突破Dumbo2共识协议的性能瓶颈, 优化消息广播、随机掷币、共识算法设计等关键步骤的设计, 减少数字签名验证等计算开销、有效提升带宽利用率, 从而在吞吐量和延迟时间等性能方面取得大幅提升, 满足CBAC访问控制模型对底层共识算法低延迟、大吞吐量的性能要求.

    Abstract:

    In the industrial field, currently used access permission control technologies are increasingly struggling to address access control issues of distributed systems deployed in wide-area internet scenarios. This situation is particularly exacerbated when dealing with large-scale information systems distributed across multiple trust domains, thereby engendering an escalating proliferation of vulnerabilities. Consensus-based access control policy sharing technologies can facilitate the secure and expeditious attainment of consensus decisions among access control nodes deployed across trust domains. This study first proposes a consensus-based access permission control model for multiple nodes and presents the Super-Dumbo consensus algorithm for access control engines, which features robust security and high performance. Super-Dumbo surmounts the performance bottlenecks of Dumbo2 by optimizing the design of key steps encompassing message broadcasting, random coin toss procedures, and consensus algorithm constructs. Notably, it reduces computational overhead such as digital signature verification, thereby effectively enhancing bandwidth utilization. This achieves a substantial improvement in performance metrics, such as throughput and latency, aligning seamlessly with the performance prerequisites of the CBAC access control model, which demands low latency and high throughput from the underlying consensus algorithm.

    参考文献
    [1] Bertino E, Bettini C, Ferrari E, Samarati P. A temporal access control mechanism for database systems. IEEE Trans. on Knowledge and Data Engineering, 1996, 8(1): 67–80.
    [2] Ryutov T, Neuman C, Kim DH, Zhou L. Integrated access control and intrusion detection for Web servers. IEEE Trans. on Parallel and Distributed Systems, 2003, 14(9): 841–850.
    [3] Centonze P. Security and privacy frameworks for access control big data systems. Computers, Materials & Continua, 2019, 59(2): 361–374. [doi: 10.32604/cmc.2019.06223]
    [4] Xue KP, Gai N, Hong JN, Wei DSL, Hong PL, Yu NH. Efficient and secure attribute-based access control with identical sub-policies frequently used in cloud storage. IEEE Trans. on Dependable and Secure Computing, 2022, 19(1): 635–646.
    [5] Han DZ, Zhu YJ, Li D, Liang W, Souri A, Li KC. A blockchain-based auditable access control system for private data in service-centric IoT environments. IEEE Trans. on Industrial Informatics, 2022, 18(5): 3530–3540.
    [6] Ameer S, Benson J, Sandhu R. An attribute-based approach toward a secured smart-home IoT access control and a comparison with a role-based approach. Information, 2022, 13(2): 60.
    [7] Sandhu RS, Coyne EJ, Feinstein HL, Youman CE. Role-based access control models. Computer, 1996, 29(2): 38–47.
    [8] Goyal V, Pandey O, Sahai A, Waters B. Attribute-based encryption for fine-grained access control of encrypted data. In: Proc. of the 13th ACM Conf. on Computer and Communications Security. Alexandria: Association for Computing Machinery, 2006. 89–98.
    [9] Yu SC, Wang C, Ren K, Lou WJ. Achieving secure, scalable, and fine-grained data access control in cloud computing. In: Proc. of the 2010 IEEE INFOCOM. San Diego: IEEE, 2010. 1–9. [doi: 10.1109/INFCOM.2010.5462174]
    [10] Hebig RN, Meinel C, Menzel M, Thomas I, Warschofsky R. A Web service architecture for decentralised identity- and attribute-based access control. In: Proc. of the 2009 IEEE Int’l Conf. on Web Services. Los Angeles: IEEE, 2009. 551–558.
    [11] 新华网. 脸书5000万用户信息泄露. 2018. http://www.xinhuanet.com/world/2018-03/24/c_129836684.htm
    Xinhuanet.com. Facebook’s 50 million user information leaked. 2018 (in Chinese). http://www.xinhuanet.com/world/2018-03/24/c_129836684.htm
    [12] CISOMAG. Instagram data breach! 49 million users’ sensitive data exposed online. 2019. https://cisomag.com/instagram-data-breach-49-million-users-sensitive-data-exposed-online/#:~:text=May%2023%2C%202019%20Another%20data%20leak%20in%20Facebook%E2%80%99s, accounts%20have%20been%20found%20online%2C%20the%20TechCrunch%20reported
    [13] ZDNET. Companies are leaking sensitive files via Box accounts. 2019. https://www.zdnet.com/article/companies-are-leaking-sensitive-files-via-box-accounts/
    [14] 央视网. 西北工业大学遭美国NSA网络攻击: 美方逐步渗透、长期窃密. 2022. https://news.cctv.com/2022/09/27/ARTI1YjUCAzciKAsNQsy1Rxd220927.shtml
    CCTV. Northwestern Polytechnical University was attacked by the US NSA cyber attack: The US has gradually infiltrated and stolen secrets for a long time (in Chinese). 2022. https://news.cctv.com/2022/09/27/ARTI1YjUCAzciKAsNQsy1Rxd220927.shtml
    [15] National Computer Security Center. A guide to understanding discretionary access control in trusted systems. In: The ‘Orange Book’ Series. London: Springer, 1987.
    [16] Upadhyaya S. Mandatory access control. In: van Tilborg HCA, Jajodia S, eds. Encyclopedia of Cryptography and Security. 2nd ed., New York: Springer, 2011. 756–758. [doi: 10.1007/978-1-4419-5906-5_784]
    [17] Maulina A, Rasjid ZE. Unified access management for digital evidence storage: Integrating attribute-based and role-based access control with XACML. Int’l Journal of Advanced Computer Science and Applications, 2024, 15(3): 1345–1353.
    [18] Kalam AAE, Baida RE, Balbiani P, Benferhat S, Cuppens F, Deswarte Y, Miege A, Saurel C, Trouessin G. Organization based access control. In: Proc. of the 4th Int’l Workshop on Policies for Distributed Systems and Networks. Lake Como: IEEE, 2003. 120–131. [doi: 10.1109/POLICY.2003.1206966]
    [19] Laamech N, Munier M, Pham C. Translating usage control policies to semantic rules: A model using OrBAC and SWRL. Procedia Computer Science, 2023, 225: 1881–1890.
    [20] Yuan E, Tong J. Attributed based access control (ABAC) for Web services. In: Proc. of the 2005 IEEE Int’l Conf. on Web Services. Orlando: IEEE, 2005. 561–569. [doi: 10.1109/ICWS.2005.25]
    [21] Hu VC, Ferraiolo D, Kuhn R, Schnitzer A, Sandlin K, Miller R, Scarfone K. Guide to attribute based access control (ABAC) definition and considerations. Gaithersburg: National Institute of Standards and Technology, 2014.
    [22] Shang SY, Wang XH, Liu AD. ABAC policy mining method based on hierarchical clustering and relationship extraction. Computers & Security, 2024, 139: 103717.
    [23] Choksy P, Chaurasia A, Rao UP, Kumar S. Attribute based access control (ABAC) scheme with a fully flexible delegation mechanism for IoT healthcare. Peer-to-peer Networking and Applications, 2023, 16(3): 1445–1467.
    [24] Liu YF, Zhao B, An Y, Guo JB. DACAS: Integration of attribute-based access control for northbound interface security in SDN. World Wide Web, 2023, 26(4): 2143–2173.
    [25] Perez-Haro A, Diaz-Perez A. Attribute-based access control rules supported by biclique patterns. In: Proc. of the 9th Int’l Conf. on Big Data Computing Service and Applications (BigDataService). Athens: IEEE, 2023. 95–102.
    [26] Ruan CH, Hu CQ, Li XW, Deng SJ, Liu ZW, Yu JG. A revocable and fair outsourcing attribute-based access control scheme in metaverse. IEEE Trans. on Consumer Electronics, 2024, 70(1): 3781–3791.
    [27] Guo BY, Lu ZL, Tang Q, Xu J, Zhang ZF. Dumbo: Faster asynchronous BFT protocols. In: Proc. of the 2020 ACM SIGSAC Conf. on Computer and Communications Security. New York: Association for Computing Machinery, 2020. 803–818.
    [28] Bai QH, Zheng Y. Study on the access control model. In: Proc. of the 2011 Cross Strait Quad-regional Radio Science and Wireless Technology Conf. Harbin: IEEE, 2011. 830–834. [doi: 10.1109/CSQRWC.2011.6037079]
    [29] 林闯, 封富君, 李俊山. 新型网络环境下的访问控制技术. 软件学报, 2007, 18(4): 955–966. http://www.jos.org.cn/1000-9825/18/955.htm
    Lin C, Feng FJ, Li JS. Access control in new network environment. Ruan Jian Xue Bao/Journal of Software, 2007, 18(4): 955–966 (in Chinese with English abstract). http://www.jos.org.cn/1000-9825/18/955.htm
    [30] 王于丁, 杨家海, 徐聪, 凌晓, 杨洋. 云计算访问控制技术研究综述. 软件学报, 2015, 26(5): 1129–1150. http://www.jos.org.cn/1000-9825/4820.htm
    Wang YD, Yang JH, Xu C, Ling X, Yang Y. Survey on access control technologies for cloud computing. Ruan Jian Xue Bao/Journal of Software, 2015, 26(5): 1129–1150 (in Chinese with English abstract). http://www.jos.org.cn/1000-9825/4820.htm
    [31] Jemel M, Serhrouchni A. Decentralized access control mechanism with temporal dimension based on blockchain. In: Proc. of the 14th IEEE Int’l Conf. on e-Business Engineering (ICEBE). Shanghai: IEEE, 2017. 177–182. [doi: 10.1109/ICEBE.2017.35]
    [32] Ravidas S, Lekidis A, Paci F, Zannone N. Access control in Internet-of-Things: A survey. Journal of Network and Computer Applications, 2019, 144: 79–101.
    [33] Paillisse J, Subira J, Lopez A, Rodriguez-Natal A, Ermagan V, Maino F, Cabellos A. Distributed access control with blockchain. In: Proc. of the 2019 IEEE Int’l Conf. on Communications (ICC). Shanghai: IEEE, 2019. 1–6. [doi: 10.1109/ICC.2019.8761995]
    [34] Cruz JP, Kaji Y, Yanai N. RBAC-SC: Role-based access control using smart contract. IEEE Access, 2018, 6: 12240–12251.
    [35] Hardjono T, Pentland A. Verifiable anonymous identities and access control in permissioned blockchains. arXiv:1903.04584, 2019.
    [36] Anjana PS, Kumari S, Peri S, Rathor S, Somani A. An efficient framework for optimistic concurrent execution of smart contracts. In: Proc. of the 27th Euromicro Int’l Conf. on Parallel, Distributed and Network-Based Processing (PDP). Pavia: IEEE, 2019. 83–92. [doi: 10.1109/EMPDP.2019.8671637]
    [37] Dickerson T, Gazzillo P, Herlihy M, Koskinen E. Adding concurrency to smart contracts. In: Proc. of the 2017 ACM Symp. on Principles of Distributed Computing. Washington: Association for Computing Machinery, 2017. 303–312. [doi: 10.1145/3087801.3087835]
    [38] Lamport L, Shostak R, Pease M. The Byzantine generals problem. ACM Trans. on Programming Languages and Systems (TOPLAS). ACM, 1982, 4(3): 382–401.
    [39] Cachin C, Kursawe K, Petzold F, Shoup V. Secure and efficient asynchronous broadcast protocols. In: Proc. of the 21st Annual Int’l Cryptology Conf. (CRYPTO). Santa Barbara: Springer, 2001. 524–541. [doi: 10.1007/3-540-44647-8_31]
    [40] Boldyreva A. Threshold signatures, multisignatures and blind signatures based on the Gap-Diffie-Hellman-Group signature scheme. In: Proc. of the 6th Int’l Workshop on Theory and Practice in Public Key Cryptography. Springer, 2003, 31–46.
    [41] Baek J, Zheng YL. Simple and efficient threshold cryptosystem from the gap Diffie-Hellman group. In: Proc. of the 2003 IEEE Global Telecommunications Conf. San Francisco: IEEE, 2003. 1491–1495. [doi: 10.1109/GLOCOM.2003.1258486]
    引证文献
    网友评论
    网友评论
    分享到微博
    发 布
引用本文

韩将,张振峰,刘雨果,胡可欣,何双羽.面向跨信任域互联网场景的拜占庭容错访问控制架构.软件学报,2025,36(9):4224-4241

复制
分享
文章指标
  • 点击次数:120
  • 下载次数: 647
  • HTML阅读次数: 0
  • 引用次数: 0
历史
  • 收稿日期:2023-11-14
  • 最后修改日期:2024-05-13
  • 在线发布日期: 2024-12-25
  • 出版日期: 2025-09-06
文章二维码
友情链接:中国科学院软件研究所中国计算机学会中国科学院国家自然科学基金委员会CCF数字图书馆Int'l J of Softw Info计算机系统应用
您是第20434570位访问者
版权所有:中国科学院软件研究所 京ICP备05046678号-3
地址:北京市海淀区中关村南四街4号,邮政编码:100190
电话:010-62562563 传真:010-62562533 Email:jos@iscas.ac.cn
技术支持:北京勤云科技发展有限公司

京公网安备 11040202500063号