
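A New Scheme for Access Control in Multilevel Security Systems
Cite this article: JI Dong-Yao, ZHANG Fu-Tai, WANG Yu-Min. A New Scheme for Access Control in Multilevel Security Systems [J]. Journal of Computer Research and Development, 2001, 38(6): 715-720.
Authors: JI Dong-Yao, ZHANG Fu-Tai, WANG Yu-Min
Affiliation: Xidian University
Funding: Major Project of the National Natural Science Foundation of China (19931010); National Doctoral Program Foundation (2000070101)
Abstract: This paper studies methods for implementing access control in multilevel security systems using cryptographic techniques. A new dynamic access control scheme based on key distribution is proposed, in which the key distribution method is based on the Rabin public key system and the Chinese remainder theorem. In the scheme, each user in the system is assigned a security clearance. A user with a higher security clearance can derive the keys of users with lower security clearances from their own private secret information and public information, whereas a lower-clearance user cannot derive the keys of higher-clearance users. Thus a higher-clearance user can read and store confidential information belonging to lower-clearance users, while a lower-clearance user cannot read and store confidential information belonging to higher-clearance users. Access control with authorization through key distribution is thereby achieved. Moreover, adding or deleting a user, changing a user's clearance, and changing a user's key all require no change to the whole system.

Keywords: access control; key distribution; multilevel security systems; computer security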

A NEW SCHEME FOR ACCESS CONTROL IN MULTILEVEL SECURITY SYSTEMS
JI Dong-Yao, ZHANG Fu-Tai, WANG Yu-Min. A NEW SCHEME FOR ACCESS CONTROL IN MULTILEVEL SECURITY SYSTEMS [J]. Journal of Computer Research and Development, 2001, 38(6): 715-720.
Authors: JI Dong-Yao, ZHANG Fu-Tai, WANG Yu-Min
Abstract: Several multilevel access control schemes have been proposed. However, they all have one or all of the following drawbacks: 1) the users must store a large amount of common information when the number of classes of users is large; 2) the system must be rebuilt when there is a need to add/delete a user class or to change the clearance of some user classes; and 3) it is difficult to change keys for the users. With the aim of overcoming these drawbacks, this paper studies the problem of efficiently implementing authorized access control in multilevel security systems using cryptographic techniques. A new dynamic access control scheme based on key distribution is proposed. In the scheme, each user is assigned a security clearance. A user in a higher security class can read and store information items that belong to users in a lower security class, but the opposite direction of this operation is infeasible. Hence, authorized access control can be implemented through the use of this type of key distribution scheme. The key distribution scheme is based on the Rabin public key system and the Chinese remainder theorem. It has the following advantages over the previous ones: 1) the algorithms for key generation and derivation are simple; 2) there is no need to change the keys of other user classes when adding/deleting a user class; and 3) there is no need to change the whole system when some user classes change their keys for security reasons.
Keywords: multilevel security; access control; key distribution; Rabin public key system; Chinese remainder theorem
This article is indexed in CNKI, VIP, Wanfang Data and other databases.