共查询到20条相似文献,搜索用时 78 毫秒
1.
This paper describes a decision cache for the eXtensible Access Control Markup Language (XACML) that supports fine-grained authorisation and anonymisation of XML based messages and documents down to XML attribute and element level. The decision cache is implemented as an XACML obligation service, where a specification of the XML elements to be authorised and anonymised is sent to the Policy Enforcement Point (PEP) during initial authorisation. Further authorisation of individual XML elements according to the authorisation specification is then performed on all matching XML resources, and decisions are stored in the decision cache. This makes it possible to cache fine-grained XACML authorisation and anonymisation decisions, which reduces the authorisation load on the Policy Decision Point (PDP). The theoretical solution is related to a practical case study consisting of a privacy-enhanced intrusion detection system that needs to perform anonymisation of Intrusion Detection Message Exchange Format (IDMEF) XML messages before they are sent to a security operations centre that operates in privacy-preserving mode. The solution increases the scalability of XACML based authorisation significantly, and may be instrumental in implementing federated authorisation and anonymisation based on XACML in several areas, including intrusion detection systems, web services, content management systems and GRID based authentication and authorisation. 相似文献
2.
《Computer Standards & Interfaces》2013,35(6):527-534
This paper describes a decision cache for the eXtensible Access Control Markup Language (XACML) that supports fine-grained authorisation and anonymisation of XML based messages and documents down to XML attribute and element level. The decision cache is implemented as an XACML obligation service, where a specification of the XML elements to be authorised and anonymised is sent to the Policy Enforcement Point (PEP) during initial authorisation. Further authorisation of individual XML elements according to the authorisation specification is then performed on all matching XML resources, and decisions are stored in the decision cache. This makes it possible to cache fine-grained XACML authorisation and anonymisation decisions, which reduces the authorisation load on the Policy Decision Point (PDP). The theoretical solution is related to a practical case study consisting of a privacy-enhanced intrusion detection system that needs to perform anonymisation of Intrusion Detection Message Exchange Format (IDMEF) XML messages before they are sent to a security operations centre that operates in privacy-preserving mode. The solution increases the scalability of XACML based authorisation significantly, and may be instrumental in implementing federated authorisation and anonymisation based on XACML in several areas, including intrusion detection systems, web services, content management systems and GRID based authentication and authorisation. 相似文献
3.
在传统的属性加密方案中,用户可能会共享私钥给具有相同属性集的多个用户而不怕被追责;此外,访问策略包含的信息可能会泄露用户隐私。针对这2个问题,提出一种可追责的隐匿策略的层次化属性加密方案。该方案在合数阶双线性群下基于访问树进行构造,具有灵活的表达能力,在访问策略中插入合数阶子群的随机元素实现策略隐匿;将用户标识加入私钥运算中,实现对泄露信息的违规用户的可追责;使用层次授权体系,降低单权威授权的计算负荷,提高了整体安全性和效率。实验结果和效率对比分析表明,该方案在加解密计算开销方面具备优势,且支持访问策略的隐匿和对违规用户的追责,大大提高了方案的安全性。 相似文献
4.
5.
属性基加密作为一种一对多的加密机制,能够为云存储提供良好的安全性和细粒度访问控制。但在密文策略属性基加密中,一个解密私钥可能会对应多个用户,用户可能会非法共享其私钥以获取不当利益;另外,访问策略通常包含敏感信息,这对隐私性要求较高的场合造成了重大挑战。针对上述问题,提出一个隐藏访问策略的可追踪密文策略属性基加密方案。该方案基于合数阶双线性群进行构造,通过将用户的身份信息嵌入到该用户的私钥中实现可追踪性,将访问策略中的特定敏感属性值隐藏在密文中实现策略隐藏,利用解密测试技术提高解密效率,给出了在标准模型下方案是完全安全和可追踪的证明。对比分析表明,该方案在解密运算方面有所优化,从而降低了解密运算开销,提高了效率。 相似文献
6.
《Computer Standards & Interfaces》2014,36(3):454-464
When eXtensible Markup Language (XML) becomes a widespread data representation and exchange format for Web applications, safeguarding the privacy of data represented in XML documents can be indispensable. In this paper, we propose an XML privacy protection model by separating the structure and content, and with cloud storage to save content information and Trusted Third Party (TTP) to help manage structure information. To protect data privacy more effectively, we will create different Document Type Definition (DTD) views for different users according to users' privacy practice and the provider's privacy preferences. To further speed up the process of gaining access to data we will adopt the start–end region encoding scheme to encode the nodes in XML document and DTD views. The experiment result shows that this mechanism has a good performance in space and time. 相似文献
7.
在智能电网环境中,电力运营商和消费者通过智能电表进行大量高精度的用电数据的实时监测,用户机密数据持续暴露于未经授权的访问,在这种传统通信模式下,智能电表对家庭用户能源消耗的细粒度测量造成了严重的隐私安全问题,而现有的静态访问控制方法并不满足智能电网环境基于上下文的动态访问特性。针对此问题,提出一种基于物联网通信协议(MQTT协议)的访问控制方案,通过在MQTT协议中对树型结构的主题列表设计基于ABAC访问控制模型的动态上下文授权策略,并在WSO2系统使用XACML策略语言实现了提出的访问控制方案。性能评估结果表明,该方案能在较低的通信开销内支持动态的访问控制,以解决智能电网中用户的用电信息未经授权而泄露的隐私安全问题。 相似文献
8.
9.
云计算和物联网的快速发展使多用户信息共享机制备受关注,然而当用户将个人数据上传到云服务器与不同用户共享时,未经授权的用户和不可信的第三方云服务提供商会窥探这些隐私数据,对数据安全和用户隐私构成严重威胁。此外,多用户共享机制还存在访问控制不灵活、用户撤销和动态管理等问题。为了解决这些问题,文章结合属性基加密与广播加密技术提出一种动态广播加密机制。该方案在保证数据安全的同时,利用不经意传输协议,实现了接收者的匿名,保护了用户隐私。此外,该方案还支持新用户随时动态加入系统,且不影响原用户在系统中的解密能力,并实现了用户撤销和快速解密。性能分析表明,该方案较已有方案在安全性和效率方面有明显优势。 相似文献
10.
属性基加密作为一种一对多的加密机制,能够为云存储提供良好的安全性和细粒度访问控制。但在密文策略属性基加密中,一个解密私钥可能会对应多个用户,因此用户可能会非法共享其私钥以获取不当利益,半可信的属性授权机构亦可能会给非法用户颁发解密私钥。此外,加密消息所产生的指数运算随着访问策略复杂性的增加而增长,其产生的计算开销给通过移动设备进行加密的用户造成了重大挑战。对此,文中提出了一种支持大属性域的用户和属性授权机构可追责的在线/离线密文策略属性基加密方案。该方案是基于素数阶双线性群构造的,通过将用户的身份信息嵌入该用户的私钥中实现可追责性,利用在线/离线加密技术将大部分的加密开销转移至离线阶段。最后,给出了方案在标准模型下的选择性安全和可追责证明。分析表明,该方案的加密开销主要在离线阶段,用于追责的存储开销也极低,其适用于使用资源受限的移动设备进行加密的用户群体。 相似文献
11.
In a multi-agent system, agents are required to interact in order to exchange information. To achieve a reliable information exchange, a sound security protection must be in place. Unfortunately, security and privacy in multi-agent systems have not drawn adequate attention. They have been actually ignored or mistreated in most proposed multi-agent protocols. We observe that security and privacy issues are indeed not trivial and cannot be resolved with traditional security mechanisms, if agents are not trusted each other and their privacy must be protected. In this paper, we propose a secure multi-agent protocol that captures several most important security properties including agent privacy, data confidentiality, and agent authenticity. Intuitionally, we allow each agent in a group to hold a set of policy attributes. To access a protected data set, an agent must hold a correct policy attribute. In other words, the private information between two agents can be exchanged, if and only if the policy attribute embedded in the transmitted message matches that held by the receiver. In case of mismatching attributes, the private information of the corresponding agent will not be revealed to their counterpart. The proposed scheme is formalized with a sound cryptographic algorithm with a rigorous security proof. 相似文献
12.
13.
Damiani E. Samarati P. De Capitani di Vimercati S. Paraboschi S. 《Internet Computing, IEEE》2001,5(6):18-28
Access control techniques for XML provide a simple way to protect confidential information at the same granularity level provided by XML schemas. In this article, we describe our approach to these problems and the design guidelines that led to our current implementation of an access control system for XML information 相似文献
14.
15.
基于群签名与属性加密的区块链可监管隐私保护方案 总被引:1,自引:0,他引:1
区块链技术的去中心化、数据难篡改等特性使其在溯源问题上体现出明显优势,基于区块链的溯源系统可以解决传统系统中信息孤岛、共享程度低以及数据可篡改等问题,从而保证数据的可追溯性。然而,区块链溯源系统中的数据可追溯性与用户隐私保护之间难以取得平衡。提出一种结合群签名、隐私地址协议、零知识证明以及属性加密的分布式可监管隐私保护方案。对群签名的群管理员机制进行改进,设置多群管理员生成用户私钥片段,用户根据返回的私钥片段计算自身私钥,并根据需要有选择性地对溯源数据进行属性加密,同时为链上数据设置特定的访问结构,以实现数据与用户的“一对多”通信。群管理员利用群公钥对交易双方的身份进行追踪与追责。符合数据特定访问结构的用户通过自身的属性私钥对密文进行解密从而获取数据信息。实验结果表明,该方案能在保证数据可追溯并实现交易双方监管的同时,提高链上数据的隐私保护水平,与现有隐私保护方案相比安全性更高。 相似文献
16.
基于SOAP的细粒度访问控制模型 总被引:1,自引:0,他引:1
本文提出了一种符合SOAP消息的XML框架结构的安全规范。该规范利用SOAP的Header部分和XML技术,实现了对SOAP消息的XML元素和属性层次上的细粒度访问控制,减少了由于SOAP没有定义标准的访问控制安全规范而可能给应用带来的安全漏洞,一定程度上保证了基于SOAP的分布式网络应用系统的安全性和可靠性。 相似文献
17.
与公有链不同,联盟区块链超级账本Fabric额外集成了成员管理服务机制,能够提供基于通道层面的数据隔离保护。但这种数据隔离保护机制在通道内同步的仍是明文数据,因此存在一定程度的数据泄露风险。另外,基于通道的数据访问控制在一些细粒度隐私保护场景下也不适用。为了解决上述提及的联盟链超级账本中存在的数据隐私安全问题,提出了一种基于CP-ABE算法的区块链数据访问控制方案。结合超级账本中原有的Fabric-CA模块,提出的方案在实现用户级细粒度安全访问控制区块链数据的同时,还能够实现对CP-ABE方案中用户属性密钥的安全分发。对该方案进行的安全分析表明,该方案实现了ABE用户属性私钥安全分发和数据隐私性保护的安全性目标,性能分析部分也说明了所提方案具有良好的可用性。 相似文献
18.
《Computer Communications》2013,36(1):20-28
Medical information systems facilitate ambulatory patient care, and increase safer and more intelligent diagnostic and therapeutic capabilities through automated interoperability among distributed medical devices. In modern medical information systems, dependability is one of the most important factors for patient safety in the presence of delayed or lost system alarm and data streams due to the intermittent medical device network connection or failure. In addition, since the medical information need to be frequently audited by many human operators as well as the automated medical devices, secure access control is another pivotal factor for patient privacy and data confidentiality against inside or outside adversaries. In this study, we propose a dependable and secure access policy enforcement scheme for disruption-tolerant medical information systems. The proposed scheme exploits the external storage node operated by the device controller, which enables reliable communications between medical devices. Fine-grained data access control is also achieved, while the key escrow problem is resolved such that any curious device controller or key generation center cannot decrypt the private medical data of patients. The proposed scheme allows the device controller to partially decrypt the encrypted medical information for the authorized receivers with their corresponding attributes without leaking any confidential information to it. Thus, computational efficiency at the medical devices is also enhanced by enabling the medical devices to delegate most laborious tasks of decryption to the device controller. 相似文献
19.
The evolution of the role of online social networks in the Web has led to a collision between private, public and commercial spheres that have been inevitably connected together in social networking services since their beginning. The growing awareness on the opaque data management operated by many providers reveals that a privacy-aware service that protects user information from privacy leaks would be very attractive for a consistent portion of users. In order to meet this need we propose LotusNet, a framework for the development of social network services relying on a peer-to-peer paradigm which supports strong user authentication. We tackle the trade-off problem between security, privacy and services in distributed social networks by providing the users the possibility to tune their privacy settings through a very flexible and fine-grained access control system. Moreover, our architecture is provided with a powerful suite of high-level services that greatly facilitates custom application development and mash up. 相似文献
20.
Sun-Moon Jo 《Journal in Computer Virology》2017,13(4):297-303
As the Internet was activated and the mobile environment developed, it has become more common to access dynamic XML data regardless of location and time. XML is widely used for information exchange and representation of data for databases, applications, etc., using the advantage to describe information. As a result, large-capacity XML data becomes increasingly complex, and demand for data access policies is increasing. Security issues such as authorization of access to resources, authentication, security enhancement and privacy arise. The mobile computing environment differs from existing information systems in several ways, so it is difficult to apply the existing access control as it is. Therefore, this paper proposes a secure access policy method for query processing to enable efficient resource management in dynamic XML data environment. The results of the evaluation are also presented to show that the additionally proposed method is efficient and excellent. 相似文献