Techniques and algorithms for access control list optimization

Access control lists are core features of today’s internetwork routers. They serve several purposes, most notably in filtering network traffic and securing critical networked resources. However, the addition of access control lists increases packet latency due to the overhead of extra computations involved. This paper presents simple techniques and algorithms for optimizing access control lists that can reduce significantly expected packet latencies without sacrificing security requirements. The emphasis throughout the paper is in providing a modular approach that can be implemented either fully or partially, both online and offline, based on the amount of overhead allowed. It also shows empirically and analytically where and why the greatest potential for optimization lies.     

Hybrid concurrency control protocol for data sharing among heterogeneous blockchains

With the development of information technology and cloud computing, data sharing has become an important part of scientific research. In traditional data sharing, data is stored on a third-party storage platform, which causes the owner to lose control of the data. As a result, there are issues of intentional data leakage and tampering by third parties, and the private information contained in the data may lead to more significant issues. Furthermore, data is frequently maintained on multiple storage platforms, posing significant hurdles in terms of enlisting multiple parties to engage in data sharing while maintaining consistency. In this work, we propose a new architecture for applying blockchains to data sharing and achieve efficient and reliable data sharing among heterogeneous blockchains. We design a new data sharing transaction mechanism based on the system architecture to protect the security of the raw data and the processing process. We also design and implement a hybrid concurrency control protocol to overcome issues caused by the large differences in blockchain performance in our system and to improve the success rate of data sharing transactions. We took Ethereum and Hyperledger Fabric as examples to conduct cross-blockchain data sharing experiments. The results show that our system achieves data sharing across heterogeneous blockchains with reasonable performance and has high scalability.     

Enabling privacy and leakage resistance for dynamic blockchain-based access control systems

With rise of 5G/6G network, low-storage devices usually outsource data for higher rate and less latency. Non-controlled outsourcing and complex communications incur security issues for IoT applications. Specially, user privacy and access reliability pose technical challenges for sensitive data outsourcing and sharing. In this paper, we harmonize functional encryption and blockchain to propose a reliable and privacy-aware access control system named R-PAC. It allows a result-form access without learning raw information and fair interaction against malicious users. With a combination of all-or-nothing encapsulation technology, R-PAC supports users’ dynamic joining and key leakage resistance. We design R-PAC from Boneh–Franklin identity-based encryption, with forward-coverable encryption and reverse-discoverable decryption, and formally prove its indistinguishability security. We implement a R-PAC prototype and deploy it to a simulated Ethereum network to evaluate its performance. Experiments from both data access and transaction overhead show that R-PAC is with reasonable cost and has a trade-off between efficiency and strong security/functionality.     

An efficient key assignment scheme for access control in a large leaf class hierarchy

The employees of an organization are usually divided into different security classes to authorize the information retrieval, and the number of leaf classes is substantially larger than the number of non-leaf classes. Additionally, the alternations in leaf classes are more frequent than in non-leaf classes. We proposed a new key assignment scheme for controlling the access right in a large POSET (partially ordered set) hierarchy to reduce the required computation for key generation and derivation with the storage amount of data decreased.     

基于CP-ABE算法的区块链数据访问控制方案

与公有链不同,联盟区块链超级账本Fabric额外集成了成员管理服务机制,能够提供基于通道层面的数据隔离保护。但这种数据隔离保护机制在通道内同步的仍是明文数据,因此存在一定程度的数据泄露风险。另外,基于通道的数据访问控制在一些细粒度隐私保护场景下也不适用。为了解决上述提及的联盟链超级账本中存在的数据隐私安全问题,提出了一种基于CP-ABE算法的区块链数据访问控制方案。结合超级账本中原有的Fabric-CA模块,提出的方案在实现用户级细粒度安全访问控制区块链数据的同时,还能够实现对CP-ABE方案中用户属性密钥的安全分发。对该方案进行的安全分析表明,该方案实现了ABE用户属性私钥安全分发和数据隐私性保护的安全性目标,性能分析部分也说明了所提方案具有良好的可用性。     

Smart grid data access control scheme based on blockchain

The smart grid communication parties need to process the data by the trusted central node, which will lead to security issues such as single-point attacks and data tampering. This paper proposes a smart grid data access control scheme based on blockchain, the user completes the registration of the smart meter by three encryptions. After the registration is completed, the registration information will be uploaded to the blockchain. In the data access phase, the verification center verifies the user's data access request, the database will accept the user's request for data if the verification is passed, and that will be broadcasted on the entire network and uploaded to the blockchain. The security of the scheme is analyzed by using a random oracle model. Analysis shows that this scheme can resist public key replacement attacks and malicious key generation center (KGC) attacks. Compared with the existing scheme, this scheme can more effectively resist more types of attacks. It shows that the smart grid data access control scheme proposed in this paper is safe, reliable and efficient.     

基于区块链的能源数据访问控制方法

针对能源互联网跨企业、跨部门的数据共享过程中存在的能源数据易篡改、泄密、数据所有权争议的问题,结合区块链可追溯、难以篡改等特点,提出一种基于区块链多链架构的能源数据访问控制方法,在保护用户隐私的同时实现了能源数据跨企业、跨部门的访问控制。该方法中采用监管链与多数据链相结合的方式保护了数据的隐私,提高了可扩展性;使用链上存储数据摘要、链下存储原始数据的方式缓解了区块链的存储压力;通过支持外包的多授权属性加密技术实现了对能源数据的细粒度访问控制。实验仿真结果表明,所提方法的区块链网络具有可用性而且该方法中支持外包的多授权属性加密技术在功能性及计算花销方面具有优势,因此所提方法可以在保护用户隐私的同时实现能源数据的细粒度访问控制。     

Capability-based egress network access control by using DNS server

In conventional egress network access control (NAC) based on access control lists (ACLs), modifying the ACLs is a heavy task for administrators. To enable configuration without a large amount of administrators’ effort, we introduce capabilities to egress NAC. In our method, a user can transfer his/her access rights (capabilities) to other persons without asking administrators. To realize our method, we use a DNS cache server and a router. A resolver of the client sends the user name, domain name, and service name to the DNS cache server. The DNS server issues capabilities according to a policy and sends them to the client. The client puts these capabilities into the IP options of packets and sends them to the router. The router verifies the capabilities, and determines whether to pass or block the packets. In this paper, we describe the design and implementation of our method in detail. Experimental results show that our method does not reduce the router's performance.     

Energy trading scheme based on consortium blockchain and game theory

With the gradual opening of the electricity sales market, distributed energy trading is becoming an important research topic. However, it is not easy to design practical energy trading schemes in distributed scenario. In particular, known distributed energy trading schemes do not address the security of transaction data and the maximization of benefits among all the participants. In this paper, we propose a distributed energy trading scheme based on consortium blockchain and game theory. In our scheme, a peer-to-peer trading platform is constructed to realize direct transactions among all the participants by the property of decentralization in consortium blockchain. The direct transactions greatly reduce operating costs of energy trading, and at the same time, the security of transaction data can be obtained by the cryptographic techniques such as digital signatures and hash functions associated with the underlying blockchain. Moreover, we design an energy transaction matching mechanism by game theory in our scheme. In the matching mechanism, we construct a game model among all the participants and design an equilibrium solving algorithm, which are the key techniques to realize the maximization of benefits among all the participants in energy trading. The security analysis and experimental results show that our scheme can realize the best transaction price and quantity in the transaction matching and has high security in distributed energy transaction scenarios.     

Reducing inference control to access control for normalized database schemas

Considering relational databases, controlled query evaluation preserves confidentiality even under inferences but at the expense of efficiency. Access control, however, enables efficiently computable access decisions but cannot automatically assure confidentiality because of missing inference control. In this paper we investigate constraints sufficient to eliminate (nontrivial) inferences in relational databases with the objective of replacing controlled query evaluation by access control mechanisms under preservation of confidentiality.     

PBAC: Provision-based access control model

Over the years a wide variety of access control models and policies have been proposed, and almost all the models have assumed “grant the access request or deny it.” They do not provide any mechanism that enables us to bind authorization rules with required operations such as logging and encryption. We propose the notion of a “provisional action” that tells the user that his request will be authorized provided he (and/or the system) takes certain actions. The major advantage of our approach is that arbitrary actions such as cryptographic operations can all coexist in the access control policy rules. We define a fundamental authorization mechanism and then formalize a provision-based access control model. We also present algorithms and describe their algorithmic complexity. Finally, we illustrate how provisional access control policy rules can be specified effectively in practical usage scenarios. Published online: 22 January 2002     

基于联盟区块链的智能电网数据安全存储与共享系统

智能电网为了实现电网可靠、安全、高效地运行,需要广泛部署无线传感网络（WSN）监控电网状态,并及时对电网异常情况进行处理。在现有的智能电网中,WSN的感知数据需要上传到可信的中心节点进行存储与共享,但是这种中心化的存储方式容易引起中心节点遭受恶意攻击而发生单点失效、数据被故意篡改等信息安全问题。针对这些信息安全问题,利用新兴的联盟区块链技术在智能电网中选定若干数据采集基站,组成智能电网数据存储联盟链（DSCB）系统。DSCB中节点间数据共享通过智能合约的方式来完成,数据拥有者设定数据共享的约束条件,使用计算机语言代替法律条款来规范数据访问者行为,从而实现以去中心化的方式集体维护一个安全可靠的数据存储数据库。安全分析表明所提数据存储联盟链系统能实现安全、有效的数据存储与共享。     

The dynamic predicate: integrating access control with query processing in XML databases

Recently, access control on XML data has become an important research topic. Previous research on access control mechanisms for XML data has focused on increasing the efficiency of access control itself, but has not addressed the issue of integrating access control with query processing. In this paper, we propose an efficient access control mechanism tightly integrated with query processing for XML databases. We present the novel concept of the dynamic predicate (DP), which represents a dynamically constructed condition during query execution. A DP is derived from instance-level authorizations and constrains accessibility of the elements. The DP allows us to effectively integrate authorization checking into the query plan so that unauthorized elements are excluded in the process of query execution. Experimental results show that the proposed access control mechanism improves query processing time significantly over the state-of-the-art access control mechanisms. We conclude that the DP is highly effective in efficiently checking instance-level authorizations in databases with hierarchical structures.     

Attribute-based data access control in mobile cloud computing: Taxonomy and open issues

With the thriving growth of the cloud computing, the security and privacy concerns of outsourcing data have been increasing dramatically. However, because of delegating the management of data to an untrusted cloud server in data outsourcing process, the data access control has been recognized as a challenging issue in cloud storage systems. One of the preeminent technologies to control data access in cloud computing is Attribute-based Encryption (ABE) as a cryptographic primitive, which establishes the decryption ability on the basis of a user’s attributes. This paper provides a comprehensive survey on attribute-based access control schemes and compares each scheme’s functionality and characteristic. We also present a thematic taxonomy of attribute-based approaches based on significant parameters, such as access control mode, architecture, revocation mode, revocation method, revocation issue, and revocation controller. The paper reviews the state-of-the-art ABE methods and categorizes them into three main classes, such as centralized, decentralized, and hierarchal, based on their architectures. We also analyzed the different ABE techniques to ascertain the advantages and disadvantages, the significance and requirements, and identifies the research gaps. Finally, the paper presents open issues and challenges for further investigations.     

改进的基于属性的访问控制策略评估管理决策图

针对多数据类型区间决策图（MIDD）方法不能正确表示、处理属性的重要性标记特性，以及表示、处理责任及忠告等不清晰，造成节点表示不一致并增加了处理的复杂性等问题，对MIDD方法进行改进和扩展。首先，将MIDD的以实体属性为单位的图节点修改为以元素为单位的图节点，精准地表示基于属性的访问控制元素，使原来不能正确处理重要标志的问题得以解决；然后，将责任及忠告作为元素，用节点表示出来；最后，把规则和策略的组合算法加到决策节点中，以便在策略决策点（PDP）对访问请求进行决策时使用。分析结果表明，改进方法与原方法的时空复杂度相当。两种方法的对比仿真实验结果表明，在每个属性只有1个附属属性时（最一般的应用情况），两种方法每个访问请求的平均决策时间差异的数量级仅在0.01 μs。验证了复杂度分析的正确性，说明两种方法的性能相当。附属属性个数仿真实验表明，即使1个属性有10个附属属性（实际应用中十分稀少），两种方法的平均决策时间差异也在相同的数量级。改进方法不但保证了原方法的正确性、一致性和方便性，更将其使用范围从可扩展访问控制标记语言（XACML）策略扩展到一般的基于属性的访问控制策略。     

Cryptographic key assignment schemes for any access control policy

The access control problem deals with the management of sensitive information among a number of users who are classified according to their suitability in accessing the information in a computer system. The set of rules that specify the information flow between different user classes in the system defines an access control policy. Akl and Taylor first considered the access control problem in a system organized as a partially ordered hierarchy. They proposed a cryptographic key assignment scheme, where each class is assigned an encryption key that can be used, along with some public parameters generated by a central authority, to compute the key assigned to any class lower down in the hierarchy. Subsequently, many researchers have proposed schemes that either have better performances or allow insertion and deletion of classes in the hierarchy.In this paper we show how to construct a cryptographic key assignment scheme for any arbitrary access control policy. Our construction uses as a building block a cryptographic key assignment scheme for partially ordered hierarchies. The security of our scheme holds with respect to adversaries of limited computing power and directly derives from the security of the underlying scheme for partially ordered hierarchies. Moreover, the size of the keys assigned to classes in our scheme is exactly the same as in the underlying scheme.     

基于访问控制列表机制的Android权限管控方案

Android采用基于权限的访问控制方式对系统资源进行保护,其权限管控存在管控力度过粗的问题。同时,部分恶意程序会在用户不知情的情况下,在隐私场景下偷偷地对资源进行访问,给用户隐私和系统资源带来一定的威胁。在原有权限管控的基础上引入了访问控制列表（ACL）机制,设计并实现了一个基于ACL机制的Android细粒度权限管控系统。所提系统能根据用户的策略动态地设置应用程序的访问权限,避免恶意代码的访问,保护系统资源。对该系统的兼容性、有效性的测试结果表明,该系统能够为应用程序提供稳定的环境。     

Automated verification of access control policies using a SAT solver

Managing access control policies in modern computer systems can be challenging and error-prone. Combining multiple disparate access policies can introduce unintended consequences. In this paper, we present a formal model for specifying access to resources, a model that encompasses the semantics of the xacml access control language. From this model we define several ordering relations on access control policies that can be used to automatically verify properties of the policies. We present a tool for automatically verifying these properties by translating these ordering relations to Boolean satisfiability problems and then applying a sat solver. Our experimental results demonstrate that automated verification of xacml policies is feasible using this approach. This work is supported by NSF grants CCF-0614002 and CCF-0716095.     

Personal information leakage detection method using the inference-based access control model on the Android platform

The web services used on desktop can be accessed through a smartphone due to the development of smart devices. As the usage of smartphones increases, the importance of personal information security inside the smartphone is emphasized. The openness features of Android platform make a lot easier to develop an application and also deploying malicious codes into application is an easy task for hackers. The security practices are also growing rapidly as the number of malicious code increases exponentially. According to these circumstances, new methods for detecting and protecting the behavior of leaked personal information are needed to manage the personal information within a smartphone.In this paper, we study the permission access category in order to detect the malicious code, which discloses the personal information on Android environment such as equipment and location information, address book and messages, and solve the problem related to Resource access of Random Access Control method in conventional Android file system to detect the new malware or malicious code via the context ontology reasoning of permission access and API resource information which the personal information are leaked through. Then we propose an inference-based access control model, which can be enabled to access the proactive security. There is more improvement accuracy than existing malicious detecting techniques and effectiveness of access control model is verified through the proposal of inference-based access control model.