支持权限管理的高效属性撤销机制

针对基于属性的访问控制模型中存在属性撤销后权限确定的问题，本文提出一种支持权限管理的高效属性撤销机制。该方案通过在访问控制机制中引入基于密文策略的属性加密机制CP-ABE来实现密文访问控制，将访问树用主析取范式来表示,主析取范式的每个子集即为访问主体访问资源所需满足的限定条件最小属性集。因此，当属性撤销时，通过判断最小属性集与被撤销属性的关系，来确定被撤销属性对主体的访问是否有影响，进而确定主体的访问权限。性能分析表明，该方案具有较高的安全性，不仅能够实现属性撤销后权限的确定，而且能够抵抗共谋攻击等。

An Efficient Attribute Revocation Scheme of Supporting Rights Management

Aiming at the problem of permission determination after attributes revocation existing in the attribute based access control model, the paper proposes an efficient attribute revocation scheme supporting rights management. The scheme implements ciphertext access control by introducing attribute encryption mechanism CP-ABE based on ciphertext policy. On the basis of that, the scheme uses the main disjunctive normal form to express the access tree. Every subset in the main disjunctive normal form is called the minimum attribute set of the restrictive condition that the access subject needs to satisfy to access resource. Once occurring attribute revocation, the scheme considers the relationship between the minimum attribute set and the revoked attributes to determine whether the subject’s access permission is changed. The performance analysis shows that the scheme has high security, which not only can determine the authority after the attribute is revoked, but also can resist collusion attacks.