Research On Distributed Access Control Based On Trusted Computing

In highly distributed environments, data distribution and flow are inevitable between network nodes. Thus trustworthiness of the network nodes is one of the key security requirements for distributed access contrl in such cross-platform or even cross-domain interactions. Trusted computing takes TPM as its hardware root of trust and solves trust establishment from architectural view, which presents a new solution for trust establishment on network nodes platform.Based on the abovebackground, this thesis proceeds the theoretical research and engineering practice of distributed access control with trusted computing and usage control model:(1) For the current research problems of distributed access control, such as too coarse granularity, lack of dynamic, proceed research on the architecture and related mechanisams which are more suitable for distributed access control. (2) According to lack of trust on the terminal platform in distributed system, define four security attributes of the terminal platform and research on the effective trust establishment approach in distributed environments. (3) Summarize special requirements in distributed access control architecture, such as privacy protection in remote attestation, enforcement attestation to access control policies ananlyze the specifications of XACML based usage control policies. On this basis above, proceed extend research on traditional remote attestation. (4) Based on the above-mentioned, we implement a prototype of distributed access control architecture:Trust Usage Control, and apply it in three specific scenarios.Our contributions in this thesis are summarized as follow:(1) Propose a novel integrity protection and trust establishment approach from the view of information flow and extended Biba model, which keep the inter-process dependency semantics of Biba but ameliorates its monotonic behavior, which solve the problem of trust chain estabulishment on the terminal platform. (2) Design a novel trust evaluation mechanism, which evaluates from both the subjective behavior and the objective attributes. Evaluated trust is applied to remote attestation and access control to solve their problem of too coarse granularity and lack of dynamic. Besides, privacy protection is achieved to a certain extent. As far as I know, it is the first tentative research on this trust evaluation mechanism and its application in distributed access control based on trusted computing. (3) Propose a policy enforcement attestation approach which extends traditional remote attestation, so that the problem of trust establishment on the policy enforcement behavior of the terminal platform is solved and makes the distributed access control architecture more provable. (4) Conclude platform security attributes in distributed environments from the generality of usage control and its enforcement, as well as the semantics and classification of usage control policies, so that the design theory of distributed access control architecture is enriched and the application practice of distributed access control is supported.This thesis focuses on the practical application research to distributed access control. We build our application model against complicated practical requirements, which is not restricted to the formal semantics of usage control model. As a result, we enlarge the research extension of distributed access control, so that it could be a inspiration and reference to relative subsequent application research.