
Research On Attribute Based Access Control In Industrial Cloud Environment

Posted on: 2022-08-06
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Y F Tu
Full Text: PDF
GTID: 1488306557462904
Subject: Information security

Abstract/Summary:
With the development of the industrial internet, the traditional industrial control system is being integrated with cloud computing, big data and the internet of things. The result is the industrial cloud, which exposes the control system more and more to the outside world. This integration changes the architecture of the industrial control system from an isolated, closed architecture to a remotely accessible internet architecture. It has improved production efficiency but has also brought security threats and challenges. From a control perspective, the security threats include data theft, illegal access to sensitive data and takeover of control of the system. Attribute based access control can realize data encryption and fine-grained access control at the same time, and has been considered one of the most suitable data protection and access control schemes for cloud computing. However, the industrial cloud is a special kind of cloud computing platform with higher requirements for availability, security and real-time performance. Existing attribute based access control schemes have poor scalability and are not suited to this new architecture, so they cannot be deployed directly in the industrial cloud. To meet the theoretical and practical requirements of asset security protection in the industrial cloud system, this dissertation analyzes and studies the attribute based access control mechanism and extends its functions to suit the industrial cloud. The extended mechanism realizes flexible and fine-grained access control, reduces the consumption of system resources, supports user access in emergencies and retains access control over users who have already been authenticated in the cloud. The main contributions of this dissertation are the following four aspects:

(1) This dissertation proposes a data interaction scheme with a one-time pad. In the industrial cloud environment there is massive and frequent data interaction between human and machine, so it is necessary to study methods that verify the legitimacy of users' access to resources and protect the confidentiality of the communication between the two sides. Combining this with chaotic cryptography, we use the logistic map to construct a one-time-pad encrypted communication channel and realize real-time, bidirectional secure communication between human and machine. Finally, the dissertation constructs integrity auditing schemes for the decryption key, the data ciphertext and the control instruction to ensure the availability of the messages transmitted in the channel.

(2) This dissertation proposes an access control scheme with collaborative computing between the cloud and the fog. In the cloud environment the data generated by a large number of nodes may cause network congestion, and the computing resources of industrial devices and users are limited, so it is necessary to study methods that let users access device data quickly in a resource constrained, delay sensitive environment. We therefore introduce the fog computing model into the industrial cloud and design a flexible, fine-grained access control scheme that supports attribute revocation and access policy update. The scheme uses proxy re-encryption and a pooling technique to outsource attribute revocation, access policy updating and most of the encryption/decryption securely to the semi-trusted cloud and fog, reducing the load on devices and users.

(3) This dissertation proposes an access control scheme supporting break glass access. In the industrial environment the requirement for rapid emergency response defeats traditional attribute based access control schemes. We introduce password-controlled encryption and extend the attribute based access control scheme, through a secure two-party computation, to support breaking the glass and quickly accessing data in an emergency. To prevent abuse of the emergency access channel, the break glass key is traceable. Finally, we construct the scheme with asymmetric bilinear pairings and design an outsourced access policy updating algorithm, improving the scheme's efficiency.

(4) This dissertation proposes an access control scheme supporting user behavior trust. In the industrial cloud environment, users who enter the system after authentication may still pose a threat to it, so it is necessary to study access control over the whole life cycle of a user. We extend the attribute based access control scheme, integrate ABAC with behavior trust based access control, and use a multi-dimensional range derivation function so that ABAC supports inequality comparison on the trust attribute, preventing both internal and external risks. Finally, the scheme limits storage consumption and computation overhead, which makes it suitable for the resource constrained industrial environment.
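The following is an added illustration of the kind of channel described in contribution (1): a keystream derived from the logistic map, XORed with the message, with an integrity tag over each frame. It is not the dissertation's construction; the abstract does not say how the map is seeded or quantised or exactly what the integrity audit covers, so the map parameter, the quantisation to one byte per iteration, the HMAC-SHA256 tag, the sequence counter and the sample command are all assumptions made here. Two points worth seeing in code: a keystream generated by a deterministic map is a synchronised stream cipher, so it is "one-time" only as long as both ends advance in lock step and never reuse a segment, and the tag must be verified before the receiver advances its state so that a damaged or forged frame cannot desynchronise the two sides. Both ends must also perform bit-identical IEEE-754 double arithmetic, which is a real deployment constraint for chaos-based keystreams.

```python
"""Authenticated keystream channel built on the logistic map (added illustration)."""
import hashlib
import hmac
import struct

R = 3.99      # logistic-map parameter in the chaotic regime (constructed value)
TAG_LEN = 16  # bytes of HMAC-SHA256 kept as the integrity tag
SEQ_LEN = 8   # big-endian 64-bit message counter


def logistic_keystream(x: float, n: int, r: float = R):
    """Iterate x_{k+1} = r * x_k * (1 - x_k) n times from state x.

    Returns n keystream bytes and the final state.  Each state is quantised
    to the low-order byte of its IEEE-754 encoding, the part most sensitive
    to the seed.  Both ends must run the identical computation, so this
    relies on IEEE-754 double arithmetic evaluated in the same order.
    """
    out = bytearray()
    for _ in range(n):
        x = r * x * (1.0 - x)
        out.append(struct.pack(">d", x)[-1])
    return bytes(out), x


class LogisticChannel:
    """One direction of the channel; sender and receiver hold mirror instances.

    The map state advances once per plaintext byte and is never rewound, so
    no keystream segment is reused.  Every frame carries a sequence number
    and an HMAC over (sequence || ciphertext); the tag is verified before the
    receiver advances its state, so a forged or damaged frame is dropped
    without desynchronising the two ends.
    """

    def __init__(self, x0: float, mac_key: bytes, warmup: int = 100):
        if not 0.0 < x0 < 1.0:
            raise ValueError("seed must lie strictly inside (0, 1)")
        # discard the transient so the first output bytes do not track x0 closely
        _, self._x = logistic_keystream(x0, warmup)
        self._mac_key = mac_key
        self._seq = 0

    def _tag(self, hdr: bytes, ct: bytes) -> bytes:
        return hmac.new(self._mac_key, hdr + ct, hashlib.sha256).digest()[:TAG_LEN]

    def seal(self, plaintext: bytes) -> bytes:
        ks, self._x = logistic_keystream(self._x, len(plaintext))
        ct = bytes(p ^ k for p, k in zip(plaintext, ks))
        hdr = struct.pack(">Q", self._seq)
        self._seq += 1
        return hdr + ct + self._tag(hdr, ct)

    def open(self, frame: bytes) -> bytes:
        if len(frame) < SEQ_LEN + TAG_LEN:
            raise ValueError("frame too short")
        hdr, ct, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
        if not hmac.compare_digest(tag, self._tag(hdr, ct)):
            raise ValueError("integrity check failed")
        if struct.unpack(">Q", hdr)[0] != self._seq:
            raise ValueError("replayed or out-of-order frame")
        ks, self._x = logistic_keystream(self._x, len(ct))
        self._seq += 1
        return bytes(c ^ k for c, k in zip(ct, ks))


def demo() -> dict:
    """Exercise the channel on a constructed operator-to-device command."""
    seed, mac_key = 0.123456789, b"constructed-shared-mac-key"
    hmi, plc = LogisticChannel(seed, mac_key), LogisticChannel(seed, mac_key)

    cmd = b"SET valve_17 OPEN"
    f1 = hmi.seal(cmd)
    f2 = hmi.seal(cmd)            # same command again: different keystream segment
    r1 = plc.open(f1)
    r2 = plc.open(f2)

    forged = bytearray(f1)
    forged[SEQ_LEN] ^= 0x01       # flip one ciphertext bit
    try:
        plc.open(bytes(forged))
        rejected = False
    except ValueError:
        rejected = True
    replayed = False
    try:
        plc.open(f1)              # valid tag, stale sequence number
    except ValueError:
        replayed = True
    return {"roundtrip": r1 == cmd and r2 == cmd,
            "distinct_ciphertexts": f1[SEQ_LEN:-TAG_LEN] != f2[SEQ_LEN:-TAG_LEN],
            "tamper_rejected": rejected,
            "replay_rejected": replayed}


if __name__ == "__main__":
    print(demo())
```

Running the block shows the two mirror instances staying in step across two messages, the same command producing different ciphertext each time, and a bit-flipped or replayed frame being rejected before it can touch the receiver's state.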
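As an added illustration of the decision logic behind contribution (4), the block below evaluates an ABAC policy in which a behavior-trust score is compared against a threshold rather than matched exactly, and shows an already-authenticated subject losing access as anomalous behavior lowers that score. It is not the dissertation's scheme: the cryptographic enforcement and the multi-dimensional range derivation function are not reproduced, and the policy, the attribute values and the exponentially weighted trust update are constructed here for the example. The evaluator denies by default when an attribute is absent and returns the failing rule, which is what a SOC needs to correlate a denial with the behavior that caused it.

```python
"""Trust-aware ABAC policy evaluation (added illustration)."""
import operator
from typing import Any, Dict, List, Tuple

# Comparison operators a rule may use.  Equality and membership cover ordinary
# ABAC attributes; the ordering operators are what let a behavior-trust score
# be compared against a threshold instead of matched exactly.
OPS = {
    "==": operator.eq,
    "in": lambda value, allowed: value in allowed,
    ">=": operator.ge,
    ">": operator.gt,
    "<=": operator.le,
    "<": operator.lt,
}

Rule = Tuple[str, str, Any]  # (attribute name, operator, reference value)


def evaluate(rules: List[Rule], attrs: Dict[str, Any]) -> Tuple[bool, str]:
    """Deny-by-default conjunctive evaluation.

    Returns (decision, reason); the reason names the first failing rule so the
    denial can be logged and correlated with the subject's recent behavior.
    """
    for attr, op, ref in rules:
        if attr not in attrs:
            return False, f"missing attribute {attr!r}"
        if not OPS[op](attrs[attr], ref):
            return False, f"rule failed: {attr} {op} {ref!r} (actual {attrs[attr]!r})"
    return True, "all rules satisfied"


def update_trust(current: float, observation: float, alpha: float = 0.3) -> float:
    """Exponentially weighted trust update (constructed model).

    observation is a per-action normality score in [0, 1]; 1.0 is fully
    expected behavior, 0.0 a clear anomaly.  alpha controls how fast recent
    behavior outweighs history.
    """
    if not 0.0 <= observation <= 1.0:
        raise ValueError("observation must lie in [0, 1]")
    return round((1.0 - alpha) * current + alpha * observation, 4)


# Constructed policy for writing setpoints to a controller: an authenticated
# role and site are necessary, and the running trust score must stay >= 0.7.
SETPOINT_WRITE: List[Rule] = [
    ("role", "in", {"operator", "engineer"}),
    ("site", "==", "plant-A"),
    ("trust", ">=", 0.7),
]


def demo() -> Tuple[bool, float, bool, str]:
    """An authenticated operator whose behavior degrades loses write access."""
    subject = {"role": "operator", "site": "plant-A", "trust": 0.9}
    first, _ = evaluate(SETPOINT_WRITE, subject)             # allowed
    for obs in (0.4, 0.0):                                    # two anomalous actions
        subject["trust"] = update_trust(subject["trust"], obs)
    second, reason = evaluate(SETPOINT_WRITE, subject)        # denied on trust
    return first, subject["trust"], second, reason


if __name__ == "__main__":
    print(demo())
```

With the constructed values the subject is admitted at trust 0.9, drifts to 0.75 after one mildly anomalous action (still above the threshold), and is denied at 0.525 after a second, while role and site remain unchanged; the returned reason identifies the trust rule as the cause.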
Keywords/Search Tags: Industrial Cloud, Attribute Based Access Control, Outsourced Computation, Break Glass Access, Behavior Trust Based Access Control