| The large-scale application systems based on Internet have special features such as distributed, open-ended and dynamic, how to control the access the resources which belong to the service providers become urgent security problems during the procedure of spanning multiple administrative domains through the internet dynamic alliance organizational collaboration, and the role-based access control model is the more important research hot spot. In the traditional distributed access control model, often using optimistic mode, the requester for service always disclosed its ability or subject property to the service provider. However, the ability and subject property of the requester usually carry a lot of private information, so the unlimited disclosures of the requesters will bring many security risks for multi-domain interoperability environment. Therefore, how to protect sensitive and private information with multi-domain interoperability of access control model have great significance.In this paper, we firstly introduce the development history of the role-based access control, as well as analyze the strengths and weaknesses of the current researches about the privacy protection. Based on the traditional role-based access control model, combining the identity-based encryption idea, we propose an role access control model to support safety goal except the confidentiality, integrity, availability and extension of privacy protection.The model describes the role of policy expression by Boolean variables, then transforms it to disjunctive normal expression, based on it the map between the access control policy strategy and the Boolean expression is established. In the encryption stage the access control strategy is embedded implicitly in public key by the service providers, so the decryption key of the requester contains the individual authorization assignment, if and only if the requester who has the corresponding private key encryption public key can decrypt correctly, mean while the consistency between the strategy and the role of the user can be validated during the decryption process. In addition, this model does not disclose the other information other than the user ID, and completes the data exchange during the interacting between the requester of the resource and the provider of the resource. Last we discuss the privacy protection logic mainly, and describe the five stage of the model, such as system initialization, authorized assignment, customized strategies and response, encryption, message recovery and verification in detail. In the end, We assess the security of the model by the success probability of adversary attacking protocol and the computational cost, using random oracle model to certificate the model meeting the IND-CCA2semantic security, and analysis the complexity of the algorithm, comparing the cost with other programs. The experiments show that the model does not significantly increase the amount of the computation and executing more efficiency. |
PDF Full Text Request