
Research On Data Access Control Mechanisms In DDS Based Distributed Systems

Posted on: 2022-06-24
Degree: Master
Type: Thesis
Country: China
Candidate: R Yu
GTID: 2518306740995239
Subject: Computer technology

Abstract/Summary:
Data Distribution Service (DDS) adopts a data-centric publish/subscribe model, which enables flexible data transmission among domain participants through publish/subscribe topics. It is suitable for distributed systems that need efficient data distribution. Because of the loose coupling of the publish/subscribe communication mode, DDS distributed systems often face security threats such as unauthorized publishing and subscribing. It is therefore urgent to study access control mechanisms that ensure the security of the system. However, current research on DDS access control often focuses on entity resources such as domain participants to control entity access, and lacks the ability of fine-grained access control for data resources based on subject.

To solve the above problems, a topic-level fine-grained data access control mechanism is proposed, according to the characteristics of DDS-based distributed systems and their access control requirements. In this mechanism, attribute-based encryption is used to dynamically manage the one-to-many publish/subscribe permissions of DDS, and signature authentication and information encryption are combined to achieve flexible and efficient publish/subscribe access control. The main work of this thesis includes:

(1) A topic-level data access control model is proposed. In this model, the data transmission permissions between domain participants are divided into publish permissions and subscribe permissions of topics, and three basic elements are defined: the DDS user component, the DDS data manager and the authorization center. The interaction relationship is abstracted into two parts: permission management and permission control. Permission management is carried out according to the access control policy of the DDS data manager and the permission key of the authorization center; access control of data resources in DDS-based distributed systems is realized according to the attribute set of DDS user components and the publish/subscribe process of topics.

(2) An access control scheme for DDS distributed systems based on attribute-based encryption is presented. Local publishers encrypt topic data, which prevents remote subscribers from subscribing to topics without authorization to get data, thus solving the problem of unauthorized subscription. Remote publishers sign topic data, and the local subscriber authenticates the publishing authority from that signature, thus solving the problem of unauthorized publishing. Furthermore, attribute-based encryption is used to encrypt and distribute the privilege key, which ensures the efficiency and flexibility of access control.

(3) An improved access control scheme based on the RTPS automatic discovery mechanism is proposed. To minimize the impact of access control on system performance, signature authentication is applied to the DDS automatic discovery process, which fundamentally controls the establishment of the publish/subscribe relationship between DataWriter and DataReader entities and avoids the duplicate signature authentication of multiple data transfers under the same publish/subscribe relationship in the original scheme, thus effectively reducing the computational overhead caused by access control.

(4) Based on the above scheme, a DDS access control subsystem is designed and implemented. Function tests and performance tests of the prototype system show that the scheme proposed in this paper can reduce the impact on DDS performance as far as possible, realize topic-level fine-grained data access control, and improve system security.
Keywords/Search Tags: DDS Based Distributed Systems, Access Control, Attribute-Based Encryption, Automatic Discovery Mechanism, Publish/Subscribe
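The following sketch is an added illustration of item (3), not code from the thesis or its prototype: it counts authenticity checks when publishing authority is verified on every sample versus once during discovery, and confirms that a writer rejected at discovery gets no data accepted. Assumptions: HMAC stands in for the unspecified signature scheme, all names (AC_KEY, issue_grant, Reader, the GUIDs and topics) are hypothetical, and the transport is assumed to identify the writer of each sample.

```python
import hashlib
import hmac

# Constructed demo key for a hypothetical authorization center. HMAC is a
# standard-library stand-in: the abstract does not name its signature scheme.
AC_KEY = b"constructed-demo-key"

def issue_grant(writer_guid: str, topic: str) -> bytes:
    """Authorization center binds one writer to publish permission on one topic."""
    return hmac.new(AC_KEY, f"{writer_guid}|publish|{topic}".encode(), hashlib.sha256).digest()

class Reader:
    def __init__(self, topic: str):
        self.topic = topic
        self.matched = set()      # writers authenticated during discovery
        self.verifications = 0    # number of authenticity checks performed

    def _verify(self, writer_guid: str, grant: bytes) -> bool:
        self.verifications += 1
        return hmac.compare_digest(grant, issue_grant(writer_guid, self.topic))

    def on_sample_checked(self, writer_guid, grant, payload):
        """Original scheme: publishing authority is checked on every sample."""
        return payload if self._verify(writer_guid, grant) else None

    def on_discovery(self, writer_guid, grant) -> bool:
        """Improved scheme: check once, before the relationship is established."""
        if self._verify(writer_guid, grant):
            self.matched.add(writer_guid)
        return writer_guid in self.matched

    def on_sample_matched(self, writer_guid, payload):
        """Improved scheme: data is accepted only from already matched writers."""
        return payload if writer_guid in self.matched else None

def run(n_samples: int = 100):
    """Return (checks per-sample, checks at discovery, unauthorized samples accepted)."""
    topic, good, other = "sensor/temp", "writer-A", "writer-X"
    grant = issue_grant(good, topic)
    wrong_topic = issue_grant(other, "other/topic")  # valid, but for another topic
    per_sample, at_discovery = Reader(topic), Reader(topic)
    at_discovery.on_discovery(good, grant)
    at_discovery.on_discovery(other, wrong_topic)
    accepted = 0
    for i in range(n_samples):
        per_sample.on_sample_checked(good, grant, i)
        at_discovery.on_sample_matched(good, i)
        accepted += at_discovery.on_sample_matched(other, i) is not None
    return per_sample.verifications, at_discovery.verifications, accepted
```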