计算机科学

计算机科学 ›› 2015, Vol. 42 ›› Issue (3): 117-123.doi: 10.11896/j.issn.1002-137X.2015.03.024

• 信息安全 • 上一篇    下一篇

基于RBAC的授权管理安全准则分析与研究

熊厚仁,陈性元,张 斌,杨 艳   

  1. 解放军信息工程大学 郑州450001 河南省信息安全重点实验室 郑州450001,解放军信息工程大学 郑州450001 河南省信息安全重点实验室 郑州450001,解放军信息工程大学 郑州450001 河南省信息安全重点实验室 郑州450001,解放军信息工程大学 郑州450001 河南省信息安全重点实验室 郑州450001
  • 出版日期:2018-11-14 发布日期:2018-11-14
  • 基金资助:
    本文受国家“863”高技术研究发展计划(2012AA012704),国家“973”重点基础研究发展计划 (2011CB311801),河南省基础研究计划项目(142300413201),河南省科技创新人才计划(114200510001)资助

Security Principles for RBAC-based Authorization Management

XIONG Hou-ren, CHEN Xing-yuan, ZHANG Bin and YANG Yan   

  • Online:2018-11-14 Published:2018-11-14

PDF (PC)

659

摘要: 针对安全准则在授权管理安全性验证中具有的重要意义,提出了基于RBAC的授权管理安全准则。以保障授权管理的安全性为目标,分析了授权管理中的RBAC安全特性,深入剖析了授权管理安全需求,从数据一致性、授权无冗余、权限扩散可控、管理权限委托可控、满足职责分离和访问权限可用等方面给出了一致性准则、安全性准则和可用性准则3项授权管理安全准则。分析表明,该安全准则与现有的RBAC安全特性相一致,能够为基于RBAC授权管理的安全性提供有效支撑,为衡量其安全性提供标准和依据。

关键词: 访问控制,授权管理,基于角色的访问控制,安全准则,职责分离,互斥

Abstract: Security principles are greatly significant to security analysis of authorization management model,but they are given little attention and are open problems.This paper proposed many security principles for RBAC-based authorization model with the aim at the security of the model.The security properties of RBAC were presented,including simple safety,simple availability,bounded safety,liveness and containment.Based on deep anatomy of security requirement in authorization management,the problems including data consistency,authorization without redundancy,controllable privi-lege diffusing,controllable management privilege delegating,satisfaction of separation of duty and privilege availability were discussed.The proposed security principles include consistency,security and availability principles.Analysis result indicates that the security principles are consistent with the security properties of RBAC,which can support the security requirements of authorization management efficiently and provide criterions for evaluating the security of RBAC-based authorization model.

Key words: Access control,Authorization management,Role-base access control,Security principles,Separation of duty,Mutually exclusive

[1] Ferraiolo D,Kuhn D R.Role-Based access control[C]∥Procee-dings of the 15th National Computer Security Conference.1992:554-563
[2] Sandhu R,Coyne E,Feinstein H,et al.Role-based Access Control Models[J].IEEE Computer,1996,29(2):38-47
[3] Ferraiolo D,Sandhu R,Guirila S,et al.Proposed NIST Standard for Role-based Access Control[J].ACM Transactions on Information and System Security,2001,4(3):224-274
[4] Munawer Q,Sandhu R S.Simulation of the augmented typed access matrix model (ATAM) using roles[C]∥Proceedings of INFOSECU99 International Conference on Information and Security.1999
[5] Crampton J.Authorizations and antichains[D].Thesis,BirbeckCollege,University of London,UK,2002
[6] Koch M,Mancini LV,Parisi-Presicce F.Decidability of safety in graph based models for access control[C]∥Proceedings of the 7th European Symposiumon Research in Computer Security.2002:229-243
[7] Li N H,Mitchell J C,Winsborough W H.Beyond proof-of-compliance:Security analysis in trust management[J].Journal of the ACM,2005,2(3):474-514
[8] Li N,Tripunitara M.Security analysis in role based access control[J].ACM Transactions on Information and System Security,2006,9(4):391-420
[9] Sasturkar A,Yang P,Stoller S D,et al.Policy analysis for administrative role based access control[C]∥Proceedings of the 19th IEEE Workshop on Computer Security Foundations.Washington:IEEE Computer Society,2006:124-138
[10] Habib M A,Abbas Q.Mutually exclusive permissions in RBAC[J].Int.J.Internet Technology and Secured Transactions,2012, 4(2/3):207-220
[11] Ferrara A L,Madhusudan P,Parlato G.Security Analysis ofRole-based Access Control through Program Verification[C]∥Proceedings of 2012 IEEE 25TH Computer Security Foundations Symposium.2012:113-125
[12] Yang Ping,Gofman M,Yang Zi-jiang.Policy Analysis for Ad-ministrative Role Based Access Control without Separate Administration[C]∥Wang L,Shafiq B,eds.IFIP International Federation for Information Processing 2013(DBSec 2013).LNCS 7964,2013:49-64
[13] Liu Xiao-fan,Alechina N,Logan B.Expressing User Access Authorization Exceptions in Conventional Role-Based Access Control[C]∥Deng R H,Feng T,eds.Springer-Verlag Berlin Heidelberg 2013(ISPEC 2013).LNCS 7863,2013:233-247
[14] 王婷.面向授权管理的资源管理模型研究[D].郑州:信息工程大学,2011
[15] Harrison M A,Ruzzo W L,Ullman J D.Protection in operation systems[J].Communications of the ACM,1976,19(8):461-471
[16] 刘强,姜云飞,李黎明.RBAC系统的权限泄漏问题及分析方法[J].计算机集成制造系统,2010,16(2):431-438
[17] 徐璐.基于安全标记的Web应用访问控制技术研究[D].郑州:信息工程大学,2009
No related articles found!
Viewed
Full text


Abstract

Cited
  Shared   
  Discussed   
No Suggested Reading articles found!
渝ICP备16013121号-4
地址:重庆市渝北区洪湖西路18号    邮编:401121  
电话:023-63500828(编辑部) 023-67039612(会议/专题) 023-67039623(财务/发票)
E-mail:jsjkx12@163.com
本系统由北京玛格泰克科技发展有限公司设计开发