基于TCB子集的访问控制信息安全传递模型

doi:10.6040/j.issn.1671-9352.0.2015.571

山东大学学报（理学版） ›› 2016, Vol. 51 ›› Issue (7): 98-106.doi: 10.6040/j.issn.1671-9352.0.2015.571

基于TCB子集的访问控制信息安全传递模型

唐乾¹,杨飞¹,黄琪²,林果园^1,3

1. 中国矿业大学计算机科学与技术学院, 江苏徐州 221116;2.北京中电普华信息技术有限公司, 北京 100192;3. 南京大学软件新技术国家重点实验室, 江苏南京 210093

收稿日期:2015-11-27 出版日期:2016-07-20 发布日期:2016-07-27
通讯作者: 林果园(1975— ),男,博士,副教授,研究方向为云计算及其安全、隐蔽信道与可信计算等. E-mail:lingy@cumt.edu.cn E-mail:cumt_-tangqian@163.com
作者简介:唐乾(1989— ),男,硕士研究生,研究方向为可信计算、云计算及其安全.E-mail:cumt_-tangqian@163.com
基金资助:
国家青年科学自然基金资助项目(61303263);江苏省基础研究计划(自然科学基金)项目(BK20150201)

Security transfer model of access control information based on TCB subsets

TANG Qian¹, YANG Fei¹, HUANG Qi², LIN Guo-yuan^1,3

1. School of Computer Science and Technology, China University of Mining and Technology, Xuzhou 221116, Jiangsu, China;
2. Beijing China-Power Information Technology Co., Ltd., Beijing 100192, China;
3. State Key Laboratory for Novel Software Technology, Nanjing University, Nanjing 210093, Jiangsu, China

Received:2015-11-27 Online:2016-07-20 Published:2016-07-27

摘要/Abstract

摘要： 综合考虑应用层向内核层传递访问控制信息的安全需求,提出了一种基于TCB子集的访问控制信息安全传递模型。应用层安全管理器与内核层安全管理器通过安全通路相联,安全通路为已加密状态,密钥存放在可信平台模块TPM(trusted platform model)中,访问控制信息进入安全通路前必须通过TPM的控制处理;安全通路解密后应用层安全通路接口把访问控制信息和校验标签传到内核层安全通路接口,随后应用层接口进行随机抽查,内核层接口返回验证证据并由应用层接口判断数据真实性和有效性。安全传递模型不仅可以有效地保证访问控制信息的安全性,还可以抵抗恶意欺骗和恶意攻击从而提高了访问控制的可靠性与有效性。

关键词: 安全通路, 访问控制信息, 有效性, 安全性, TCB子集

Abstract: A security transfer model of access control information based on TCB subsets was proposed by taking a comprehensive consideration of the security requirements for the application layer transferring the access control information to the kernel layer. One security manager in the application layer and the other security manager in the kernel layer are connected by security channel, which has been encrypted. The key is stored in the trusted platform module. The access control information must be managed by the trusted platform module before passing through the security channel. The application layer interface of the security channel transfers the access control information and the labels to the kernel layer interface of the security channel and then does random check, after the security channel has been encrypted. The kernel layer interface returns the proofs and the application layer interface judges the result. The security transfer model can not only ensure the security of the access control information, but also resist the spiteful cheat and the hostile attack, thus improving the reliability and valid of the access control.

Key words: security channel, security, TCB subset, access control information, valid

中图分类号:

TP309

唐乾,杨飞,黄琪,林果园. 基于TCB子集的访问控制信息安全传递模型[J]. 山东大学学报（理学版）, 2016, 51(7): 98-106.

TANG Qian, YANG Fei, HUANG Qi, LIN Guo-yuan. Security transfer model of access control information based on TCB subsets[J]. JOURNAL OF SHANDONG UNIVERSITY(NATURAL SCIENCE), 2016, 51(7): 98-106.

参考文献

[1] MOHAN C.Survey of recent operating systems research,designs and implementations[J].ACM SIGOPS Operating Systems Review, 1978, 12(1):53-89.
[2] KRISTAL T P, SCOTT A B. Efficient access control for distributed hierarchical file systems[C] //Proceedings of the 22nd IEEE/13th NASA Goddard Conference on Mass Storage Systems and Technologies.Washington: IEEE Computer Society, 2005:253-260.
[3] LOSCOCCO P, SMALLEY S. Integrating flexible support for security policies into the Linux operating system[C] //Proceedings of USENIX Annual Technical Conference.New York: ACM, 2001:29-42.
[4] 蔡谊.支持可信操作平台的安全操作系统研究[D].武汉:海军工程大学,2005. CAI Yi.Research on secure operating system supporting trusted operating platform[D].Wuhan: Naval University of Engineering, PLA, 2005.
[5] 郑志蓉,沈昌祥.支持应用类安全的操作系统安全结构框架设计[J].计算机工程与应用,2002,38(22):45-47. ZHENG Zhirong, SHEN Changxiang.The design of operating system security framework supporting application class security[J].Computer Engineering and Applications, 2002, 38(22):45-47.
[6] 李勇,王飞,胡俊,等.TCB可信扩展模型研究[J].计算机工程与应用,2010,46(13):1-3,50. LI Yong, WANG Fei, HU Jun, et al. Research of trusted expand model of TCB[J].Computer Engineering and Applications, 2010, 46(13):1-3,50.
[7] 沈昌祥,张焕国,王怀民,等.可信计算的研究与发展[J].中国科学:信息科学, 2010,40(2):139-166. SHEN Changxiang, ZHANG Huanguo, WANG Huaimin, et al.Research and development of trusted computing[J]. Science China: Information Science, 2010, 40(2):139-166.
[8] Trusted Computing Group. TPM main specification version 1.2 revision 116 parts 1-3.[2015-04-10]. http://www.trustedcomputinggroup.org.Accessed 14 Sept 2013.
[9] 陈旭东,曹斌,闾凡兵,等.基于X.509标准的证书交换接口的安全性研究[J].贵州大学学报(自然科学版),2013,30(1):84-87. CHEN Xundong, CAO Bin, LÜ Fanbing, et al. Certificates exchange interface security based on the X. 509 standard[J]. Journal of Guizhou University(Natural Science Edition), 2013, 30(1):84-87.
[10] SYVERSON P F, VANOORSCHO P C. An unified cryptographic protocol logic[R].Washington:Naval Research Lab, 1996.
[11] BURROWS M, ABADI M, NEEDHAM R. A logic of authentication[J]. ACM Transactions on Computer Systems, 1990, 8(1):18-36
[12] CHANG E-C, JIA X. Remote integrity check with dishonest storage server[C] //Proceedings of the 13th European Symposium on Research in ComputerSecurity. Berlin: Springer-Verlag, 2008: 223-237.
[13] 曹夕,许力,陈兰香.云存储系统中数据完整性验证协议[J].计算机应用,2012,01:8-12. CAO Xi, XU Li, CHEN Lanxiang. Data integrity verification protocol in cloud storage system[J].Journal of Computer Applications, 2012, 01:8-12.
[14] 冯登国.安全协议—理论与实践[M].北京:清华大学出版社,2011. FENG Dengguo. Security protocols-theory and practice[M].Beijing: Tsinghua University Press, 2011.
[15] EASTLAKE D, JONES P. RFC 3174: US secure hash algorithm1(SHA1)[EB/OL].[2015-04-06]. http://www.faqs.org/rfcs/rfc3174.html.

多维度评价

Viewed

Full text

Abstract

Cited

Shared

Discussed

基于TCB子集的访问控制信息安全传递模型

Security transfer model of access control information based on TCB subsets

PDF (PC)

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 13

多维度评价

本文评价

推荐阅读 0

[1]	朱智强,马可欣,孙磊. 一种基于零知识证明的远程桌面认证协议[J]. 山东大学学报（理学版）, 2016, 51(9): 47-52.
[2]	苏彬庭,许力,方禾,王峰. 基于Diffie-Hellman的无线Mesh网络快速认证机制[J]. 山东大学学报（理学版）, 2016, 51(9): 101-105.
[3]	谢建民,姚兵,赵廷刚. 广义太阳图S_m,n奇优雅标号算法及实现[J]. 山东大学学报（理学版）, 2016, 51(4): 79-85.
[4]	杜军威, 江峰, 张会萍, 曹玲, 殷文文. 基于图形转换的组合状态安全性验证技术[J]. 山东大学学报（理学版）, 2014, 49(09): 41-49.
[5]	王华田,王延平*. 关于连作人工林衰退机理几个热点问题的探讨[J]. J4, 2013, 48(7): 1-8.
[6]	倪亮1,2,3,陈恭亮3,李建华3. eCK模型的安全性分析[J]. J4, 2013, 48(7): 46-50.
[7]	余丽. 集值映射的ε-强次微分及应用[J]. J4, 2013, 48(3): 99-105.
[8]	巨春飞1,仇晓涛2,王保仓2,3. 基于矩阵环的快速公钥密码算法[J]. J4, 2012, 47(9): 56-59.
[9]	汪定1,2,薛锋1,王立萍1,马春光2. 改进的具有PFS特性的口令认证密钥协商方案[J]. J4, 2012, 47(9): 19-25.
[10]	王侃1,吴磊2,3,郝蓉4. 一个弹性分布式数据安全方案[J]. J4, 2011, 46(9): 39-42.
[11]	崔玉泉1,马立杰2,赵晶3,白金燕4. DEA方法在投资组合中的应用[J]. J4, 2011, 46(2): 82-88.
[12]	阎召祥. ZS加密方案的选密安全性证明[J]. J4, 2010, 45(11): 115-121.
[13]	阎召祥 . 2^m次根方案在同步攻击下的安全性证明[J]. J4, 2007, 42(4): 10-13 .