The content security requirements of a radio frequency identification (RFID) based logistics-customs clearance service platform (LCCSP) are analysed in this paper. Then, both the unified identity authentication an...The content security requirements of a radio frequency identification (RFID) based logistics-customs clearance service platform (LCCSP) are analysed in this paper. Then, both the unified identity authentication and the access control modules are designed according to those analyses. Finally, the unified identity authentication and the access control on the business level are implemented separately. In the unified identity authentication module, based on an improved Kerberos-based authentication approach, a new control transfer method is proposed to solve the sharing problem of tickets among different servers of different departments. In the access control module, the functions of access controls are divided into different granularities to make the access control management more flexible. Moreover, the access control module has significant reference value for user management in similar systems.展开更多
Attribute-based Encryption(ABE)enhances the confidentiality of Electronic Health Records(EHR)(also known as Personal Health Records(PHR))by binding access rights not to individual identities,but to user attribute sets...Attribute-based Encryption(ABE)enhances the confidentiality of Electronic Health Records(EHR)(also known as Personal Health Records(PHR))by binding access rights not to individual identities,but to user attribute sets such as roles,specialties,or certifications.This data-centric cryptographic paradigm enables highly fine-grained,policydriven access control,minimizing the need for identity management and supporting scalable multi-user scenarios.This paper presents a comprehensive and critical survey of ABE schemes developed specifically for EHR/PHR systems over the past decade.It explores the evolution of these schemes,analyzing their design principles,strengths,limitations,and the level of granularity they offer in access control.The review also evaluates the security guarantees,efficiency,and practical applicability of these schemes in real-world healthcare environments.Furthermore,the paper outlines the current state of ABE as a mechanism for safeguarding EHR data and managing user access,while also identifying the key challenges that remain.Open issues such as scalability,revocation mechanisms,policy updates,and interoperability are discussed in detail,providing valuable insights for researchers and practitioners aiming to advance the secure management of health information systems.展开更多
The conception of trusted network connection (TNC) is introduced, and the weakness of TNC to control user's action is analyzed. After this, the paper brings out a set of secure access and control model based on acc...The conception of trusted network connection (TNC) is introduced, and the weakness of TNC to control user's action is analyzed. After this, the paper brings out a set of secure access and control model based on access, authorization and control, and related authentication protocol. At last the security of this model is analyzed. The model can improve TNC's security of user control and authorization.展开更多
The 6G network architecture introduces the paradigm of Trust+Security,representing a shift in network protection strategies from external defense mechanisms to endogenous security enforcement.While ZTNs(zerotrust netw...The 6G network architecture introduces the paradigm of Trust+Security,representing a shift in network protection strategies from external defense mechanisms to endogenous security enforcement.While ZTNs(zerotrust networks)have demonstrated significant advancements in constructing trust-centric frameworks,most existing ZTN implementations lack comprehensive integration of security deployment and traffic monitoring capabilities.Furthermore,current ZTN designs generally do not facilitate dynamic assessment of user reputation.To address these limitations,this study proposes a DPZTN(Data-plane-based Zero Trust Network).DPZTN framework extends traditional ZTN models by incorporating security mechanisms directly into the data plane.Additionally,blockchain infrastructure is used to enable decentralized identity authentication and distributed access control.A pivotal element within the proposed framework is ZTNE(Zero-Trust Network Element),which executes access control policies and performs real-time user traffic inspection.To enable dynamic and fine-grained evaluation of user trustworthiness,this study introduces BBEA(Bayesian-based Behavior Evaluation Algorithm).BBEA provides a framework for continuous user behavior analysis,supporting adaptive privilege management and behavior-informed access control.Experimental results demonstrate that ZTNE combined with BBEA,can effectively respond to both individual and mixed attack types by promptly adjusting user behavior scores and dynamically modifying access privileges based on initial privilege levels.Under conditions supporting up to 10,000 concurrent users,the control system maintains approximately 65%CPU usage and less than 60%memory usage,with average user authentication latency around 1 s and access control latency close to 1 s.展开更多
To prevent misuse of privacy,numerous anonymous authentication schemes with linkability and/or traceability have been proposed to ensure different types of accountabilities.Previous schemes cannot simultaneously achie...To prevent misuse of privacy,numerous anonymous authentication schemes with linkability and/or traceability have been proposed to ensure different types of accountabilities.Previous schemes cannot simultaneously achieve public linking and tracing while holding access control,therefore,a new tool named linkable and traceable anonymous authentication with fine-grained access control(LTAA-FGAC)is offered,which is designed to satisfy:(i)access control,i.e.,only authorized users who meet a designated authentication policy are approved to authenticate messages;(ii)public linkability,i.e.,anyone can tell whether two authentications with respect to a common identifier are created by an identical user;(iii)public traceability,i.e.,everyone has the ability to deduce a double-authentication user’s identity from two linked authentications without the help of other parties.We formally define the basic security requirements for the new tool,and also give a generic construction so as to satisfy these requirements.Then,we present a formal security proof and an implementation of our proposed LTAA-FGAC scheme.展开更多
An effective and reliable access control is crucial to a PDM system.This article has discussed the commonly used access control models,analyzed their advantages and disadvantages,and proposed a new Role and Object bas...An effective and reliable access control is crucial to a PDM system.This article has discussed the commonly used access control models,analyzed their advantages and disadvantages,and proposed a new Role and Object based access control model that suits the particular needs of a PDM system.The new model has been implemented in a commercial PDM system,which has demonstrated enhanced flexibility and convenience.展开更多
Renewable Energy Systems(RES)provide a sustainable solution to climate warming and environmental pollution by enhancing stability and reliability through status acquisition and analysis on cloud platforms and intellig...Renewable Energy Systems(RES)provide a sustainable solution to climate warming and environmental pollution by enhancing stability and reliability through status acquisition and analysis on cloud platforms and intelligent processing on edge servers(ES).However,securely distributing encrypted data stored in the cloud to terminals that meet decryption requirements has become a prominent research topic.Additionally,managing attributes,including addition,deletion,and modification,is a crucial issue in the access control scheme for RES.To address these security concerns,a trust-based ciphertext-policy attribute-based encryption(CP-ABE)device access control scheme is proposed for RES(TB-CP-ABE).This scheme effectivelymanages the distribution and control of encrypted data on the cloud through robust attribute key management.By introducing trust management mechanisms and outsourced decryption technology,the ES system can effectively assess and manage the trust worthiness of terminal devices,ensuring that only trusted devices can participate in data exchange and access sensitive information.Besides,the ES system dynamically evaluates trust scores to set decryption trust thresholds,thereby regulating device data access permissions and enhancing the system’s security.To validate the security of the proposed TB-CP-ABE against chosen plaintext attacks,a comprehensive formal security analysis is conducted using the widely accepted random oraclemodel under the decisional q-Bilinear Diffie-Hellman Exponent(q-BDHE)assumption.Finally,comparative analysis with other schemes demonstrates that the TB-CP-ABE scheme cuts energy/communication costs by 43%,and scaleswell with rising terminals,maintaining average latency below 50ms,ensuring real-time service feasibility.The proposed scheme not only provides newinsights for the secure management of RES but also lays a foundation for future secure energy solutions.展开更多
This paper first introduces attribute expression to describe attribute-based access control policy.Secondly,an access control policy enforcement language named A-XACML (attribute-XACML)is proposed,which is an extens...This paper first introduces attribute expression to describe attribute-based access control policy.Secondly,an access control policy enforcement language named A-XACML (attribute-XACML)is proposed,which is an extension of XACML.A-XACML is used as a simple,flexible way to express and enforce access control policies,especially attribute-based access control policy,in a variety of environments.The language and schema support include data types,functions,and combining logic which allow simple and complex policies to be defined.Finally,a system architecture and application case of user-role assignment is given to show how attribute expressions and A-XACML work in access control policy description and enforcement.The case shows that attribute expression and A-XACML can describe and enforce the complex access control policy in a simple and flexible way.展开更多
Ciphertext-Policy Attribute-Based Encryption(CP-ABE)enables fine-grained access control on ciphertexts,making it a promising approach for managing data stored in the cloud-enabled Internet of Things.But existing schem...Ciphertext-Policy Attribute-Based Encryption(CP-ABE)enables fine-grained access control on ciphertexts,making it a promising approach for managing data stored in the cloud-enabled Internet of Things.But existing schemes often suffer from privacy breaches due to explicit attachment of access policies or partial hiding of critical attribute content.Additionally,resource-constrained IoT devices,especially those adopting wireless communication,frequently encounter affordability issues regarding decryption costs.In this paper,we propose an efficient and fine-grained access control scheme with fully hidden policies(named FHAC).FHAC conceals all attributes in the policy and utilizes bloom filters to efficiently locate them.A test phase before decryption is applied to assist authorized users in finding matches between their attributes and the access policy.Dictionary attacks are thwarted by providing unauthorized users with invalid values.The heavy computational overhead of both the test phase and most of the decryption phase is outsourced to two cloud servers.Additionally,users can verify the correctness of multiple outsourced decryption results simultaneously.Security analysis and performance comparisons demonstrate FHAC's effectiveness in protecting policy privacy and achieving efficient decryption.展开更多
Security attributes are the premise and foundation for implementing Attribute-Based Access Control(ABAC)mechanisms.However,when dealing with massive volumes of unstructured text big data resources,the current attribut...Security attributes are the premise and foundation for implementing Attribute-Based Access Control(ABAC)mechanisms.However,when dealing with massive volumes of unstructured text big data resources,the current attribute management methods based on manual extraction face several issues,such as high costs for attribute extraction,long processing times,unstable accuracy,and poor scalability.To address these problems,this paper proposes an attribute mining technology for access control institutions based on hybrid capsule networks.This technology leverages transfer learning ideas,utilizing Bidirectional Encoder Representations from Transformers(BERT)pre-trained language models to achieve vectorization of unstructured text data resources.Furthermore,we have designed a novel end-to-end parallel hybrid network structure,where the parallel networks handle global and local information features of the text that they excel at,respectively.By employing techniques such as attention mechanisms,capsule networks,and dynamic routing,effective mining of security attributes for access control resources has been achieved.Finally,we evaluated the performance level of the proposed attribute mining method for access control institutions through experiments on the medical referral text resource dataset.The experimental results show that,compared with baseline algorithms,our method adopts a parallel network structure that can better balance global and local feature information,resulting in improved overall performance.Specifically,it achieves a comprehensive performance enhancement of 2.06%to 8.18%in the F1 score metric.Therefore,this technology can effectively provide attribute support for access control of unstructured text big data resources.展开更多
This study proposes a system for biometric access control utilising the improved Cultural Chicken Swarm Optimization(CCSO)technique.This approach mitigates the limitations of conventional Chicken Swarm Optimization(CS...This study proposes a system for biometric access control utilising the improved Cultural Chicken Swarm Optimization(CCSO)technique.This approach mitigates the limitations of conventional Chicken Swarm Optimization(CSO),especially in dealing with larger dimensions due to diversity loss during solution space exploration.Our experimentation involved 600 sample images encompassing facial,iris,and fingerprint data,collected from 200 students at Ladoke Akintola University of Technology(LAUTECH),Ogbomoso.The results demonstrate the remarkable effectiveness of CCSO,yielding accuracy rates of 90.42%,91.67%,and 91.25%within 54.77,27.35,and 113.92 s for facial,fingerprint,and iris biometrics,respectively.These outcomes significantly outperform those achieved by the conventional CSO technique,which produced accuracy rates of 82.92%,86.25%,and 84.58%at 92.57,63.96,and 163.94 s for the same biometric modalities.The study’s findings reveal that CCSO,through its integration of Cultural Algorithm(CA)Operators into CSO,not only enhances algorithm performance,exhibiting computational efficiency and superior accuracy,but also carries broader implications beyond biometric systems.This innovation offers practical benefits in terms of security enhancement,operational efficiency,and adaptability across diverse user populations,shaping more effective and resource-efficient access control systems with real-world applicability.展开更多
The increasing deployment of Internet of Things(IoT)devices has introduced significant security chal-lenges,including identity spoofing,unauthorized access,and data integrity breaches.Traditional security mechanisms r...The increasing deployment of Internet of Things(IoT)devices has introduced significant security chal-lenges,including identity spoofing,unauthorized access,and data integrity breaches.Traditional security mechanisms rely on centralized frameworks that suffer from single points of failure,scalability issues,and inefficiencies in real-time security enforcement.To address these limitations,this study proposes the Blockchain-Enhanced Trust and Access Control for IoT Security(BETAC-IoT)model,which integrates blockchain technology,smart contracts,federated learning,and Merkle tree-based integrity verification to enhance IoT security.The proposed model eliminates reliance on centralized authentication by employing decentralized identity management,ensuring tamper-proof data storage,and automating access control through smart contracts.Experimental evaluation using a synthetic IoT dataset shows that the BETAC-IoT model improves access control enforcement accuracy by 92%,reduces device authentication time by 52%(from 2.5 to 1.2 s),and enhances threat detection efficiency by 7%(from 85%to 92%)using federated learning.Additionally,the hybrid blockchain architecture achieves a 300%increase in transaction throughput when comparing private blockchain performance(1200 TPS)to public chains(300 TPS).Access control enforcement accuracy was quantified through confusion matrix analysis,with high precision and minimal false positives observed across access decision categories.Although the model presents advantages in security and scalability,challenges such as computational overhead,blockchain storage constraints,and interoperability with existing IoT systems remain areas for future research.This study contributes to advancing decentralized security frameworks for IoT,providing a resilient and scalable solution for securing connected environments.展开更多
An access control model is proposed based on the famous Bell-LaPadula (BLP) model.In the proposed model,hierarchical relationships among departments are built,a new concept named post is proposed,and assigning secur...An access control model is proposed based on the famous Bell-LaPadula (BLP) model.In the proposed model,hierarchical relationships among departments are built,a new concept named post is proposed,and assigning security tags to subjects and objects is greatly simplified.The interoperation among different departments is implemented through assigning multiple security tags to one post, and the more departments are closed on the organization tree,the more secret objects can be exchanged by the staff of the departments.The access control matrices of the department,post and staff are defined.By using the three access control matrices,a multi granularity and flexible discretionary access control policy is implemented.The outstanding merit of the BLP model is inherited,and the new model can guarantee that all the information flow is under control.Finally,our study shows that compared to the BLP model,the proposed model is more flexible.展开更多
We introduce a new notion called accountable attribute-based authentication with fine-grained access control (AccABA), which achieves (i) fine-grained access control that prevents ineligible users from authenticating;...We introduce a new notion called accountable attribute-based authentication with fine-grained access control (AccABA), which achieves (i) fine-grained access control that prevents ineligible users from authenticating;(ii) anonymity such that no one can recognize the identity of a user;(iii) public accountability, i.e., as long as a user authenticates two different messages, the corresponding authentications will be easily identified and linked, and anyone can reveal the user’s identity without any help from a trusted third party. Then, we formalize the security requirements in terms of unforgeability, anonymity, linkability and traceability, and give a generic construction to fulfill these requirements. Based on AccABA, we further present the first attribute-based, fair, anonymous and publicly traceable crowdsourcing scheme on blockchain, which is designed to filter qualified workers to participate in tasks, and ensures the fairness of the competition between workers, and finally balances the tension between anonymity and accountability.展开更多
A new role hierarchy model for RBAC (role-based access control) is presented and its features are illustrated through examples. Some new concepts such as private permission, public permission and special permission ar...A new role hierarchy model for RBAC (role-based access control) is presented and its features are illustrated through examples. Some new concepts such as private permission, public permission and special permission are introduced, based on the RRA97 model. Some new role-role inheriting forms such as normal inheritance, private inheritance, public inheritance and special-without inheritance are defined. Based on the ideas mentioned, the new role hierarchy model is formulated. It is easier and more comprehensible to describe role-role relationships through the new model than through the traditional ones. The new model is closer to the real world and its mechanism is more powerful. Particularly it is more suitable when used in large-scale role hierarchies.展开更多
Role based access control is one of the widely used access control models.There are investigations in the literature that use knowledge representation mechanisms such as formal concept analysis(FCA),description logics...Role based access control is one of the widely used access control models.There are investigations in the literature that use knowledge representation mechanisms such as formal concept analysis(FCA),description logics,and Ontology for representing access control mechanism.However,while using FCA,investigations reported in the literature so far work on the logic that transforms the three dimensional access control matrix into dyadic formal contexts.This transformation is mainly to derive the formal concepts,lattice structure and implications to represent role hierarchy and constraints of RBAC.In this work,we propose a methodology that models RBAC using triadic FCA without transforming the triadic access control matrix into dyadic formal contexts.Our discussion is on two lines of inquiry.We present how triadic FCA can provide a suitable representation of RBAC policy and we demonstrate how this representation follows role hierarchy and constraints of RBAC on sample healthcare network available in the literature.展开更多
In this paper, an extended version of standard susceptible-infected (SI) model is proposed to consider the influence of a medium access control mechanism on virus spreading in wireless sensor networks. Theoretical a...In this paper, an extended version of standard susceptible-infected (SI) model is proposed to consider the influence of a medium access control mechanism on virus spreading in wireless sensor networks. Theoretical analysis shows that the medium access control mechanism obviously reduces the density of infected nodes in the networks, which has been ignored in previous studies. It is also found that by increasing the network node density or node communication radius greatly increases the number of infected nodes. The theoretical results are confirmed by numerical simulations.展开更多
Efficient response speed and information processing speed are among the characteristics of mobile edge computing(MEC).However,MEC easily causes information leakage and loss problems because it requires frequent data e...Efficient response speed and information processing speed are among the characteristics of mobile edge computing(MEC).However,MEC easily causes information leakage and loss problems because it requires frequent data exchange.This work proposes an anonymous privacy data protection and access control scheme based on elliptic curve cryptography(ECC)and bilinear pairing to protect the communication security of the MEC.In the proposed scheme,the information sender encrypts private information through the ECC algorithm,and the information receiver uses its own key information and bilinear pairing to extract and verify the identity of the information sender.During each round of communication,the proposed scheme uses timestamps and random numbers to ensure the freshness of each round of conversation.Experimental results show that the proposed scheme has good security performance and can provide data privacy protection,integrity verification,and traceability for the communication process of MEC.The proposed scheme has a lower cost than other related schemes.The communication and computational cost of the proposed scheme are reduced by 31.08% and 22.31% on average compared with those of the other related schemes.展开更多
Role mining and setup affect the usage of role-based access control(RBAC).Traditionally,user's role and permission assigning are manipulated by security administrator of system.However,the cost is expensive and th...Role mining and setup affect the usage of role-based access control(RBAC).Traditionally,user's role and permission assigning are manipulated by security administrator of system.However,the cost is expensive and the operating process is complex.A new role analyzing method was proposed by generating mappings and using them to provide recommendation for systems.The relation among sets of permissions,roles and users was explored by generating mappings,and the relation between sets of users and attributes was analyzed by means of the concept lattice model,generating a critical mapping between the attribute and permission sets,and making the meaning of the role natural and operational.Thus,a role is determined by permission set and user's attributes.The generated mappings were used to automatically assign permissions and roles to new users.Experimental results show that the proposed algorithm is effective and efficient.展开更多
Quorum system is a preferable model to construct distributed access control architecture, but not all quorum system can satisfy the requirements of distributed access control architecture. Aiming at the dependable pro...Quorum system is a preferable model to construct distributed access control architecture, but not all quorum system can satisfy the requirements of distributed access control architecture. Aiming at the dependable problem of authorization server in distributed system and combining the requirements of access control, a set of criterions to select and evaluate quorum system is presented. The scheme and algorithm of constructing an authorization server system based on Paths quorum system are designed, and the integrated sys- tem performance under some servers attacked is fully analyzed. Role-based access control on the Web implemented by this scheme is introduced. Analysis shows that with certain node failure probability, the scheme not only has high dependability but also can satisfy the special requirements of distributed access control such as real-time, parallelism, and consistency of security policy.展开更多
基金supported by Department of Science & Technology of Guangdong Province (No.2006A15006003)National High Technology Research and Development Program of China (863 Program)(No.2006AA04A120)
文摘The content security requirements of a radio frequency identification (RFID) based logistics-customs clearance service platform (LCCSP) are analysed in this paper. Then, both the unified identity authentication and the access control modules are designed according to those analyses. Finally, the unified identity authentication and the access control on the business level are implemented separately. In the unified identity authentication module, based on an improved Kerberos-based authentication approach, a new control transfer method is proposed to solve the sharing problem of tickets among different servers of different departments. In the access control module, the functions of access controls are divided into different granularities to make the access control management more flexible. Moreover, the access control module has significant reference value for user management in similar systems.
文摘Attribute-based Encryption(ABE)enhances the confidentiality of Electronic Health Records(EHR)(also known as Personal Health Records(PHR))by binding access rights not to individual identities,but to user attribute sets such as roles,specialties,or certifications.This data-centric cryptographic paradigm enables highly fine-grained,policydriven access control,minimizing the need for identity management and supporting scalable multi-user scenarios.This paper presents a comprehensive and critical survey of ABE schemes developed specifically for EHR/PHR systems over the past decade.It explores the evolution of these schemes,analyzing their design principles,strengths,limitations,and the level of granularity they offer in access control.The review also evaluates the security guarantees,efficiency,and practical applicability of these schemes in real-world healthcare environments.Furthermore,the paper outlines the current state of ABE as a mechanism for safeguarding EHR data and managing user access,while also identifying the key challenges that remain.Open issues such as scalability,revocation mechanisms,policy updates,and interoperability are discussed in detail,providing valuable insights for researchers and practitioners aiming to advance the secure management of health information systems.
基金Supported by Specialized Research Fund for theDoctoral Programof Higher Education of China (20050013011)
文摘The conception of trusted network connection (TNC) is introduced, and the weakness of TNC to control user's action is analyzed. After this, the paper brings out a set of secure access and control model based on access, authorization and control, and related authentication protocol. At last the security of this model is analyzed. The model can improve TNC's security of user control and authorization.
基金funded by the Basic Research Operating Expenses Postgraduate Innovation Programme(Grant No.W24YJS00010,received by J.Yan)the National Key R&D Program of China(Grant No.2018YFA0701604,received by H.Zhou)the National Natural Science Foundation of China(NSFC)(Grant No.62341102,received by H.Zhou).
文摘The 6G network architecture introduces the paradigm of Trust+Security,representing a shift in network protection strategies from external defense mechanisms to endogenous security enforcement.While ZTNs(zerotrust networks)have demonstrated significant advancements in constructing trust-centric frameworks,most existing ZTN implementations lack comprehensive integration of security deployment and traffic monitoring capabilities.Furthermore,current ZTN designs generally do not facilitate dynamic assessment of user reputation.To address these limitations,this study proposes a DPZTN(Data-plane-based Zero Trust Network).DPZTN framework extends traditional ZTN models by incorporating security mechanisms directly into the data plane.Additionally,blockchain infrastructure is used to enable decentralized identity authentication and distributed access control.A pivotal element within the proposed framework is ZTNE(Zero-Trust Network Element),which executes access control policies and performs real-time user traffic inspection.To enable dynamic and fine-grained evaluation of user trustworthiness,this study introduces BBEA(Bayesian-based Behavior Evaluation Algorithm).BBEA provides a framework for continuous user behavior analysis,supporting adaptive privilege management and behavior-informed access control.Experimental results demonstrate that ZTNE combined with BBEA,can effectively respond to both individual and mixed attack types by promptly adjusting user behavior scores and dynamically modifying access privileges based on initial privilege levels.Under conditions supporting up to 10,000 concurrent users,the control system maintains approximately 65%CPU usage and less than 60%memory usage,with average user authentication latency around 1 s and access control latency close to 1 s.
基金supported by the National Natural Science Foundation of China(Grant Nos.U2001205,61932010)Guangdong Basic and Applied Basic Research Foundation(Nos.2023B1515040020,2019B030302008)Guangdong Provincial Key Laboratory of Power System Network Security(No.GPKLPSNS-2022-KF-05).
文摘To prevent misuse of privacy,numerous anonymous authentication schemes with linkability and/or traceability have been proposed to ensure different types of accountabilities.Previous schemes cannot simultaneously achieve public linking and tracing while holding access control,therefore,a new tool named linkable and traceable anonymous authentication with fine-grained access control(LTAA-FGAC)is offered,which is designed to satisfy:(i)access control,i.e.,only authorized users who meet a designated authentication policy are approved to authenticate messages;(ii)public linkability,i.e.,anyone can tell whether two authentications with respect to a common identifier are created by an identical user;(iii)public traceability,i.e.,everyone has the ability to deduce a double-authentication user’s identity from two linked authentications without the help of other parties.We formally define the basic security requirements for the new tool,and also give a generic construction so as to satisfy these requirements.Then,we present a formal security proof and an implementation of our proposed LTAA-FGAC scheme.
文摘An effective and reliable access control is crucial to a PDM system.This article has discussed the commonly used access control models,analyzed their advantages and disadvantages,and proposed a new Role and Object based access control model that suits the particular needs of a PDM system.The new model has been implemented in a commercial PDM system,which has demonstrated enhanced flexibility and convenience.
基金supported by the Science and Technology Project of the State Grid Corporation of China,Grant number 5700-202223189A-1-1-ZN.
文摘Renewable Energy Systems(RES)provide a sustainable solution to climate warming and environmental pollution by enhancing stability and reliability through status acquisition and analysis on cloud platforms and intelligent processing on edge servers(ES).However,securely distributing encrypted data stored in the cloud to terminals that meet decryption requirements has become a prominent research topic.Additionally,managing attributes,including addition,deletion,and modification,is a crucial issue in the access control scheme for RES.To address these security concerns,a trust-based ciphertext-policy attribute-based encryption(CP-ABE)device access control scheme is proposed for RES(TB-CP-ABE).This scheme effectivelymanages the distribution and control of encrypted data on the cloud through robust attribute key management.By introducing trust management mechanisms and outsourced decryption technology,the ES system can effectively assess and manage the trust worthiness of terminal devices,ensuring that only trusted devices can participate in data exchange and access sensitive information.Besides,the ES system dynamically evaluates trust scores to set decryption trust thresholds,thereby regulating device data access permissions and enhancing the system’s security.To validate the security of the proposed TB-CP-ABE against chosen plaintext attacks,a comprehensive formal security analysis is conducted using the widely accepted random oraclemodel under the decisional q-Bilinear Diffie-Hellman Exponent(q-BDHE)assumption.Finally,comparative analysis with other schemes demonstrates that the TB-CP-ABE scheme cuts energy/communication costs by 43%,and scaleswell with rising terminals,maintaining average latency below 50ms,ensuring real-time service feasibility.The proposed scheme not only provides newinsights for the secure management of RES but also lays a foundation for future secure energy solutions.
基金The National High Technology Research and Development Program of China(863Program)(No.2007AA01Z445)
文摘This paper first introduces attribute expression to describe attribute-based access control policy.Secondly,an access control policy enforcement language named A-XACML (attribute-XACML)is proposed,which is an extension of XACML.A-XACML is used as a simple,flexible way to express and enforce access control policies,especially attribute-based access control policy,in a variety of environments.The language and schema support include data types,functions,and combining logic which allow simple and complex policies to be defined.Finally,a system architecture and application case of user-role assignment is given to show how attribute expressions and A-XACML work in access control policy description and enforcement.The case shows that attribute expression and A-XACML can describe and enforce the complex access control policy in a simple and flexible way.
基金supported in part by the National Key R&D Program of China(Grant No.2019YFB2101700)the National Natural Science Foundation of China(Grant No.62272102,No.62172320,No.U21A20466)+4 种基金the Open Research Fund of Key Laboratory of Cryptography of Zhejiang Province(Grant No.ZCL21015)the Qinghai Key R&D and Transformation Projects(Grant No.2021-GX-112)the Natural Science Foundation of Nanjing University of Posts and Telecommunications(Grant No.NY222141)the Natural Science Foundation of Jiangsu Higher Education Institutions of China under Grant(No.22KJB520029)Henan Key Laboratory of Network Cryptography Technology(No.LNCT2022-A10)。
文摘Ciphertext-Policy Attribute-Based Encryption(CP-ABE)enables fine-grained access control on ciphertexts,making it a promising approach for managing data stored in the cloud-enabled Internet of Things.But existing schemes often suffer from privacy breaches due to explicit attachment of access policies or partial hiding of critical attribute content.Additionally,resource-constrained IoT devices,especially those adopting wireless communication,frequently encounter affordability issues regarding decryption costs.In this paper,we propose an efficient and fine-grained access control scheme with fully hidden policies(named FHAC).FHAC conceals all attributes in the policy and utilizes bloom filters to efficiently locate them.A test phase before decryption is applied to assist authorized users in finding matches between their attributes and the access policy.Dictionary attacks are thwarted by providing unauthorized users with invalid values.The heavy computational overhead of both the test phase and most of the decryption phase is outsourced to two cloud servers.Additionally,users can verify the correctness of multiple outsourced decryption results simultaneously.Security analysis and performance comparisons demonstrate FHAC's effectiveness in protecting policy privacy and achieving efficient decryption.
基金supported by National Natural Science Foundation of China(No.62102449).
文摘Security attributes are the premise and foundation for implementing Attribute-Based Access Control(ABAC)mechanisms.However,when dealing with massive volumes of unstructured text big data resources,the current attribute management methods based on manual extraction face several issues,such as high costs for attribute extraction,long processing times,unstable accuracy,and poor scalability.To address these problems,this paper proposes an attribute mining technology for access control institutions based on hybrid capsule networks.This technology leverages transfer learning ideas,utilizing Bidirectional Encoder Representations from Transformers(BERT)pre-trained language models to achieve vectorization of unstructured text data resources.Furthermore,we have designed a novel end-to-end parallel hybrid network structure,where the parallel networks handle global and local information features of the text that they excel at,respectively.By employing techniques such as attention mechanisms,capsule networks,and dynamic routing,effective mining of security attributes for access control resources has been achieved.Finally,we evaluated the performance level of the proposed attribute mining method for access control institutions through experiments on the medical referral text resource dataset.The experimental results show that,compared with baseline algorithms,our method adopts a parallel network structure that can better balance global and local feature information,resulting in improved overall performance.Specifically,it achieves a comprehensive performance enhancement of 2.06%to 8.18%in the F1 score metric.Therefore,this technology can effectively provide attribute support for access control of unstructured text big data resources.
基金supported by Ladoke Akintola University of Technology,Ogbomoso,Nigeria and the University of Zululand,South Africa.
文摘This study proposes a system for biometric access control utilising the improved Cultural Chicken Swarm Optimization(CCSO)technique.This approach mitigates the limitations of conventional Chicken Swarm Optimization(CSO),especially in dealing with larger dimensions due to diversity loss during solution space exploration.Our experimentation involved 600 sample images encompassing facial,iris,and fingerprint data,collected from 200 students at Ladoke Akintola University of Technology(LAUTECH),Ogbomoso.The results demonstrate the remarkable effectiveness of CCSO,yielding accuracy rates of 90.42%,91.67%,and 91.25%within 54.77,27.35,and 113.92 s for facial,fingerprint,and iris biometrics,respectively.These outcomes significantly outperform those achieved by the conventional CSO technique,which produced accuracy rates of 82.92%,86.25%,and 84.58%at 92.57,63.96,and 163.94 s for the same biometric modalities.The study’s findings reveal that CCSO,through its integration of Cultural Algorithm(CA)Operators into CSO,not only enhances algorithm performance,exhibiting computational efficiency and superior accuracy,but also carries broader implications beyond biometric systems.This innovation offers practical benefits in terms of security enhancement,operational efficiency,and adaptability across diverse user populations,shaping more effective and resource-efficient access control systems with real-world applicability.
文摘The increasing deployment of Internet of Things(IoT)devices has introduced significant security chal-lenges,including identity spoofing,unauthorized access,and data integrity breaches.Traditional security mechanisms rely on centralized frameworks that suffer from single points of failure,scalability issues,and inefficiencies in real-time security enforcement.To address these limitations,this study proposes the Blockchain-Enhanced Trust and Access Control for IoT Security(BETAC-IoT)model,which integrates blockchain technology,smart contracts,federated learning,and Merkle tree-based integrity verification to enhance IoT security.The proposed model eliminates reliance on centralized authentication by employing decentralized identity management,ensuring tamper-proof data storage,and automating access control through smart contracts.Experimental evaluation using a synthetic IoT dataset shows that the BETAC-IoT model improves access control enforcement accuracy by 92%,reduces device authentication time by 52%(from 2.5 to 1.2 s),and enhances threat detection efficiency by 7%(from 85%to 92%)using federated learning.Additionally,the hybrid blockchain architecture achieves a 300%increase in transaction throughput when comparing private blockchain performance(1200 TPS)to public chains(300 TPS).Access control enforcement accuracy was quantified through confusion matrix analysis,with high precision and minimal false positives observed across access decision categories.Although the model presents advantages in security and scalability,challenges such as computational overhead,blockchain storage constraints,and interoperability with existing IoT systems remain areas for future research.This study contributes to advancing decentralized security frameworks for IoT,providing a resilient and scalable solution for securing connected environments.
基金The National Natural Science Foundation of China(No.60403027,60773191,70771043)the National High Technology Research and Development Program of China(863 Program)(No.2007AA01Z403)
文摘An access control model is proposed based on the famous Bell-LaPadula (BLP) model.In the proposed model,hierarchical relationships among departments are built,a new concept named post is proposed,and assigning security tags to subjects and objects is greatly simplified.The interoperation among different departments is implemented through assigning multiple security tags to one post, and the more departments are closed on the organization tree,the more secret objects can be exchanged by the staff of the departments.The access control matrices of the department,post and staff are defined.By using the three access control matrices,a multi granularity and flexible discretionary access control policy is implemented.The outstanding merit of the BLP model is inherited,and the new model can guarantee that all the information flow is under control.Finally,our study shows that compared to the BLP model,the proposed model is more flexible.
基金supported by the National Natural Science Foundation of China(Grant Nos.U2001205,61922036,61932011)Guangdong Basic and Applied Basic Research Foundation(Grant Nos.2019B030302008,2019B1515120010)+2 种基金Science and Technology Project of Guangzhou City(Grant No.201707010320)TESTBED2(Grant No.H2020-MSCA-RISE-2019)National Key Research and Development Program of China(Grant No.2019YFE0123600).
文摘We introduce a new notion called accountable attribute-based authentication with fine-grained access control (AccABA), which achieves (i) fine-grained access control that prevents ineligible users from authenticating;(ii) anonymity such that no one can recognize the identity of a user;(iii) public accountability, i.e., as long as a user authenticates two different messages, the corresponding authentications will be easily identified and linked, and anyone can reveal the user’s identity without any help from a trusted third party. Then, we formalize the security requirements in terms of unforgeability, anonymity, linkability and traceability, and give a generic construction to fulfill these requirements. Based on AccABA, we further present the first attribute-based, fair, anonymous and publicly traceable crowdsourcing scheme on blockchain, which is designed to filter qualified workers to participate in tasks, and ensures the fairness of the competition between workers, and finally balances the tension between anonymity and accountability.
文摘A new role hierarchy model for RBAC (role-based access control) is presented and its features are illustrated through examples. Some new concepts such as private permission, public permission and special permission are introduced, based on the RRA97 model. Some new role-role inheriting forms such as normal inheritance, private inheritance, public inheritance and special-without inheritance are defined. Based on the ideas mentioned, the new role hierarchy model is formulated. It is easier and more comprehensible to describe role-role relationships through the new model than through the traditional ones. The new model is closer to the real world and its mechanism is more powerful. Particularly it is more suitable when used in large-scale role hierarchies.
基金the financial support from Department of Science and Technology,Government of India under the grant:SR/CSRI/118/2014
文摘Role based access control is one of the widely used access control models.There are investigations in the literature that use knowledge representation mechanisms such as formal concept analysis(FCA),description logics,and Ontology for representing access control mechanism.However,while using FCA,investigations reported in the literature so far work on the logic that transforms the three dimensional access control matrix into dyadic formal contexts.This transformation is mainly to derive the formal concepts,lattice structure and implications to represent role hierarchy and constraints of RBAC.In this work,we propose a methodology that models RBAC using triadic FCA without transforming the triadic access control matrix into dyadic formal contexts.Our discussion is on two lines of inquiry.We present how triadic FCA can provide a suitable representation of RBAC policy and we demonstrate how this representation follows role hierarchy and constraints of RBAC on sample healthcare network available in the literature.
基金Project supported by the National Natural Science Foundation of China (Grant Nos. 61103231 and 61103230)the Natural Science Foundation of Jiangsu Province, China (Grant No. BK2012082)+2 种基金the Innovation Program of Graduate Scientific Research in Institution of Higher Education of Jiangsu Province,China (Grant No. CXZZ11 0401)the Natural Science Basic Research Plan in Shaanxi Province of China (Grant No. 2011JM8012)the Basic Research Foundation of Engineering University of the Chinese People’s Armed Police Force (Grant No. WJY201218)
文摘In this paper, an extended version of standard susceptible-infected (SI) model is proposed to consider the influence of a medium access control mechanism on virus spreading in wireless sensor networks. Theoretical analysis shows that the medium access control mechanism obviously reduces the density of infected nodes in the networks, which has been ignored in previous studies. It is also found that by increasing the network node density or node communication radius greatly increases the number of infected nodes. The theoretical results are confirmed by numerical simulations.
基金partially supported by the National Natural Science Foundation of China under Grant 62072170 and Grant 62177047the Fundamental Research Funds for the Central Universities under Grant 531118010527+1 种基金the Science and Technology Key Projects of Hunan Province under Grant 2022GK2015the Hunan Provincial Natural Science Foundation of China under Grant 2021JJ30141.
文摘Efficient response speed and information processing speed are among the characteristics of mobile edge computing(MEC).However,MEC easily causes information leakage and loss problems because it requires frequent data exchange.This work proposes an anonymous privacy data protection and access control scheme based on elliptic curve cryptography(ECC)and bilinear pairing to protect the communication security of the MEC.In the proposed scheme,the information sender encrypts private information through the ECC algorithm,and the information receiver uses its own key information and bilinear pairing to extract and verify the identity of the information sender.During each round of communication,the proposed scheme uses timestamps and random numbers to ensure the freshness of each round of conversation.Experimental results show that the proposed scheme has good security performance and can provide data privacy protection,integrity verification,and traceability for the communication process of MEC.The proposed scheme has a lower cost than other related schemes.The communication and computational cost of the proposed scheme are reduced by 31.08% and 22.31% on average compared with those of the other related schemes.
基金Project(61003140) supported by the National Natural Science Foundation of ChinaProject(013/2010/A) supported by Macao Science and Technology Development FundProject(10YJC630236) supported by Social Science Foundation for the Youth Scholars of Ministry of Education of China
文摘Role mining and setup affect the usage of role-based access control(RBAC).Traditionally,user's role and permission assigning are manipulated by security administrator of system.However,the cost is expensive and the operating process is complex.A new role analyzing method was proposed by generating mappings and using them to provide recommendation for systems.The relation among sets of permissions,roles and users was explored by generating mappings,and the relation between sets of users and attributes was analyzed by means of the concept lattice model,generating a critical mapping between the attribute and permission sets,and making the meaning of the role natural and operational.Thus,a role is determined by permission set and user's attributes.The generated mappings were used to automatically assign permissions and roles to new users.Experimental results show that the proposed algorithm is effective and efficient.
基金Supported by the National Natural Science Foundation of China (70771043, 60873225, 60773191)
文摘Quorum system is a preferable model to construct distributed access control architecture, but not all quorum system can satisfy the requirements of distributed access control architecture. Aiming at the dependable problem of authorization server in distributed system and combining the requirements of access control, a set of criterions to select and evaluate quorum system is presented. The scheme and algorithm of constructing an authorization server system based on Paths quorum system are designed, and the integrated sys- tem performance under some servers attacked is fully analyzed. Role-based access control on the Web implemented by this scheme is introduced. Analysis shows that with certain node failure probability, the scheme not only has high dependability but also can satisfy the special requirements of distributed access control such as real-time, parallelism, and consistency of security policy.
