Ciphertext-Policy Attribute-Based Encryption(CP-ABE)enables fine-grained access control on ciphertexts,making it a promising approach for managing data stored in the cloud-enabled Internet of Things.But existing schem...Ciphertext-Policy Attribute-Based Encryption(CP-ABE)enables fine-grained access control on ciphertexts,making it a promising approach for managing data stored in the cloud-enabled Internet of Things.But existing schemes often suffer from privacy breaches due to explicit attachment of access policies or partial hiding of critical attribute content.Additionally,resource-constrained IoT devices,especially those adopting wireless communication,frequently encounter affordability issues regarding decryption costs.In this paper,we propose an efficient and fine-grained access control scheme with fully hidden policies(named FHAC).FHAC conceals all attributes in the policy and utilizes bloom filters to efficiently locate them.A test phase before decryption is applied to assist authorized users in finding matches between their attributes and the access policy.Dictionary attacks are thwarted by providing unauthorized users with invalid values.The heavy computational overhead of both the test phase and most of the decryption phase is outsourced to two cloud servers.Additionally,users can verify the correctness of multiple outsourced decryption results simultaneously.Security analysis and performance comparisons demonstrate FHAC's effectiveness in protecting policy privacy and achieving efficient decryption.展开更多
The Energy Internet has generated huge amounts of information on the production devices,transmission devices,and energy consumption devices.The leakage of data in the collection,transmission,and storage process will c...The Energy Internet has generated huge amounts of information on the production devices,transmission devices,and energy consumption devices.The leakage of data in the collection,transmission,and storage process will cause serious security problems.The existing Energy Internet security methods rely on traditional access control mechanisms and specific network boundary defense mechanisms,which has the limitations of static strategies and coarse design.We combine the advantages of role-based access control(RBAC)and attribute-based access control(ABAC),and propose a trusted Energy Internet fine-grained access control model based on devices'attribute and users'roles.We have not only achieved fine-grained Energy Internet resource allocation,but also ensured that the access control process is related to the security status of the environment in real time.Experimental results show that the access control model can safely and accurately execute access decisions in the Energy Internet scenario,and the processing performance is more stable.展开更多
In Cloud Computing, the application software and the databases are moved to large centralized data centers, where the management of the data and services may not be fully trustworthy. This unique paradigm brings many ...In Cloud Computing, the application software and the databases are moved to large centralized data centers, where the management of the data and services may not be fully trustworthy. This unique paradigm brings many new security challenges, which have not been well solved. Data access control is an effective way to ensure the big data security in the cloud. In this paper,we study the problem of fine-grained data access control in cloud computing.Based on CP-ABE scheme,we propose a novel access control policy to achieve fine-grainedness and implement the operation of user revocation effectively.The analysis results indicate that our scheme ensures the data security in cloud computing and reduces the cost of the data owner significantly.展开更多
To prevent misuse of privacy,numerous anonymous authentication schemes with linkability and/or traceability have been proposed to ensure different types of accountabilities.Previous schemes cannot simultaneously achie...To prevent misuse of privacy,numerous anonymous authentication schemes with linkability and/or traceability have been proposed to ensure different types of accountabilities.Previous schemes cannot simultaneously achieve public linking and tracing while holding access control,therefore,a new tool named linkable and traceable anonymous authentication with fine-grained access control(LTAA-FGAC)is offered,which is designed to satisfy:(i)access control,i.e.,only authorized users who meet a designated authentication policy are approved to authenticate messages;(ii)public linkability,i.e.,anyone can tell whether two authentications with respect to a common identifier are created by an identical user;(iii)public traceability,i.e.,everyone has the ability to deduce a double-authentication user’s identity from two linked authentications without the help of other parties.We formally define the basic security requirements for the new tool,and also give a generic construction so as to satisfy these requirements.Then,we present a formal security proof and an implementation of our proposed LTAA-FGAC scheme.展开更多
We introduce a new notion called accountable attribute-based authentication with fine-grained access control (AccABA), which achieves (i) fine-grained access control that prevents ineligible users from authenticating;...We introduce a new notion called accountable attribute-based authentication with fine-grained access control (AccABA), which achieves (i) fine-grained access control that prevents ineligible users from authenticating;(ii) anonymity such that no one can recognize the identity of a user;(iii) public accountability, i.e., as long as a user authenticates two different messages, the corresponding authentications will be easily identified and linked, and anyone can reveal the user’s identity without any help from a trusted third party. Then, we formalize the security requirements in terms of unforgeability, anonymity, linkability and traceability, and give a generic construction to fulfill these requirements. Based on AccABA, we further present the first attribute-based, fair, anonymous and publicly traceable crowdsourcing scheme on blockchain, which is designed to filter qualified workers to participate in tasks, and ensures the fairness of the competition between workers, and finally balances the tension between anonymity and accountability.展开更多
Fine-grained access control (FGAC) must be supported by relational databases to satisfy the requirements of privacy preserving and Internet-based applications.Though much work on FGAC models has been conducted,there a...Fine-grained access control (FGAC) must be supported by relational databases to satisfy the requirements of privacy preserving and Internet-based applications.Though much work on FGAC models has been conducted,there are still a number of ongoing problems.We propose a new FGAC model which supports the specification of open access control policies as well as closed access control policies in relational databases.The negative authorization is supported,which allows the security administrator to specify what data should not be accessed by certain users.Moreover,multiple policies defined to regulate user access together are also supported.The definition and combination algorithm of multiple policies are thus provided.Finally,we implement the proposed FGAC model as a component of the database management system (DBMS) and evaluate its performance.The performance results show that the proposed model is feasible.展开更多
As an important resource in data link,time slots should be strategically allocated to enhance transmission efficiency and resist eavesdropping,especially considering the tremendous increase in the number of nodes and ...As an important resource in data link,time slots should be strategically allocated to enhance transmission efficiency and resist eavesdropping,especially considering the tremendous increase in the number of nodes and diverse communication needs.It is crucial to design control sequences with robust randomness and conflict-freeness to properly address differentiated access control in data link.In this paper,we propose a hierarchical access control scheme based on control sequences to achieve high utilization of time slots and differentiated access control.A theoretical bound of the hierarchical control sequence set is derived to characterize the constraints on the parameters of the sequence set.Moreover,two classes of optimal hierarchical control sequence sets satisfying the theoretical bound are constructed,both of which enable the scheme to achieve maximum utilization of time slots.Compared with the fixed time slot allocation scheme,our scheme reduces the symbol error rate by up to 9%,which indicates a significant improvement in anti-interference and eavesdropping capabilities.展开更多
The traditional centralized data sharing systems have potential risks such as single point of failures and excessive working load on the central node.As a distributed and collaborative alternative,approaches based upo...The traditional centralized data sharing systems have potential risks such as single point of failures and excessive working load on the central node.As a distributed and collaborative alternative,approaches based upon blockchain have been explored recently for Internet of Things(IoTs).However,the access from a legitimate user may be denied without the pre-defined policy and data update on the blockchain could be costly to the owners.In this paper,we first address these issues by incorporating the Accountable Subgroup Multi-Signature(ASM)algorithm into the Attribute-based Access Control(ABAC)method with Policy Smart Contract,to provide a finegrained and flexible solution.Next,we propose a policy-based Chameleon Hash algorithm that allows the data to be updated in a reliable and convenient way by the authorized users.Finally,we evaluate our work by comparing its performance with the benchmarks.The results demonstrate significant improvement on the effectiveness and efficiency.展开更多
With the development of cloud computing, the mutual understandability among distributed data access control has become an important issue in the security field of cloud computing. To ensure security, confidentiality a...With the development of cloud computing, the mutual understandability among distributed data access control has become an important issue in the security field of cloud computing. To ensure security, confidentiality and fine-grained data access control of Cloud Data Storage (CDS) environment, we proposed Multi-Agent System (MAS) architecture. This architecture consists of two agents: Cloud Service Provider Agent (CSPA) and Cloud Data Confidentiality Agent (CDConA). CSPA provides a graphical interface to the cloud user that facilitates the access to the services offered by the system. CDConA provides each cloud user by definition and enforcement expressive and flexible access structure as a logic formula over cloud data file attributes. This new access control is named as Formula-Based Cloud Data Access Control (FCDAC). Our proposed FCDAC based on MAS architecture consists of four layers: interface layer, existing access control layer, proposed FCDAC layer and CDS layer as well as four types of entities of Cloud Service Provider (CSP), cloud users, knowledge base and confidentiality policy roles. FCDAC, it’s an access policy determined by our MAS architecture, not by the CSPs. A prototype of our proposed FCDAC scheme is implemented using the Java Agent Development Framework Security (JADE-S). Our results in the practical scenario defined formally in this paper, show the Round Trip Time (RTT) for an agent to travel in our system and measured by the times required for an agent to travel around different number of cloud users before and after implementing FCDAC.展开更多
Renewable Energy Systems(RES)provide a sustainable solution to climate warming and environmental pollution by enhancing stability and reliability through status acquisition and analysis on cloud platforms and intellig...Renewable Energy Systems(RES)provide a sustainable solution to climate warming and environmental pollution by enhancing stability and reliability through status acquisition and analysis on cloud platforms and intelligent processing on edge servers(ES).However,securely distributing encrypted data stored in the cloud to terminals that meet decryption requirements has become a prominent research topic.Additionally,managing attributes,including addition,deletion,and modification,is a crucial issue in the access control scheme for RES.To address these security concerns,a trust-based ciphertext-policy attribute-based encryption(CP-ABE)device access control scheme is proposed for RES(TB-CP-ABE).This scheme effectivelymanages the distribution and control of encrypted data on the cloud through robust attribute key management.By introducing trust management mechanisms and outsourced decryption technology,the ES system can effectively assess and manage the trust worthiness of terminal devices,ensuring that only trusted devices can participate in data exchange and access sensitive information.Besides,the ES system dynamically evaluates trust scores to set decryption trust thresholds,thereby regulating device data access permissions and enhancing the system’s security.To validate the security of the proposed TB-CP-ABE against chosen plaintext attacks,a comprehensive formal security analysis is conducted using the widely accepted random oraclemodel under the decisional q-Bilinear Diffie-Hellman Exponent(q-BDHE)assumption.Finally,comparative analysis with other schemes demonstrates that the TB-CP-ABE scheme cuts energy/communication costs by 43%,and scaleswell with rising terminals,maintaining average latency below 50ms,ensuring real-time service feasibility.The proposed scheme not only provides newinsights for the secure management of RES but also lays a foundation for future secure energy solutions.展开更多
Security attributes are the premise and foundation for implementing Attribute-Based Access Control(ABAC)mechanisms.However,when dealing with massive volumes of unstructured text big data resources,the current attribut...Security attributes are the premise and foundation for implementing Attribute-Based Access Control(ABAC)mechanisms.However,when dealing with massive volumes of unstructured text big data resources,the current attribute management methods based on manual extraction face several issues,such as high costs for attribute extraction,long processing times,unstable accuracy,and poor scalability.To address these problems,this paper proposes an attribute mining technology for access control institutions based on hybrid capsule networks.This technology leverages transfer learning ideas,utilizing Bidirectional Encoder Representations from Transformers(BERT)pre-trained language models to achieve vectorization of unstructured text data resources.Furthermore,we have designed a novel end-to-end parallel hybrid network structure,where the parallel networks handle global and local information features of the text that they excel at,respectively.By employing techniques such as attention mechanisms,capsule networks,and dynamic routing,effective mining of security attributes for access control resources has been achieved.Finally,we evaluated the performance level of the proposed attribute mining method for access control institutions through experiments on the medical referral text resource dataset.The experimental results show that,compared with baseline algorithms,our method adopts a parallel network structure that can better balance global and local feature information,resulting in improved overall performance.Specifically,it achieves a comprehensive performance enhancement of 2.06%to 8.18%in the F1 score metric.Therefore,this technology can effectively provide attribute support for access control of unstructured text big data resources.展开更多
This study proposes a system for biometric access control utilising the improved Cultural Chicken Swarm Optimization(CCSO)technique.This approach mitigates the limitations of conventional Chicken Swarm Optimization(CS...This study proposes a system for biometric access control utilising the improved Cultural Chicken Swarm Optimization(CCSO)technique.This approach mitigates the limitations of conventional Chicken Swarm Optimization(CSO),especially in dealing with larger dimensions due to diversity loss during solution space exploration.Our experimentation involved 600 sample images encompassing facial,iris,and fingerprint data,collected from 200 students at Ladoke Akintola University of Technology(LAUTECH),Ogbomoso.The results demonstrate the remarkable effectiveness of CCSO,yielding accuracy rates of 90.42%,91.67%,and 91.25%within 54.77,27.35,and 113.92 s for facial,fingerprint,and iris biometrics,respectively.These outcomes significantly outperform those achieved by the conventional CSO technique,which produced accuracy rates of 82.92%,86.25%,and 84.58%at 92.57,63.96,and 163.94 s for the same biometric modalities.The study’s findings reveal that CCSO,through its integration of Cultural Algorithm(CA)Operators into CSO,not only enhances algorithm performance,exhibiting computational efficiency and superior accuracy,but also carries broader implications beyond biometric systems.This innovation offers practical benefits in terms of security enhancement,operational efficiency,and adaptability across diverse user populations,shaping more effective and resource-efficient access control systems with real-world applicability.展开更多
Terminals and their access represent a vulnerable aspect in the security framework of 5G-railway(5G-R)system.To enhance the control of 5G-R terminals and their access to applications,this paper analyzes the applicatio...Terminals and their access represent a vulnerable aspect in the security framework of 5G-railway(5G-R)system.To enhance the control of 5G-R terminals and their access to applications,this paper analyzes the application scenarios,operational modes,services supported by 5G-R terminals,and the data paths between these terminals and the connected railway application service systems.Further analysis concentrates on the security risks posed by the characteristics of intelligent 5G-R handheld terminals,lightweight Internet of Things(IoT)communication terminals,and onboard integrated wireless transmission equipment with public-private convergence.In light of the risks above,this paper presents the terminal security control requirements.Furthermore,based on the planned architecture of the 5G-R system and security technologies such as terminal identity authentication and behavior auditing,the paper proposes a solution package for the 5G-R terminal security control system,including the overall architecture,functional implementation,and interface configuration.These solutions aim to achieve unified control over the admission and access of 5G-R handheld terminals,IoT communication terminals,and onboard integrated wireless communication equipment to railway application systems.Additionally,they enable the security control and analysis of terminal behaviors and application data,facilitate the security management of terminals,and ensure the secure release,download,and installation of mobile applications.展开更多
The increasing deployment of Internet of Things(IoT)devices has introduced significant security chal-lenges,including identity spoofing,unauthorized access,and data integrity breaches.Traditional security mechanisms r...The increasing deployment of Internet of Things(IoT)devices has introduced significant security chal-lenges,including identity spoofing,unauthorized access,and data integrity breaches.Traditional security mechanisms rely on centralized frameworks that suffer from single points of failure,scalability issues,and inefficiencies in real-time security enforcement.To address these limitations,this study proposes the Blockchain-Enhanced Trust and Access Control for IoT Security(BETAC-IoT)model,which integrates blockchain technology,smart contracts,federated learning,and Merkle tree-based integrity verification to enhance IoT security.The proposed model eliminates reliance on centralized authentication by employing decentralized identity management,ensuring tamper-proof data storage,and automating access control through smart contracts.Experimental evaluation using a synthetic IoT dataset shows that the BETAC-IoT model improves access control enforcement accuracy by 92%,reduces device authentication time by 52%(from 2.5 to 1.2 s),and enhances threat detection efficiency by 7%(from 85%to 92%)using federated learning.Additionally,the hybrid blockchain architecture achieves a 300%increase in transaction throughput when comparing private blockchain performance(1200 TPS)to public chains(300 TPS).Access control enforcement accuracy was quantified through confusion matrix analysis,with high precision and minimal false positives observed across access decision categories.Although the model presents advantages in security and scalability,challenges such as computational overhead,blockchain storage constraints,and interoperability with existing IoT systems remain areas for future research.This study contributes to advancing decentralized security frameworks for IoT,providing a resilient and scalable solution for securing connected environments.展开更多
Fine-grained rocks(FGR) are the important source rocks and reservoirs of shale hydrocarbon which is the prospect hotspot at present. Widely distributed fine-grained sediments(FGS) of the upper fourth member of Sha...Fine-grained rocks(FGR) are the important source rocks and reservoirs of shale hydrocarbon which is the prospect hotspot at present. Widely distributed fine-grained sediments(FGS) of the upper fourth member of Shahejie Formation in Dongying depression are taken as an example to study the space-time evolution and controlling factor of FGS in this paper. Based on the analysis of well cores, thin sections, inorganic and organic geochemistry indicators, FGR are divided into 7 types of lithofacies. Through the study of ‘point-line-plane', this study shows that FGS has the characteristics of rhythum, diversity and succession. The first stage is characterized by clayey FGS(massive claystone). The second stage is characterized by carbonate FGS(low-TOC laminated limestone) and dolomitic FGS(dolomitic-silty shale) formed by transgression. The third stage is characterized by organic-rich carbonate FGS(middle/high-TOC laminated limestone) distributed in cycle. The fourth stage is characterized by FGS mixed carbonate and siliciclastic sediments(calcareous-silty shale). A variety of space-time evolution of FGS are controlled by multiple factors including tectonism, climate and lake conditions.展开更多
This paper first introduces attribute expression to describe attribute-based access control policy.Secondly,an access control policy enforcement language named A-XACML (attribute-XACML)is proposed,which is an extens...This paper first introduces attribute expression to describe attribute-based access control policy.Secondly,an access control policy enforcement language named A-XACML (attribute-XACML)is proposed,which is an extension of XACML.A-XACML is used as a simple,flexible way to express and enforce access control policies,especially attribute-based access control policy,in a variety of environments.The language and schema support include data types,functions,and combining logic which allow simple and complex policies to be defined.Finally,a system architecture and application case of user-role assignment is given to show how attribute expressions and A-XACML work in access control policy description and enforcement.The case shows that attribute expression and A-XACML can describe and enforce the complex access control policy in a simple and flexible way.展开更多
A new role hierarchy model for RBAC (role-based access control) is presented and its features are illustrated through examples. Some new concepts such as private permission, public permission and special permission ar...A new role hierarchy model for RBAC (role-based access control) is presented and its features are illustrated through examples. Some new concepts such as private permission, public permission and special permission are introduced, based on the RRA97 model. Some new role-role inheriting forms such as normal inheritance, private inheritance, public inheritance and special-without inheritance are defined. Based on the ideas mentioned, the new role hierarchy model is formulated. It is easier and more comprehensible to describe role-role relationships through the new model than through the traditional ones. The new model is closer to the real world and its mechanism is more powerful. Particularly it is more suitable when used in large-scale role hierarchies.展开更多
An access control model is proposed based on the famous Bell-LaPadula (BLP) model.In the proposed model,hierarchical relationships among departments are built,a new concept named post is proposed,and assigning secur...An access control model is proposed based on the famous Bell-LaPadula (BLP) model.In the proposed model,hierarchical relationships among departments are built,a new concept named post is proposed,and assigning security tags to subjects and objects is greatly simplified.The interoperation among different departments is implemented through assigning multiple security tags to one post, and the more departments are closed on the organization tree,the more secret objects can be exchanged by the staff of the departments.The access control matrices of the department,post and staff are defined.By using the three access control matrices,a multi granularity and flexible discretionary access control policy is implemented.The outstanding merit of the BLP model is inherited,and the new model can guarantee that all the information flow is under control.Finally,our study shows that compared to the BLP model,the proposed model is more flexible.展开更多
针对IEEE802.11e Medium Access Control层的QoS机制高负载时存在远端节点冲突和低优先级业务资源被耗尽的问题,提出在牺牲较小带宽的基础上增加一条忙音信道,取代CTS帧在数据信道上的广播,减少远端节点的冲突.仿真结果表明,该方案具有...针对IEEE802.11e Medium Access Control层的QoS机制高负载时存在远端节点冲突和低优先级业务资源被耗尽的问题,提出在牺牲较小带宽的基础上增加一条忙音信道,取代CTS帧在数据信道上的广播,减少远端节点的冲突.仿真结果表明,该方案具有较小的冲突概率,有效地减少了远端节点冲突.同时提出一个解决公平性问题的新思路:在避退时间发送忙音抢占信道,以期提高低优先级业务的接入概率.展开更多
Role based access control is one of the widely used access control models.There are investigations in the literature that use knowledge representation mechanisms such as formal concept analysis(FCA),description logics...Role based access control is one of the widely used access control models.There are investigations in the literature that use knowledge representation mechanisms such as formal concept analysis(FCA),description logics,and Ontology for representing access control mechanism.However,while using FCA,investigations reported in the literature so far work on the logic that transforms the three dimensional access control matrix into dyadic formal contexts.This transformation is mainly to derive the formal concepts,lattice structure and implications to represent role hierarchy and constraints of RBAC.In this work,we propose a methodology that models RBAC using triadic FCA without transforming the triadic access control matrix into dyadic formal contexts.Our discussion is on two lines of inquiry.We present how triadic FCA can provide a suitable representation of RBAC policy and we demonstrate how this representation follows role hierarchy and constraints of RBAC on sample healthcare network available in the literature.展开更多
基金supported in part by the National Key R&D Program of China(Grant No.2019YFB2101700)the National Natural Science Foundation of China(Grant No.62272102,No.62172320,No.U21A20466)+4 种基金the Open Research Fund of Key Laboratory of Cryptography of Zhejiang Province(Grant No.ZCL21015)the Qinghai Key R&D and Transformation Projects(Grant No.2021-GX-112)the Natural Science Foundation of Nanjing University of Posts and Telecommunications(Grant No.NY222141)the Natural Science Foundation of Jiangsu Higher Education Institutions of China under Grant(No.22KJB520029)Henan Key Laboratory of Network Cryptography Technology(No.LNCT2022-A10)。
文摘Ciphertext-Policy Attribute-Based Encryption(CP-ABE)enables fine-grained access control on ciphertexts,making it a promising approach for managing data stored in the cloud-enabled Internet of Things.But existing schemes often suffer from privacy breaches due to explicit attachment of access policies or partial hiding of critical attribute content.Additionally,resource-constrained IoT devices,especially those adopting wireless communication,frequently encounter affordability issues regarding decryption costs.In this paper,we propose an efficient and fine-grained access control scheme with fully hidden policies(named FHAC).FHAC conceals all attributes in the policy and utilizes bloom filters to efficiently locate them.A test phase before decryption is applied to assist authorized users in finding matches between their attributes and the access policy.Dictionary attacks are thwarted by providing unauthorized users with invalid values.The heavy computational overhead of both the test phase and most of the decryption phase is outsourced to two cloud servers.Additionally,users can verify the correctness of multiple outsourced decryption results simultaneously.Security analysis and performance comparisons demonstrate FHAC's effectiveness in protecting policy privacy and achieving efficient decryption.
基金the State Grid Corporation of China Science and Technology Project Funding。
文摘The Energy Internet has generated huge amounts of information on the production devices,transmission devices,and energy consumption devices.The leakage of data in the collection,transmission,and storage process will cause serious security problems.The existing Energy Internet security methods rely on traditional access control mechanisms and specific network boundary defense mechanisms,which has the limitations of static strategies and coarse design.We combine the advantages of role-based access control(RBAC)and attribute-based access control(ABAC),and propose a trusted Energy Internet fine-grained access control model based on devices'attribute and users'roles.We have not only achieved fine-grained Energy Internet resource allocation,but also ensured that the access control process is related to the security status of the environment in real time.Experimental results show that the access control model can safely and accurately execute access decisions in the Energy Internet scenario,and the processing performance is more stable.
基金This research is supported by a grant from National Natural Science Foundation of China (No. 61170241, 61472097).This paper is funded by the International Exchange Program of Harbin Engineering University for Innovationoriented Talents Cultivation.
文摘In Cloud Computing, the application software and the databases are moved to large centralized data centers, where the management of the data and services may not be fully trustworthy. This unique paradigm brings many new security challenges, which have not been well solved. Data access control is an effective way to ensure the big data security in the cloud. In this paper,we study the problem of fine-grained data access control in cloud computing.Based on CP-ABE scheme,we propose a novel access control policy to achieve fine-grainedness and implement the operation of user revocation effectively.The analysis results indicate that our scheme ensures the data security in cloud computing and reduces the cost of the data owner significantly.
基金supported by the National Natural Science Foundation of China(Grant Nos.U2001205,61932010)Guangdong Basic and Applied Basic Research Foundation(Nos.2023B1515040020,2019B030302008)Guangdong Provincial Key Laboratory of Power System Network Security(No.GPKLPSNS-2022-KF-05).
文摘To prevent misuse of privacy,numerous anonymous authentication schemes with linkability and/or traceability have been proposed to ensure different types of accountabilities.Previous schemes cannot simultaneously achieve public linking and tracing while holding access control,therefore,a new tool named linkable and traceable anonymous authentication with fine-grained access control(LTAA-FGAC)is offered,which is designed to satisfy:(i)access control,i.e.,only authorized users who meet a designated authentication policy are approved to authenticate messages;(ii)public linkability,i.e.,anyone can tell whether two authentications with respect to a common identifier are created by an identical user;(iii)public traceability,i.e.,everyone has the ability to deduce a double-authentication user’s identity from two linked authentications without the help of other parties.We formally define the basic security requirements for the new tool,and also give a generic construction so as to satisfy these requirements.Then,we present a formal security proof and an implementation of our proposed LTAA-FGAC scheme.
基金supported by the National Natural Science Foundation of China(Grant Nos.U2001205,61922036,61932011)Guangdong Basic and Applied Basic Research Foundation(Grant Nos.2019B030302008,2019B1515120010)+2 种基金Science and Technology Project of Guangzhou City(Grant No.201707010320)TESTBED2(Grant No.H2020-MSCA-RISE-2019)National Key Research and Development Program of China(Grant No.2019YFE0123600).
文摘We introduce a new notion called accountable attribute-based authentication with fine-grained access control (AccABA), which achieves (i) fine-grained access control that prevents ineligible users from authenticating;(ii) anonymity such that no one can recognize the identity of a user;(iii) public accountability, i.e., as long as a user authenticates two different messages, the corresponding authentications will be easily identified and linked, and anyone can reveal the user’s identity without any help from a trusted third party. Then, we formalize the security requirements in terms of unforgeability, anonymity, linkability and traceability, and give a generic construction to fulfill these requirements. Based on AccABA, we further present the first attribute-based, fair, anonymous and publicly traceable crowdsourcing scheme on blockchain, which is designed to filter qualified workers to participate in tasks, and ensures the fairness of the competition between workers, and finally balances the tension between anonymity and accountability.
基金Project (No.2006AA01Z430) supported by the National High-Tech Research and Development Program (863) of China
文摘Fine-grained access control (FGAC) must be supported by relational databases to satisfy the requirements of privacy preserving and Internet-based applications.Though much work on FGAC models has been conducted,there are still a number of ongoing problems.We propose a new FGAC model which supports the specification of open access control policies as well as closed access control policies in relational databases.The negative authorization is supported,which allows the security administrator to specify what data should not be accessed by certain users.Moreover,multiple policies defined to regulate user access together are also supported.The definition and combination algorithm of multiple policies are thus provided.Finally,we implement the proposed FGAC model as a component of the database management system (DBMS) and evaluate its performance.The performance results show that the proposed model is feasible.
基金supported by the National Science Foundation of China(No.62171387)the Science and Technology Program of Sichuan Province(No.2024NSFSC0468)the China Postdoctoral Science Foundation(No.2019M663475).
文摘As an important resource in data link,time slots should be strategically allocated to enhance transmission efficiency and resist eavesdropping,especially considering the tremendous increase in the number of nodes and diverse communication needs.It is crucial to design control sequences with robust randomness and conflict-freeness to properly address differentiated access control in data link.In this paper,we propose a hierarchical access control scheme based on control sequences to achieve high utilization of time slots and differentiated access control.A theoretical bound of the hierarchical control sequence set is derived to characterize the constraints on the parameters of the sequence set.Moreover,two classes of optimal hierarchical control sequence sets satisfying the theoretical bound are constructed,both of which enable the scheme to achieve maximum utilization of time slots.Compared with the fixed time slot allocation scheme,our scheme reduces the symbol error rate by up to 9%,which indicates a significant improvement in anti-interference and eavesdropping capabilities.
基金supported by the National Natural Science Foundation of China under Grant 61972148。
文摘The traditional centralized data sharing systems have potential risks such as single point of failures and excessive working load on the central node.As a distributed and collaborative alternative,approaches based upon blockchain have been explored recently for Internet of Things(IoTs).However,the access from a legitimate user may be denied without the pre-defined policy and data update on the blockchain could be costly to the owners.In this paper,we first address these issues by incorporating the Accountable Subgroup Multi-Signature(ASM)algorithm into the Attribute-based Access Control(ABAC)method with Policy Smart Contract,to provide a finegrained and flexible solution.Next,we propose a policy-based Chameleon Hash algorithm that allows the data to be updated in a reliable and convenient way by the authorized users.Finally,we evaluate our work by comparing its performance with the benchmarks.The results demonstrate significant improvement on the effectiveness and efficiency.
文摘With the development of cloud computing, the mutual understandability among distributed data access control has become an important issue in the security field of cloud computing. To ensure security, confidentiality and fine-grained data access control of Cloud Data Storage (CDS) environment, we proposed Multi-Agent System (MAS) architecture. This architecture consists of two agents: Cloud Service Provider Agent (CSPA) and Cloud Data Confidentiality Agent (CDConA). CSPA provides a graphical interface to the cloud user that facilitates the access to the services offered by the system. CDConA provides each cloud user by definition and enforcement expressive and flexible access structure as a logic formula over cloud data file attributes. This new access control is named as Formula-Based Cloud Data Access Control (FCDAC). Our proposed FCDAC based on MAS architecture consists of four layers: interface layer, existing access control layer, proposed FCDAC layer and CDS layer as well as four types of entities of Cloud Service Provider (CSP), cloud users, knowledge base and confidentiality policy roles. FCDAC, it’s an access policy determined by our MAS architecture, not by the CSPs. A prototype of our proposed FCDAC scheme is implemented using the Java Agent Development Framework Security (JADE-S). Our results in the practical scenario defined formally in this paper, show the Round Trip Time (RTT) for an agent to travel in our system and measured by the times required for an agent to travel around different number of cloud users before and after implementing FCDAC.
基金supported by the Science and Technology Project of the State Grid Corporation of China,Grant number 5700-202223189A-1-1-ZN.
文摘Renewable Energy Systems(RES)provide a sustainable solution to climate warming and environmental pollution by enhancing stability and reliability through status acquisition and analysis on cloud platforms and intelligent processing on edge servers(ES).However,securely distributing encrypted data stored in the cloud to terminals that meet decryption requirements has become a prominent research topic.Additionally,managing attributes,including addition,deletion,and modification,is a crucial issue in the access control scheme for RES.To address these security concerns,a trust-based ciphertext-policy attribute-based encryption(CP-ABE)device access control scheme is proposed for RES(TB-CP-ABE).This scheme effectivelymanages the distribution and control of encrypted data on the cloud through robust attribute key management.By introducing trust management mechanisms and outsourced decryption technology,the ES system can effectively assess and manage the trust worthiness of terminal devices,ensuring that only trusted devices can participate in data exchange and access sensitive information.Besides,the ES system dynamically evaluates trust scores to set decryption trust thresholds,thereby regulating device data access permissions and enhancing the system’s security.To validate the security of the proposed TB-CP-ABE against chosen plaintext attacks,a comprehensive formal security analysis is conducted using the widely accepted random oraclemodel under the decisional q-Bilinear Diffie-Hellman Exponent(q-BDHE)assumption.Finally,comparative analysis with other schemes demonstrates that the TB-CP-ABE scheme cuts energy/communication costs by 43%,and scaleswell with rising terminals,maintaining average latency below 50ms,ensuring real-time service feasibility.The proposed scheme not only provides newinsights for the secure management of RES but also lays a foundation for future secure energy solutions.
基金supported by National Natural Science Foundation of China(No.62102449).
文摘Security attributes are the premise and foundation for implementing Attribute-Based Access Control(ABAC)mechanisms.However,when dealing with massive volumes of unstructured text big data resources,the current attribute management methods based on manual extraction face several issues,such as high costs for attribute extraction,long processing times,unstable accuracy,and poor scalability.To address these problems,this paper proposes an attribute mining technology for access control institutions based on hybrid capsule networks.This technology leverages transfer learning ideas,utilizing Bidirectional Encoder Representations from Transformers(BERT)pre-trained language models to achieve vectorization of unstructured text data resources.Furthermore,we have designed a novel end-to-end parallel hybrid network structure,where the parallel networks handle global and local information features of the text that they excel at,respectively.By employing techniques such as attention mechanisms,capsule networks,and dynamic routing,effective mining of security attributes for access control resources has been achieved.Finally,we evaluated the performance level of the proposed attribute mining method for access control institutions through experiments on the medical referral text resource dataset.The experimental results show that,compared with baseline algorithms,our method adopts a parallel network structure that can better balance global and local feature information,resulting in improved overall performance.Specifically,it achieves a comprehensive performance enhancement of 2.06%to 8.18%in the F1 score metric.Therefore,this technology can effectively provide attribute support for access control of unstructured text big data resources.
基金supported by Ladoke Akintola University of Technology,Ogbomoso,Nigeria and the University of Zululand,South Africa.
文摘This study proposes a system for biometric access control utilising the improved Cultural Chicken Swarm Optimization(CCSO)technique.This approach mitigates the limitations of conventional Chicken Swarm Optimization(CSO),especially in dealing with larger dimensions due to diversity loss during solution space exploration.Our experimentation involved 600 sample images encompassing facial,iris,and fingerprint data,collected from 200 students at Ladoke Akintola University of Technology(LAUTECH),Ogbomoso.The results demonstrate the remarkable effectiveness of CCSO,yielding accuracy rates of 90.42%,91.67%,and 91.25%within 54.77,27.35,and 113.92 s for facial,fingerprint,and iris biometrics,respectively.These outcomes significantly outperform those achieved by the conventional CSO technique,which produced accuracy rates of 82.92%,86.25%,and 84.58%at 92.57,63.96,and 163.94 s for the same biometric modalities.The study’s findings reveal that CCSO,through its integration of Cultural Algorithm(CA)Operators into CSO,not only enhances algorithm performance,exhibiting computational efficiency and superior accuracy,but also carries broader implications beyond biometric systems.This innovation offers practical benefits in terms of security enhancement,operational efficiency,and adaptability across diverse user populations,shaping more effective and resource-efficient access control systems with real-world applicability.
文摘Terminals and their access represent a vulnerable aspect in the security framework of 5G-railway(5G-R)system.To enhance the control of 5G-R terminals and their access to applications,this paper analyzes the application scenarios,operational modes,services supported by 5G-R terminals,and the data paths between these terminals and the connected railway application service systems.Further analysis concentrates on the security risks posed by the characteristics of intelligent 5G-R handheld terminals,lightweight Internet of Things(IoT)communication terminals,and onboard integrated wireless transmission equipment with public-private convergence.In light of the risks above,this paper presents the terminal security control requirements.Furthermore,based on the planned architecture of the 5G-R system and security technologies such as terminal identity authentication and behavior auditing,the paper proposes a solution package for the 5G-R terminal security control system,including the overall architecture,functional implementation,and interface configuration.These solutions aim to achieve unified control over the admission and access of 5G-R handheld terminals,IoT communication terminals,and onboard integrated wireless communication equipment to railway application systems.Additionally,they enable the security control and analysis of terminal behaviors and application data,facilitate the security management of terminals,and ensure the secure release,download,and installation of mobile applications.
文摘The increasing deployment of Internet of Things(IoT)devices has introduced significant security chal-lenges,including identity spoofing,unauthorized access,and data integrity breaches.Traditional security mechanisms rely on centralized frameworks that suffer from single points of failure,scalability issues,and inefficiencies in real-time security enforcement.To address these limitations,this study proposes the Blockchain-Enhanced Trust and Access Control for IoT Security(BETAC-IoT)model,which integrates blockchain technology,smart contracts,federated learning,and Merkle tree-based integrity verification to enhance IoT security.The proposed model eliminates reliance on centralized authentication by employing decentralized identity management,ensuring tamper-proof data storage,and automating access control through smart contracts.Experimental evaluation using a synthetic IoT dataset shows that the BETAC-IoT model improves access control enforcement accuracy by 92%,reduces device authentication time by 52%(from 2.5 to 1.2 s),and enhances threat detection efficiency by 7%(from 85%to 92%)using federated learning.Additionally,the hybrid blockchain architecture achieves a 300%increase in transaction throughput when comparing private blockchain performance(1200 TPS)to public chains(300 TPS).Access control enforcement accuracy was quantified through confusion matrix analysis,with high precision and minimal false positives observed across access decision categories.Although the model presents advantages in security and scalability,challenges such as computational overhead,blockchain storage constraints,and interoperability with existing IoT systems remain areas for future research.This study contributes to advancing decentralized security frameworks for IoT,providing a resilient and scalable solution for securing connected environments.
基金supported by the National Science and Technology Special Grant of China (No. 2017zx05036-004)
文摘Fine-grained rocks(FGR) are the important source rocks and reservoirs of shale hydrocarbon which is the prospect hotspot at present. Widely distributed fine-grained sediments(FGS) of the upper fourth member of Shahejie Formation in Dongying depression are taken as an example to study the space-time evolution and controlling factor of FGS in this paper. Based on the analysis of well cores, thin sections, inorganic and organic geochemistry indicators, FGR are divided into 7 types of lithofacies. Through the study of ‘point-line-plane', this study shows that FGS has the characteristics of rhythum, diversity and succession. The first stage is characterized by clayey FGS(massive claystone). The second stage is characterized by carbonate FGS(low-TOC laminated limestone) and dolomitic FGS(dolomitic-silty shale) formed by transgression. The third stage is characterized by organic-rich carbonate FGS(middle/high-TOC laminated limestone) distributed in cycle. The fourth stage is characterized by FGS mixed carbonate and siliciclastic sediments(calcareous-silty shale). A variety of space-time evolution of FGS are controlled by multiple factors including tectonism, climate and lake conditions.
基金The National High Technology Research and Development Program of China(863Program)(No.2007AA01Z445)
文摘This paper first introduces attribute expression to describe attribute-based access control policy.Secondly,an access control policy enforcement language named A-XACML (attribute-XACML)is proposed,which is an extension of XACML.A-XACML is used as a simple,flexible way to express and enforce access control policies,especially attribute-based access control policy,in a variety of environments.The language and schema support include data types,functions,and combining logic which allow simple and complex policies to be defined.Finally,a system architecture and application case of user-role assignment is given to show how attribute expressions and A-XACML work in access control policy description and enforcement.The case shows that attribute expression and A-XACML can describe and enforce the complex access control policy in a simple and flexible way.
文摘A new role hierarchy model for RBAC (role-based access control) is presented and its features are illustrated through examples. Some new concepts such as private permission, public permission and special permission are introduced, based on the RRA97 model. Some new role-role inheriting forms such as normal inheritance, private inheritance, public inheritance and special-without inheritance are defined. Based on the ideas mentioned, the new role hierarchy model is formulated. It is easier and more comprehensible to describe role-role relationships through the new model than through the traditional ones. The new model is closer to the real world and its mechanism is more powerful. Particularly it is more suitable when used in large-scale role hierarchies.
基金The National Natural Science Foundation of China(No.60403027,60773191,70771043)the National High Technology Research and Development Program of China(863 Program)(No.2007AA01Z403)
文摘An access control model is proposed based on the famous Bell-LaPadula (BLP) model.In the proposed model,hierarchical relationships among departments are built,a new concept named post is proposed,and assigning security tags to subjects and objects is greatly simplified.The interoperation among different departments is implemented through assigning multiple security tags to one post, and the more departments are closed on the organization tree,the more secret objects can be exchanged by the staff of the departments.The access control matrices of the department,post and staff are defined.By using the three access control matrices,a multi granularity and flexible discretionary access control policy is implemented.The outstanding merit of the BLP model is inherited,and the new model can guarantee that all the information flow is under control.Finally,our study shows that compared to the BLP model,the proposed model is more flexible.
文摘针对IEEE802.11e Medium Access Control层的QoS机制高负载时存在远端节点冲突和低优先级业务资源被耗尽的问题,提出在牺牲较小带宽的基础上增加一条忙音信道,取代CTS帧在数据信道上的广播,减少远端节点的冲突.仿真结果表明,该方案具有较小的冲突概率,有效地减少了远端节点冲突.同时提出一个解决公平性问题的新思路:在避退时间发送忙音抢占信道,以期提高低优先级业务的接入概率.
基金the financial support from Department of Science and Technology,Government of India under the grant:SR/CSRI/118/2014
文摘Role based access control is one of the widely used access control models.There are investigations in the literature that use knowledge representation mechanisms such as formal concept analysis(FCA),description logics,and Ontology for representing access control mechanism.However,while using FCA,investigations reported in the literature so far work on the logic that transforms the three dimensional access control matrix into dyadic formal contexts.This transformation is mainly to derive the formal concepts,lattice structure and implications to represent role hierarchy and constraints of RBAC.In this work,we propose a methodology that models RBAC using triadic FCA without transforming the triadic access control matrix into dyadic formal contexts.Our discussion is on two lines of inquiry.We present how triadic FCA can provide a suitable representation of RBAC policy and we demonstrate how this representation follows role hierarchy and constraints of RBAC on sample healthcare network available in the literature.
