
Research and Application of Access Control in a Police Integrated Information System

Research and Implementation of an Access Control Model for a Police Integrated Information System

【Author】 Song Kai

【Supervisors】 Cao Zhenfu; He Bing

【Author information】 Shanghai Jiao Tong University, Software Engineering, 2009, Master's thesis

【Abstract (translated from the Chinese)】 With the growth of the Internet and information technology, enterprise information systems have received more attention and wider use. Building out information systems for public security has given users in the various police departments a fast and convenient channel for sharing information. On that road, the access control policy and mechanism of an information system is a key problem, especially for systems with very large numbers of users and information resources. An access control policy is one of the main means of preventing information inside a system from being illegally obtained, modified or destroyed, and of preventing unauthorized use of the system. Because the police integrated information system handles confidential and sensitive data, enforcing strict access control is critical. This thesis first briefly introduces several traditional access control models and their characteristics, mainly discretionary access control, mandatory access control and role-based access control (RBAC); of these, RBAC is the most widely applied. Its basic idea is to use roles to logically decouple users from permissions, which simplifies access control management. However, as requirements on data security and on the flexibility of access control have risen, the traditional models have gradually shown many shortcomings and have proved limited in many practical applications. A more powerful access control model is needed to meet the more complex requirements of real deployments. With the progress of cryptography, attribute-based cryptosystems have drawn wide attention over the past four years. They can address long-standing hard problems in access control by providing message confidentiality and flexible access control at the same time. Drawing on the properties of attribute-based cryptography, this thesis proposes a new attribute-based access control model, derived from an attribute-based encryption scheme that is selective-tree CPA-secure in the standard model. Compared with traditional access control models it allows ciphertext resources to be used effectively: it makes access control more flexible, adds a degree of opacity to the access control policy, and, because messages are stored as ciphertext at all times, relaxes the security requirements placed on the servers and the storage they access. Finally, the attribute-based access control module is implemented and applied in the police integrated system. The attribute-based encryption part is implemented separately in C: C code is computationally efficient, and since the attribute-based encryption module is the low-level core algorithm of the system, its efficiency must be kept under control. Implementing it separately also makes the module more reusable.

【Abstract】 With the development of the Internet and information technology, information systems have received more attention and are used more widely. Building information systems for the police lets users in every police department share information conveniently and effectively. The access control model is a central concern in this informatization, especially for information systems with large numbers of users and resources. Access control is essential to prevent internal information from being unlawfully obtained, modified or destroyed and to prevent unauthorized use of the system. Strict access control in the police integrated system is critical to its deployment because of the confidentiality and sensitivity of the data involved. We first describe three traditional access control models in current use: discretionary access control, mandatory access control and role-based access control (RBAC). Among them RBAC is the most widely used. Its basic idea is to achieve logical isolation between users and privileges through roles, which simplifies access control management. From the application perspective this thesis systematically studies access control technology and RBAC models and summarizes their characteristics, advantages and disadvantages; taking the particular character of police work into account, it extends the common RBAC model, and the extended model makes access control more convenient and flexible. As requirements for flexible access control and data security rise, the traditional access control models reveal their shortcomings and show their limitations in many applications, and a stronger access control model is urgently needed to handle the more complex requirements. With the development of cryptography, attribute-based cryptosystems have recently drawn considerable attention from researchers in this community. They offer an efficient way to solve open problems in access control, such as providing data confidentiality and expressive access control at the same time. Combining the techniques of attribute-based cryptosystems, we propose a new attribute-based access control model, extended from an attribute-based encryption scheme that is selective-tree CPA-secure in the standard model. Compared with the traditional access control models, the new model makes more effective use of ciphertext, improves the flexibility of access control, adds a degree of opacity to access control, and relaxes the security requirements on the server and the access control system by storing data in ciphertext form. Finally, we implement the attribute-based access control model and apply it in the police integrated information system. Its attribute-based encryption module is implemented separately in C, since the encryption module is the core algorithm of the system and C code runs efficiently; implementing it separately also lets the module be reused in other applications.
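Both abstracts say the new model grows out of a tree-based attribute-based encryption scheme, where a record is readable only by a holder of attributes that satisfy an access tree of threshold gates. The example below is added here to show that mechanism in working code; it is not the thesis's C implementation and not the scheme it proves secure. It shares a fresh secret down a policy tree with Shamir polynomials (a gate with threshold k hands degree-(k-1) polynomial evaluations to its children), reconstructs the secret only when the attribute set satisfies the tree, and uses the secret to unseal a record stored as ciphertext. The field modulus, the hash-based stream cipher, the policy and the attribute names are assumptions for the illustration; in a real ABE scheme the shares are embedded in pairing-group elements rather than stored in the clear on the tree, which is what makes the toy's "stored shares" a demonstration of the policy logic rather than of the cryptographic hardness.

```python
import hashlib
import secrets

# Assumed field modulus for the toy shares (a Mersenne prime). Real ABE works in
# pairing-friendly groups; a bare prime field is enough to show the tree logic.
P = 2**127 - 1


class Node:
    """Access-tree node: a threshold gate (k of its children must be satisfied)
    or a leaf labelled with an attribute. Leaves carry their share after sharing."""

    def __init__(self, k=None, children=None, attr=None):
        self.k = k
        self.children = children or []
        self.attr = attr
        self.share = None


def leaf(attr):
    return Node(attr=attr)


def AND(*children):
    return Node(k=len(children), children=list(children))


def OR(*children):
    return Node(k=1, children=list(children))


def share(node, secret):
    """Top-down sharing as in tree-based ABE: a gate with threshold k picks a random
    polynomial q of degree k-1 with q(0) = secret and hands q(i) to its i-th child."""
    if node.attr is not None:
        node.share = secret
        return
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(node.k - 1)]
    for i, child in enumerate(node.children, start=1):
        share(child, sum(c * pow(i, e, P) for e, c in enumerate(coeffs)) % P)


def _interpolate_at_zero(points):
    """Lagrange interpolation of q(0) mod P from (x, q(x)) pairs."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def recover(node, attrs):
    """Bottom-up reconstruction: the node's share if attrs satisfy the subtree,
    else None (a gate with fewer than k satisfied children cannot interpolate)."""
    if node.attr is not None:
        return node.share if node.attr in attrs else None
    points = []
    for i, child in enumerate(node.children, start=1):
        value = recover(child, attrs)
        if value is not None:
            points.append((i, value))
    if len(points) < node.k:
        return None
    return _interpolate_at_zero(points[: node.k])


def _keystream(secret, n):
    """Hash-derived keystream from the recovered secret (illustration only, not an AEAD)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(secret.to_bytes(16, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def seal(data, secret):
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(secret, len(data))))


def encrypt_under_policy(tree, plaintext):
    """Pick a fresh secret, share it over the policy tree, encrypt the record with it."""
    secret = secrets.randbelow(P)
    share(tree, secret)
    return seal(plaintext, secret)


def decrypt_with_attributes(tree, ciphertext, attrs):
    """Decrypt only if the caller's attributes satisfy the policy; None otherwise."""
    secret = recover(tree, attrs)
    return None if secret is None else seal(ciphertext, secret)


def build_policy():
    """Hypothetical policy for a case file: a police user holding at least
    2 of 3 further attributes (department, city, rank)."""
    return AND(
        leaf("org:police"),
        Node(k=2, children=[leaf("dept:criminal-investigation"),
                            leaf("city:Shanghai"),
                            leaf("rank:captain")]),
    )


if __name__ == "__main__":
    tree = build_policy()
    ct = encrypt_under_policy(tree, b"case file: constructed sample record")
    print(decrypt_with_attributes(tree, ct, {"org:police", "dept:criminal-investigation", "rank:captain"}))
    print(decrypt_with_attributes(tree, ct, {"org:police", "city:Shanghai"}))
```

The OR gate is a 1-of-n threshold, so any single satisfied child yields the parent's share; the AND gate is n-of-n, so every child is needed. The 2-of-3 gate in the sample policy is the case RBAC cannot express without enumerating every qualifying combination as a role, which is the flexibility argument the abstracts make for the attribute-based model.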
