Authority transfer method in block chain access control

Document No.: 1478692 Publication date: 2020-02-25

Reading note: this technology, "Authority transfer method in block chain access control", was designed by Li Ru (李茹), Shi Jinshan (史锦山), Zhang Xin (张新), Zhang Xiaodong (张晓东) and Zhang Jianghui (张江徽) on 2019-11-15. Main content: The invention discloses a permission transfer method in blockchain access control. In blockchain access control, the permissions of a resource are abstracted into non-fungible tokens stored on the blockchain. The invention transfers permissions through a smart contract, so that users can operate on permissions more flexibly. When a resource visitor wants to transfer a permission it holds to another user, it uses the permission transfer smart contract deployed on the blockchain to pass the token representing the permission to the other user. The smart contract automatically verifies whether the user receiving the token is entitled to receive it, which prevents the permission from being transferred to an illegitimate user. The permission transfer method in this application makes blockchain-based access control more flexible and more secure.

1. A method for transferring permissions in blockchain access control, characterized in that: the method uses a smart contract to transfer permissions granted in blockchain access control; the permission transfer smart contract checks whether the permission receiver is qualified to use the permission; if the check passes, the smart contract changes the owner of the permission from the permission sender to the permission receiver; otherwise, the transfer fails.

2. The method for transferring permissions in blockchain access control as claimed in claim 1, comprising the following steps:

Step 1: The permission owner A, who holds the access permission for resource s, and the resource visitor B negotiate and decide to pass the permission token of resource s to resource visitor B.

Step 2: Permission owner A sends the permission transfer message generated from the negotiation result to the permission transfer smart contract in the blockchain network; the content of the message is that the permission T_S of permission owner A is passed to resource visitor B.

Step 3: Resource visitor B sends the permission transfer smart contract a request confirming receipt of the permission token T_S.

Step 4: For the permission transfer to take effect, A, B and the access control contract of resource s must all agree, so SC_AC is to send the information of the permission transfer message to SC_T.

Step 5: The access control policy in SC_AC must decide whether to approve the transfer of the permission token, so it needs to verify whether the attributes and constraints of the permission token T_S are legitimate, then obtain the relevant information about B from the PIP and verify whether B is legitimate.

Step 6: SC_T makes a decision based on the collected information and returns the decision result to SC_AC.

Step 7: If approved, SC_AC sends the token T_S to B and informs A; if rejected, SC_AC sends the rejection information to B and informs A.

3. The method is characterized in that the permissions include reading data, writing data, creating data, deleting data, operating Internet of Things devices and the like, and a particular permission can be granted to a subject through fine-grained selection.

4. A first method for transferring permissions, as claimed in claim 1, characterized in that, on each permission transfer, a complete authorization decision process is performed on the permission receiver; the transfer can take place only if the access control system judges the permission receiver to be entitled to use the permission, otherwise the transfer fails.

5. The first permission transfer method as claimed in claim 1, wherein the method integrates the index of the access policy corresponding to the permission into the permission token; on each permission transfer, the corresponding access control policy is found directly from the access policy index in the token, and a decision is then made on the permission receiver; the transfer can take place only if the access control system judges the permission receiver to be entitled to use the permission, otherwise the transfer fails.

6. The first permission transfer method as claimed in claim 1, wherein the method integrates the access control policy corresponding to the permission directly into the token, so that when the permission is transferred, the access control policy in the token is read directly to decide whether the permission receiver is entitled to use the permission; the transfer can take place only if the permission receiver is judged to be entitled to use the permission, otherwise the transfer fails.

Technical Field

The invention relates to the field of access control based on a block chain, in particular to a method for transferring authority in block chain access control.

Background

As a distributed, decentralized computing and storage architecture, the blockchain solves the problems caused by centralized decision mechanisms in access control design. These problems are mainly single points of failure and the security of the central authority. Since researchers introduced the blockchain into access control, various blockchain-based access control models have been proposed. Because the blockchain originated as a peer-to-peer distributed ledger technology based on cryptographic algorithms, the permissions of resources are abstracted into blockchain-based non-fungible tokens in access control, and permissions are granted by transferring the tokens through transactions.

Mapping permissions to tokens lends itself naturally to permission transfer: permissions can be transferred flexibly through transactions or smart contracts on the blockchain. It also introduces a security risk, because the permission owner may transfer the permission to an illegitimate user and so leak it. Existing permission transfer methods implemented through transactions on a blockchain have serious security weaknesses. They do not take the constraints on the permission into account: the user receiving the permission is not subjected to an access control policy decision and is given the permission directly by its owner, so a legitimate user can transfer the access permission for a resource to an illegitimate user. How to keep permissions secure during transfer is a problem that blockchain-based access control must currently solve.

Disclosure of Invention

Aiming at the defects of the prior art, the invention provides a method for transferring the authority in the block chain access control, which not only improves the flexibility of the authority management in the access control, but also avoids the safety problem caused by the transfer of the authority among users.

The purpose of the invention is achieved by the following technical scheme: a method for transferring permissions in blockchain access control that adds the access control policy of the permission as a further party to the original transfer method, in which only the sender and the receiver of the permission take part. A receiver who wants to receive a permission must satisfy the access control policy of that permission. The new permission transfer scheme is implemented by smart contracts deployed on the blockchain.

A workflow of rights transfer in blockchain access control:

Where transfer of the permission is allowed, when a permission owner A who holds a resource access permission wants to transfer it to a resource visitor B, the two must jointly agree, subject to the constraints on the permission, on a permission transfer message that meets the requirements of the permission transfer smart contract.

The content of the permission transfer message is that permission owner A transfers the permission to resource visitor B.

For the permission transfer message to take effect, it must be jointly approved by permission owner A, resource visitor B and the access control contract of the resource.

When the permission transfer message is sent to the permission transfer smart contract on the blockchain, the contract sends the content of the transfer to the access control contract of the resource.

The access control contract S can acquire the information of the resource visitor B from the PIP and make a decision by combining the constraint and the attribute of the authority.

If the transfer is approved, the access control contract sends the approval information to the authority transfer contract, and then the authority transfer contract changes the owner of the authority from the authority owner A to the resource visitor B. Otherwise the rights transfer fails.

The permission transfer method in blockchain access control has three implementation methods. The first method performs a complete authorization decision process on the permission receiver at each permission transfer; the transfer can occur only when the access control system judges the permission receiver to be entitled to use the permission, otherwise the transfer fails.

The second method starts from the fact that, in blockchain-based access control, permissions are usually represented as non-fungible tokens, and a permission transfer appears on the blockchain as a token transfer. The first method requires a complete authorization decision process for the permission receiver. In a complex environment such as the Internet of Things, the access control system has a large number of access policies; the policies corresponding to a given permission often have to be searched for and combined from among them, and the search time grows with the number of access policies.

The second method therefore integrates the index of the access policy corresponding to the permission into the permission token. At each permission transfer, the corresponding access control policy is found directly from the access policy index in the token, and a decision is then made on the permission receiver. The transfer can occur only when the access control system judges the permission receiver to be entitled to use the permission, otherwise the transfer fails.

The third method integrates the access control policy corresponding to the permission directly into the token, so that when the permission is transferred, the access control policy in the token is read directly to decide whether the permission receiver is entitled to use the permission. The transfer can occur only when the permission receiver is judged to be entitled to use the permission, otherwise the transfer fails.

The three permission transfer methods each have advantages and disadvantages and suit different scenarios. If the first method takes too long, the second may be used; if the second takes too long, the third may be used. However, the storage overhead of the three methods increases in that order, so the method must be chosen according to the application.

In general, the beneficial effects of the invention are as follows:

The three permission transfer methods of the invention verify the permission receiver during the transfer, judging whether the receiver is entitled to use the transferred permission; the transfer can occur only when the receiver is judged to qualify, otherwise it fails. The invention prevents a permission from being obtained by an illegitimate user during transfer and closes an unauthorized access vulnerability in access control.

Drawings

FIG. 1 is a diagram illustrating a method of transferring permissions in blockchain access control according to the present invention;

FIG. 2 is a flowchart illustrating a method for transferring permissions in blockchain access control according to a first embodiment of the present invention;

FIG. 3 is a flowchart illustrating a method for transferring permissions in blockchain access control according to a second embodiment of the present invention;

FIG. 4 is a flowchart illustrating a method for transferring permissions in blockchain access control according to a third embodiment of the present invention.

Detailed Description

It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.

FIG. 1 is a schematic diagram of the permission transfer flow in blockchain-based access control according to the present invention. The method uses a smart contract to transfer permissions. Permission transfer refers to the process in which user A, having acquired the permission for a resource, transfers that permission to user B. The terms used in this application are explained as follows:

(1) A token is an entity representing an access control permission on the blockchain; in the present invention, token refers to a non-fungible token.

(2) A Policy Enforcement Point (PEP) is an entity that performs access control in a specific application environment.

(3) A Policy Information Point (PIP) is an entity that provides access control system information, through which attribute information about the subject, the resource and the environment can be acquired.

The rights transfer flow shown in fig. 1 completes the transfer of rights according to the following steps:

Step 1: The permission owner A, who holds the access permission for resource s, and the resource visitor B negotiate and decide to pass the permission token of resource s to resource visitor B.

Step 2: Permission owner A sends the permission transfer message generated from the negotiation result to the permission transfer smart contract in the blockchain network; the content of the message is that the permission T_S of permission owner A is passed to resource visitor B.

Step 3: Resource visitor B sends the permission transfer smart contract a request confirming receipt of the permission token T_S.

Step 4: For the permission transfer to take effect, A, B and the access control contract of resource s must all agree, so SC_AC is to send the information of the permission transfer message to SC_T.

Step 5: The access control policy in SC_AC must decide whether to approve the transfer of the permission token, so it needs to verify the permission token T_S and then obtain the relevant information about B from the PIP to verify whether B is legitimate.

Step 6: SC_T makes a decision based on the collected information and returns the decision result to SC_AC.

Step 7: If approved, SC_AC sends the token T_S to B and informs A; if rejected, SC_AC sends the rejection information to B and informs A.

Based on the above-mentioned permission transfer flow, various embodiments of permission transfer in block chain access control are proposed.

Referring to fig. 2, fig. 2 is a flowchart illustrating a method for transferring permissions in blockchain access control according to a first embodiment of the present invention.

While a logical order is shown in the flow chart, in some cases, the steps shown or described may be performed in an order different than that shown.

The first embodiment of the authority transfer method in block chain access control comprises the following steps:

After the two parties to the transfer have decided to transfer the permission, the permission sender sends a permission transfer message to the permission transfer smart contract on the blockchain.

After receiving the permission transfer message, the permission transfer contract first verifies whether the message is correct, then sends the transfer message and the information about the permission receiver to the access control smart contract. The access control contract judges, according to the access control policy of the permission, whether the permission receiver is entitled to use the permission.

If the permission receiver is entitled to use it, the permission transfer contract changes the owner of the permission from the permission sender to the permission receiver, records the content of the permission transfer on the blockchain, and returns the result.

If the permission receiver is not entitled to use the permission, the permission transfer fails and a failure result is returned.

Referring to FIG. 3, FIG. 3 is a flowchart illustrating a method for transferring permissions in blockchain access control according to a second embodiment of the present invention. The second embodiment of the permission transfer method differs from the first embodiment in that:

(1) The permission token integrates an index of the access control policy corresponding to the permission.

(2) After receiving the permission transfer message, the permission transfer contract first verifies whether the message is correct, then extracts the index of the access control policy corresponding to the permission from the permission token, and then sends the index information and the information about the permission receiver to the access control smart contract.

(3) The received policy indexes are combined into the complete access control policy corresponding to the permission, which is then used to decide whether the permission receiver may use the permission.

Referring to fig. 4, fig. 4 is a flowchart illustrating a method for transferring permissions in blockchain access control according to a third embodiment of the present invention. The third embodiment of the rights transfer method differs from the previous two embodiments in that:

(1) The access control policy corresponding to the permission is integrated directly into the token, so that after the permission transfer contract receives the permission transfer message, it can extract the access control policy from the token directly and judge whether the permission receiver is entitled to use the permission.

(2) No information needs to be passed to the access control contract for a decision, so the transfer takes less time, but the storage cost of the token is higher.
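The three embodiments above, modeled off-chain in Python as an added example (this is not code from the patent). The names POLICY_STORE, PIP, Token and TransferContract, the attribute-matching rule format and the sample subjects are assumptions made for illustration; the patent does not specify a policy language or a contract platform.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data. POLICY_STORE stands in for the access control
# contract's policy set; PIP stands in for the policy information point.
POLICY_STORE = [
    {"resource": "door-1", "action": "open", "require": {"dept": "ops"}},
    {"resource": "sensor-7", "action": "read", "require": {"dept": "lab"}},
    {"resource": "sensor-7", "action": "read", "require": {"cleared": True}},
]
PIP = {
    "alice": {"dept": "lab", "cleared": True},
    "bob": {"dept": "lab", "cleared": True},
    "mallory": {"dept": "sales", "cleared": False},
}

@dataclass
class Token:
    token_id: int
    resource: str
    action: str
    owner: str
    policy_index: Optional[list] = None  # method 2: indexes into POLICY_STORE
    policy: Optional[list] = None        # method 3: rules stored in the token

def resolve_rules(token):
    """Find the rules governing a token, by whichever method it supports."""
    if token.policy is not None:                      # method 3: read from token
        return token.policy, "embedded"
    if token.policy_index is not None:                # method 2: direct lookup
        return [POLICY_STORE[i] for i in token.policy_index], "indexed"
    rules = [p for p in POLICY_STORE                  # method 1: full search
             if (p["resource"], p["action"]) == (token.resource, token.action)]
    return rules, "search"

def decide(token, subject):
    """Permit only if the subject's PIP attributes satisfy every rule."""
    rules, mode = resolve_rules(token)
    attrs = PIP.get(subject, {})
    ok = bool(rules) and all(attrs.get(k) == v
                             for r in rules for k, v in r["require"].items())
    return ok, mode   # an empty rule set denies (fail closed)

class TransferContract:
    def __init__(self):
        self.pending = {}  # token_id -> (sender, receiver)
        self.log = []      # stands in for the on-chain transfer record

    def propose(self, token, sender, receiver):
        if token.owner != sender:
            raise PermissionError("only the current owner can propose a transfer")
        self.pending[token.token_id] = (sender, receiver)

    def confirm(self, token, caller):
        sender, receiver = self.pending.get(token.token_id, (None, None))
        if caller != receiver or token.owner != sender:
            return False   # wrong confirmer or stale proposal: nothing changes
        del self.pending[token.token_id]
        ok, mode = decide(token, receiver)
        if ok:
            token.owner = receiver
        self.log.append((token.token_id, sender, receiver, mode, ok))
        return ok
```

A confirmation from anyone other than the named receiver leaves the pending proposal in place, so a third party cannot cancel a transfer by confirming it first.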

It will be understood by those skilled in the art that the foregoing is only a preferred embodiment of the present invention, and is not intended to limit the invention, and although the invention has been described in detail with reference to the foregoing examples, it will be apparent to those skilled in the art that various changes in the form and details of the embodiments may be made and equivalents may be substituted for elements thereof. All modifications, equivalents and the like which come within the spirit and principle of the invention are intended to be included within the scope of the invention.
