45 results about "Attribute-based access control" patented technology

The invention discloses an access control system and an access control method between a public cloud and a private cloud. The access control system includes a private cloud control module at a private cloud end, and a public cloud control module at a public cloud end. The private cloud control module comprises an inter-cloud data exchange module and a user access control module. The inter-cloud data exchange module is respectively connected with the user access control module and the public cloud control module through a network. The access control method combines role-based access control and attribute-based access control, an attribute-based access control mode is adopted in the private cloud, and a role-based access control mode is adopted when the private cloud accesses the public cloud. Due to the fact that the access control system limits the access right of users of the private cloud to resources or services of the public cloud, the access control system has the advantages of being quite high in inter-cloud data exchange safety.

A multitude of systems and methods are provided. An encryption method and system utilizing vector label input threshold encryption is included, enabling decentralized confidentiality and decentralized, fine-grained, and attributed-based access control, enabling clients to define by whom, when, and how their data is accessed. Additionally, the disclosed systems and methods can include publish / subscribe mechanisms while achieving confidentiality-preserving and decoupled publish / subscribe messaging and strong total order for publications even with crytographic access control enforced.

The invention provides a dynamic risk access control method of a cloud platform. The control method comprises steps of submitting an access request, implementing a rule matching strategy, carrying out an event deduction process, extracting a risk evaluation index, carrying out risk evaluation index weight distribution, calculating a risk value, calculating a threshold value, and making an access control decision. According to the dynamic risk access control method, an attribute based access control (ABAC) strategy is improved by using an event deduction mechanism with high expressivity and flexibility, thereby enhancing the dynamic and flexible properties during rule matching and thus realizing high adaptability to the complicated cloud environment; and a risk assessment index is constructed by using a system security state and historical behavior information of the user, a mathematic model for calculating a risk assessment index weight is put forward, and a corresponding weight is calculated based on a formula regression algorithm, so that the sensitivity to the access request by the risk value is improved. On the basis of observation of a simulated experiment, the rule is adjusted dynamically based on a change of an access request attribute; and the risk assessment index weights are distributed dynamically in real time and the sensitivity to the risk value by the access request is improved. The method has the good real-time and dynamic performances.

An attribute-based access control policy (e.g., XACML policy) for a set of elements depends on attributes carried by elements in one of several predefined categories. In order to evaluate such policy for a set of elements, the invention provides a method including the steps of (I) selecting a primary category; (II) partitioning the elements in the primary category into equivalence classes with respect to their influence on the policy; and (III) using the equivalence classes to replace at least one policy evaluation by a deduction. The result of the evaluation may be represented as an access matrix in backward-compatible format. The efficiency of the policy evaluation may be further improved by applying partial policy evaluation at intermediate stages, by forming combined equivalence classes containing n-tuples of elements and / or by analyzing the influence of each element by extracting functional expressions of maximal length from the policy.

The invention relates to a cryptography attribute-based access control method and system based on a dynamic rule, mainly belonging to the technical field of information. In the cryptography attribute-based access control system based on the dynamic rule, protected objects are stored in a encrypted form, and only the requests satisfying the requirements of access policies in the attribute-based access control can be authorized to decrypt the objects, therefore, it can be ensured that data in an unsafe environment can be accessed with authorization according to a security policy, and meanwhile,the extensibility of the policies and the dynamic acquisition of the attributes are also supported. The cryptography attribute-based access control method and system based on the dynamic rule are divorced from the traditional encryption system framework, and are a new attribute-based access control model, method and system supporting the cryptography decision. The cryptography attribute-based access control method and system based on the dynamic rule can achieve more secure, diversified, dynamic and flexible access authorization, which are suitable for large-scale organizations or informationsystems, and can be applied to the environments such as cloud computing, grid computing, distributed computing, and so on.

Systems and methods are disclosed for receiving an access request from a user device, the access request including an identity claim for a user; evaluating a risk of access based on matching an attribute of the user device with attributes stored in a user information database; authenticating the access request based on the identity claim and the risk evaluation to determine an authentication confidence level; generating a token based on the confidence level and the attribute matched; producing an authorization response based on inputs from the token, a risk based access control, a role based access control, and an attribute based access control, in which the authorization response determines whether to allow access to a system, deny access to the system, or request additional input from the user device.

The invention discloses an attribute-based access control method for a smart grid based on Bloom Filter. The method comprises the following steps that (1) a data owner stores data into a data center; (2) if a user wants to visit the data, the user submits an access request and an attribute set to the control center; (3) the control center utilizes a Bloom Filter algorithm to judge whether the user belongs to an authorization set; and (4) if judging that the user belongs to the authorization set, a key is obtained and is decrypted to obtain plaintext data, otherwise the data is inaccessible. The method adopts a bit array to represent the attribute set of the user concisely and utilizes the Bloom Filter to carry out quick attribute belonging judgement on the user, so that the efficient attribute-based access control is realized. In comparison with the conventional algorithm, the requirements of a program for the server memory is greatly reduced, and meanwhile, the matching efficiency is improved and the complexity for attribute encryption of mass data in the smart grid is reduced.

The invention discloses a multi-key searchable encryption method and system based on an attribute access control structure, and the method comprises the steps: dividing an attribute set through employing a VBTree under the background of cloud storage, binding the attribute set with the access authority of a file, and effectively determining whether a user is a legal user or not and a file set which can be accessed by the user according to an attribute set submitted by the user. Huge expenditure for traversing all files of a data owner once when the user is verified to be the legal user or notis avoided; meanwhile, combined query of multiple keywords is achieved, so that a query result is more flexible and accurate; and the data owner does not need to generate an authorization key for eachauthorized user and each file which can be accessed by the authorized user, and only needs to generate an authorization key for each authorized user.

Methods and devices for constructing a simplified attribute-based access control policy, which more faithfully reproduces not only Permit and Deny decisions but also data relating to errors and quasi-errors resulting from the evaluation. To this end, the simplified policy includes new data fields for storing intermediate results. Further, improved simplification rules allowing partial evaluation to be used in a broader range of situations.

The invention discloses an access control system and an access control method between a public cloud and a private cloud. The access control system includes a private cloud control module at a private cloud end, and a public cloud control module at a public cloud end. The private cloud control module comprises an inter-cloud data exchange module and a user access control module. The inter-cloud data exchange module is respectively connected with the user access control module and the public cloud control module through a network. The access control method combines role-based access control and attribute-based access control, an attribute-based access control mode is adopted in the private cloud, and a role-based access control mode is adopted when the private cloud accesses the public cloud. Due to the fact that the access control system limits the access right of users of the private cloud to resources or services of the public cloud, the access control system has the advantages of being quite high in inter-cloud data exchange safety.

An attribute-based access control policy (e.g., XACML policy) for a set of elements depends on attributes carried by elements in one of several predefined categories. In order to evaluate such policy for a set of elements, the invention provides a method including the steps of (I) selecting a primary category; (II) partitioning the elements in the primary category into equivalence classes with respect to their influence on the policy; and (III) using the equivalence classes to replace at least one policy evaluation by a deduction. The result of the evaluation may be represented as an access matrix in backward-compatible format. The efficiency of the policy evaluation may be further improved by applying partial policy evaluation at intermediate stages, by forming combined equivalence classes containing n-tuples of elements and / or by analyzing the influence of each element by extracting functional expressions of maximal length from the policy.

An apparatus, computer-readable medium, and computer-implemented method to facilitate scalable compliance and issuer governance of decentralized financial transactions especially for the trade and transfer of tokenized securities. The resulting Compliance Aware Tokens contain the rulesets to restrict transactions and facilitate regulatory reporting and oversight. The embodied process, includes ofa novel combination of compliance workflows, attribute verification tools, smart contracts and other ledger controls, provides a decentralized Attribute Based Access Control (ABAC) capability. ABAC patterns are extended to govern global financial transactions without the need for an active intermediary.

Real-time techniques for determining all access requests to an attribute-based access control policy which evaluate to a given decision, “permit” or “deny”. The policy is enforced to control access to one or more resources in a computer network. In one embodiment, a method includes: (i) receiving a reverse query and a set of admissible access requests, each of which includes one or more attributes in the policy and values of these; (ii) extracting attributes to which all access requests in the set assign identical values; (iii) reducing the ABAC policy by substituting values for the extracted attributes; (iv) caching the policy as a simplified policy; (v) translating the simplified policy and the given decision into a satisfiable logic proposition; (vi) deriving all solutions satisfying the proposition; and (vi) extracting, based on the solutions, all access requests from the set for which the policy yields the given decision.

Real-time techniques for determining all access requests to an attribute-based access control policy which evaluate to a given decision, “permit” or “deny”. The policy is enforced to control access to one or more resources in a computer network. In one embodiment, a method includes: (i) receiving a reverse query and a set of admissible access requests, each of which includes one or more attributes in the policy and values of these; (ii) extracting attributes to which all access requests in the set assign identical values; (iii) reducing the ABAC policy by substituting values for the extracted attributes; (iv) caching the policy as a simplified policy; (v) translating the simplified policy and the given decision into a satisfiable logic proposition; (vi) deriving all solutions satisfying the proposition; and (vi) extracting, based on the solutions, all access requests from the set for which the policy yields the given decision.

The invention discloses an access control method based on an attribute-based access control policy. The method is characterized by 1) extracting attribute information of a user-role table and a role-authority table in a database and generating a user-role-authority access control relation Hash table; 2) generating an access control policy according to the access control relation Hash table: carrying out iteration traversal on the access control relation Hash table to obtain key value pairs, that is, an attribute set of each user and authority thereof, and then, generating an access control policy rule of the user according to the authority attribute of the user; and 3) for each received access request, an internet-of-thing search engine judging the access request according to the access control policy rule to determine whether access is allowed. The method can give a quick response to the search request, thereby greatly improving efficiency of the internet-of-thing search engine.