Access control method and system based on security tag

A security label and access control technology, applied in the field of access control systems based on security labels, can solve the problem that information cannot be marked with security labels in real time, and achieve the effects of improving security and reliability, avoiding information leakage, and implementing a simple mechanism.

Active Publication Date: 2018-07-10
INST OF INFORMATION ENG CAS

AI-Extracted Technical Summary

Problems solved by technology

[0005] The technology of the present invention solves the following problem: it overcomes the limitation of the prior art that information generated in real time cannot be marked with a security label in real time and subjected to access control, and provides an access control method and system based on a security label, which can apply security marking both to information generated in real time in the network and to existing information, marking its security level, security category and display attribute information, mark sec...

Abstract

The invention relates to an access control method and system based on a security tag; the method comprises the following steps of marking security permission for an information access subject, marking a security tag for the information, and generating a security policy according to a security requirement; when the information is in a circulation process, starting an access control mechanism in the information access subject to analyze the security tag in the information; matching the security permission and the security tag according to the security policy; and deciding the information flow direction according to a matched result, so as to achieve a purpose of controlling an information awareness range; and the security is improved.


Example Embodiment

[0037] The invention will be described in detail below with reference to the drawings and embodiments.
[0038] Figure 1 is a schematic diagram of an access control method based on security tags. When a subject processes information, the access control decision unit checks, according to the security policy, whether the subject's security permission matches the security label of the information. If it matches, the subject is allowed to access the information; otherwise access is denied.
[0039] The core of the present invention is to control a subject's access to information according to a preset security policy. The specific implementation is based on the security label: the information access subject is marked with a security permission, the information is marked with a security label, and an access control policy is generated according to the security requirements. When information is in circulation, the access control mechanism is activated at the four key nodes of information sending, information transmission, information storage and information reception. The subject's security permission and the information's security label are matched according to the security policy, and the information flow direction is determined by the matching result, so as to control the scope of information awareness.
[0040] The security label is a digital entity bound to the information; it records a security policy identifier, a security level, a security category, display attributes and custom extended information.
[0041] The security policy identifier refers to the number of the security policy.
[0042] The security level is related to the system that uses the security label and is consistent with the existing level definition of the system, such as: "public", "sensitive", and "restricted";
[0043] The security category is used to determine whether the information access subject can access the information once the subject's security level is not lower than the security level of the information, for example: "country name", "institution name", "project name", etc.;
[0044] The display attributes are used to define the name, font, size, and color information when the security label is displayed;
[0045] The self-defined extended information refers to a reserved segment of digital entity, which can be filled in according to the system security requirements of using security tags.
[0046] As shown in Figure 2, the present invention proposes a security-label-based access control system comprising an information sending agent module, an information transmission agent module, an information storage agent module and an information receiving agent module. The specific steps are as follows:
[0047] Step 11: When the information sending agent module detects that there is information to be sent, its access control decision unit looks up the information recipient and matches the recipient's security permission against the security label according to the security policy. If the match passes, the recipient has access authority for the information; the information is sent to the information transmission agent module and step 21 is executed. Otherwise a prompt is issued;
[0048] Step 21: After the information transmission agent module receives the information, it identifies the processing operation for the information. If the operation is to forward the information to the information receiver, perform step 22; if it is to forward the information to the next information transmission agent module, perform step 23; if it is to forward the information to the information storage agent module, perform step 24;
[0049] Step 22: The access control decision unit in the information transmission agent module parses the security label of the information and matches the information receiver's security permission against the security label according to the security policy. If the match passes, the receiver has the right to access the information and the information is forwarded to the information receiving agent module; otherwise forwarding of the information is abandoned;
[0050] Step 23: The access control decision unit in the information transmission agent module parses the security label of the information and matches the next information transmission agent module's security permission against the security label according to the security policy. If the match passes, the information is forwarded to the next information transmission agent module; otherwise forwarding of the information is abandoned;
[0051] Step 24: The access control decision unit in the information transmission agent module parses the security label of the information and matches the information storage agent module's security permission against the security label according to the security policy. If the match passes, the information is forwarded to the information storage agent module; otherwise forwarding of the information is abandoned;
[0052] Step 31: The information storage agent module identifies whether the information is the information forwarded by the information transmission agent module or the information request sent by the information transmission agent module. If it is the information forwarded by the information transmission agent module, perform step 32; if it is an information request, perform step 33;
[0053] Step 32: The access control decision-making unit of the information storage agent module parses the security label of the information, matches its own security permission with the security label of the information according to the security policy, and stores the information if it matches, otherwise abandons storing the information;
[0054] Step 33: The access control decision unit of the information storage agent module parses the security label of the information and matches the information transmission agent module's security permission against the security label according to the security policy. If the match passes, the information is sent to the information forwarding agent module; otherwise sending the information is refused;
[0055] Step 41: The access control decision unit in the information receiving agent module activates the access control function and analyzes the security label;
[0056] Step 42: According to the security policy, the security permission of the information receiver is matched with the security label of the information, and if the match is passed, the information is received and forwarded to the information receiver, otherwise the receiving of the information is abandoned.
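The following is an added worked example, not code from the patent or its assignee, that puts the label structure of [0040]-[0045] and the four-node decision flow of steps 11 through 42 into runnable Python. The ordering of the three levels, the shape of the security policy (a policy number plus a category rule), the `Message` type, and every subject name and permission in the directory are constructed assumptions; the patent only names the fields and the nodes.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Constructed ordering of the levels named in [0042]; a real system takes it from its own level definition.
LEVELS = {"public": 0, "sensitive": 1, "restricted": 2}

@dataclass(frozen=True)
class SecurityLabel:
    """Digital entity bound to a piece of information ([0040]-[0045])."""
    policy_id: int                                          # [0041]
    level: str                                              # [0042]
    categories: FrozenSet[str]                              # [0043]
    display: Dict[str, str] = field(default_factory=dict)   # [0044] name/font/size/color
    extension: bytes = b""                                  # [0045] reserved segment

@dataclass(frozen=True)
class SecurityPermission:
    """Permission marked on a subject: a user or one of the agent modules."""
    policy_id: int
    level: str
    categories: FrozenSet[str]

@dataclass(frozen=True)
class SecurityPolicy:
    """Assumed policy shape (not from the patent): a policy number plus a category
    rule: 'all' = subject must hold every label category, 'any' = one suffices."""
    policy_id: int
    category_rule: str = "all"

@dataclass
class Message:
    payload: str
    label: SecurityLabel
    recipient: str

def matches(perm: SecurityPermission, label: SecurityLabel,
            policy: SecurityPolicy) -> bool:
    """Access control decision unit: does the permission dominate the label?"""
    if not (perm.policy_id == label.policy_id == policy.policy_id):
        return False                      # marked under a different policy number
    if perm.level not in LEVELS or label.level not in LEVELS:
        return False                      # unknown level: fail closed
    if LEVELS[perm.level] < LEVELS[label.level]:
        return False                      # [0043]: subject level must not be lower
    if policy.category_rule == "all":
        return label.categories <= perm.categories
    return bool(label.categories & perm.categories)

# One function per agent module, each returning its decision unit's verdict.
def send_node(msg, directory, policy) -> bool:                    # Step 11
    return matches(directory[msg.recipient], msg.label, policy)

def transmit_node(msg, directory, policy, next_hop: str) -> bool:  # Steps 22-24
    return matches(directory[next_hop], msg.label, policy)

def store_node(msg, directory, policy, self_name, requester=None) -> bool:
    # Step 32 checks the storage agent itself; Step 33 checks the requesting agent.
    return matches(directory[requester or self_name], msg.label, policy)

def receive_node(msg, directory, policy) -> bool:                 # Steps 41-42
    return matches(directory[msg.recipient], msg.label, policy)

def route(msg: Message, directory: Dict[str, SecurityPermission],
          policy: SecurityPolicy, relays: List[str]) -> List[Tuple[str, bool]]:
    """Send -> each transmission agent in `relays` -> receive, stopping at the
    first node that denies. Returns one (node, decision) entry per node visited."""
    trace = [("send", send_node(msg, directory, policy))]
    if not trace[-1][1]:
        return trace
    for i, relay in enumerate(relays):
        nxt = relays[i + 1] if i + 1 < len(relays) else msg.recipient
        ok = transmit_node(msg, directory, policy, nxt)
        trace.append((f"transmit@{relay}->{nxt}", ok))
        if not ok:
            return trace
    trace.append(("receive", receive_node(msg, directory, policy)))
    return trace

# Constructed sample directory, policy and label.
POLICY = SecurityPolicy(policy_id=1)
DIRECTORY = {
    "alice":   SecurityPermission(1, "restricted", frozenset({"project-x", "org-a"})),
    "bob":     SecurityPermission(1, "sensitive",  frozenset({"project-x"})),
    "relay1":  SecurityPermission(1, "restricted", frozenset({"project-x", "org-a"})),
    "relay2":  SecurityPermission(1, "sensitive",  frozenset({"project-x"})),
    "archive": SecurityPermission(1, "restricted", frozenset({"project-x", "org-a"})),
}
REPORT = SecurityLabel(1, "restricted", frozenset({"project-x"}),
                       {"name": "RESTRICTED", "color": "red"})

def demo_to_alice():    # every node passes
    return route(Message("q3 report", REPORT, "alice"), DIRECTORY, POLICY, ["relay1"])

def demo_to_bob():      # denied at the sending node: bob's level is too low
    return route(Message("q3 report", REPORT, "bob"), DIRECTORY, POLICY, ["relay1"])

def demo_two_relays():  # relay1 refuses to forward to the lower-cleared relay2
    return route(Message("q3 report", REPORT, "alice"), DIRECTORY, POLICY, ["relay1", "relay2"])
```

The same `matches` function serves every node, which is the point of the scheme: each agent module re-parses the label it receives and decides for itself, so a message that slips past one node is still stopped at the next. Note that the decision fails closed on an unknown level or a mismatched policy number; a label whose policy identifier does not match the policy in force is treated as unreadable rather than as public.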
[0057] The above embodiments are provided only for the purpose of describing the present invention, and are not intended to limit the scope of the present invention. The scope of the invention is defined by the appended claims. Various equivalent replacements and modifications made without departing from the spirit and principle of the present invention should all fall within the scope of the present invention.