Access control method and system based on security tag

[0037] The invention will be described in detail below with reference to the drawings and embodiments.

[0038] Such as figure 1 It is a schematic diagram of an access control method based on security tags. When the subject processes the information, the access control decision unit will check whether the security permission can match the security label of the information according to the security policy. If it can match, the subject is allowed to access the information, otherwise the access is denied.

[0039] The core of the present invention is to control the subject's access authority to information according to a preset security policy. The specific implementation method is based on the security label, marking the information access subject with security permission, marking the information with security label, and generating an access control policy according to the security requirements. When information is in circulation, the access control mechanism is activated at the four key nodes of information transmission, information transmission, information storage, and information reception. The subject security license and information security label are matched according to the security policy, and the information flow direction is determined according to the matching result to achieve The purpose of controlling the scope of information awareness.

[0040] The security label is a piece of digital entity bound to information, and records security policy identification, security level, security category, display attributes, and custom extended information.

[0041] The security policy identifier refers to the number of the security policy.

[0042] The security level is related to the system that uses the security label and is consistent with the existing level definition of the system, such as: "public", "sensitive", and "restricted";

[0043] The security category is used to determine whether the information access subject can access the information when the security level of the information access subject is not lower than the security level of the information, such as: "country name", "institution name", "project name" Wait

[0044] The display attributes are used to define the name, font, size, and color information when the security label is displayed;

[0045] The self-defined extended information refers to a reserved segment of digital entity, which can be filled in according to the system security requirements of using security tags.

[0046] Such as figure 2 As shown, the present invention proposes a security label-based access control system, which includes an information sending agent module, an information transmission agent module, an information storage agent module, and an information receiving agent module. The specific steps are described as follows:

[0047] Step 11: The information sending agent module, when it detects that there is information to be sent, the access control decision unit in the information sending agent module searches for the information recipient, and matches the information recipient’s security permission and security label according to the security policy. If the match passes It indicates that the receiver has information access authority, sends the information to the information transmission agent module, and executes step 21; otherwise, prompts;

[0048] Step 21: After the information transmission agent module receives the information, it identifies the processing operation of the information. If the processing operation of the information is to forward the information to the information receiver, perform step 22; if the processing operation of the information is to forward the information to the next information transmission For the proxy module, perform step 23; if the information processing operation is to forward information to the information storage proxy module, perform step 24;

[0049] Step 22: The access control decision unit in the information transmission agent module parses the security label of the information, and matches the security permission of the information receiver with the security label of the information according to the security policy. If the match passes, it indicates that the information receiver has the right to access the information, and forward Send the information to the information receiving agent module, otherwise it will give up forwarding the information;

[0050] Step 23: The access control decision unit in the information transmission agent module parses the security label of the information, and matches the security permission of the next information transmission agent module with the security label of the information according to the security policy, and if the match passes, the information is forwarded to the next information transmission Proxy module; otherwise, give up forwarding the information;

[0051] Step 24: The access control decision unit in the information transmission agent module analyzes the security label of the information, matches the security permission of the information storage agent module with the security label of the information according to the security policy, and if the match passes, then forward the information to the information storage agent module; Otherwise, give up forwarding the information;

[0052] Step 31: The information storage agent module identifies whether the information is the information forwarded by the information transmission agent module or the information request sent by the information transmission agent module. If it is the information forwarded by the information transmission agent module, perform step 32; if it is an information request, perform step 33;

[0053] Step 32: The access control decision-making unit of the information storage agent module parses the security label of the information, matches its own security permission with the security label of the information according to the security policy, and stores the information if it matches, otherwise abandons storing the information;

[0054] Step 33: The access control decision-making unit of the information storage agent module parses the security label of the information, and matches the security permission of the information transmission agent module with the security label of the information according to the security policy. If the match passes, the information is sent to the information forwarding agent module, otherwise Refuse to send information;

[0055] Step 41: The access control decision unit in the information receiving agent module activates the access control function and analyzes the security label;

[0056] Step 42: According to the security policy, the security permission of the information receiver is matched with the security label of the information, and if the match is passed, the information is received and forwarded to the information receiver, otherwise the receiving of the information is abandoned.

[0057] The above embodiments are provided only for the purpose of describing the present invention, and are not intended to limit the scope of the present invention. The scope of the invention is defined by the appended claims. Various equivalent replacements and modifications made without departing from the spirit and principle of the present invention should all fall within the scope of the present invention.