31 results about "Extended Access Control" patented technology

A global policy store, in which policies applicable to multiple applications in an enterprise environment can be stored, can be stored in association with that environment. An application-level policy combining algorithm can be associated with a specific application to resolve conflicts between the results of evaluating policies that pertain to that application's resources. A persistent model is defined for an Extensible Access Control Markup Language (XACML) target definition.

The invention discloses a ciphertext access control method based on CP-ABE (Ciphertext-Policy Attribute-Based Encryption), which belongs to the field of information security. The method comprises the following steps: preparation and maintenance work which comprises initialization of CP-ABE (Ciphertext-Policy Attribute-Based Encryption), user registration and auditing, generation of an asymmetric key pair for signature and encryption by the system and the user, generation of a CP-ABE attribute key SK for the user and key and attribute certificate management is carried out; 2, and file sharing requires a file provider, an extensible access control markup language (XACML) access control system and a sharing user to work cooperatively. The attribute certificate in a PMI system is used as an expression document for a CP-ABE attribute set and the access structure, the XACML expresses the CP-ABE policy, and security of the attribute set and the access control structure description is ensured. A hierarchical structure with an inheritance relationship is introduced, features such as distribution, authorization and calculability are supported, the attribute authorization ability needs to comply with constraints, and the method is applicable to a distributed and open network application environment.

The invention discloses an access control method and a system. The access control method comprises: a network side device broadcasts extended access control (extended attribute block) parameters through system messages, the EAB parameters comprise at least one of the following two parameters: access classification barring (AC barring ) information acting on all access classifications (AC), and/or specific terminal types, and/or control instruments of specific business types, user equipment (UE) carries out an EAB judgment according to the received EAB parameters, and carries out relative access control. Through the access control method and the system, access control based on the EAB parameters is achieved, and uniform control of a plurality of ACs (or the specific terminal types or the specific business types) is achieved in case of reducing signaling load to the greatest extent.

The invention discloses method and device for generating an access controlling policy. The method comprises the following steps of: generating an ABAC policy expression according to ABAC policy information input by a user through a pre-established attribute-based access control (ABAC) policy view template; and converting the ABAC policy expression into an ABAC policy which is based on XACML and conforms to the XACML template according to mapping rules of the preset ABAC policy view template and an extensible access control markup language (XACML) template. In the invention, the user only needs to input some simple ABAC policy information through the ABAC policy view template and does not need to write a complicated ABAC policy based on XACML in a manual mode, therefore, the problem that the user difficultly defines the ABAC policy based on XACML is solved, the problem that errors are made in the process of writing the complicated ABAC policy based on XACML in a manual mode by the useris avoided, and the accuracy of the ABAC policy based on XACML is ensured.

The invention relates to a method for generating a cross-domain access control strategy by rising from credit assessment to trust management. According to the method, a credit assessment model is established to realize a corresponding credit assessment subsystem; uncertainty assessment is carried out on a credit degree of an evaluated entity according to evaluation information given by an interaction entity; association relations between an attribute of an assessment entity, an attribute of an assessed entity, a resource attribute, a behavior attribute, an environment attribute and an entity credit degree are extracted; and then an access control strategy based on attributes is generated and description is carried out by an extensible access control mark language; at last, the generated access control strategy is converted into a strategy of a concrete trust management system. According to the invention, authorization strategy is generated dynamically according to behavior and environment attributes of an entity; and the method has good self adaptability and can be applied to cross-domain environments like cloud calculating having a lot of unfamilar entities.

The invention discloses an identification cryptographic technique-based electronic passport extended access control system and an identification cryptographic technique-based authentication method. The authentication method comprises the following steps that: a key service centre provides a key service; a passport verification center makes an application for sensitive biological characteristic information-reading authority, the key service center issues an authorization smart card to perform authorization, and the passport verification center distributes the authorization smart card to a verification terminal controlled thereby; and a passport issuing center applies the key service center for an authentication key and a public parameter for authentication and writes the authentication key and the public parameter into passport smart card of an electronic passport. During passport verification, the authorization smart card and the passport smart card implement an identification cryptographic algorithm-based authentication protocol to judge if the verification terminal has the authority to read sensitive biological characteristic data. The system and the method avoid loopholes in authentication trust transmission in a European proposal, save the establishment of a complicate PKI system, and allow for low system construction cost. Compared with Singaporean EAC, the method provides flexible authorization for a certifying organization, and can still authorize the certifying organization after the issue of a passport.

The invention discloses an XACML frame extension system and method for a network access control system. The XACML frame extension system is composed of a body establishing module, a rulemaking module, a rule-based reasoning module, a consistency detecting module and a strategy rule generating module. The XACML frame extension method comprises the steps that firstly, the body establishing module establishes a body; secondly, the rulemaking module makes rules; thirdly, the rule-based reasoning module generates access control results; fourthly, the consistency detecting module detects whether conflict exists between the access control results; fifthly, the rulemaking module makes a conflict eliminating rule, and the rule-based reasoning module generates access control results of the conflict eliminating rule; sixthly, the consistency detecting module detects whether the conflict is eliminated; seventhly, the strategy rule generating module generates an extensible access control markup language strategy rule. Due to conflict detection of the access control results, the XACML frame extension system and method for the network access control system have the advantages of being high in detection efficiency and automatic.

The invention relates to methods and arrangements for controlling access of a mobile device to a network, such as GSM. The mobile devices belong to an access control class (ACC) and for providing extended access control, and may also belong to an additional access control class (EACC). The arrangement broadcasts system information to the mobile devices, which system information indicates whether mobile device, which belong to an access control class (ACC), is allowed to access or are barred from accessing the network, and the system information further indicates whether the mobile device, which also belong to an extended access control class (EACC), is allowed to access or are limited from accessing the network. Different ways for limiting access is provided. An example is to block the mobile device from initiating communication, and allow the mobile device for communication initiated by the network. An example is to block the mobile device from communication initiated from the network, and allow the mobile for initiating communication. An example is to block the mobile device from initiating communication, as well as for communication initiated by the network. A mobile device blocked from network initiated communication is not allowed to answer a paging from the network.

The invention discloses a method, a device and a system for obtaining access control information, and belongs to the field of communication networks. The method includes the following steps: receiving control information which is sent by a network side and is scrambled by first identification, wherein the control information can be monitored by users with an extended access control embedded array block (EAB) configured, the control information can not be monitored by users with the extended access control EAB not configured, and the control information contains scheduling information on a physical downlink control channel (PDCCH); descrambling the control information to obtain the control information, and receiving radio resource control (RRC) information on a physical downlink shared channel (PDSCH) according to the scheduling information in the control information, wherein EAB relevant information is contained in the RRC information; and obtaining EAB information according to the EAB relevant information. By means of the method, the device and the system for obtaining the access control information, X-radio network temporary identity (RNTI) identification arranged specially for the user with the EAB configured, when only does the EAB information vary, ordinary H2H users can not receive the RRC information, and thus received quantity of ordinary users is reduced.

The invention provides a strategy-based multi-tenant access control method and system. The method comprises the following steps of: when a user carries out an operation on an object, judging whether the user has a right to execute the operation on the type of object or not, and if the user does not have the right, rejecting the operation; if the user has the right, judging whether the user is an owner of the object or not; if the user is the owner of the object, allowing the operation; if the user is not the owner of the object, judging a relationship between the user and the owner of the object; reading an access control strategy of a tenant to which the user belongs according to the relationship between the user and the owner of the object; and judging whether the access control strategyallows the operation or not. The strategy-based multi-tenant access control method is capable of defining flexibly and easily-extended access control strategies, so as to effectively control access of objects under multi-tenant conditions.

The invention discloses an extensible access control method for fog computing. According to the method, a linear secret sharing matrix is used as an access structure to realize attribute-based accesscontrol, fog nodes are used as edge service nodes, and encryption and decryption operations in the access control are reasonably distributed, so that the operation overhead of a terminal user in the access control is reduced. In addition, on the basis of maintaining the original access strategy, new legal members can be added to form a new access strategy, meanwhile, whether the access user tampers the original data or not when uploading the new access strategy can be detected, and integrity protection of the original data is achieved.

The invention relates to the technical field of network security, particularly an extended access control method based on traffic statistics. The extended access control method based on flow statistics of the invention extracts statistical information of corresponding flow on the basis of access control rules, further expands the access control list, and improves the flexibility of access controland the safety of network equipment.

The invention discloses an access control method comprising the following steps that: user equipment (UE) suitable for extended access control block (EAB) initiates a random access by use of a random access resource mapped corresponding to a self-mapped access service class (ASC), specifically, the UE suitable for extended EAB obtains the self-mapped ASC according to the system information of the network side, or obtains the self-mapped ASC according to a protocol based predetermined configuration. The invention correspondingly discloses an access control system and the UE. According to the invention, the random access process of the UE suitable for the EAB is controlled, and the high impact to the UE unsuitable for the EAB caused by the access of a large amount of UE suitable for the EAB, is avoided.

The invention discloses an extensible access control markup language strategy searching method based on a matching tree structure. The extensible access control markup language strategy searching method mainly solves the problems that in the prior art, strategy searching efficiency is low, and node information in a matching tree and a combination tree is repeated. According to the implementation scheme, the method includes forming an initial matching tree according to the structure and information of an original strategy, and removing repeated attributes under the same path in the initial matching tree; generating a path identifier according to the path of the initial matching tree, replacing the path information in the initial matching leaf node with the path identifier to obtain a simplified matching tree, and storing the path information and the corresponding path identifier in a mapping table; according to an access request sent by a user, searching a path identifier suitable for arule path on the matching tree, and finding a suitable strategy of the request in a strategy library by utilizing the mapping table. By optimizing the matching tree structure, the strategy migrationcost is reduced, the strategy search efficiency is improved, and the method can be used in the access control process using large-scale strategies.

The invention provides a message forwarding method and equipment. A processor in the equipment determines that a spanning tree protocol STP control instance of a ring protection link RPL port is switched from a forwarding state to a blocking state, and configures an extended access control table entry for a switch chip; the priority of the extended access control table item is higher than that of a global Ethernet protection switching protocol ERPS access control table item; the switch chip is used for mapping a first ERPS protocol message which is received by the RPL port and belongs to a control virtual local area network (VLAN) to the STP reservation instance in a forwarding state based on the extended access control table item; the received first ERPS protocol message is sent to a processor in the STP reservation instance; wherein the control VLAN is associated with the STP control instance; and the processor maps the received first ERPS protocol message from the STP reservation instance to the STP control instance, and sends the received first ERPS protocol message to an ERPS protocol stack.