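1. Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093
2. School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049
3. China Academy of Information and Communications Technology, Beijing 100191
4. School of Cyber Security, University of Science and Technology of China, Hefei, Anhui 230027
Wei JIN (1994- ), female, born in Beijing, is a doctoral student at the Institute of Information Engineering, Chinese Academy of Sciences. Her main research interests are big data access control and key management.
Fenghua LI (1966- ), male, born in Xishui, Hubei, Ph.D., is a researcher and doctoral supervisor at the Institute of Information Engineering, Chinese Academy of Sciences. His main research interests are network and system security, information protection, and privacy computing.
Mingjie YU (1998- ), male, born in Jingdezhen, Jiangxi, is a doctoral student at the University of Science and Technology of China. His main research interest is big data access control.
Yunchuan GUO (1977- ), male, born in Yingshan, Sichuan, Ph.D., is a professor-level senior engineer and doctoral supervisor at the Institute of Information Engineering, Chinese Academy of Sciences. His main research interests are access control and formal methods.
Ziyan ZHOU (1998- ), female, born in Qinhuangdao, Hebei, is a doctoral student at the Institute of Information Engineering, Chinese Academy of Sciences. Her main research interest is access control.
Liang FANG (1989- ), male, born in Taiyuan, Shanxi, Ph.D., is an associate researcher at the Institute of Information Engineering, Chinese Academy of Sciences. His main research interests are information security and access control.
Online publication date: 2022-09
Print publication date: 2022-09-25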
Wei JIN, Fenghua LI, Mingjie YU, et al. HDFS-oriented cryptographic key resource control mechanism[J]. Journal on Communications, 2022, 43(9): 27-41. DOI: 10.11959/j.issn.1000-436x.2022165.
The big data environment is characterized by multi-user cross-network access, multi-service collaborative computing, cross-service data flow, and complex management of massive numbers of files. Existing cryptographic key resource control models and mechanisms are not fully applicable to big data scenarios. To meet the big data environment's needs for key resource control, a normalized description of operation semantics, and fine-grained access control, an HDFS-oriented key resource control mechanism was proposed, starting from the scenario elements and attributes of key resource control and mapping the cyberspace-oriented access control (CoAC) model. Subsequently, an HDFS-oriented key resource control management mechanism (CKCM) was given, comprising management sub-models and management supporting models, and the management functions and management methods in the management model were formally described in Z notation. Finally, the CKCM system was implemented based on XACML to realize fine-grained secure access control over keys and file resources in HDFS.