Research on Task- and Role-Based Access Control for Encrypted CAD Models
Abstract
With the rapid development and increasingly wide application of network and CAD technology, product data security has become a new field of research, and the data security of CAD models shared in collaborative environments is especially important for product development and full life-cycle management. The techniques now in wide use are information hiding in CAD models, digital watermarking, and access control, of which access control is the key technique. In product life-cycle management, the complexity of both the personnel and the models calls for a sound access control mechanism to keep data access secure. Current CAD systems, however, set user roles and access permissions only at the data-file level and have no security mechanism for the CAD model itself.
To address this problem, this paper first analyzes existing access control models and then proposes a task- and role-based access control model with model encryption, designed specifically for CAD models. The model inherits from the traditional role-based access control model and the task-based access control model, and the paper also studies in practice the relations User-Role Assignment (URA), Role-Task Assignment (RTA), and Task-Permission Assignment (TPA), among others. A task state diagram and a permission state diagram are added in the treatment of tasks and permissions, which enables dynamic adjustment and dynamic activation of permissions and roles. Compared with traditional access control models, the model keeps the advantages of role-based and task-based access control (such as support for the principles of separation of duties, least privilege, and data abstraction) and additionally supports dynamic permission updates and confidentiality of the model. DES is chosen as the algorithm for encrypting and decrypting the model; because DES encryption and decryption depend chiefly on the key, a key generation and management mechanism is also added to the model. The paper also studies the theoretical and technical difficulties of the proposed model.
For the practical application of the model, the paper uses the currently popular SolidWorks software: building on the SolidWorks API for secondary development, part of the model's functionality is implemented as a plug-in, with a database as the main storage tool.