With the development and popularity of the Internet, information technology has been applied to numerous fields such as the social economy, politics, the military and personal life. Information security problems mainly include the disclosure, loss and tampering of information that occur during its storage, processing, use and transmission. Whether caused consciously or not, these information security problems are tremendous threats to network systems and raise the requirements placed on information security. To deal with these problems, access control technology, an important part of information security, is introduced and applied.

Nowadays, the study of attribute-based access control (ABAC) is a hotspot in the access control domain because of its fine-grained nature. It is mainly realised by means of attribute-based encryption (ABE). The hierarchical relationship between attributes, which makes access control policies more flexible and effective, is often neglected in current attribute-based encryption schemes. To satisfy the need for attribute hierarchy in attribute-based encryption, and to make up for the limited descriptive ability of the access control structure and of logical operations in access control policies, this paper proposes two hierarchical ciphertext-policy attribute-based encryption schemes (CP-HABE) and gives their application in a real-world system. The concrete results are as follows:

1. Combining hierarchical identity-based encryption (HIBE) and ciphertext-policy attribute-based encryption (CP-ABE), we put forward a CP-HABE scheme (SS-CP-HABE) suitable for a single attribute set. We give a security proof based on the decisional l-BDHE assumption in the standard model. Compared with current algorithms in access control structure design, storage efficiency, computation efficiency and privacy preservation, the scheme improves the formal definition of the current algorithm, adds a description of the access control structure and introduces an attribute anonymisation operation.

2. Furthermore, by bringing in linear integer secret sharing (LISS), we also propose a CP-HABE scheme (MS-CP-HABE) that can be used for multiple attribute sets. The scheme constructs the access control policy as a LISS matrix over an attribute path set. We achieve logical operations among access control policies according to given logical operation rules. Moreover, a security proof is given based on the decisional l-BDHE assumption in the formal model. Compared with other schemes in storage efficiency, computation efficiency, attribute hierarchy and logical operations on access control policies, the scheme improves the efficiency of storage and computation, genuinely achieves attribute hierarchy and simplifies access control rules. In addition, it can perform logical operations among access control policies, which makes the design of access control more flexible.

3. We apply our schemes to a civil aviation information system. We design a hierarchical attribute-based access control scheme by introducing the hierarchical relationship between attributes, and we give the concrete structure and definition of HABAC suitable for civil aviation. We also give implementations of the critical modules of the civil aviation information system.
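As an added illustration that is not from the thesis itself, the following Python models the two ingredients of the MS-CP-HABE description above: attribute paths in a hierarchy, and a LISS matrix built from a policy tree whose AND/OR nodes combine sub-policies, with integer-coefficient reconstruction. The policy-tree encoding, the ancestor-matching rule and the `rand_bits` parameter are assumptions made for this example; the real scheme embeds such shares inside pairing-based ciphertexts, which is not shown here.

```python
import secrets

# Constructed example. Policy leaves are attribute paths (tuples) in a hierarchy such as
# ("aviation", "ops", "dispatch"); inner nodes are ("and", l, r) or ("or", l, r).
# Assumption (HIBE-style delegation): a user holding path p satisfies a leaf q when p is
# equal to q or an ancestor of it, because a higher-level key can derive the lower one.

def leaf_satisfied(leaf_path, user_paths):
    return any(leaf_path[:len(p)] == p for p in user_paths)

def build_liss_matrix(policy):
    """Turn a policy tree into an integer share matrix (Lewko-Waters style labelling).
    Each leaf gets one row; the secret is the target vector (1, 0, ..., 0).
    AND splits a label v into (v, 1) and (0, ..., 0, -1) on a fresh column; OR copies v."""
    rows, counter = [], [1]                      # counter = columns used so far
    def walk(node, vec):
        if node[0] == "attr":
            rows.append((node[1], vec))
        elif node[0] == "or":
            walk(node[1], vec); walk(node[2], vec)
        else:                                    # "and": open a fresh column
            vec = vec + [0] * (counter[0] - len(vec))
            counter[0] += 1
            walk(node[1], vec + [1]); walk(node[2], [0] * (counter[0] - 1) + [-1])
    walk(policy, [1])
    width = counter[0]
    return [(path, vec + [0] * (width - len(vec))) for path, vec in rows], width

def share(policy, secret, rand_bits=128):
    """LISS distribution: shares = M * (secret, r_2, ..., r_width) over the integers.
    rand_bits is an assumed parameter; the random coordinates must be far larger than
    the secret so that an unauthorised set learns statistically nothing about it."""
    rows, width = build_liss_matrix(policy)
    rho = [secret] + [secrets.randbits(rand_bits) for _ in range(width - 1)]
    return [(path, sum(m * r for m, r in zip(vec, rho))) for path, vec in rows]

def reconstruct(policy, shares, user_paths):
    """Return the secret if user_paths satisfy policy, else None.
    The +1/-1 pair of every AND cancels, so each reconstruction coefficient is 1:
    the secret is the plain integer sum of the shares of one satisfying sub-tree."""
    idx = [0]                                    # shares are in depth-first leaf order
    def walk(node):
        if node[0] == "attr":
            i, idx[0] = idx[0], idx[0] + 1
            return shares[i][1] if leaf_satisfied(node[1], user_paths) else None
        left, right = walk(node[1]), walk(node[2])
        if node[0] == "and":
            return None if left is None or right is None else left + right
        return left if left is not None else right
    return walk(policy)
```

Combining two policies is just wrapping their trees in a new ("and", ...) or ("or", ...) node, which is the logical operation on policies the scheme describes.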