多域环境下授权凭证链隐私保护研究

Aiming at the privacy controllability requirement of sensitive credentials in the open environment, we will study the unique privacy preserving principles and models theoretically to satisfy the multiple relevant parties' authorization rules and explore the means of achieving methodologically. First of all, in this project, we propose the sensitive credential formal model and management model which are suitable for cross domain resource-sharing environment. Secondly, the attribute credential chain's SADL(sensitive assertion description language) and their semantics verification technology will be researched. Moreover, we can provide the formal deduction-based credential chain synthesis framework and privacy policy conflict resolution algorithm. After that, the technologies of privacy preserving decision engine will be studied, including the search algorithm for applicative sensitive credentials in credential chain, efficient deduction algorithm for sensitive credentials, caching algorithm for deduction intermediate results, cache update algorithm and performance evaluation model of decision engine. Finally, we will analyze and validate these technologies by experiments. Through the implementation of this project, we can establish the theoretical basis of credentials' privacy preserving in multi-domain environment and achieve a critical technical breakthroughs. This work, which reflects the trend in the field of information security and combines the latest achievements of the privacy preserving technology and distributed authorization technology, is not only a high value academic project, but also a critical technology of distributed security infrastructure, meanwhile, our research has great practical value for the mediator-free electronic business systems and information service systems under rapidly expanding.

本项目针对开放式环境下的敏感属性凭证受控使用需求，在理论上研究满足凭证链各相关方授权规则的安全原理和模型，并在方法上探索其实现手段。研究内容主要包括：提出适用于多域资源共享环境下的敏感属性凭证形式化模型和管理模型；研究适用的凭证链敏感断言描述语言及其语义验证技术；研究基于逻辑推演的形式化凭证链合成框架和隐私策略冲突消解算法；研究高效隐私保护判定引擎的关键技术，包括针对凭证链中特定敏感凭证的查找算法、包含敏感凭证的高效凭证链推演算法、推演中间结果的缓存算法、缓存更新算法和判定引擎性能评估模型，并通过实验进行性能分析和功能验证。本项目的研究工作结合了隐私保护和分布式授权技术的最新成果，体现了信息安全领域的发展趋势，具有很高的学术起点，同时也是分布式安全基础设施的核心关键技术，对于当前迅猛发展的自组式电子商务及信息服务平台而言，具有非常高的实用价值。

本项目针对开放式环境下的隐私受控使用场景开展研究，以非结构化文本文件和结构化文档两类重要的文件资源访问为主要研究对象，从原理模型和受控使用关键技术两个方面开展较为系统和深入的研究，取得了一系列研究成果，具体表现在：（1）提出和完善了多域环境下满足多相关方授权规则的隐私保护理论框架，提出了适用于多域分布式资源共享环境下的隐私控制形式化模型和管理模型；（2）在关键技术层面，设计并实现了敏感标记嵌入引擎、敏感标记信息检测技术、隐私码字选择方法等一系列关键算法和技术，研发了软件应用系统和专用硬件设备，并将研究成果实际应用于重大工程。截止2016年12月31日，项目组共发表学术论文7篇（其中EI检索论文4篇），申请专利6项，获得软件著作权2项。通过本项目的培养，培养博士研究生2名，硕士研究生3名。综上所述，本项目的研究工作是可以广泛应用于分布式安全基础设施的核心关键技术，能够大幅度提升我国信息服务平台的安全性，具有非常高的实用价值。