ETSI TR 118 516 V2.0.0 (2016-09)

oneM2M; Study of Authorization Architecture for Supporting Heterogeneous Access Control Policies (oneM2M TR-0016 version 2.0.0)

TECHNICAL REPORT

Reference: DTR/oneM2M-000016
Keywords: authorization, IoT, M2M

ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16
Siret N° 348 623 562 00017 - NAF 742 C
Non-profit association registered at the Sous-Préfecture de Grasse (06) N° 7803/88

Important notice

The present document can be downloaded from: http://www.etsi.org/standards-search

The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat.

Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx

If you find errors in the present document, please send your comment to one of the following services: https://portal.etsi.org/People/CommiteeSupportStaff.aspx

Copyright Notification

No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the foregoing restriction extend to reproduction in all media.

© European Telecommunications Standards Institute 2016. All rights reserved.

DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPP™ and LTE are Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association.

Contents

Intellectual Property Rights
Foreword
1 Scope
2 References
2.1 Normative references
2.2 Informative references
3 Definitions and abbreviations
3.1 Definitions
3.2 Abbreviations
4 Conventions
5 Overview of authorization system
5.1 High level authorization architecture
5.2 Generic authorization procedure
6 Detailed design of authorization architecture
6.1 Self-contained authorization
6.2 Distributed authorization
6.2.1 Distributed authorization use cases
6.2.1.1 M2M gateway make access control decisions on behalf of m2m devices
6.2.2 Proposal 1: Using resource-based approach to implement distributed authorization
6.2.2.1 Introduction
6.2.2.2 Resources
6.2.2.2.1 Resource type authorization
6.2.2.2.2 Resource type policyDecisionPoint
6.2.2.2.3 Resource type policyRetrievalPoint
6.2.2.2.4 Resource type policyInformationPoint
6.2.2.3 Procedures
6.2.2.3.1 Introduction
6.2.2.3.2 Create
6.2.2.3.3 Retrieve
6.2.2.3.4 Update
6.2.2.3.5 Delete
6.2.2.3.6 Retrieve
6.2.2.3.7 Retrieve
6.2.2.3.8 Retrieve
6.3 Message between authorization components
6.3.1 Proposal 1: Extending XACML and SAML for exchanging message between authorization components
6.3.1.1 Messages between PEP and PDP
6.3.1.1.1 Introduction of XACML element and element
6.3.1.1.2 Using XACML element
6.3.1.1.3 Using XACML element
6.3.1.2 Messages between PDP and PIP
6.3.1.2.1 Introduction of SAML
6.3.1.2.2 Using SAML element
6.3.1.2.3 Using SAML element
6.4 Implementing Role Based Access Control
6.4.1 Introduction of Role Based Access Control
6.4.2 General procedure of user-role assignment and role use
6.4.3 Solutions of implementing Role Based Access Control
6.4.3.1 Proposal 1: Solution of supporting Role Based Access Control
6.4.3.1.1 Role Based Access Control architecture
6.4.3.1.2 Role token structure
6.4.3.1.3 Resource type role
6.4.3.1.4 Role Based Access Control procedure without using role tokens
6.4.3.1.5 Role Based Access Control procedure using role tokens
6.5 Implementing Attribute Based Access Control
6.5.1 Introduction of Attribute Based Access Control
6.5.2 General procedure of Attribute Based Access Control
6.5.3 Solutions of implementing Attribute Based Access Control
7 Supporting user specified access control policies
7.1 Issues
7.2 Solutions
7.2.1 Proposal 1: Solution of supporting heterogeneous access control policies
7.2.1.1 Introduction
7.2.1.2 Redefined resource type accessControlPolicy
7.2.1.3 Generic procedure of evaluating heterogeneous access control policies
8 Investigating existing access control policy languages and proposals
8.1 Proposal 1: Using XACML
8.1.1 Introduction
8.1.2 Detailed descriptions
8.1.3 Evaluation
8.2 Evaluation of oneM2M access control rule
8.2.1 Introduction
8.2.2 Application scenario description
8.2.3 Access control rules and evaluation
8.2.4 Conclusion
8.3 Proposal of new access control rule format
8.3.1 Introduction
8.3.2 Rule format
8.3.2.1 Introduction
8.3.2.2 accessControlResources
8.3.2.3 permittedAttributes
8.3.2.4 permittedChildResources
8.3.3 Evaluation of the proposed oneM2M access control rule
8.3.4 Conclusion
9 Privacy protection architecture using Privacy Policy Manager (PPM)
9.1 Introduction
9.2 Relationship between components of PPM and oneM2M
9.3 Privacy Policy Management in oneM2M architecture
9.3.0 Introduction
9.3.1 Actor
9.3.2 Management flow in PPM architecture
9.3.2.1 Join to a M2M platform
9.3.2.2 Subscription to an ASPs service
9.3.2.3 Request for personal data to the M2M platform
10 Conclusions
Annex A: Bibliography
History

Intellectual Property Rights

IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (https://ipr.etsi.org/).

Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document.

Foreword

This Technical Report (TR) has been produced by ETSI Partnership Project oneM2M (oneM2M).

1 Scope

The present document provides technical solutions for oneM2M authorization architecture, authorization procedures and access control policies. The present document also gives evaluations of these proposed technical solutions.

ETSI TS 118 103 [i.2] only defines a high level authorization architecture that describes its major components and general authorization procedure. The objective of the present document is to provide candidate security solutions related to authorization architecture, authorization procedures and access control policies. The present document provides security solutions in the following three aspects:

Detailed design of authorization architecture: This part investigates the interfaces among authorization components (e.g. procedures and parameters), how these components could be distributed in different oneM2M entities (i.e. different CSEs), and how to implement Role Based Access Control (RBAC) and token based access control.

Supporting user specified access control policies: This part investigates how the oneM2M authorization system could be an extensible system that can support user-defined access control mechanisms and/or access control policy languages.

Investigating existing access control policy languages: This part investigates if some standardized access control policy languages could become oneM2M recommended access control policy description languages.

2 References

2.1 Normative references

References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies.

Referenced documents which are not found to be publicly available in the expected location might be found at https://docbox.etsi.org/Reference/.

NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity.

The following referenced documents are necessary for the application of the present document.

Not applicable.

2.2 Informative references

References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies.

NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity.

The following referenced documents are not necessary for the application of the present document but they assist the user with regard to a particular subject area.

[i.1] ETSI TS 118 101: "oneM2M; Functional Architecture (oneM2M TS-0001)".
[i.2] ETSI TS 118 103: "oneM2M; Security Solutions (oneM2M TS-0003)".
[i.3] ANSI American national standard for information technology - role based access control. ANSI INCITS 359-2004, February 2004.
[i.4] NIST Special Publication 800-162: "Guide to Attribute Based Access Control (ABAC) Definition and Considerations".
[i.5] OASIS Standard: "eXtensible Access Control Markup Language (XACML)", Version 3.0, 22 January 2013.
[i.6] OASIS Standard: "Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML)" V2.0.
[i.7] oneM2M Drafting Rules. NOTE: Available at http://www.onem2m.org/images/files/oneM2M-Drafting-Rules.pdf.
[i.8] ETSI TS 118 111: "oneM2M; Common Terminology (oneM2M TS-0011)".
[i.9] ETSI TR 118 501: "oneM2M; Use Case collection (oneM2M TR-0001)".

3 Definitions and abbreviations

3.1 Definitions

For the purposes of the present document, the terms and definitions given in ETSI TS 118 111 [i.8] apply.

3.2 Abbreviations

For the purposes of the present document, the abbreviations given in ETSI TS 118 111 [i.8] apply.

4 Conventions

The key words "Shall", "Shall not", "May", "Need not", "Should", "Should not" in the present document are to be interpreted as described in the oneM2M Drafting Rules [i.7].

5 Overview of authorization system

5.1 High level authorization architecture

Figure 5.1-1 provides a high level overview of a generic authorization architecture. This architecture comprises four subcomponents that are described as follows:

Policy Enforcement Point (PEP):
- PEP intercepts resource access requests, makes access control decision requests, and enforces access control decisions. The PEP coexists with the entity that needs authorization services.

Policy Decision Point (PDP):
- PDP interacts with the PRP and PIP to get applicable authorization policies and attributes needed to evaluate authorization policies respectively, and then evaluates access requests using authorization policies to render an access control decision. The PDP is located in the Authorization service.

Policy Retrieval Point (PRP):
- PRP obtains applicable authorization policies according to an access control decision request. These applicable policies should be combined in order to get a final access control decision. The PRP is located in the Authorization service.

Policy Information Point (PIP):
- PIP provides attributes that are needed to evaluate authorization policies, for example the IP address of the requester, creation time of the resource, current time or location information of the requester. The PIP is located in the Authorization service.

The Authorization service may comprise any of the subcomponents: PDP, PRP and/or PIP. This means that the subcomponents PEP, PRP, PDP and PIP could be distributed across different nodes. For example the PEP is located in an ASN/MN and the PDP is located in the IN.

The present release 1 does not support separation of PRP and PIP on different CSE from PDP. The generic procedure described below is provided for information and to support further extensions, while clause 7 provides the details of authorization mechanisms in the current release.

Figure 5.1-1: Overview of the authorization architecture

5.2 Generic authorization procedure

The generic authorization procedure is shown in figure 5.2-1.

Figure 5.2-1: Authorization Procedure

Step 001: Mutual authentication (Pre-requisite).

Step 002: Access Requester sends an Access Request to the PEP.

Step 003: PEP makes an Access Control Decision Request according to the requester's Access Request, and sends the Access Control Decision Request to the PDP.

Step 004: PDP sends an Access Control Policy Request that is generated based on the Access Control Decision Request to the PRP.

Step 005: PRP finds all access control policies applicable to the access request and sends them back to the PDP. When multiple access control policies are involved, the PRP also provides a policy combination algorithm to combine multiple evaluation results into one final result.

Step 006: PDP sends Attribute Request to the PIP, if any attributes are needed to evaluate these access control policies.

Step 007: PIP gets requested attributes and sends them back to the PDP.

Step 008: PDP evaluates Access Request using access control policies. When there are multiple applicable access control policies, the PEP needs to calculate a final Access Control Decision using the policy combination algorithm.

Step 009: PD
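The clause 5.2 procedure modelled end to end, as an added example that is not code from ETSI or oneM2M: the four components are separate objects, the PRP returns both the applicable policies and the combination algorithm (Step 005), the PIP supplies the requester IP and current time (Step 007), and the PDP merges the per-policy results into the final decision that the PEP enforces. The policy format, resource paths, attribute names and the two combination algorithms (deny-overrides, permit-overrides) are assumptions of this example, not oneM2M definitions.

```python
# Added example (not from ETSI TR 118 516): clause 5.2 flow with PEP, PDP, PRP and PIP separated; all names are constructed.
from dataclasses import dataclass

@dataclass
class Policy:
    target: str            # resource path prefix the policy applies to
    operations: frozenset  # operations the policy covers
    condition: object      # callable(attrs) -> bool, over attributes from the PIP
    effect: str = "Permit" # "Permit" or "Deny"

class PRP:  # Policy Retrieval Point: applicable policies + combination algorithm (Step 005)
    def __init__(self, policies, algorithm="deny-overrides"):
        self.policies, self.algorithm = policies, algorithm
    def request_policies(self, req):
        return [p for p in self.policies if req["resource"].startswith(p.target)], self.algorithm

class PIP:  # Policy Information Point: attributes such as requester IP or current time (Step 007)
    def __init__(self, attributes):
        self.attributes = attributes
    def request_attributes(self, names):
        return {n: self.attributes.get(n) for n in names}

def combine(results, algorithm):
    """Step 008: merge per-policy results into one decision; no applicable policy means Deny."""
    if algorithm == "deny-overrides":
        return "Deny" if "Deny" in results or "Permit" not in results else "Permit"
    if algorithm == "permit-overrides":
        return "Permit" if "Permit" in results else "Deny"
    raise ValueError(f"unknown combination algorithm: {algorithm}")

class PDP:  # Policy Decision Point: Steps 004 to 008
    def __init__(self, prp, pip):
        self.prp, self.pip = prp, pip
    def decide(self, req):
        policies, algorithm = self.prp.request_policies(req)
        attrs = {**self.pip.request_attributes(["requester_ip", "current_hour"]), **req}
        results = [p.effect if req["operation"] in p.operations and p.condition(attrs)
                   else "NotApplicable" for p in policies]
        return combine(results, algorithm)

def pep_handle(pdp, originator, operation, resource):  # PEP: Step 003 request, Step 009 enforcement
    return pdp.decide({"originator": originator, "operation": operation, "resource": resource}) == "Permit"

def build_pdp(current_hour=10, requester_ip="10.0.0.7"):  # wire components with constructed samples
    policies = [
        Policy("/cse/app1/", frozenset({"Retrieve"}), lambda a: str(a["requester_ip"]).startswith("10.0.0.")),
        Policy("/cse/app1/", frozenset({"Update"}), lambda a: 8 <= (a["current_hour"] or 0) < 18),
        Policy("/cse/app1/admin/", frozenset({"Update", "Delete"}), lambda a: True, "Deny"),
    ]
    return PDP(PRP(policies), PIP({"requester_ip": requester_ip, "current_hour": current_hour}))
```

With deny-overrides, a request that matches both a Permit and a Deny policy (an Update under /cse/app1/admin/) is refused, and a request that matches no policy at all is also refused rather than silently allowed.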
