本論文將基礎的強制型存取控制機制，推展到雲端企業階層式組織型態中。不只資源取用者機密等級要高，而且取用者在階層式組織中也要高於被取用資源。以一個金鑰轉換中心(KDC)做為初始各個階層與使用者的金鑰分配，並公布組織結構表，之後各個使用者便可藉由組織結構表與雜湊運算的方式進行機密等級與階層式授權金鑰的快速推導。
被授權者必須從兩個層次的機密屬性中得到最後的解密金鑰完成授權。本論文提出一個強化強制型存取控制(MACH)機制，擁有速度極快、強制型與階層式的保護、結構變化少的優點。我們將會與AKL, Lo-Hwang-Liu和蔡佳勳等學者的機制進行比較，我們的機制使用雜湊運算與其他學者所使用的模指數運算在相同安全等級的運算過程中速度差距可達數千倍(BruceSchneier ,1986)，以快速的階層授權結合基礎的強制型存取控制來對企業組織的內部完成資訊分級授權。

This study proposes a basic mandatory access control in cloud hierarchical structure. It considers not only user's secret level higher than that of file but also the hierarchy levels that users belong to. In the proposed system, Key Derivation Center (KDC) was used for making the first initial private keys generation and their distribution for each group. After that, a table called RAI (Relation-And-ID) associated with related parameters is open. Users can used RAI and hash function to derive the keys that been authorized.

The user are authorized by the two levels of secret attributes(naming the user level and the group hierarchy) . This study proposes a mandatory access control for organization of hierarchical structure, delivers a much fast operation in cloud hierarchical organization, and affects less parameters when the hierarchical structure changes. The proposed mechanism is also compared with AKL, Lo-Hwang-Liu, and Chia-Hsun Tsai. Besides differences in dealing with the comparison among the parameters, the procedure, and the various hierarchical structures, our mechanism use the hash function as a core calculation, while the other three researches use the modular exponentiation operation. As indicated in (BruceSchneier ,1986), hash function, in the same security level, is faster than modular exponentiation operation by thousands of times. Therefore, our system can attains both a fast hierarchical authorized and basic mandatory access control to secure the authorized information in most business organization.

目錄	IV
表目錄	VI
圖目錄	VII
第一章　緒論	1
1.1	研究背景	1
1.2	研究動機	2
第二章　相關論文研究	3
2.1	存取控制下的安全模式	3
2.1.1	強制性安全模式(Mandatory access control MAC)	4
2.2	階層式授權相關研究	5
2.2.1	Akl&Taylor等所提機制	5
2.2.2	Lo,Hwang&Liu等人所提機制	7
2.2.3	蔡佳勳所提機制	9
第三章　所提機制	14
3.1	主受體授權模式	15
3.1.1	金鑰推導	15
3.2	群組封建式階層	16
3.2.1	各群組金鑰產生及推導	17
3.3	文件金鑰推導	19
3.4	加入新成員	21
3.5	成員離開	22
第四章　相關研究比較	24
4.1	安全性與效率分析	24
4.1.1	反向攻擊	24
4.1.2	群組內互相攻擊	25
4.1.3	群組聯合攻擊	25
4.2	比較面向說明	25
4.2.1	Akl&Taylor(1983)所提機制	25
4.2.2	Lo, Hwang & Liu(2011)等人所提機制	26
4.2.3	蔡佳勳(2015)所提機制	26
第五章　結論與建議	30
參考文獻	32

表 2-1：機密等級範例	3
表 2-2：Akl&Taylor所提機制符號定義	5
表 2-3：Lo,Hwang&Liu等人所提機制符號定義	7
表 2-4：蔡佳勳所提機制符號定義	9
表 2-5：蔡佳勳的直屬結構表	10
表 3-1：符號名稱定義	14
表 3-2：機密等級(Secret Class Level)(假設有n級)	15
表 3-3：機密等級金鑰推導	16
表 3-4：關係與ID表(RAI表)	17
表 3-5：群組金鑰	18
表 4-1：相關研究之功能比較	27
表 4-2：加入成員與離開成員之比較	28


圖 2-1：蔡佳勳的直屬結構圖	10
圖 3-1：直屬結構圖	17
圖 3-2：成員加入末端節點圖1	21
圖 3-3：成員加入末端節點圖2	21
圖 3-4：成員加入中間節點圖1	22
圖 3-5：成員離開末端節點圖1	22
圖 3-6：成員離開末端節點圖2	23
圖 3-7：成員離開中間節點圖1	23

1.Akl, S. G., & Taylor, P. D. (1983). Cryptographic solution to a problem of access control in a  hierarchy. ACM Transactions on Computer Systems (TOCS), 1(3), 239-248.
2.Lo, J. W., Hwang, M. S., & Liu, C. H. (2011). An efficient key assignment scheme for access control in a large leaf class hierarchy. Information Sciences,181(4), 917-925.
3.Qing-hai, B., & Ying, Z. (2011, July). Study on the access control model. InCross Strait Quad-Regional Radio Science and Wireless Technology Conference (CSQRWC), 2011 (Vol. 1, pp. 830-834). IEEE.
4.Ruj, S. (2014, July). Attribute based access control in clouds: a survey. InSignal Processing and Communications (SPCOM), 2014 International Conference on (pp. 1-6). IEEE.
5.Wang, G., Liu, Q., & Wu, J. (2010, October). Hierarchical attribute-based encryption for fine-grained access control in cloud storage services. InProceedings of the 17th ACM conference on Computer and communications security (pp. 735-737). ACM.
6.Cacic, B. J., & Wei, R. (2007). Improving Indirect Key Management Scheme of Access Hierarchies. IJ Network Security, 4(2), 128-137. 
7.Chen, H. Y. (2004). Efficient time-bound hierarchical key assignment scheme.Knowledge and Data Engineering, IEEE Transactions on, 16(10), 1301-1304. 
8.Denning, D. E., Akl, S. G., Heckman, M., Lunt, T. F., Morgenstern, M., Neumann, P. G., & Schell, R. R. (1987). Views for multilevel database security. Software Engineering, IEEE Transactions on, (2), 129-140. 
9.MacKinnon, S. J., Taylor, P. D., Meijer, H., & Akl, S. G. (1985). An Optimal Algorithm for Assigning Cryptographic. IEEE Transactions on computers,100(34). 
10.Rivest, R. L., Shamir, A., & Adleman, L. (1978). A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2), 120-126. 
11.Wang, Shyh-Yih, and Chi-Sung Laih. "Cryptanalysis of Hwang–Yang scheme for controlling access in large partially ordered hierarchies." Journal of Systems and Software 75.1 (2005): 189-192. 
12.李鴻璋,蔡佳勳. (2015). 簡單快速雲端階層式組織授權之應用. 淡江大學資訊管理學系碩士班學位論文, 1-42.
13.Applied Cryptography-protocols, algorithms, and source code in C.(2nd .ed), Bruce Schneier,1986
14.潘天佑(民101)。資訊安全概論與實務(第三版)。台灣：碁峰。