
移动介质信息安全系统授权策略的研究与应用 (Research and Application of Authorization Policy in a Removable-Media Information Security System)

Research and Application of Authorization Policy in Removable Devices Information Anti-leaking System

【Author】 邹琦 (Zou Qi)

【Advisor】 胡和平 (Hu Heping)

【Author information】 华中科技大学 (Huazhong University of Science and Technology), Computer Application Technology, 2008, Master's degree

【Abstract (translated from the Chinese)】 Information security technology has developed rapidly in recent years and has already formed a fairly complete set of Internet security solutions. Access control is critical to the security of system resources. A PKI system, through convenient and flexible key and certificate management, establishes a secure network operating environment for users and lays the foundation for implementing security mechanisms such as access control, confidentiality, integrity and non-repudiation in the system. On the basis of identity authentication, the Privilege Management Infrastructure (PMI) provides a framework for user authorization and access control that is implemented in the form of certificates and is independent of any specific system. It is unrelated to the development and management of a particular application system, simplifies that system's development and maintenance, and offers greater flexibility. The X.509 standard does not prescribe any kind of standardized authorization policy; this is left to the application systems that use PMI. Based on a requirements analysis of the removable-media information security system, this thesis gives the framework of the system's user authorization and access control system, consisting of the requesting client, an enforcement module, a decision module, a privilege verification module and an LDAP directory server. The authorization policy is the core of the system's effective operation. In designing the user authorization and access control system for the removable-media information security system, the emphasis is on analyzing existing authorization policies and, combined with the characteristics of the removable-media information security system itself, designing an authorization policy for the access control system that meets the system's specific needs. The authorization policy consists of an attribute policy, subject policy, role hierarchy policy, role assignment policy, target policy, action policy and target access policy, and is described in XML. The policy description also discusses in detail how various constraints are realized in the policy, strengthening control over access rights to resources. Based on the designed policy and adopting the PMI approach to privilege management, the user authorization and access control system of the removable-media information security system is implemented. Finally, an improved design framework for the access control system is given and directions for future work are identified.

【Abstract】 With the fast development of information security technology, a complete Internet security solution has been put forward. The access control system is critical to ensuring the security of a system. A PKI system can set up a secure network environment by managing keys and certificates in a flexible way, which becomes the foundation for implementing security mechanisms such as access control, confidentiality and integrity. On the basis of authentication, the Privilege Management Infrastructure (PMI) implements an independent authorization and access control system in the form of certificates. It is less tied to the application system and simplifies practical system development and maintenance, which makes it more flexible. The X.509 standard has not standardized any type of authorization policy; it leaves this to the system that uses PMI. By analyzing the requirements of the Removable Devices Information Anti-leaking (RDIA) system, this thesis presents a framework for an access control system based on RPMI which consists of a client, an access execution function, a privilege verification function and a certificate database. The privilege policy is critical to system operation. In the design of the access control system, by analyzing existing policies and considering the requirements of the RDIA system, it designs an authorization policy that satisfies the basic and special requirements of the system. The policy designed for the system consists of seven sub-policies: attribute policy, subject policy, role hierarchy policy, role assignment policy, target policy, action policy and target access policy. It is described in XML. Within this policy, it discusses how to describe the various kinds of constraints that tighten access control. Using this policy and following the PMI design approach, it implements the user authorization and access control system for the removable devices information anti-leaking system in a local area network. In addition, it gives a framework for an improved system, which indicates the direction of further study.
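To make the abstract's design concrete, here is an added example (not code from the thesis) of how an XML-described authorization policy of the kind it outlines can be evaluated: a subject's attributes are mapped to roles (role assignment), senior roles inherit the permissions of junior ones (role hierarchy), and a request is permitted only by an explicit rule for the role, target and action whose constraint is satisfied (target access policy with a time-window constraint). The XML element and attribute names, the sample policy, the subject attributes and the request times are all constructed for this example; the thesis's own XML vocabulary and its other sub-policies (attribute, subject, target, action) are not modelled.

```python
# Added example (not the thesis's own code): a minimal evaluator for a
# PMI-style authorization policy expressed in XML.  It models three of the
# seven sub-policies named in the abstract (role hierarchy, role assignment,
# target access) plus one constraint (a permitted time window).  The XML
# element and attribute names below are assumptions made for this example.
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample policy for a removable-media (USB storage) system.
POLICY_XML = """
<policy>
  <roleHierarchy>
    <role name="Manager" inherits="Operator"/>
    <role name="Operator" inherits="Viewer"/>
    <role name="Viewer"/>
  </roleHierarchy>
  <roleAssignment>
    <!-- subject attributes (as carried in an attribute certificate) -> role -->
    <assign role="Viewer"   attr="dept"  value="*"/>
    <assign role="Operator" attr="dept"  value="engineering"/>
    <assign role="Manager"  attr="title" value="security-officer"/>
  </roleAssignment>
  <targetAccess>
    <rule role="Viewer"   target="usb-storage" action="read"/>
    <rule role="Operator" target="usb-storage" action="write" hours="08-18"/>
    <rule role="Manager"  target="usb-storage" action="export"/>
  </targetAccess>
</policy>
"""


def load_policy(xml_text):
    """Parse the policy XML into plain Python structures."""
    root = ET.fromstring(xml_text)
    inherits = {}
    for r in root.iter("role"):
        inherits[r.get("name")] = [x for x in r.get("inherits", "").split(",") if x]
    assigns = [(a.get("role"), a.get("attr"), a.get("value")) for a in root.iter("assign")]
    rules = [dict(r.attrib) for r in root.iter("rule")]
    return {"inherits": inherits, "assigns": assigns, "rules": rules}


def effective_roles(policy, attrs):
    """Role assignment followed by the role-hierarchy closure:
    a senior role inherits every permission of the roles below it."""
    direct = {role for role, attr, value in policy["assigns"]
              if attr in attrs and (value == "*" or attrs[attr] == value)}
    closure, stack = set(), list(direct)
    while stack:  # the visited set guards against a cyclic hierarchy
        role = stack.pop()
        if role in closure:
            continue
        closure.add(role)
        stack.extend(policy["inherits"].get(role, []))
    return closure


def within_hours(spec, now):
    """Constraint check: hours="08-18" permits 08:00 <= now < 18:00."""
    if not spec:
        return True
    start, end = (int(x) for x in spec.split("-"))
    return start <= now.hour < end


def decide(policy, attrs, target, action, now):
    """Return (permitted, reason) for a subject/target/action request.
    Default deny: a request is permitted only by an explicit matching rule
    whose constraints are satisfied."""
    roles = effective_roles(policy, attrs)
    reason = "deny: no rule for this target/action/role"
    for rule in policy["rules"]:
        if rule["target"] != target or rule["action"] != action or rule["role"] not in roles:
            continue
        if within_hours(rule.get("hours"), now):
            return True, f"permit: role {rule['role']}"
        reason = f"deny: rule for role {rule['role']} fails hours={rule['hours']}"
    return False, reason


if __name__ == "__main__":
    policy = load_policy(POLICY_XML)
    engineer = {"dept": "engineering"}  # constructed subject attributes
    for action, when in [("read", datetime(2008, 6, 2, 10)), ("write", datetime(2008, 6, 2, 22))]:
        print(action, decide(policy, engineer, "usb-storage", action, when))
```

The decision function is default-deny and reports which rule granted access or which constraint blocked it, which is the information an audit log in such a system needs; in a real deployment the subject attributes would come from a verified attribute certificate rather than a dictionary.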

  • 【CLC number】TP393.08
  • 【Downloads】54