The Research and Design of RBAC-Based PMI

【Author】 Luo Jiayan (罗家燕)

【Advisor】 He Dake (何大可)

【Author information】 Southwest Jiaotong University, Cryptography, 2003, Master's

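【Abstract (translated from the Chinese)】 The Public Key Infrastructure (PKI), based on the International Telecommunication Union's ITU X.509 certificate standard, has in the past few years become an indispensable security support system and technical specification for network applications such as e-commerce and e-government. However, as network applications continue to expand and deepen, merely establishing a user's identity, knowing "who he is", no longer meets the requirements of a security system; new means are also needed to further determine "what he can do" in order to perform privilege management and access control. The concept of the Privilege Management Infrastructure (PMI) emerged in response. The main part of the thesis comprises the following chapters. Chapter 2 introduces the concepts and fundamentals of e-government and cryptographic theory. Chapter 3 studies and analyzes the relevant PMI standards, basic components and important models, and compares the connections and differences between PMI and PKI. Chapter 4 first analyzes the application requirements of RBPMI, which is based on role-based access control (RBAC), then designs the overall system framework, describes its workflow in detail, and focuses on the research and design of the access control mechanism, the authorization mechanism and the certificate structure. Finally it discusses the mechanisms for certificate revocation and renewal. Chapter 5 is the conclusion. On the basis of a thorough understanding of the relevant PMI standards and existing models, the author proposes a privilege management model of their own that unifies access control and privilege management. The work was completed against a background in which China, particularly in the e-government field, has no clear relevant specifications or unified standards. It therefore has some theoretical value and practical significance for future research and application in this field.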

【Abstract】 Public Key Infrastructure (PKI) based on the ITU-T X.509 standard has become an indispensable security supporting system and technical specification for network applications such as e-business and e-government in the past few years. However, with the rapid growth of the Internet, it is not sufficient merely to authenticate communicating parties, that is, to know who they are. Besides recognizing a remote party’s identity, we also need to know what actions they may perform. Thus, we need an authorization mechanism. Privilege Management Infrastructure (PMI) enables authorization after authentication has occurred. This thesis is organized as follows. Chapter 2 introduces the relevant theories of e-government and cryptography. Chapter 3 presents the basic ideas of PKI and PMI, and provides a comparison between them. Based on role-based access control and attribute certificates, an improved PMI model (RBPMI) is proposed in Chapter 4. First we summarize the performance-related requirements that RBPMI has to fulfill. Then the architecture and workflow are explicitly described. We emphasize the research and design of the access control mechanism, the authorization scheme and the certificate structure. Finally we discuss the mechanisms of certificate revocation and freshness. Chapter 5 presents the conclusion and proposes further work. Based on the theory of PMI, this paper gives a revised privilege management model to implement access control and privilege management. It was accomplished under the condition that there are no explicit related specifications and standards in our country, especially in e-government. It might be helpful to further research and application in this area.

  • 【Classification code】TP399
  • 【Times cited】3
  • 【Downloads】135