【作者】 王飞；

【导师】 徐兰芳；

【作者基本信息】 华中科技大学 ， 计算机软件与理论， 2006， 硕士

【摘要】 公钥基础设施PKI(Public Key Infrastructure)技术在开放的网络环境中提供了身份认证服务。授权管理基础设施PMI(Privilege Management Infrastructure)是PKI在授权管理领域的扩展,它使用属性证书AC(Attribute Certificate)为用户分配权限,目标在于提供用户身份到应用授权的映射,提供与实际处理模式相对应的、与具体应用系统开发和管理无关的授权和访问控制机制。基于角色的访问控制RBAC(Role-based Access Control)通过引入角色的概念实现了用户与访问权限的逻辑分离,具有很好的灵活性,极大地方便了权限管理,被认为是一种比较有效而被广泛应用的访问控制模型。PMI角色模型通过颁发角色说明属性证书和角色分配属性证书分配权限,可以实现RBAC与PMI的结合。针对ARBAC97中管理角色为用户分配常规角色时不易根据用户是否拥有某些特征进行角色分配的问题,提出了引入属性概念的ARBAC扩展模型。在研究PKI/PMI理论的基础上,改进了PMI的角色模型:增加了用户组说明属性证书和用户组分配属性证书以简化应用系统权限的管理;在权限验证者本地增加访问控制策略库实现对资源的访问控制;增加权限验证者本地证书库以提高证书的处理效率。同时给出了PMI框架解决RBAC中角色继承、私有权限、角色委托等问题的方法。最后设计了一个基于PKI身份认证,实现RBAC的PMI安全平台框架,定义了用可扩展标记语言XML(Extensible Markup Language)描述的用于实现权限分配的授权策略的相关语法,着重介绍了授权管理和访问控制的实施过程,可以作为构建PMI系统的参考。更多还原

【Abstract】 In the open network environment, Public Key Infrastructure (PKI) provides identity authentication service. Privilege Management Infrastructure (PMI) is a way of extending PKI to support authorization. PMI uses Attribute Certificates (AC) to assign permissions to users, with the aim of mapping users’identities to permissions and providing authorization and access control mechanisms which are corresponding to practical transaction mode but irrespective of development and management of application system.Role-based Access Control (RBAC) model separates users from permissions logically through the concept of role. Since it is flexible and convenient to manage privileges, RBAC model is regarded as an efficient way to control access and it is widely used. Role model in PMI combines RBAC and PMI through issuing Role Specification Attribute Certificates and Role Assignment Attribute Certificates.An extended model of ARBAC with the concept of feature is proposed to contrapose the difficulty that administrative roles encounter when assigning general roles to users according to their characteristics in ARBAC97 model.Based on the research on the theories of PKI and PMI, we improve role model. User-group Specification Attribute Certificate and User-group Assignment Attribute Certificate are used to simplify the management of permissions. Access control policy depository and local certificate depository are deployed at privilege verifier to restrict the access to resources and enhance certificates query efficiency respectively. Some solutions related to implement RBAC in PMI, such as role hiberarchy, private permission, role delegation etc., are also presented. A secure PMI platform framework is also designed, which realizes RBAC and authentication using PKI. Authorization policy syntax is defined using Extensible Markup Language to assign permissions. We mainly focus on the processes of privilege management and access control, which can be referred to construct PMI systems.更多还原