【作者】 曾瑶；

【导师】 韩臻；

【作者基本信息】 北京交通大学 ， 信息安全， 2008， 硕士

【摘要】 随着办公自动化、电子商务的逐渐深入,政府部门、各单位和企业根据各自的业务需求建立了局域网并开发了各自的应用,而信息化的发展使得这些单域(在同一安全策略管理范围内的局域网)之间实现互连和信息共享的需求越来越迫切。在目前高度动态、异构化、分布式的现代信息系统中,跨越单个管理域的限制,在多个域之间进行安全互操作是一项非常必要的系统需求。然而,原有自主可控的单域网络在与其他网络互连后,如何实现安全可控的开放并保持原有应用的安全,即防止未授权用户访问和使用受保护的资源或服务,实现跨域授权管理,便成为了我们在信息化实施过程中要解决的关键问题之一。本文综合分析了现有的基于授权管理基础设施PMI、属性证书和RBAC的访问控制模型,在公钥基础设施PKI和PMI的基础之上,提出了一种基于角色和属性证书的跨域授权管理系统模型,该模型充分考虑了多域环境下安全策略的制定以及域间的协作,符合分布式系统的实际情况,相比其他分布式授权管理系统模型,具有更强的实用性和安全性。论文详细描述了域内授权管理及域间的角色映射和授权步骤,并从物理结构和逻辑结构两个方面对系统的实现做了详细设计,最后在设定的一个原型环境下对理论模型进行了模拟实现和验证。整个模拟系统的实现具有灵活性、易维护性和可操作性。更多还原

【Abstract】 As the popularization of OA and electronic business, departments in government and corporations have built local area network to develop their own applications according to their business needs. Information technology applications make the demand of interconnection and information-sharing among single-domains (the LANs under the control of a security policy) more and more pressing. Nowadays, dynamic, heterogeneous and distributed information systems call for secure interoperability between multi-domains beyond a single domain management restriction. However, after the independent and self-controlled single-domain network is interconnected with other networks, it’s hard to maintain the security of the original applications whilst keep them controllable (i.e. prevent unauthorized users from accessing and using protected resources and services). In other words, realization of cross-domain authorization management has become one of the key issues to be solved to apply IT.This thesis analyzes existing access control models which are based on PMI Attribute Certificate and RBAC, and then puts forward a distributed cross-domain privilege management model, which is called CD-RBAC. It uses roles and ACs for authorization and the realization of model is based on PKI (Public Key Infrastructure) and PMI (Privilege Management Infrastructure). In this model, constitution of the security policies and inter-domain collaboration in multi-domain environment has been considered. CD-RBAC model is in line with the actual situation in distributed systems, and is more practical and secure than other models. This thesis detailedly describes how to realize authorization management in domain, method of inter-domain role mapping, and authorization steps. Furthermore, the thesis makes a detailed instruction of the realization of the system in two aspects: the physical and logical structure. At last, we simulate and verify the theoretic model in a prototype environment. During the realization of this system, flexibility, maintenance and operability are fully considered.更多还原