Research on Authentication and Authorization Based on PKI/PMI
Abstract
Public Key Infrastructure (PKI) provides identity authentication services in open network environments. Privilege Management Infrastructure (PMI) extends PKI into the field of authorization management. It uses Attribute Certificates (AC) to assign permissions to users, with the aim of mapping user identities to application authorizations and providing authorization and access control mechanisms that correspond to the actual mode of business processing and are independent of the development and management of any specific application system.
     Role-based Access Control (RBAC) logically separates users from access permissions by introducing the concept of roles. It is flexible and greatly simplifies permission management, and it is regarded as an effective and widely used access control model. The PMI role model assigns permissions by issuing Role Specification Attribute Certificates and Role Assignment Attribute Certificates, which makes it possible to combine RBAC with PMI.
     In ARBAC97, it is difficult for an administrative role to assign regular roles to users according to whether they possess certain characteristics. To address this problem, an extended ARBAC model that introduces the concept of attributes is proposed.
     Building on a study of PKI/PMI theory, the PMI role model is improved: User-group Specification Attribute Certificates and User-group Assignment Attribute Certificates are added to simplify permission management for application systems; an access control policy repository is added locally at the privilege verifier to control access to resources; and a local certificate repository is added at the privilege verifier to improve certificate processing efficiency. Methods for handling role inheritance, private permissions, and role delegation in RBAC within the PMI framework are also given.
     Finally, a PMI security platform framework that implements RBAC on top of PKI identity authentication is designed. The syntax of the authorization policy used to assign permissions is defined in Extensible Markup Language (XML), and the processes of authorization management and access control enforcement are described in detail. The framework can serve as a reference for building PMI systems.