Application of RBAC and X.509 Certificates on the Web
Abstract
With the digitisation of all kinds of information and the implementation of projects such as government-on-the-Internet and e-government, the need for access control and confidentiality of web page content is becoming ever more apparent. This paper examines the use of X.509 electronic certificates together with SSL technology to perform strong authentication of users. An authentication system based on X.509 certificates is a widely recognised, reliable authentication mechanism; its security rests on a solid mathematical foundation and it has not been broken in many years of use. From the perspective of system implementation, the paper also surveys the attacks that SSL faces and shows that SSL with X.509 certificates is soundly designed and resistant to attack. At the same time, RBAC is used to apply role-based access control to users who wish to access a given resource. RBAC, the role-based access control method, was proposed by computer security experts after studying many access control methods, including the discretionary access control (DAC) and mandatory access control (MAC) that remain in common use today; it provides centralised management while reducing administrative overhead. Through identity authentication and access control, internal information can be protected effectively, and this mechanism has been implemented on the information system of a national government agency. This paper can serve as a technical reference for strong authentication and authorisation of web page content once agencies and companies go online.
With the digitalization of information and the advance of electronic government, there is an increasing requirement for classified access to, and content confidentiality of, web pages. This article discusses a method of strong authentication that takes advantage of X.509 certificates and the SSL mechanism to identify users. Authentication with X.509 certificates is a well-known, robust mechanism for identifying communicating entities. Its security is based on well-founded mathematical theory, and after many years of use it still works well. This article also inspects the attacks that SSL faces, showing that it is well designed and can withstand various kinds of attacks. Meanwhile, I introduce the RBAC method to fulfill the need for role-based access control. The RBAC method, also called Role Based Access Control, was introduced by security experts after intensive research on access control methods, including those widely used today such as DAC and MAC. It gives administrators centralized control while reducing the cost of management. Through the adoption of the X.509 certificate mechanism and RBAC access control, we can effectively protect internal information. An implementation for a hypothetical entity is demonstrated. This article can provide a reference for a scheme that deploys authentication and authorization to the web pages of entities such as government departments and companies.
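The combination the abstract describes, SSL client-certificate authentication followed by role-based authorization of web resources, as an added example that is not code from the thesis. It assumes the web server has already verified the client certificate and hands the application the subject Distinguished Name (as Apache mod_ssl does through SSL_CLIENT_S_DN); the DNs, roles, users and URL patterns are constructed sample data, and the role hierarchy follows the NIST hierarchical RBAC model the abstract cites.

```python
"""Added example (not the thesis's code): map the subject DN of an
SSL-verified X.509 client certificate to RBAC roles and decide a web
request. DNs, roles, users and URL patterns are constructed sample data."""
from fnmatch import fnmatchcase

# Constructed role hierarchy (NIST hierarchical RBAC): a senior role
# inherits every permission of its junior roles. role -> junior roles.
ROLE_HIERARCHY = {
    "admin": {"editor"},
    "editor": {"viewer"},
    "viewer": set(),
}

# Constructed permission assignment: role -> {(HTTP method, path glob)}.
PERMISSIONS = {
    "viewer": {("GET", "/internal/*")},
    "editor": {("POST", "/internal/docs/*")},
    "admin": {("DELETE", "/internal/*"), ("GET", "/admin/*")},
}

# Constructed user assignment keyed by the full certificate subject DN
# (as a server exposes it after SSL verification, e.g. SSL_CLIENT_S_DN).
# Keying on the full DN rather than CN alone avoids collisions on a name.
USER_ROLES = {
    "CN=alice,OU=Archives,O=Example Agency,C=CN": {"editor"},
    "CN=bob,OU=IT,O=Example Agency,C=CN": {"admin"},
}

def effective_roles(roles):
    """Expand assigned roles through the hierarchy (admin also holds viewer)."""
    result, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role not in result:
            result.add(role)
            stack.extend(ROLE_HIERARCHY.get(role, set()))
    return result

def is_authorized(subject_dn, method, path):
    """Decide a request for an authenticated subject DN. An unknown DN or an
    unmatched permission falls through to deny, so the default is deny."""
    assigned = USER_ROLES.get(subject_dn)
    if not assigned:
        return False
    for role in effective_roles(assigned):
        for perm_method, pattern in PERMISSIONS.get(role, set()):
            if perm_method == method and fnmatchcase(path, pattern):
                return True
    return False
```

The DN must come only from the server's own certificate verification, never from a client-supplied header, or the RBAC layer authorizes whatever identity the client claims.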