Research on a Role-Based Grid Authorization Mechanism and Its Application in Manufacturing Grids (基于角色网格授权机制的研究及其在制造网格中的应用)
Abstract
Grid technology is an important information technology that has emerged internationally in recent years. Its goal is to share high-performance resources and to cooperate across a networked virtual environment, eliminating islands of information and islands of resources. Grid research and application have become a hot topic in distributed computing. In any network environment security is a critical issue; authorization is one of the important problems in grid security, and one that urgently needs solving.
By studying existing grid authorization mechanisms and role-based authorization models, and addressing the shortcomings of current mechanisms in multi-domain interoperation, this thesis builds on an analysis of the RBAC and IRBAC models to propose ICRBAC, an improved model suited to distributed multi-domain interoperation. Combining the grid environment with the ICRBAC model, it then proposes G-ICRBAC, a role-based authorization framework model for grid environments. The G-ICRBAC framework is then defined, each of its parts is analysed and designed in detail, and its workflow is given.
The implementation combines PKI with LDAP. The thesis analyses and designs in detail the core modules: the certificate centre, the certificate repository, the security policy management module, and the local-domain and foreign-domain access control managers. The local-domain access control manager caches each user's role set, which speeds up authorization decisions; both the local-domain and the foreign-domain access control manager queue access requests, which ensures the reliability and availability of the system.
Finally, a resource management system for a manufacturing grid was implemented on a Globus Toolkit 4 platform integrating the G-ICRBAC system. This fully demonstrates the high availability of the system.
Grid Computing is a new model of infrastructure for distributed computing. It is different from the traditional network system. In the Grid environment, all the users and the resources are dynamic. Trust between them must be created and destroyed dynamically, independently of the location of the entities, and this breaks the restrictions of traditional sharing and cooperation. In a Grid environment, the security schema of each domain restricts access to its computing resources; a new resource-sharing model that is freer and more convenient appears with this breach, and it also resolves problems that the traditional network cannot. Meanwhile, the features of the resources and the services, such as heterogeneity, dynamism and multi-domain operation, decide the importance of the security schema.
Currently there is a lot of research on Grid authorization problems, and several authorization model frameworks have been proposed. For example, Chadwick and Otenko proposed a policy-driven RBAC Privilege Management Infrastructure (PERMIS) in 2002; Thompson et al. proposed an access control architecture (Akenti) in 1999; Pearlman et al. proposed the Community Authorisation Service (CAS) in 2002; and Alfieri et al. proposed the Virtual Organisation Membership Service (VOMS) in 2003. Some of these models have central management problems or interoperability problems between virtual organizations.
Authorization and access control mechanisms in Grid environments have deficiencies. Based on an analysis of the RBAC model and the IRBAC model, this paper improves the RBAC model and proposes the CRBAC and ICRBAC models. The ICRBAC model, which is built on the CRBAC model, is better suited to distributed multi-domain interoperability. Combining the characteristics of the Grid environment, this paper proposes the G-ICRBAC framework. By combining Globus Toolkit 4 with the framework it realizes a grid authentication and authorization system, and applies that system to the resource management system of a manufacturing grid.
The work done in this paper is as follows:
1. The CRBAC model is proposed.
RBAC is a role-based access control model. The IRBAC model improves RBAC and is mostly used to resolve interoperability issues. When the IRBAC model translates between domains' roles, the following problems may arise: first, it violates the principle of separation of duties; secondly, there can be cyclic translations between domains' roles; thirdly, roles that can be freely translated between domains may bring potential security problems. These problems undermine the security policy in the domain and affect the security of the translation between domains' roles.
Therefore, a classed role-based access control model, CRBAC, is proposed. The model introduces administrative roles, interoperability administrative roles, in-roles, out-roles and common roles. Administrative roles are responsible for management within the domain. Interoperability administrative roles are responsible for proxying roles between domains. Roles of all other categories are known as common roles. To counter the problems that exist in the translation between domains' roles, this paper proposes the concept of the interface role, defined as the in-role and the out-role, whose duties are strictly limited. ICRBAC is a good model for solving the above problems: it makes the translation between domains' roles simple, flexible and secure.
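The role classes and the three IRBAC pitfalls above can be made concrete in code. The following is an added example, not code from the thesis or from its G-ICRBAC implementation: a small Python model in which the domain, role and user names are all constructed. Only out-role to in-role translations are accepted, a translation that would close a cycle between domains' roles is refused at configuration time, and an access decision is denied when translation would leave a user holding two mutually exclusive roles in the target domain.

```python
"""Added example: class-based cross-domain role translation in the ICRBAC style.
All domain, role and user names below are constructed for illustration."""
from collections import defaultdict
from enum import Enum
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

class Kind(Enum):
    ADMIN = "administrative"         # manages roles inside its own domain
    INTEROP_ADMIN = "interop-admin"  # manages in-/out-role translations between domains
    IN = "in-role"                   # interface role: entry point for foreign users
    OUT = "out-role"                 # interface role: exit point for local users
    COMMON = "common"                # every other role; never translated directly

Role = Tuple[str, str]  # (domain name, role name)

class Domain:
    def __init__(self, name: str) -> None:
        self.name = name
        self.kinds: Dict[str, Kind] = {}
        self.grants: Dict[str, Set[str]] = defaultdict(set)  # in-role -> local roles it confers
        self.sod: Set[FrozenSet[str]] = set()                # mutually exclusive role pairs
        self.users: Dict[str, Set[str]] = defaultdict(set)   # user -> directly assigned roles

    def add_roles(self, kind: Kind, *names: str) -> None:
        for n in names:
            self.kinds[n] = kind

    def grant_via_in_role(self, in_role: str, *local: str) -> None:
        # Privileges reach foreign users only through an in-role, never through a common role.
        assert self.kinds[in_role] is Kind.IN, "only in-roles confer privileges on foreign users"
        self.grants[in_role].update(local)

class Federation:
    def __init__(self, *domains: Domain) -> None:
        self.domains = {d.name: d for d in domains}
        self.translations: Dict[Role, Role] = {}  # (src domain, out-role) -> (dst domain, in-role)

    def successors(self, r: Role) -> List[Role]:
        """Roles implied by holding r: an out-role leads to its translated in-role, an in-role to
        the local roles it confers; administrative and common roles lead nowhere."""
        dom, name = r
        kind = self.domains[dom].kinds[name]
        if kind is Kind.OUT and r in self.translations:
            return [self.translations[r]]
        return [(dom, g) for g in self.domains[dom].grants[name]] if kind is Kind.IN else []

    def closure(self, start: List[Role]) -> Set[Role]:
        seen: Set[Role] = set()
        stack = list(start)
        while stack:
            cur = stack.pop()
            if cur not in seen:
                seen.add(cur)
                stack.extend(self.successors(cur))
        return seen

    def translation_problem(self, src: Role, dst: Role) -> Optional[str]:
        """Reason an out-role -> in-role translation must be refused, or None if acceptable."""
        if src[0] == dst[0]:
            return "translation must cross a domain boundary"
        if (self.domains[src[0]].kinds[src[1]] is not Kind.OUT
                or self.domains[dst[0]].kinds[dst[1]] is not Kind.IN):
            return "only out-role -> in-role translations are allowed"
        if src in self.closure([dst]):  # dst already reaches src: the new edge would close a loop
            return "translation would create a cycle between domain roles"
        return None

    def add_translation(self, src: Role, dst: Role) -> None:
        problem = self.translation_problem(src, dst)
        if problem:
            raise ValueError(problem)
        self.translations[src] = dst

    def authorize(self, user: str, home: str, target: Role) -> Tuple[bool, str]:
        """Decide target for a user of domain home; deny when translation left the user holding
        two mutually exclusive roles in any domain, which unconstrained role translation permits."""
        roles = self.closure([(home, r) for r in self.domains[home].users[user]])
        for dom, d in self.domains.items():
            held = {name for (rd, name) in roles if rd == dom}
            for pair in d.sod:
                if pair <= held:
                    return False, f"separation of duty violated in {dom}: {sorted(pair)}"
        return (True, "granted") if target in roles else (False, "role not held")

def build_example() -> Federation:
    """Constructed federation: design domain A exporting users into manufacturing domain B."""
    a, b = Domain("A"), Domain("B")
    a.add_roles(Kind.COMMON, "designer", "reviewer")
    a.add_roles(Kind.OUT, "a_out", "a_out2")
    a.add_roles(Kind.IN, "a_in")
    a.grant_via_in_role("a_in", "reviewer", "a_out")   # an in-role that re-exports: cycle bait
    b.add_roles(Kind.COMMON, "planner", "approver")
    b.add_roles(Kind.IN, "b_in", "b_in2")
    b.add_roles(Kind.OUT, "b_out")
    b.grant_via_in_role("b_in", "planner", "b_out")
    b.grant_via_in_role("b_in2", "approver")
    b.sod.add(frozenset(("planner", "approver")))      # nobody may both plan and approve a job
    a.users["alice"] = {"designer", "a_out"}
    a.users["carol"] = {"a_out", "a_out2"}
    fed = Federation(a, b)
    fed.add_translation(("A", "a_out"), ("B", "b_in"))
    fed.add_translation(("A", "a_out2"), ("B", "b_in2"))
    return fed
```

With this setup `fed.authorize("alice", "A", ("B", "planner"))` is granted through A's out-role and B's in-role, while carol, who was given both of A's out-roles, is refused in B because the two translations together hand her the mutually exclusive planner and approver roles; a later attempt to translate `("B", "b_out")` to `("A", "a_in")` is rejected because `a_in` re-exports `a_out`, which already leads back into B.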
2. G-ICRBAC is proposed.
A virtual organization needs its security policy to be localized, and it is difficult to implement uniform access control from a centre. If distributed control is implemented, the virtual organizations each form their own trust domains. Before inter-domain access can be implemented, trust authorization between domains must be in place: there must be a mechanism that can grant an out-of-domain user in-domain access privileges.
The ICRBAC model meets the demands of distributed management and cross-domain trust authorization. Therefore, following the ICRBAC model, this paper designs and implements a grid environment framework based on PKI and the ICRBAC model. The framework includes the authentication centre, certificate database, domain security policy management module, local access control, remote access control and audit management components. The extension of this model discusses the process of collecting environmental information, the variable attribute values of privilege-conferring certificates and the access verification algorithm, and gives examples of access. This model can meet the demands of distributed management in grid access control. It implements cross-domain authorization and role management inside the system, and it can also grant different privileges according to the environment from which the user logs in.
3. The paper implements the G-ICRBAC system.
In implementing the system, this paper adopts a Linux-based development platform, using PKI key technologies, an LDAP server to preserve certificates, and developing in C++ with the OpenSSL library. Following each module of the G-ICRBAC framework, the paper implements the main modules of the system; among these it mainly designs and implements the certificate centre, the certificate database, security policy management, and the LAC and RAC modules.
The certificate centre realizes domain certificates, identity certificates, role proxy certificates, role authentication certificates, authority-granting certificates, access certificates and so on, and it provides authentication, certificate issuance and certificate revocation. It is a firm foundation for realizing the overall system. Certificates of different types are classified when stored, which improves the speed of retrieval. The local access control handles requests for local resources. In the implementation, this paper designs two request queues to process requests from the local domain and from outside domains respectively, ensuring the availability and reliability of the system and serving local users' requests first; it compares and analyses two authorization algorithms, and adopts a cache for the user role set generated from the user's roles during verification, improving the speed of subsequent accesses. The remote access control processes requests from outside domains.
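To illustrate the two-queue local access control and the user role-set cache described above, here is an added Python example that is not part of the thesis's C++ implementation; the role store, policy table, user, role and resource names are constructed stand-ins for the LDAP-backed certificate store. It serves local-domain requests before foreign-domain ones, caches each user's closed role set after the first verification, and shows why the cache must be dropped when a role assignment is revoked.

```python
"""Added example: a local access controller with separate local/foreign request queues and a
cache of each user's closed role set. Users, roles, resources and policy are constructed."""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Request:
    user: str
    domain: str      # domain the requester authenticated in
    resource: str
    action: str


class RoleStore:
    """Stand-in for the LDAP-backed certificate store: direct role assignments plus a role
    hierarchy (role -> junior roles whose privileges it inherits)."""
    def __init__(self, assigned: Dict[str, Set[str]], juniors: Dict[str, Set[str]]) -> None:
        self.assigned = assigned
        self.juniors = juniors
        self.lookups = 0  # counts the expensive closure computations actually performed

    def closed_role_set(self, user: str) -> FrozenSet[str]:
        self.lookups += 1
        result: Set[str] = set()
        stack = list(self.assigned.get(user, ()))
        while stack:
            r = stack.pop()
            if r not in result:
                result.add(r)
                stack.extend(self.juniors.get(r, ()))
        return frozenset(result)


class LocalAccessController:
    def __init__(self, home: str, store: RoleStore, policy: Dict[Tuple[str, str], Set[str]]) -> None:
        self.home, self.store, self.policy = home, store, policy  # policy: (resource, action) -> roles
        self.local_q: Deque[Request] = deque()
        self.remote_q: Deque[Request] = deque()
        self.cache: Dict[str, FrozenSet[str]] = {}
        self.hits = 0

    def submit(self, req: Request) -> None:
        (self.local_q if req.domain == self.home else self.remote_q).append(req)

    def role_set(self, user: str) -> FrozenSet[str]:
        if user in self.cache:
            self.hits += 1
            return self.cache[user]
        self.cache[user] = self.store.closed_role_set(user)
        return self.cache[user]

    def revoke(self, user: str, role: str) -> None:
        """Any change to assignments must drop the cached set, or the revoked privilege lives on."""
        self.store.assigned.get(user, set()).discard(role)
        self.cache.pop(user, None)

    def decide(self, req: Request) -> bool:
        return bool(self.policy.get((req.resource, req.action), set()) & self.role_set(req.user))

    def run(self) -> List[Tuple[str, str, str, bool]]:
        """Drain both queues, always serving a pending local-domain request before a foreign one."""
        decisions = []
        while self.local_q or self.remote_q:
            req = (self.local_q or self.remote_q).popleft()
            decisions.append((req.user, req.resource, req.action, self.decide(req)))
        return decisions


def build_demo() -> LocalAccessController:
    store = RoleStore(
        assigned={"alice": {"engineer"}, "bob": {"guest_in"}},   # bob (foreign) holds only an in-role
        juniors={"engineer": {"reader"}, "guest_in": {"reader"}},
    )
    policy = {("cad-cluster", "submit"): {"engineer"}, ("drawings", "read"): {"reader"}}
    lac = LocalAccessController("A", store, policy)
    for req in [Request("bob", "B", "drawings", "read"),       # foreign request arrives first
                Request("alice", "A", "cad-cluster", "submit"),
                Request("alice", "A", "drawings", "read"),
                Request("bob", "B", "cad-cluster", "submit")]:
        lac.submit(req)
    return lac


def run_demo() -> dict:
    lac = build_demo()
    order = lac.run()
    stats = {"order": order, "hits": lac.hits, "lookups": lac.store.lookups}
    lac.revoke("alice", "engineer")
    stats["after_revoke"] = lac.decide(Request("alice", "A", "cad-cluster", "submit"))
    stats["lookups_after_revoke"] = lac.store.lookups
    return stats
```

Running `run_demo()` serves alice's two local requests before bob's, even though bob's arrived first; only two closure computations hit the store for four decisions, and after alice's engineer role is revoked her cached set is discarded so the next submit request is refused rather than served from stale data.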
4. An application in a manufacturing grid based on G-ICRBAC.
On a Globus Toolkit 4 platform integrated with the G-ICRBAC model, this paper introduces a grid application development model based on the G-ICRBAC system and the Web Service development process of GT4. Taking advantage of developing Grid Services in Java, it implements a resource management system application in a manufacturing grid.
The design and implementation of the resource management system includes the registration module, the security policy management module and the resource management module. Each module is deployed as a Grid Web Service.
The application of the G-ICRBAC system in the manufacturing grid resource management system illustrates the reliability, stability and high availability of the system.
References
[1] 徐志伟, 冯百明, 李伟. Grid Computing Technology (《网格计算技术》). Publishing House of Electronics Industry, May 2004.
[2] Sandhu, R., Coyne, E., Feinstein, H. and Youman, C. (1996) 'Role-based access control models', IEEE Computer, Vol. 29, No. 2, pp. 38–47.
[3] The Globus Security Team, Globus Toolkit Version 4 'Grid Security Infrastructure: A Standards Perspective', Version 4, updated September 12, 2005, pp. 6–8.
[4] 都志辉, 陈渝. Grid Computing (《网格计算》). Tsinghua University Press, October 2002, first printing.
[5] Chadwick, D. and Otenko, A. (2002) 'The PERMIS X.509 role based privilege management infrastructure', Proceedings of SACMAT 2002 Conference, Monterey, pp. 135–140.
[6] Thompson, M., Johnston, W., Mudumbai, S., Hoo, G., Jackson, K. and Essiari, A. (1999) 'Certificate-based access control for widely distributed resources', Proceedings of the Eighth USENIX Security Symposium, Washington, August, pp. 215–228.
[7] Pearlman, L., Welch, V., Foster, I., Kesselman, C. and Tuecke, S. (2002) 'A community authorization service for group collaboration', Proceedings of the IEEE 3rd International Workshop on Policies for Distributed Systems and Networks, Monterey, June, pp. 50–59.
[8] Lorch, M., Adams, D.B., Kafura, D., Koneni, M.S.R., Rathi, A. and Shah, S. (2003) 'The PRIMA system for privilege management, authorization and enforcement in grid environments', Proceedings of the 4th International Workshop on Grid Computing, Phoenix, November, pp. 109–116.
[9] Alfieri, R., Cecchini, R., Ciaschini, V., dell'Agnello, L., Frohner, Á., Gianoli, A., Lőrentey, K. and Spataro, F. (2003) 'VOMS, an authorization system for virtual organizations', Grid Computing: First European Across Grids Conference, Santiago de Compostela, February, pp. 33–40.
[10] Hai Jin. 'RB-GACA: A RBAC based grid access control architecture', Int. J. Grid and Utility Computing, Vol. 1, No. 1, 2005.
[11] RFC 2459, Internet X.509 Public Key Infrastructure, January 1999.
[12] Apu Kapadia, Jalal Al-Muhtadi, R. Campbell et al. 'IRBAC 2000: Secure Interoperability Using Dynamic Role Translation', in The 1st International Conference on Internet Computing, Monte Carlo Resort, Las Vegas, Nevada, USA, 2000. Los Alamitos, CA, USA: IEEE Comput. Soc. Press, 2000, pp. 41–47.
[13] Jalal Al-Muhtadi, R. Campbell, Apu Kapadia et al. 'The A-IRBAC 2000 Model: Administrative Interoperable Role-Based Access Control'. ACM Transactions on Information and Systems Security, 2001, 3(2): 173–182.
[14] Apu Kapadia, Jalal Al-Muhtadi, R. Campbell et al. 'IRBAC 2000: Secure interoperability using dynamic role translation', University of Illinois, Technical Report UIUCDCS-R-2000-2162, 2000.
[15] D. F. Ferraiolo, R. S. Sandhu, S. Gavrila et al. 'Proposed NIST standard for role-based access control', ACM Trans. Information and Systems Security, 2001, 4(3): 224–274.
[16] J. Crampton. 'Specifying and enforcing constraints in role-based access control', in: Proc. 8th ACM Symposium on Access Control Models and Technologies. New York: ACM Press, 2003, pp. 43–50.
[17] Ninghui Li, Ziad Bizri, Mahesh V. Tripunitara. 'On mutually-exclusive roles and separation of duty'. In: Proc. 11th Conf. Computer and Communications Security. New York: ACM Press, 2004, pp. 42–51.
[18] Ferraiolo, D., Sandhu, R.S., Gavrila, S., Kuhn, R. and Chandramouli, R., 'Proposed NIST Standard for Role-Based Access Control', ACM Transactions on Information and System Security, Vol. 4, No. 3, 2001: 224–274.
[19] 徐松, 赵曦滨, 顾明. A distributed RBAC model framework for grid environments (网格环境下的分布式RBAC模型框架), Computer Engineering (计算机工程), Vol. 32, No. 6.
[20] Bo Lang, Ian Foster. 'A Multipolicy Authorization Framework for Grid Security', IEEE NCA06, July 24–26, 2006.
[21] http://www.openldap.org/ OpenLDAP official site.
[22] Tuecke, S., Welch, V., Engert, D., Pearlman, L., Thompson, M. RFC 3820, Internet X.509 Public Key Infrastructure (PKI) Proxy Certificate Profile [S], 2004.
[23] Burton S. Kaliski Jr. 'A Layman's Guide to a Subset of ASN.1, BER, and DER', June 3, 1991.
[24] Ady Lee. CryptoAPI training tutorial (CryptoAPI 培训教程), 2002-3-1.
[25] Symeon (Simos) Xenitellis. 'The Open-source PKI Book: A guide to PKIs and Open-source Implementations', 1999, 2000.
[26] Matt Messier, John Viega. Secure Programming Cookbook for C and C++. O'Reilly, July 2003.
[27] RFC 2510, Internet X.509 Public Key Infrastructure Certificate Management Protocols. Network Working Group, February 2004.
[28] RFC 2585, Internet X.509 Public Key Infrastructure Operational Protocols: FTP and HTTP. Network Working Group, May 1999.
[29] Internet X.509 Public Key Infrastructure: Certificate Path Building. PKIX Working Group, January 2005.
[30] http://www.rsa.org.uk/ Introduction to the RSA algorithm.
[31] http://www.asn-online.org/ ASN standards.
[32] http://www.infosecurity.org.cn/ China information security organization.
[33] RFC 2251, Lightweight Directory Access Protocol (v3).
[34] http://ldap.akbkhome.com/index.php
[35] RFC 2252, Attribute Syntax Definitions.
[36] RFC 1823, The LDAP Application Program Interface.
[37] RFC 2253, UTF-8 String Representation of Distinguished Names.
[38] RFC 2254, The String Representation of LDAP Search Filters.
[39] RFC 2256, A Summary of the X.500(96) User Schema for use with LDAPv3.
[40] RFC 2849, The LDAP Data Interchange Format (LDIF) - Technical Specification.
[41] 陈阳. Research on a caching mechanism for the role-based access control model (基于角色访问控制模型的缓存机制研究), Computer Engineering (计算机工程), Vol. 32, No. 12.
[42] Birali Hakizumwami. Constructing Web Services with Globus Toolkit 4 (GT4). Original: http://www.onjava.com/pub/a/onjava/2005/10/19/constructing-web-services-with-globus-toolkit.html; Chinese translation: http://www.matrix.org.cn/resource/article/44/44032_Globus_Toolkit.html
[43] Richard Monson-Haefel (author), 崔洪斌, 王爱民 (translators). J2EE Web Services: Advanced Programming (《J2EE Web Service高级编程》), Tsinghua University Press, April 2005.
[44] Elliotte Rusty Harold (author), 刘文红, 赵伟明 (translators). Java and XML Processing Tutorial (《Java语言与XML处理教程》), Publishing House of Electronics Industry, May 2004, first printing.
[45] Rashim Mogha, V.V. Preetham (authors), 刘凌 (translator). Java Web Services Programming (《Java Web服务编程》), Tsinghua University Press, November 2003, first edition.
[46] http://www.chinagrid.net/ China Grid information hub.