Research on XML Security Authentication Protocols and Single Sign-On Systems
Abstract
This thesis first introduces the fundamentals of XML and, on that basis, describes the architecture of XML Web Services and studies several XML security authentication protocols that have become standards. It then surveys the standard approaches to single sign-on and introduces a SAML-based single sign-on system. Finally, the thesis points out where this system falls short and proposes a new design that uses a PKI mechanism, issuing digital certificates to establish a secure communication environment; it gives the message exchange and processing flow of the new scheme, analyzes the resulting performance improvement, and discusses the security of the new single sign-on model.
The main contributions of this thesis are as follows:
1. A clear description of the XML Web Service architecture built on XML technologies;
2. A study of the security extensions to SOAP, an application of XACL to a concrete implementation to discuss its principles and use, and a summary of the SAML architecture and how SAML works;
3. Application of a PKI mechanism to the Liberty Alliance single sign-on system, issuing digital certificates to improve the establishment of a secure communication environment; the message exchange and processing flow of the improved system are given, the performance gains of the new system are analyzed, and the infeasibility of attacks against the new system is discussed in detail;
4. Clarification, from several angles, of common misconceptions about SAML;
5. A proposal to apply PKI in computational grids to solve the single sign-on problem.
This thesis presents the fundamentals of XML, the XML Web Service architecture, and XML-related secure authentication techniques. It then introduces several single sign-on standards and the SAML-based single sign-on scheme of the Liberty Alliance protocol. Finally, improvements are proposed and a PKI mechanism is applied to provide a secure communication environment. The main contents are:
1. XML Web Services built on XML technologies are presented thoroughly.
2. The security extensions of SOAP are analyzed, XACL is applied in a concrete implementation to discuss its principle and application, and the SAML architecture and its working principle are summarized.
3. PKI is proposed for application to the SSO system of the Liberty Alliance. Based on this model, the new message exchange and processing flow are described; the optimization of system performance is analyzed and the infeasibility of attacks on the system is discussed in detail.
4. Misconceptions about SAML are clarified from several angles.
5. The adoption of PKI in grid computing to solve SSO is presented.