Research and Implementation of Access Control Technology for .NET-Based Distributed Application Systems
Abstract
With the rapid development of the Internet, distributed application systems are increasingly widely used. An urgent problem is how, behind the security barrier jointly built by firewalls, intrusion detection systems, the operating system and the .NET platform, to keep unauthorized users out of the system while ensuring that authorized users can see only the data within the scope of their permissions. Most current access control implementations are costly, inefficient and lack a unified standard, and fine-grained access control is difficult and complex to implement.
To address these problems, this thesis studies and discusses the theory and technology of access control, mainly: the concept of access control, access control frameworks, access control mechanisms, access control policies and the eXtensible Access Control Markup Language (XACML). It also studies the conceptual model and framework of Privilege Management Infrastructure (PMI) and attribute certificates.
On this basis, the thesis designs and implements an access control solution for .NET-based distributed application systems. The main work is as follows:
1) XML is used to improve the encoding of attribute certificates.
2) XACML is used to describe authorization and access control policies, and the XACML access control decision model is integrated into the overall system design so that it applies better to distributed application systems.
3) Taking the information management system of a car brand's 4S dealership as the prototype, an access control scheme for a .NET-based distributed application system is designed; its concrete implementation uses PMI security middleware.
4) Fine-grained access control independent of the specific application is designed and implemented.
5) User privilege management and assignment are simplified, reducing management cost and system complexity.
Practical application shows that the .NET-based access control scheme designed in this thesis solves user privilege management, fine-grained access control and related problems in distributed application systems well, and offers a new approach to improving the security of distributed application systems.
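The abstract names the XACML decision model (item 2) and application-independent fine-grained access control (item 4) without showing how a policy decision is actually reached. The following Python block is an added illustration, not code from the thesis or from any XACML implementation: it is a toy policy decision point (PDP) over a deliberately simplified, XACML-like XML format (plain element names, no OASIS namespaces or schema), with a constructed policy for the 4S-dealership scenario the thesis uses as its prototype (roles "sales" and "manager", a "customer-record" resource and read/delete actions are all assumed here). It shows the three pieces a practitioner cares about: target matching on subject/resource/action attributes, a per-rule condition that makes the decision fine-grained (a salesperson may read only records they own), and the deny-overrides combining algorithm, with a deny-biased policy enforcement point (PEP) that treats anything other than an explicit Permit as a refusal.

```python
"""Toy XACML-style policy decision point (added example; simplified, not the OASIS XACML schema)."""
import xml.etree.ElementTree as ET

# Constructed sample policy for an assumed 4S-dealership system.
# Element names mirror XACML concepts (Policy, Rule, Target, Condition, Effect,
# RuleCombiningAlgId) but the attribute-based matching syntax is a simplification.
POLICY_XML = """
<Policy PolicyId="dealership-customer-records" RuleCombiningAlgId="deny-overrides">
  <Rule RuleId="sales-read-own-customers" Effect="Permit">
    <Target>
      <Subject attribute="role" value="sales"/>
      <Resource attribute="type" value="customer-record"/>
      <Action attribute="id" value="read"/>
    </Target>
    <!-- fine-grained part: the record's owner must equal the requesting subject -->
    <Condition function="string-equal" subject="id" resource="owner"/>
  </Rule>
  <Rule RuleId="manager-read-all" Effect="Permit">
    <Target>
      <Subject attribute="role" value="manager"/>
      <Resource attribute="type" value="customer-record"/>
      <Action attribute="id" value="read"/>
    </Target>
  </Rule>
  <Rule RuleId="deny-delete-archived" Effect="Deny">
    <Target>
      <Resource attribute="status" value="archived"/>
      <Action attribute="id" value="delete"/>
    </Target>
  </Rule>
</Policy>
"""


def make_request(subject, resource, action):
    """Build a request context: three attribute dictionaries keyed by category."""
    return {"subject": subject, "resource": resource, "action": action}


def _match_target(target, request):
    """A Target matches when every Subject/Resource/Action match succeeds.
    As in XACML, a rule with no Target applies to every request."""
    if target is None:
        return True
    for match in target:
        category = match.tag.lower()  # "subject", "resource" or "action"
        attrs = request.get(category, {})
        if attrs.get(match.get("attribute")) != match.get("value"):
            return False
    return True


def _condition_holds(cond, request):
    """Evaluate the single supported condition function: string-equal between
    one subject attribute and one resource attribute. Missing attributes fail closed."""
    if cond is None:
        return True
    if cond.get("function") != "string-equal":
        raise ValueError("unsupported condition function: %s" % cond.get("function"))
    left = request.get("subject", {}).get(cond.get("subject"))
    right = request.get("resource", {}).get(cond.get("resource"))
    return left is not None and left == right


def evaluate_rule(rule, request):
    """Return the rule's Effect if target and condition hold, else NotApplicable."""
    if not _match_target(rule.find("Target"), request):
        return "NotApplicable"
    if not _condition_holds(rule.find("Condition"), request):
        return "NotApplicable"
    return rule.get("Effect")


def evaluate_policy(policy_xml, request):
    """PDP: evaluate every rule and combine the results with the policy's algorithm."""
    policy = ET.fromstring(policy_xml)
    decisions = [evaluate_rule(rule, request) for rule in policy.findall("Rule")]
    algorithm = policy.get("RuleCombiningAlgId")
    if algorithm == "deny-overrides":
        if "Deny" in decisions:
            return "Deny"
        if "Permit" in decisions:
            return "Permit"
        return "NotApplicable"
    if algorithm == "permit-overrides":
        if "Permit" in decisions:
            return "Permit"
        if "Deny" in decisions:
            return "Deny"
        return "NotApplicable"
    raise ValueError("unsupported combining algorithm: %s" % algorithm)


def is_allowed(policy_xml, request):
    """PEP: deny-biased, so NotApplicable (no matching rule) is refused, not granted."""
    return evaluate_policy(policy_xml, request) == "Permit"


if __name__ == "__main__":
    own = make_request({"id": "alice", "role": "sales"},
                       {"type": "customer-record", "owner": "alice", "status": "active"},
                       {"id": "read"})
    other = make_request({"id": "alice", "role": "sales"},
                         {"type": "customer-record", "owner": "bob", "status": "active"},
                         {"id": "read"})
    print(evaluate_policy(POLICY_XML, own), evaluate_policy(POLICY_XML, other))
```

The application-independence the thesis aims for comes from the request context: the PDP never sees application objects, only the attribute dictionaries the PEP extracts from them, so the same policy engine can sit in front of any .NET service that can describe its subject, resource and action as attributes. The deny-biased PEP matters in practice: a request that no rule covers (a salesperson reading a colleague's customer) yields NotApplicable, and treating that as a refusal is what keeps a gap in the policy from becoming an authorization bypass.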