Research on Cross-Domain Identity Authentication Technology
Abstract
The rapid development of information technology, and in particular the spread of Internet technology, has made e-government and e-commerce among the most important fields of informatization, and information security on the network is an essential guarantee for their healthy and sustained development. Authentication is the process of establishing whether a claimed identity is genuine; it is one of the key mechanisms of network security and the basis for ensuring that an enterprise's information resources are accessed only by legitimate users. Cross-domain authentication builds on single-domain authentication to provide single sign-on (SSO) across several domains.
     One clear advantage of Web services is that they allow resource sharing and interoperation in heterogeneous environments. The security problems that come with this have led many enterprises to confine Web services to their internal networks, leaving each user with a separate identity on every system. The consequences are familiar: users must remember several sets of credentials and log in repeatedly, passwords proliferate, the chance that a password is intercepted rises, and maintaining each user's personal information is costly. Demand for identity management that spans domains has therefore grown. Identity federation answers it by leaving authentication data distributed across the participating domains' own stores and linking a user's separate identities into a federation, so that one authentication is accepted across domains, repeated logins are avoided and identity management is simplified.
     This thesis first analyses the security requirements of Web services and the development trend of identity authentication, from which the content and significance of the research follow. It then presents the background the work relies on, chiefly Kerberos, PKI and the Security Assertion Markup Language (SAML), and on that basis gives a detailed analysis and discussion of a distributed authentication model. SAML is studied in depth, and a cross-domain authentication system is then designed and implemented on top of it.
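The exchange the thesis describes, a user authenticating once in the home domain and being admitted by a service in another domain on the strength of a signed assertion, as an added example that is not part of the thesis or the system it implements. It stands in for SAML's XML-Signature with the IdP's X.509 certificate by using HMAC-SHA256 over the whole serialized assertion, with the IdP's key registered at the service provider out of band (as SAML metadata exchange would do); the entity IDs, the user, the password and the element names are invented. The checks the service provider performs before accepting the user (signature before anything else, issuer bound to the key that verified, validity window with bounded clock skew, audience restriction, one-time assertion ID) are the ones any SAML consumer has to do.

```python
import base64
import hashlib
import hmac
import secrets
import time
import xml.etree.ElementTree as ET


class IdentityProvider:
    """Home domain: authenticates the user locally, then issues a signed, audience-bound assertion."""

    def __init__(self, entity_id, signing_key):
        self.entity_id = entity_id
        self._key = signing_key  # stand-in for the private key of the IdP's X.509 certificate (assumption)
        self._users = {}         # name -> (salt, PBKDF2 digest): the single-domain credential store

    def add_user(self, name, password):
        salt = secrets.token_bytes(16)
        self._users[name] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def authenticate(self, name, password):
        salt, digest = self._users.get(name, (b"", b""))  # unknown user: the comparison always fails
        return hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000), digest)

    def issue_assertion(self, name, password, audience, lifetime=300):
        """Single-domain authentication first; only on success is the cross-domain assertion minted."""
        if not self.authenticate(name, password):
            return None
        now = int(time.time())
        root = ET.Element("Assertion", ID="_" + secrets.token_hex(16), IssueInstant=str(now))
        ET.SubElement(root, "Issuer").text = self.entity_id
        ET.SubElement(ET.SubElement(root, "Subject"), "NameID").text = name
        cond = ET.SubElement(root, "Conditions", NotBefore=str(now), NotOnOrAfter=str(now + lifetime))
        ET.SubElement(ET.SubElement(cond, "AudienceRestriction"), "Audience").text = audience
        xml = ET.tostring(root)
        # The MAC covers the whole serialized assertion, so no element can be swapped or wrapped.
        return base64.urlsafe_b64encode(xml).decode() + "." + hmac.new(self._key, xml, hashlib.sha256).hexdigest()


class ServiceProvider:
    """Relying domain: admits a user on the strength of an assertion from a trusted IdP, after checking it."""

    def __init__(self, entity_id, trusted_issuers, clock=time.time, skew=60):
        self.entity_id = entity_id
        self._trusted = dict(trusted_issuers)  # issuer entity ID -> verification key, exchanged as metadata
        self._clock = clock
        self._skew = skew                      # tolerated clock difference between domains, in seconds
        self._seen_ids = set()

    def consume(self, token):
        """Return the asserted NameID, or raise ValueError naming the reason the assertion is rejected."""
        b64, _, sig = token.rpartition(".")
        xml = base64.urlsafe_b64decode(b64)
        # 1. Signature over the raw bytes comes first; nothing is parsed or trusted until it verifies.
        issuer = next((iss for iss, key in self._trusted.items()
                       if hmac.compare_digest(hmac.new(key, xml, hashlib.sha256).hexdigest(), sig)), None)
        if issuer is None:
            raise ValueError("signature does not verify under any trusted issuer key")
        root = ET.fromstring(xml)
        if root.findtext("Issuer") != issuer:
            raise ValueError("Issuer element does not match the key that signed the assertion")
        # 2. Validity window, with bounded tolerance for clock skew.
        cond = root.find("Conditions")
        now = int(self._clock())
        if not int(cond.get("NotBefore")) - self._skew <= now < int(cond.get("NotOnOrAfter")) + self._skew:
            raise ValueError("assertion outside its validity window")
        # 3. Audience: an assertion minted for another service must not be accepted here.
        if cond.findtext("AudienceRestriction/Audience") != self.entity_id:
            raise ValueError("assertion was issued for a different audience")
        # 4. Replay: each assertion ID is accepted once (a real store would expire IDs with the assertion).
        if root.get("ID") in self._seen_ids:
            raise ValueError("assertion replayed")
        self._seen_ids.add(root.get("ID"))
        return root.findtext("Subject/NameID")


def run_scenarios():
    """Run the exchange and every rejection path on constructed data; returns each scenario's outcome."""
    key = secrets.token_bytes(32)
    idp = IdentityProvider("https://idp.example.org", key)
    idp.add_user("alice", "correct horse battery staple")
    sp = ServiceProvider("https://sp.example.com", {idp.entity_id: key})

    def attempt(verifier, tok):
        try:
            return verifier.consume(tok)
        except ValueError as exc:
            return "rejected: " + str(exc)

    token = idp.issue_assertion("alice", "correct horse battery staple", sp.entity_id)
    body, mac = token.split(".")
    forged = base64.urlsafe_b64encode(base64.urlsafe_b64decode(body).replace(b"alice", b"admin")).decode()
    late_sp = ServiceProvider(sp.entity_id, {idp.entity_id: key}, clock=lambda: time.time() + 3600)
    return {
        "bad_password": idp.issue_assertion("alice", "wrong", sp.entity_id),
        "login": attempt(sp, token),
        "replay": attempt(sp, token),
        "wrong_audience": attempt(sp, idp.issue_assertion("alice", "correct horse battery staple", "https://other.example.net")),
        "tampered": attempt(sp, forged + "." + mac),
        "stale": attempt(late_sp, idp.issue_assertion("alice", "correct horse battery staple", sp.entity_id)),
    }
```

`run_scenarios()` returns "alice" for the genuine login and a named rejection for each of the other cases. The order of the checks in `consume` is the point of the example: the signature is verified over the raw bytes before the XML is parsed or any element is read, because an attacker controls everything in the token until that moment; with real XML-Signature, where the signature may cover only a subtree, the same rule means reading the subject and conditions only from the signed subtree, which is what signature-wrapping attacks exploit when it is ignored.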

© 2004-2018 China Geological Library (中国地质图书馆). All rights reserved. 京ICP备05064691号 京公网安备11010802017129号

Address: 29 Xueyuan Road, Haidian District, Beijing. Postcode: 100083

Telephone: office (+86 10) 66554848; document lending, reference enquiries and novelty search: 66554700