企业级PKI身份认证和访问控制研究
|
摘要
随着计算机技术、网络技术以及通信技术的发展和应用,企业信息化已成为企业实现可持续化发展和提高市场竞争力的重要保障。由于计算机网络和信息系统的开放性和脆弱性,为企业管理服务的信息系统客观地存在着已知的或潜在的安全威胁,这些安全威胁将不可避免地延伸到企业的正常运营、生产及销售等经营活动,甚至威胁到企业的生存。
企业信息安全问题呈现出许多新特点,如主体的复杂化、安全信息的不完整性、安全度量的相对化、安全需求的个性化和安全措施的自适性等。传统的身份认证及访问控制技术和手段已难以解决异构协同环境中应用系统的安全问题,根本原因在于身份的可伪造性、环境的动态变化以及控制的离散性。本文以提出的任务化角色访问控制模型和企业级PKI/PMI身份认证框架为基础,结合企业层次化的组织架构,提出了一个适合企业异构系统环境中统一身份认证及逐级授权管理框架。
本文的具体成果如下:
①设计了任务化角色授权模型,该工作在基于角色授权的访问控制基础上完成,并增加了对企业组织层次以及工作任务分发的支持。
②设计并实现了企业级的PKI身份证书和PMI属性证书的信任授权原型系统,为企业在复杂异构环境下实现了信任管理核心运行机制,通过符合Web Service规范的接口提供服务。
③设计了一个任务化角色授权的信任管理框架。在应用上下文一致性检查的任务管理框架的基础上,结合企业级PKI系统的身份认证技术并增加了任务化角色授权机制来实现信任管理框架。
With computer technology, network technology and communication technology development and application of information technology has become a business enterprise to achieve sustainable development and improve the market competitiveness of the important safeguards. As computer networks and information systems openness and vulnerability for enterprise information management services is the existence of an objective system known or potential security threats, these security threats will inevitably extend to the normal operation of enterprises, producing and marketing , and other business activities, and even a threat to the survival of enterprises.
Enterprise information security has many new features, such as the complexity of the main security information, with the integrity of the relative safety measure, the security needs of the individual and security measures, such as self-adaptive. Traditional authentication and access control technologies and means have been difficult to resolve heterogeneous collaborative environment Application System security issues, the fundamental reason is that identity can be forged, the environment and the dynamic changes of discrete control. In this paper the task of the role access control model and enterprise-class PKI / PMI authentication framework, the level of enterprises with the organization, raised a heterogeneous system suited to the business environment in uniform identity authentication and management framework levels mandate.
The concrete results of this paper are as follows:
①design of the tasks mandated role model, the work authorized in role-based access control based on the completion and increased levels of business organizations and the support of distributed tasks.
②designed and implemented enterprise-class identity certificates and PKI certificate PMI attribute the trust authorized prototype system for enterprises in complex heterogeneous environments under the trust management of the core operating mechanism, through the Web Service to provide a standardized interface services.
③designed a task mandated role of the trust management framework. Check consistency in the application of contextual framework for the management tasks on the basis of combining enterprise-class identity authentication system PKI technology and to increase the role of the task of licensing mechanism to achieve trust management framework.
企业信息安全问题呈现出许多新特点,如主体的复杂化、安全信息的不完整性、安全度量的相对化、安全需求的个性化和安全措施的自适性等。传统的身份认证及访问控制技术和手段已难以解决异构协同环境中应用系统的安全问题,根本原因在于身份的可伪造性、环境的动态变化以及控制的离散性。本文以提出的任务化角色访问控制模型和企业级PKI/PMI身份认证框架为基础,结合企业层次化的组织架构,提出了一个适合企业异构系统环境中统一身份认证及逐级授权管理框架。
本文的具体成果如下:
①设计了任务化角色授权模型,该工作在基于角色授权的访问控制基础上完成,并增加了对企业组织层次以及工作任务分发的支持。
②设计并实现了企业级的PKI身份证书和PMI属性证书的信任授权原型系统,为企业在复杂异构环境下实现了信任管理核心运行机制,通过符合Web Service规范的接口提供服务。
③设计了一个任务化角色授权的信任管理框架。在应用上下文一致性检查的任务管理框架的基础上,结合企业级PKI系统的身份认证技术并增加了任务化角色授权机制来实现信任管理框架。
With computer technology, network technology and communication technology development and application of information technology has become a business enterprise to achieve sustainable development and improve the market competitiveness of the important safeguards. As computer networks and information systems openness and vulnerability for enterprise information management services is the existence of an objective system known or potential security threats, these security threats will inevitably extend to the normal operation of enterprises, producing and marketing , and other business activities, and even a threat to the survival of enterprises.
Enterprise information security has many new features, such as the complexity of the main security information, with the integrity of the relative safety measure, the security needs of the individual and security measures, such as self-adaptive. Traditional authentication and access control technologies and means have been difficult to resolve heterogeneous collaborative environment Application System security issues, the fundamental reason is that identity can be forged, the environment and the dynamic changes of discrete control. In this paper the task of the role access control model and enterprise-class PKI / PMI authentication framework, the level of enterprises with the organization, raised a heterogeneous system suited to the business environment in uniform identity authentication and management framework levels mandate.
The concrete results of this paper are as follows:
①design of the tasks mandated role model, the work authorized in role-based access control based on the completion and increased levels of business organizations and the support of distributed tasks.
②designed and implemented enterprise-class identity certificates and PKI certificate PMI attribute the trust authorized prototype system for enterprises in complex heterogeneous environments under the trust management of the core operating mechanism, through the Web Service to provide a standardized interface services.
③designed a task mandated role of the trust management framework. Check consistency in the application of contextual framework for the management tasks on the basis of combining enterprise-class identity authentication system PKI technology and to increase the role of the task of licensing mechanism to achieve trust management framework.
引文
[1] William Stallings. 潇湘工作室. 网络安全要素-应用与标准. 人民邮电出版社, 2000. 11
[2] 蔡乐才, 张仕斌. 应用密码学. 中国电力出版社, 2005. 2
[3] NASHA. 张玉清. 公钥基础设施(PKI). 清华大学出版社, 2002. 12
[4] 方勇. 信息系统安全导论. 电子工业出版社, 2003. 4
[5] 公安部公共信息网络安全检查局. 计算机信息系统安全保护等级划分准则. 中华人民共和国国家标准 GB/T 17859, 1999
[6] 吴世忠. 我国 PKI/CA 发展现状问题及前景展望. 信息安全与通信保密, 2001. 5
[7] 卢震宇, 戴英侠, 胡艳. 分布式认证系统互联信任路径构建分析和实现. 计算机工程与应用, 2002, (10):155-158
[8] 范玉顺, 黄双喜, 赵大哲. 企业信息化整体解决方案. 科学出版社, 2005. 6
[9] 奥古斯特-威廉·谢尔. 陈戎. 企业管理的计算机化. 上海科学技术文献出版社, 1994. 6
[10] 张根保, 陈友玲. 企业信息化. 机械工业出版社, 1999. 5
[11] 国家经贸委信息中心. 全国企业信息化建设现状和“十五” 规划情况调查报告. http://www. chinabbc. com. cn/news/news. asp?newsid=20041211167835&classid=, 2002. 2
[12] 张庆平, 郑辉. Web Service 认证体系的分析与实现. 计算机应用, 2003. 4
[13] 吕曦, 王化文. Web Service 的架构与协议. 计算机应用, 2002. 12
[14] 马亮, 顾明. 基于角色的工作流系统访问控制模型. 小型微型计算机系统, 2006, 27(4)
[15] 李庆华, 王小兵, 王多强. Web 服务基于代理和角色的访问控制模型研究. 计算机工程与科学, 2006, (12)
[16] 薛伟, 怀进鹏. 基于角色的访问控制模型的扩充和实现机制研究. 计算机研究与发展, 2003, 40(11)
[17] 徐日佳, 赵敬中. 一种改进的 RBAC 模型的研究与应用. 微机发展, 2005, (08)
[18] OpenLDAP org. http://www. openldap. org/doc/admin22/, 2004. 8
[19] S Chokhani. Internet X. 509 Public Key Infrastructure Certificate Policy and Certification Practices Framework. RFC 2527,1999
[20] R Housley. Internet X. 509 Public Key Infrastructure Certificate and CRL Profile,RFC 2459, 1999
[21] S Boeyen P Richard P Richard. Internet X. 509 Public Key Infrastructure LDAPv2Schema. RFC 2587, l999
[22] C Adams. Internet X. 509 Public Key Infrastructure Qualifled Certificates Profile. RFC 3039, 2001
[23] S Santesson. Internet X. 509 Public Key Infrastructure Certificate Managemem Protocols. RFC 25l0, 1999
[24] M Myers. X. 509 Internet Public Key Infrastructure Online Certificate Status Protocol—OCSP. RFC 2560, 1999
[25] M Myers, et al, et al. Internet X. 509 Certificate Request Message Format. RFC 2511, 1999
[26] D Ferraiolo, J Cugini, D R Kuhn. Role based access control. IEEE Computer Society Press, 1995
[27] LAMPSON B. Protection. In Proceedings of the 5th Symposium on Information Sciences and Systems. Princeton, 1974, 5:437–443.
[28] Bell DE, Lapadula LJ. Secure Computer Systems: Mathematical Foundations. Bedford: The Mitre Corporation, 1973, 1
[29] 戴国忠, 须德, 乔颖. 一种基于角色访问控制(RBAC)的新模型及其实现机制. 计算机研究与发展, 2000, (01)
[30] An Internet Attribute Certificate Profile for Authorization (RFC 3281)
[31] Martin Fowler, David Rice, Matthew Foemmel, Edward Hieatt, Robert Mee, Randy Stafford . Patterns of Enterprise Application Architecture. Pearson Education, 2002. 11
[32] 美国国防部. 计算机系统可信赖性评估标准(TCSEC), 1982
[33] 张传华, 李建华, 张彤. 基于 PMI 的 MAC 模式访问控制策略研究. 计算机学报, 2005, (20A)
[34] 张宏, 贺也平, 石志国. 基于周期时间限制的自主访问控制委托模型. 中国科技信息,2006, 29(8 期)
[35] 刘枫, 阚忠良. 基于PKI 的网络传输中电子印章的研究. 自动化技术与应用, 2004, 23(3)
[36] 王萍, 钟元生. 基于风险的PKI交叉认证模型研究. 计算机工程与应用, 2006, 42(28)
[37] 胡和平, 陈茜, 路松峰. 一种基于PKI的企业级安全电子邮件的体系结构. 网络安全技术与应用, 2005, (5)
[38] Joan Daemen, Vincent Rijmen. The Design of Rijindael:AES-the Advanced Encryption Standard. the US National Institute of Standards and Technology (NIST), 1997. 1
[39] Whitfield Diffie, Martin E Hellman. New directions in cryptography[J]. IEEE Trans on Information Theory, 1976, IT-22(6):644
[40] Rivest R L, Shamir A, Adleman L. A Method for obtaining Digital Signatures and Public-key Cryptosystem[J]. Comm ACM, 1978, 21(2):120-126
[2] 蔡乐才, 张仕斌. 应用密码学. 中国电力出版社, 2005. 2
[3] NASHA. 张玉清. 公钥基础设施(PKI). 清华大学出版社, 2002. 12
[4] 方勇. 信息系统安全导论. 电子工业出版社, 2003. 4
[5] 公安部公共信息网络安全检查局. 计算机信息系统安全保护等级划分准则. 中华人民共和国国家标准 GB/T 17859, 1999
[6] 吴世忠. 我国 PKI/CA 发展现状问题及前景展望. 信息安全与通信保密, 2001. 5
[7] 卢震宇, 戴英侠, 胡艳. 分布式认证系统互联信任路径构建分析和实现. 计算机工程与应用, 2002, (10):155-158
[8] 范玉顺, 黄双喜, 赵大哲. 企业信息化整体解决方案. 科学出版社, 2005. 6
[9] 奥古斯特-威廉·谢尔. 陈戎. 企业管理的计算机化. 上海科学技术文献出版社, 1994. 6
[10] 张根保, 陈友玲. 企业信息化. 机械工业出版社, 1999. 5
[11] 国家经贸委信息中心. 全国企业信息化建设现状和“十五” 规划情况调查报告. http://www. chinabbc. com. cn/news/news. asp?newsid=20041211167835&classid=, 2002. 2
[12] 张庆平, 郑辉. Web Service 认证体系的分析与实现. 计算机应用, 2003. 4
[13] 吕曦, 王化文. Web Service 的架构与协议. 计算机应用, 2002. 12
[14] 马亮, 顾明. 基于角色的工作流系统访问控制模型. 小型微型计算机系统, 2006, 27(4)
[15] 李庆华, 王小兵, 王多强. Web 服务基于代理和角色的访问控制模型研究. 计算机工程与科学, 2006, (12)
[16] 薛伟, 怀进鹏. 基于角色的访问控制模型的扩充和实现机制研究. 计算机研究与发展, 2003, 40(11)
[17] 徐日佳, 赵敬中. 一种改进的 RBAC 模型的研究与应用. 微机发展, 2005, (08)
[18] OpenLDAP org. http://www. openldap. org/doc/admin22/, 2004. 8
[19] S Chokhani. Internet X. 509 Public Key Infrastructure Certificate Policy and Certification Practices Framework. RFC 2527,1999
[20] R Housley. Internet X. 509 Public Key Infrastructure Certificate and CRL Profile,RFC 2459, 1999
[21] S Boeyen P Richard P Richard. Internet X. 509 Public Key Infrastructure LDAPv2Schema. RFC 2587, l999
[22] C Adams. Internet X. 509 Public Key Infrastructure Qualifled Certificates Profile. RFC 3039, 2001
[23] S Santesson. Internet X. 509 Public Key Infrastructure Certificate Managemem Protocols. RFC 25l0, 1999
[24] M Myers. X. 509 Internet Public Key Infrastructure Online Certificate Status Protocol—OCSP. RFC 2560, 1999
[25] M Myers, et al, et al. Internet X. 509 Certificate Request Message Format. RFC 2511, 1999
[26] D Ferraiolo, J Cugini, D R Kuhn. Role based access control. IEEE Computer Society Press, 1995
[27] LAMPSON B. Protection. In Proceedings of the 5th Symposium on Information Sciences and Systems. Princeton, 1974, 5:437–443.
[28] Bell DE, Lapadula LJ. Secure Computer Systems: Mathematical Foundations. Bedford: The Mitre Corporation, 1973, 1
[29] 戴国忠, 须德, 乔颖. 一种基于角色访问控制(RBAC)的新模型及其实现机制. 计算机研究与发展, 2000, (01)
[30] An Internet Attribute Certificate Profile for Authorization (RFC 3281)
[31] Martin Fowler, David Rice, Matthew Foemmel, Edward Hieatt, Robert Mee, Randy Stafford . Patterns of Enterprise Application Architecture. Pearson Education, 2002. 11
[32] 美国国防部. 计算机系统可信赖性评估标准(TCSEC), 1982
[33] 张传华, 李建华, 张彤. 基于 PMI 的 MAC 模式访问控制策略研究. 计算机学报, 2005, (20A)
[34] 张宏, 贺也平, 石志国. 基于周期时间限制的自主访问控制委托模型. 中国科技信息,2006, 29(8 期)
[35] 刘枫, 阚忠良. 基于PKI 的网络传输中电子印章的研究. 自动化技术与应用, 2004, 23(3)
[36] 王萍, 钟元生. 基于风险的PKI交叉认证模型研究. 计算机工程与应用, 2006, 42(28)
[37] 胡和平, 陈茜, 路松峰. 一种基于PKI的企业级安全电子邮件的体系结构. 网络安全技术与应用, 2005, (5)
[38] Joan Daemen, Vincent Rijmen. The Design of Rijindael:AES-the Advanced Encryption Standard. the US National Institute of Standards and Technology (NIST), 1997. 1
[39] Whitfield Diffie, Martin E Hellman. New directions in cryptography[J]. IEEE Trans on Information Theory, 1976, IT-22(6):644
[40] Rivest R L, Shamir A, Adleman L. A Method for obtaining Digital Signatures and Public-key Cryptosystem[J]. Comm ACM, 1978, 21(2):120-126