授权管理基础设施PMI的研究及原型设计与实现
|
摘要
随着Internet的普及,网络应用尤其是电子商务和电子政务开始成为重要的网上活动,网络安全因其在网络应用中的重要性,日益成为一个不容忽视的问题。人们需要在网络中为用户提供身份鉴别和权限信息,以保证网络交互的安全。PKI (Public Key Infrastructures公钥基础设施)以密码学为理论基础,提供身份鉴别、机密性、完整性和不可否认性服务,成为网络应用中信任和授权的源泉。PKI以身份证书为载体,同时记录用户的身份信息和权限信息。然而在PKI的实际应用过程中,人们发现身份和权限有很多不同的属性,尤其在有效期上,权限由于不同的环境会经常变化,而身份则相对固定。将二者绑定到一个证书上不仅不利于对身份和权限的有效管理,而且需要频繁更新证书,给签证机关带来很大的工作量。鉴于以X.509v3为基础的PKI系统中上述身份持久性与用户权限短暂性之间的矛盾日益显著,2000年X.509v4协议提出授权管理基础设施PMI的概念。PMI分离了X.509v3标准中PKI的权限管理功能,提供更为严格、方便和高效的访问控制机制,是一种基于PKI系统之上的、实现访问权限管理的体系。
本文分析了X.509v4的PMI基本框架,在此基础上建立了基于角色委托机制的PMI模型,提出了PMI原型设计方案,并讨论了架构中证书管理、角色管理和策略管理的一些关键问题。最后在参考PKI系统基础上,实现了一个原型PMI——Mini PMI,并对其性能进行了简单分析。
XML作为一种元语言,具有平台无关性、自描述性等重要特征,正成为网络应用不可或缺的数据表示方式。XML可以根据需要定制,使之符合特定要求。目前XML安全性的研究也正如火如荼。本文探讨了安全XML技术在PMI系统中的应用,所设计的PMI系统完全基于XML格式,包括策略、日志以及证书等,使之可以与网络服务框架有机地结合起来,从而保证安全可信网络服务的效率。
With the development of Internet, network applications especially E-Business and E-Government become very popular in Internet. Because of its importance in the network applications, network security increasingly becomes a big problem we cannot ignore. To guarantee the security of network actions, we should provide and discriminate information of identity and authorization for users. PKI ( Public Key Infrastructures) , which is based on cryptography and provide authentication, confidentiality, integrity and non-repudiation, turns into the source of authentication and authorization in Internet. PKI records people's identities and privileges into public key certificate. In PKI system, however, we can find that identities and privileges have different attributes, especially in period of validity. Privileges often update in different condition while identities remain fixed in duration. Binding these two things to one certificate not only impair the efficiency of management of identities and privileges, but also bring much workload to CA(Certification Authority) for frequent updates of the certificate. Because the contradiction between permanent authentication identity and changeable authority attributes mentioned above in PKI (based on X.509v3) becomes more and more evident, PMI (Privilege Management Infrastructures) concept is brought in
X.509v4 in 2000. PMI separates the management function of privileges in the X.509v3 and offers a more strict, convenient and efficient access mechanism. PMI, based on PKI, realizes a management system of access privileges.
Based on analyzing the framework of PMI in X.509v4, a model based on role-based delegation mechanism is presented. The design of prototype PMI, some key problems such as certificate management, role management and policy management are discussed in the
thesis. Finally, the implement of a PMI system-Mini PMI
is realized with the reference of PKI system, as well as its performance analyzing.
XML, as a meta-language, is becoming the necessary data description in network applications as its platform-independence and self- description. XML can be customized on demand to fit for special requirement. The design of PMI system we done and its major modules, such as policy, log and certificate are conforming to XML formats. Thus we can combine it to network service framework and guarantee the efficiency of network service security and trust.
本文分析了X.509v4的PMI基本框架,在此基础上建立了基于角色委托机制的PMI模型,提出了PMI原型设计方案,并讨论了架构中证书管理、角色管理和策略管理的一些关键问题。最后在参考PKI系统基础上,实现了一个原型PMI——Mini PMI,并对其性能进行了简单分析。
XML作为一种元语言,具有平台无关性、自描述性等重要特征,正成为网络应用不可或缺的数据表示方式。XML可以根据需要定制,使之符合特定要求。目前XML安全性的研究也正如火如荼。本文探讨了安全XML技术在PMI系统中的应用,所设计的PMI系统完全基于XML格式,包括策略、日志以及证书等,使之可以与网络服务框架有机地结合起来,从而保证安全可信网络服务的效率。
With the development of Internet, network applications especially E-Business and E-Government become very popular in Internet. Because of its importance in the network applications, network security increasingly becomes a big problem we cannot ignore. To guarantee the security of network actions, we should provide and discriminate information of identity and authorization for users. PKI ( Public Key Infrastructures) , which is based on cryptography and provide authentication, confidentiality, integrity and non-repudiation, turns into the source of authentication and authorization in Internet. PKI records people's identities and privileges into public key certificate. In PKI system, however, we can find that identities and privileges have different attributes, especially in period of validity. Privileges often update in different condition while identities remain fixed in duration. Binding these two things to one certificate not only impair the efficiency of management of identities and privileges, but also bring much workload to CA(Certification Authority) for frequent updates of the certificate. Because the contradiction between permanent authentication identity and changeable authority attributes mentioned above in PKI (based on X.509v3) becomes more and more evident, PMI (Privilege Management Infrastructures) concept is brought in
X.509v4 in 2000. PMI separates the management function of privileges in the X.509v3 and offers a more strict, convenient and efficient access mechanism. PMI, based on PKI, realizes a management system of access privileges.
Based on analyzing the framework of PMI in X.509v4, a model based on role-based delegation mechanism is presented. The design of prototype PMI, some key problems such as certificate management, role management and policy management are discussed in the
thesis. Finally, the implement of a PMI system-Mini PMI
is realized with the reference of PKI system, as well as its performance analyzing.
XML, as a meta-language, is becoming the necessary data description in network applications as its platform-independence and self- description. XML can be customized on demand to fit for special requirement. The design of PMI system we done and its major modules, such as policy, log and certificate are conforming to XML formats. Thus we can combine it to network service framework and guarantee the efficiency of network service security and trust.
引文
·[1] ITU, Information Technology-Open system interconnection-The Directory: Public-key And Attribute Certificate Frameworks, ITU-T Recommendation X. 509, ITU, 2000
·[2] ITU, Information Technology-Open system interconnection-THE DIRECTORY: AUTHENTICATION FRAMEWORK, ITU-T Recommendation X.509, ITU, 1997
·[3] X.500 Editing Meeting, Copenhagen, 21-28 October 1999
·[4] Housley. R, Ford.W, Polk. W, etc., Internet X. 509 Public Key Infrastructure Certificate and CRL Profile, RFC 2459, IETF, 1999
·[5] C. Adams, S. Farrell, Internet X. 509 Public Key Infrastructure Certificate Management Protocols, RFC 2510, IETF, 1999
·[6] Sharon Boeyen,"X.509 4th edition: Overview of PKI &PMI Frameworks(Entrust Inc.)" http ://www.entrust. com/resources/pdf/509_overview, pdf (2000)
·[7] Sharon Boeyen, X.509 4th edition :X.509 (2000): What's new? (Entrust, Inc.), http ://www.entrust.com/resou rces/pdf/509_new.pdf(2000)
·[8] D. W. Chadwick "An X. 509 Role Based Privilege Management Infrastructure", Business Briefing-Global InfoSecurity 2002, World Markets Research Centre Ltd, ISBN: 1-903150-52-3, Oct 2001. On accompanying CD-ROM Reference Library/03.pdf
·[9] D. W. Chadwick, A. Otenko. "RBAC Policies in XML for X. 509 Based Privilege Management", accepted for SEC2002, Egypt, May 2002
·[10] Toni Nyknen, Attribute Certificates in X. 509, http://www.tcm.hut.fi/Opinnot/Tik-110.501/2000/papers/abstract_nykanen.html
·[11] D. W. Chadwick, O. Otenko, ISI, University of Salford, Salford, M5 4WT, The PERMIS X.509 Role Based Privilege Management Infrastructure, http://sec.isi.salford.ac.uk/download/SACMATfinal.pdf
·[12] The PERMIS Consortium, The PERMIS Project, Permis COMPA v0_6 ENG.ppt
·[13] PrivilEge and Role Management Infrastructure Standards validation, PERMIS presentation v1 ENG. ppt
·[14] [permis-10] A quick architectural overview, http://servizi.comune.bologna.it/mailing/archivi/progetti/permis/msg00002.html
·[15] Baltimore: SelectAccess Product Overview, http://www.baltimore.com
·[16] PKI based elsecurity, http://www.baltimore.com/pki-booklet.pdf
·[17] Tivoli SecureWay Authorization, http://www.simc-inc.org/archive9900/FebOO/clark/sld001.htm
·[18] http://www.tivoli.com
·[19] Security Solutions, http://www-3.ibm.com/security/index.shtml
·[20] IBM mainframe adds advanced security features http ://www. ibm. com/news/us/2002/03/256.html
·[21] Authentication &Authorization Complementary Solutions for Securing the Digital Enterprise, BioNetrix & Netegrity-Complementary Solutions For Securing the Digital Enterprise, netegrity.pdf
·[22] http://www.rsasecurity.com/products/cleartrust/index.html
·[23] Public-Key Infrastructure-The VeriSign Difference, http://www.verisign.com
·[24] Entrust GetAccess: Features&Benefits, http://www.entrust.com/getaccess/features.htm
·[25] Entrust' XML Strategy for Authorization, Entrust Inc. http://www.entrust.com
·[26] Web Services Trust and XML Security Standards, Entrust Inc. http://www.entrust.com
·[27] Mark Glaser, SAML Looks to Allay XML Security Concerns http://dcb.sun.com/practices/webservices/overviews/overview_saml.jsp
·[28] James Kobielus, Simplification, not XML, is the key to PKI success, http://www.nwfu sion. com/columnists/2001/0507kobielus. html
·[29] http://www.epicentric.com/news/news/press_releases_2000/12_04_0 O.jsp
·[30] Bruce Weiner, IBM Tivoli Access Manager for e-business v3.8 AuthMark Perfo rma nce,http://www.mindcraft.com/whitepapers/pd38/pd38.html
·[31] Bruce Weiner, Securant ClearTrust Version 4.2 AuthMark Login Performance, http://www.mindcraft.com/whitepapers/ct/ct42. html
·[32] Bruce Weiner, Baltimore Technologies SelectAccess 3.1 AuthMark Performance, http://www.mindcraft.com/whitepapers/sa31/sa31.html
·[33] Portals: The evolution of Extranet Access Management, http://www.entrust.com/resources/pdf/hurwitz_portals.pdf
·[34] Entrust Unveils U.S. Government Blueprint to Link National Security and E-Government Initiatives, http://www.entrust.com/news/files/11_08_01_774.htm
·[35] SDN. 801: ACCESS CONTROL CONCEPT AND MECHANISMS, National Security Agency,USA
·[36] http://www.sse.ie
·[37] J. Pjrvi, XML Encoding of SPKI Certificates, http://www.ietf.org/internet-drafts/draft-orri-spki-xml-cert-struc-00.txt
·[38] 谭寒生,佘堃,周明天,X.509v4的改进,电子学会第八届青年学术年会2002CIEYC,2002.7;
·[39] 谭寒生,张舰,谭兴烈,PMI与PKI模型关系研究,计算机应用Vol.22增刊,86-88,2002.8;
·[40] 谭寒生,周明天,基于角色委托的PMI系统的设计与实现,电子科技大学研究生学报,2002年No.16;
·[41] 严悍,张宏,许满武,基于角色访问控制对象建模及实现,计算机学报2000.10
·[42] 乔颖.须德,戴国忠,一种基于角色访问控制的新模型及其实现机制,计算机研究与发展,2000.1
·[43] 蔡菁,基于角色的多层应用系统安全控制,计算机工程与应用,2001.14
·[44] 邓集波,洪帆,基于任务的访问控制模型,软件学报,2003 Vol.14 No.1.76-82
·[2] ITU, Information Technology-Open system interconnection-THE DIRECTORY: AUTHENTICATION FRAMEWORK, ITU-T Recommendation X.509, ITU, 1997
·[3] X.500 Editing Meeting, Copenhagen, 21-28 October 1999
·[4] Housley. R, Ford.W, Polk. W, etc., Internet X. 509 Public Key Infrastructure Certificate and CRL Profile, RFC 2459, IETF, 1999
·[5] C. Adams, S. Farrell, Internet X. 509 Public Key Infrastructure Certificate Management Protocols, RFC 2510, IETF, 1999
·[6] Sharon Boeyen,"X.509 4th edition: Overview of PKI &PMI Frameworks(Entrust Inc.)" http ://www.entrust. com/resources/pdf/509_overview, pdf (2000)
·[7] Sharon Boeyen, X.509 4th edition :X.509 (2000): What's new? (Entrust, Inc.), http ://www.entrust.com/resou rces/pdf/509_new.pdf(2000)
·[8] D. W. Chadwick "An X. 509 Role Based Privilege Management Infrastructure", Business Briefing-Global InfoSecurity 2002, World Markets Research Centre Ltd, ISBN: 1-903150-52-3, Oct 2001. On accompanying CD-ROM Reference Library/03.pdf
·[9] D. W. Chadwick, A. Otenko. "RBAC Policies in XML for X. 509 Based Privilege Management", accepted for SEC2002, Egypt, May 2002
·[10] Toni Nyknen, Attribute Certificates in X. 509, http://www.tcm.hut.fi/Opinnot/Tik-110.501/2000/papers/abstract_nykanen.html
·[11] D. W. Chadwick, O. Otenko, ISI, University of Salford, Salford, M5 4WT, The PERMIS X.509 Role Based Privilege Management Infrastructure, http://sec.isi.salford.ac.uk/download/SACMATfinal.pdf
·[12] The PERMIS Consortium, The PERMIS Project, Permis COMPA v0_6 ENG.ppt
·[13] PrivilEge and Role Management Infrastructure Standards validation, PERMIS presentation v1 ENG. ppt
·[14] [permis-10] A quick architectural overview, http://servizi.comune.bologna.it/mailing/archivi/progetti/permis/msg00002.html
·[15] Baltimore: SelectAccess Product Overview, http://www.baltimore.com
·[16] PKI based elsecurity, http://www.baltimore.com/pki-booklet.pdf
·[17] Tivoli SecureWay Authorization, http://www.simc-inc.org/archive9900/FebOO/clark/sld001.htm
·[18] http://www.tivoli.com
·[19] Security Solutions, http://www-3.ibm.com/security/index.shtml
·[20] IBM mainframe adds advanced security features http ://www. ibm. com/news/us/2002/03/256.html
·[21] Authentication &Authorization Complementary Solutions for Securing the Digital Enterprise, BioNetrix & Netegrity-Complementary Solutions For Securing the Digital Enterprise, netegrity.pdf
·[22] http://www.rsasecurity.com/products/cleartrust/index.html
·[23] Public-Key Infrastructure-The VeriSign Difference, http://www.verisign.com
·[24] Entrust GetAccess: Features&Benefits, http://www.entrust.com/getaccess/features.htm
·[25] Entrust' XML Strategy for Authorization, Entrust Inc. http://www.entrust.com
·[26] Web Services Trust and XML Security Standards, Entrust Inc. http://www.entrust.com
·[27] Mark Glaser, SAML Looks to Allay XML Security Concerns http://dcb.sun.com/practices/webservices/overviews/overview_saml.jsp
·[28] James Kobielus, Simplification, not XML, is the key to PKI success, http://www.nwfu sion. com/columnists/2001/0507kobielus. html
·[29] http://www.epicentric.com/news/news/press_releases_2000/12_04_0 O.jsp
·[30] Bruce Weiner, IBM Tivoli Access Manager for e-business v3.8 AuthMark Perfo rma nce,http://www.mindcraft.com/whitepapers/pd38/pd38.html
·[31] Bruce Weiner, Securant ClearTrust Version 4.2 AuthMark Login Performance, http://www.mindcraft.com/whitepapers/ct/ct42. html
·[32] Bruce Weiner, Baltimore Technologies SelectAccess 3.1 AuthMark Performance, http://www.mindcraft.com/whitepapers/sa31/sa31.html
·[33] Portals: The evolution of Extranet Access Management, http://www.entrust.com/resources/pdf/hurwitz_portals.pdf
·[34] Entrust Unveils U.S. Government Blueprint to Link National Security and E-Government Initiatives, http://www.entrust.com/news/files/11_08_01_774.htm
·[35] SDN. 801: ACCESS CONTROL CONCEPT AND MECHANISMS, National Security Agency,USA
·[36] http://www.sse.ie
·[37] J. Pjrvi, XML Encoding of SPKI Certificates, http://www.ietf.org/internet-drafts/draft-orri-spki-xml-cert-struc-00.txt
·[38] 谭寒生,佘堃,周明天,X.509v4的改进,电子学会第八届青年学术年会2002CIEYC,2002.7;
·[39] 谭寒生,张舰,谭兴烈,PMI与PKI模型关系研究,计算机应用Vol.22增刊,86-88,2002.8;
·[40] 谭寒生,周明天,基于角色委托的PMI系统的设计与实现,电子科技大学研究生学报,2002年No.16;
·[41] 严悍,张宏,许满武,基于角色访问控制对象建模及实现,计算机学报2000.10
·[42] 乔颖.须德,戴国忠,一种基于角色访问控制的新模型及其实现机制,计算机研究与发展,2000.1
·[43] 蔡菁,基于角色的多层应用系统安全控制,计算机工程与应用,2001.14
·[44] 邓集波,洪帆,基于任务的访问控制模型,软件学报,2003 Vol.14 No.1.76-82