Research on Resource Sharing under Heterogeneous Access Policies in PMI
Abstract
With the arrival of the information age, network security has become a focus of growing public concern. Public Key Infrastructure (PKI) is currently the foundation and core of network security construction and the basic guarantee for the secure implementation of e-government and e-commerce. But as the kinds of resources on the network multiply and user roles grow more complex, a more fine-grained access control technology is urgently needed. In a PKI system, identity and privilege are not separated: if one person holds several roles and several privileges at once, that person may end up holding several identity certificates. This hinders both the development and reuse of systems and their security management. Privilege Management Infrastructure (PMI) therefore emerged, and research on PMI is currently a hot topic in the information security field. Its main open problems are the lack of a unified standard for authorization policy and low system efficiency.
The Lightweight Directory Access Protocol (LDAP) is used to access X.500 directory services without the resource requirements that the Directory Access Protocol (DAP) imposes when accessing X.500. LDAP targets simple management programs and browser programs in particular, providing simple interactive read/write access to X.500 directories, and also complements DAP itself. The general model LDAP adopts is a client performing protocol operations against a server: the client sends the server a protocol request describing the desired operation, the server performs the necessary operations in the directory, and once they are complete it returns a response carrying the result or an error to the requesting client. LDAP versions 1 and 2 did not specify how a protocol server could give the client referrals to other servers. To improve performance and distribute operations, LDAPv3 allows a server to return referrals to other servers to the client, relieving the server of the work of contacting those servers itself and improving operational performance.
Access control is the defensive measure against unauthorized use of resources. Its basic goal is to limit the access rights of subjects (users, processes, services and so on) to objects (files, systems and so on), so that the computer system is used only within legitimate bounds; it decides what a user can do, and also what programs acting on a user's behalf can do. Enterprise environments generally use one of three access control policies: discretionary access control, mandatory access control and role-based access control (RBAC). Discretionary control is too weak and mandatory control too strong, and both demand heavy administration effort. RBAC is now widely recognized as an effective approach to unified resource access control in large enterprises. Its two notable characteristics are: 1. it reduces the complexity and overhead of authorization management; 2. it supports enterprise security policy flexibly and scales well with organizational change.
After introducing the three technologies PMI, LDAP and RBAC, this thesis analyzes their characteristics and advantages and the current state of the field, in which most applications concentrate on RBAC and little research spans multiple access policies. It describes how PMI systems built on LDAP currently share resources, and on the basis of the three technologies proposes a technical scheme for resource sharing between security departments and ordinary departments, which use heterogeneous access control policies. The scheme adopts the tree structure that is now the common form of authorization mechanism, and for large-scale PMI systems proposes an improved "single-branch tree" structure. Designed with emergency response as its goal, it maintains a standby "single branch" storage structure and adjusts the single-branch tree when the system is updated, overcoming the efficiency problems earlier models suffered during system updates. For the access process, analysis of the many-to-many correspondence between roles and users leads to the concept of a "virtual role" that is transparent to PMI systems using user-based access control policies; the thesis describes how virtual roles are established and used through mutual authentication via the two parties' LDAP directories. Applying this technique to resource sharing between PMI systems with heterogeneous access control policies lets the sharing parties cooperate conveniently without changing their own access control policies.
Through further detailed analysis of the above techniques and a simulated implementation aimed at applications with high security requirements, this thesis applies the technique successfully to PMI systems under heterogeneous access control policies, so that PMI systems using different access policies can share resources more conveniently and securely and thereby cooperate on project development.
With the coming of the information age, network security has drawn our attention. Public Key Infrastructure (PKI) is regarded as the core and foundation of network security, ensuring the security of transmission and exchange in electronic commerce and government affairs. As the kinds of resources become more abundant and users' roles more complex, a fine-grained access control technology is strongly needed. In traditional PKIs, identity and privilege are not separated: if a person has many roles and holds many privileges, he may hold many PKCs. This is good neither for the system's development and reuse nor for its safe and expedient administration. Privilege Management Infrastructure (PMI) therefore emerged as the times required, and has now become a hot research direction in the field of information security. The lack of a standard for privilege policy and inefficiency are the main open questions.
The Lightweight Directory Access Protocol (LDAP) is used to access X.500 directories without the resource demands that arise when DAP accesses X.500. LDAP, aimed at simple management programs and browser programs, supplies simple interactive read/write access to X.500 directories and is at the same time a supplement to DAP itself. LDAP adopts the general model of a client performing protocol operations against a server: protocol requests describing the needed operation are conveyed to the server by the client, the server performs the operation in the directory, and afterwards returns an outcome or an error response to the client that requested service. In the first and second versions, LDAP did not specify how references to other servers are given to the client by the protocol server. To improve performance and distribute operations, LDAP version 3 permits the server to return references to other servers to the client; in this way the work of connecting to other servers is reduced and performance is improved.
Access control is a defensive measure against exceeding one's authority in using resources. Its basic goal is to limit the access privileges of access subjects (clients, processes, services, etc.) to access objects (documents, systems, etc.) so that the computer system is used legitimately; it also decides what programs acting on a user's behalf can do. There are three access control strategies in enterprises: discretionary access control (DAC), mandatory access control (MAC) and RBAC. DAC is too weak and MAC too strong, and both are too complex to manage conveniently. RBAC is now regarded as an effective way to solve the problem of unified resource access control in an enterprise. It has two remarkable characteristics: 1. it reduces the complexity and cost of authorization management; 2. it flexibly supports the enterprise's security strategy and fits changes in the enterprise well.
This thesis introduces PMI, LDAP and RBAC, then analyzes their features and advantages and the present situation, in which most applications focus on RBAC and there is little study of differing access strategies. It introduces the resource sharing methods of PMI systems applying LDAP. Based on these three technologies, it puts forward a scheme for resource sharing between a security department and a common department. The scheme introduces the privilege tree and a Single Branch Tree applied to large PMI systems; the Single Branch Tree is aimed at emergencies and improves efficiency through the creation and adjustment of the single branch. Through analysis of users and roles it puts forward the "empty role", which is transparent to PMI systems applying a user-based access strategy, and explains how to create and apply it through mutual LDAP authentication of both sides. Applying this technology to PMI systems that adopt different access strategies lets them cooperate safely without either side changing its strategy.
Through further analysis and a simulated implementation aimed at applications requiring high security, this thesis applies the technology to PMI systems adopting different access strategies, making resource sharing among PMI systems that use different access strategies safer and more convenient, so that they can work jointly and develop projects together.
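The "virtual role" (the English abstract's "empty role") bridging a role-based PMI domain and a user-based one, as an added illustrative model that is not the thesis's own code. The abstract does not fix the mechanism, so the semantics here are assumptions: the RBAC side mints a per-user virtual role after the peer directory confirms the user (`bind` is a constructed stand-in for the mutual LDAP authentication), the role's permissions are capped by what both sides already grant, and the user-based side's policy is never touched.

```python
# Added illustrative model, not the thesis's code. Assumed semantics (the abstract
# does not fix them): the RBAC side admits a user from a peer domain that keeps
# per-user permissions by minting a "virtual role" for that user once the peer's
# LDAP confirms the user; the per-user side keeps its own policy and never sees
# the role, which is what makes it transparent to that side.
from dataclasses import dataclass

@dataclass
class RbacDomain:            # users hold roles, roles hold permissions
    user_roles: dict
    role_perms: dict
    exported: set            # permissions this domain offers for sharing

    def permitted(self, user: str, perm: str) -> bool:
        return any(perm in self.role_perms.get(r, set())
                   for r in self.user_roles.get(user, set()))

@dataclass
class UserAclDomain:         # permissions attach directly to user names
    user_perms: dict

    def permitted(self, user: str, perm: str) -> bool:
        return perm in self.user_perms.get(user, set())

class VirtualRoleBridge:
    """Runs on the RBAC side; `bind(user, secret)` stands in for the mutual
    LDAP authentication the abstract mentions (a constructed callable here)."""
    def __init__(self, rbac: RbacDomain, acl: UserAclDomain, bind):
        self.rbac, self.acl, self.bind = rbac, acl, bind

    def admit(self, user: str, secret: str):
        if not self.bind(user, secret):    # peer directory rejects: no role
            return None
        # Assumed least-privilege rule: the virtual role carries only what the
        # peer already grants this user AND what this domain chose to export.
        perms = self.acl.user_perms.get(user, set()) & self.rbac.exported
        vrole = f"vrole:{user}"
        self.rbac.role_perms[vrole] = perms
        self.rbac.user_roles.setdefault(user, set()).add(vrole)
        return vrole

    def revoke(self, user: str) -> None:   # tear down when the session ends
        self.rbac.role_perms.pop(f"vrole:{user}", None)
        self.rbac.user_roles.get(user, set()).discard(f"vrole:{user}")

def build_demo():            # constructed sample data for the two domains
    rbac = RbacDomain({"alice": {"dev"}}, {"dev": {"read:spec", "write:code"}}, {"read:spec"})
    acl = UserAclDomain({"bob": {"read:spec", "read:secret"}})
    peer_ldap = {"bob": "pw-bob"}      # stand-in for the peer directory
    return rbac, VirtualRoleBridge(rbac, acl, lambda u, s: peer_ldap.get(u) == s)
```

Calling `admit` twice for the same user simply rebuilds the same virtual role, so a re-authentication after the peer changes that user's permissions narrows or widens the role without any edit to the RBAC domain's native roles.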