
Research On Key Technologies Of Policy-Based Access Control

Posted on: 2007-09-01
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Z Lin
Full Text: PDF
GTID: 1118360242461892
Subject: Computer system architecture
Abstract/Summary:
Access control technology, widely applied in various security protections, is significant for guaranteeing the security of information systems. Existing access control technology is deficient in flexibility, adaptability and the integrated control of sessions because of limitations in the restrictive conditions configured for access sessions and in the execution mechanism. Therefore, developing a new access control mechanism is extremely important both in theory and in practice.

To address the shortcomings of the old access control technology and to support multiple policies, this article proposes a Policy-Based Access Control Model (PBAC), which is composed of two models: the fundamental model and the extension model. The fundamental model uses a completely different and innovative technology, reconstructed-object describing technology, to manage the conversation entities uniformly, which strengthens the adaptive capacity of PBAC. Furthermore, in this model the authorization for the session subject has been cancelled, the basic access control pattern in which the system restrains sessions based on the authorization of the subject has been changed, and an attribute description related to the session has been integrated, realizing comprehensive restraint management of session attributes. In addition, this model departs from current models, which depict access control policy indirectly through authorization configured on the session entities, and formulates an independent policy description and management mechanism, making the management of access control policy more agile and enhancing multi-policy support.

Based on the fundamental model, an extension model has been produced. The article discusses the logic characteristics of its entities and actions. For the extension model it also discusses the rules for logic relationship description, the management mechanism, and the influence of the grouping relation, the inheritance relation, and the restraint and dependency relations among conversation factors on the access control management mechanism. The management mechanism of PBAC as used in a mobile agent system is introduced.

In order to improve the usability, flexibility and consistency of policy, an XML-Based Access Control Policy Language (XBACPL) has been developed. On the basis of elements such as entities and actions, the essential policies, together with their classification and description, have been constructed. Drawing on meta-modeling theory, the article proposes a meta-policy management mechanism for XBACPL, establishes the logic relationships among access control policies, and describes all related algorithms of XBACPL, with which the requirements of usability and consistency are upheld.

Taking the characteristics of mobile agent systems into account, the article introduces an application model of PBAC. At the same time, the article creates a policy-based framework for network security. Within this framework, an application prototype of PBAC is programmed for network access control. The prototype contains a configuration management tool for access control entities, attributes and policies. Network data packets are filtered at the network driver layer according to the policies. Significantly, the prototype validates the flexibility, adaptability, and multi-policy support of PBAC.

In conclusion, some theoretical and practical achievements obtained from this study will provide a substantial foundation for further policy-based application research.
Keywords/Search Tags: policy-based access control, fundamental model, extension model, policy description language, meta policy, entity, attribute