
Research On Access Control Methods In Extended Organization PKI Networks

Posted on: 2009-04-28
Degree: Doctor
Type: Dissertation
Country: China
Candidate: S M Zhang
GTID: 1118360272482200
Subject: Computer application technology
Abstract/Summary:
Internet technology has developed rapidly, and many countries have spent years researching how to secure it. A complete Internet security scheme, the public key infrastructure (PKI), has taken shape. Because networks are dynamic, vast and extended, PKI must be adapted to these characteristics; the interconnection of PKI networks has therefore become a hot research topic, and access control in extended organization PKI networks has drawn a lot of attention. This thesis develops and studies the related theory, technology, analysis and experiments of access control in extended organization PKI networks. The main innovative contributions are as follows.

1. Many organizations process their internal business with PKI, but most businesses have industrial partnerships with other businesses and want to conduct B2B business by connecting the PKIs of different enterprises. Drawing on the latest computer theory and technology, the thesis focuses on how to design a secure access control mechanism for extended organization PKI networks based on Web service. The mechanism integrates PKI, role-based access control, the X.509v4 PMI and XML security technology, and can realize authorization and authentication in extended organization PKI networks. The thesis describes the Web-service-based access control structure and presents the realization procedure and realization algorithm for managing access in extended enterprise PKI networks, which also lays the foundation for the research in the subsequent chapters.

2. PKI is a key technology for ensuring network security. But current PKI products lack convenience in cooperation, application deployment and system maintenance, and these shortcomings constrain the application of PKI. After introducing and discussing Web service and the key XML security technologies, the thesis integrates Web service with the mature PKI security architecture. A new Web service layer security model is proposed, and its security and characteristics are described. The thesis then focuses on the implementation of the security services sublayer, XKMS. The system architecture and the realization of the server side and the client side are described in detail. The client is universal, easy to use, lightweight and easy to maintain, which helps to popularize PKI.

3. X.509v4 PMI supports RBAC, which separates users from privileges by means of roles and can simplify the authorization management of the system. But in a large system the role structure is complex, and RBAC as described in published papers cannot meet practical needs. A temporal role-based administration of authorization model is proposed. The model expands the definition of permissions in RBAC, which makes it well suited to partitioning and inheriting public privileges, department privileges and private privileges. The model also adds a temporal constraint to permission inheritance, i.e. only the permissions owned by the role that meets the time requirement can be inherited. The model is not only well suited to frequent permission updates but also corresponds to the number of posts in reality, and it is easy to understand and operate.

4. A behavior-based trust evaluation model (BBTEM) is proposed, which evaluates trust relationships among market participants by measuring participants' behavior and quantitatively computing their trust levels in P2P computing. A trading scale parameter is designed into direct experience to evaluate user behavior, which prevents participants from cheating in a large-scale transaction after accumulating trust value in small-scale successful transactions. A friend concept is adopted in recommendation experience to restrain collusive cheating. The model also sets the initial trust value appropriately and prevents users with a bad reputation from registering again to escape punishment, among other measures. Both theory and experiment show that the model is reasonable and objective.

5. PMI is used to perform access control on resources in an e-commerce or e-government system. Our system is realized based on Web service. With the ever-increasing need for secure transactions, the need for systems that offer a wide variety of QoS (quality-of-service) features is also growing. Because Web service adopts standard protocols and a procedure to pack and unpack messages, its performance is somewhat low. To improve the QoS of the PMI system, a cache is proposed. In a PMI system, verifying a user's privilege frequently requires accessing the attribute certificate (AC) in the LDAP server. Much additional time is spent transferring the information over the network, which will probably become a bottleneck for the PMI system. To solve this problem, we developed and implemented an AC cache mechanism, then designed the cache updating algorithm, an improved decision tree algorithm, to guarantee the hit ratio. The simulation results show that the response performance of the PMI is improved.

6. In an open system, the trading parties may cheat each other, so the user's trust degree should be considered. To further improve the QoS of the PMI system, after the AC has been cached, a cache based on RBAC and trust is designed. The design of the cache is described in detail. The algorithms for querying role permissions in the cache and for adding records to the cache are presented, and the policy for updating the cache is also introduced. The research shows that the response time can be improved effectively.
Keywords/Search Tags:Access control, Public key infrastructure, Privilege management infrastructure, Role-based access control, Web service, Trust computing, Authorization management, Cache mechanism