
Research On Certificate And Trust Based Access Control In Multi-domain Environments

Posted on: 2011-07-19
Degree: Doctor
Type: Dissertation
Country: China
Candidate: J Y Lei
GTID: 1118360305992370
Subject: Information security
Abstract/Summary:
With the spread of computer applications and the arrival of the network era, normal access to information and its reasonable protection have become more and more important. Access control technology guarantees that information is accessed legally and normally. Information security in multi-domain environments has gradually become a hot spot in access control research in recent years, and access control based on trust and certificates is an effective method for addressing information security in multi-domain environments. Although many scholars have done extensive research on access control in multi-domain environments and have produced many results, some problems remain unaddressed and are worth further research.

Using PKI and PMI enables a business to address authentication and authorization issues and to achieve its overall security policy. An application-based access control model for enterprise information systems that integrates PKI and PMI is put forward. The system architecture, certificate structure, model structure and implementation procedure are presented, together with a corresponding instance and analysis.

In multi-domain environments, trust assessment and trust transmission are very important research topics. Many scholars have conducted in-depth research in this field and achieved a large number of results. However, the calculation of trust and the depth control of trust transmission have not yet been addressed well. Research is carried out on these issues in trust management systems. Data simulation shows that the proposed trust assessment scheme is feasible. The proposed trust transmission method and its depth control are usable, flexible and simple to apply.

An authorization delegation model based on a weighted directed graph is presented. The problems of permission delivery, cyclic authorization and conflicting authorization in the authorization delegation model are discussed and addressed. The spread of access permissions is limited according to confidence through the calculation of a transfer function, and constraints are imposed using a confidence threshold method. For conflicts in authorization, information is shared according to its sensitivity level, and the corresponding control and selection are made. The algorithm is simple and highly flexible.

In multi-domain environments, nodes are free to join or leave a domain. Each node decides for itself whether to interact with others. The relationships between nodes are variable. To a given node, a new node in the domain is not trustworthy enough to ensure its security. A trust value can be obtained by trust calculation between nodes in the domain, and the efficiency of trust-chain searching can then be improved by judging the trust value and cutting off redundant trust paths. Algorithms for forward trust-chain searching, backward trust-chain searching, and combined forward and backward trust-chain searching are given, along with the corresponding simulation experiments and analysis.

In a multi-domain environment, trust management and trust negotiation using digital certificates are effective methods for making access control decisions. Digital certificates often contain sensitive attributes that need to be protected. Trust management does not take the protection of sensitive attributes in digital certificates into account. Trust negotiation treats the digital certificate as a whole: either all of the information in the certificate is exposed or none of it is. However, in certain environments, selective exposure of some sensitive attributes in certificates is necessary. To address this problem, a scheme to protect the sensitive attributes in certificates is presented, and its application and realization are shown through a typical concrete example.
Keywords/Search Tags:Access control, Trust Management, Credential, Trust Relationship, Authorization, Delegation, Trust negotiation