
Research And Prototype Implement Of Privilege Management Infrastructure (PMI)

Posted on: 2004-05-14
Degree: Master
Type: Thesis
Country: China
Candidate: H S Tan
GTID: 2168360095460155
Subject: Computer software and theory
Abstract/Summary:
With the development of the Internet, network applications, especially e-business and e-government, have become very popular. Because of their importance, network security has increasingly become a problem we cannot ignore. To guarantee the security of network actions, we must provide and distinguish identity information and authorization information for users. PKI (Public Key Infrastructure), which is based on cryptography and provides authentication, confidentiality, integrity and non-repudiation, has become the source of authentication and authorization on the Internet. PKI records people's identities and privileges in a public key certificate. In a PKI system, however, identities and privileges have different attributes, especially in their periods of validity. Privileges are often updated as conditions change, while identities remain fixed for their duration. Binding the two into one certificate not only impairs the efficiency of managing identities and privileges, but also brings a heavy workload to the CA (Certification Authority) because of frequent certificate updates. Because this contradiction between a permanent authenticated identity and changeable authorization attributes in PKI (based on X.509v3) became more and more evident, the PMI (Privilege Management Infrastructure) concept was introduced in X.509v4 in 2000. PMI separates out the privilege management function of X.509v3 and offers a stricter, more convenient and more efficient access mechanism. PMI, based on PKI, realizes a management system for access privileges.
Based on an analysis of the PMI framework in X.509v4, a model based on a role-based delegation mechanism is presented. The design of the prototype PMI and some key problems, such as certificate management, role management and policy management, are discussed in the thesis. Finally, a PMI system, Mini PMI, is implemented with reference to the PKI system, and its performance is analyzed.
XML, as a meta-language, is becoming the necessary data description format in network applications because of its platform independence and self-description. XML can be customized on demand to fit special requirements. The design of our PMI system and its major modules, such as policy, log and certificate, conform to XML formats. Thus we can combine it with a network service framework and guarantee the efficiency of network service security and trust.
Keywords/Search Tags: Network security, X.509, Privilege Management Infrastructure (PMI), Extensible Markup Language (XML), role, Attribute Certificate, Certificate Management