The Implement And Improvement Of SSL Protocol

Posted on: 2005-05-16
Degree: Master
Type: Thesis
Country: China
Candidate: Z Zhao
GTID: 2168360125450721
Subject: Computer system architecture
Abstract/Summary:
With the rapid development and spread of the Internet, more and more Internet-based application systems have come into existence. Against this background, Internet security has become increasingly important. The earlier, lax approach to Internet security fails to guarantee the security of data. As a result, Public Key Infrastructure (PKI) has proved to be a reliable system for data encryption, and it has also drawn the attention of the commercial world. SSL (Secure Sockets Layer), a security protocol widely used on the network, can provide security guarantees for Internet communications. Since SSL became the industry standard for security protocols, it has been applied in many settings. Its applications include, but are not limited to, the following systems: S/HTTP, S/MIME, SSL-Telnet, SSL-SMTP and SSL-POP3. E-commerce and e-government systems have even been built on SSL. Given the importance of SSL, it is necessary to analyze it. SSL, which applies PKI and X509, a digital certificate technology, aims to ensure the confidentiality and integrity of transmitted information, but it cannot ensure that all junk information is fended off. SSL, usually deployed on a Web server, is mainly used in point-to-point information transmission to provide a confidential, reliable transmission channel between two communicating entities. SSL is an Internet-based security protocol that can guarantee confidentiality. It sits on top of a reliable transport layer and is independent of any specific application-layer protocol. The encryption algorithm, negotiation of the communication secret key, and authentication of the server are all handled by SSL automatically. After an SSL connection is created, the application layer does not need to do anything, because all data is encrypted by SSL automatically. SSL provides the application-layer protocol with an interface similar to TCP. To the application-layer developer, SSL is completely transparent.
An SSL socket can be used in place of the traditional TCP socket. When SSL is applied, HTTP is called HTTPS and LDAP is called LDAPS. The SSL protocol guarantees data security between two communicating applications (a client and a server), but it is designed only for basic identity authentication. To restrict a user's rights, extra work is needed in the application that uses SSL. ACL is a successful example. PMI (Privilege Management Infrastructure) is a better solution to the problem of restricting user rights. PMI uses Attribute Certificates to make clear what users are allowed to do. PMI, an important component of the National Information Security Structure (NISI), aims to provide authorization management services to users and applications. Specifically, it can map a user to his specific rights. In addition, it provides authorization and access control mechanisms that are consistent with the processing model actually in use and independent of the development and management of application systems. PMI helps simplify the development and maintenance of application systems. PMI binds rights information into the Attribute Certificate, so the lifecycle of rights is managed through the management of Attribute Certificates. The process of applying for, issuing, revoking and validating an Attribute Certificate is also the process of applying for, issuing, revoking and validating rights. With Attribute Certificates, rights management no longer depends on a concrete application. Furthermore, Attribute Certificates are well suited to distributed applications. PMI is an expansion and extension of PKI. The standard for the Attribute Certificate is X509 V4. The standard for the identity certificate is X509 V3.
Used together, the two certificates can form a complete security system that helps solve all security problems in Internet applications. PKI can tell who the user is, while PMI proves what kind of rights the user has and how...
Keywords/Search Tags:Improvement