
Privilege Management Of IBE System Based On Trust Service

Posted on: 2012-07-25
Degree: Master
Type: Thesis
Country: China
Candidate: R L He
GTID: 2178330332499539
Subject: Network and information security

Abstract/Summary:
Authentication and privilege management are two important aspects of guaranteeing network security. Nowadays there are two major authentication technologies: PKI and IBE. PKI binds a user's public key to identity information through a certificate, which requires a trusted third-party certification authority (CA). IBE removes the third-party certification authority and uses the user's identity directly as the public key. Compared with PKI, IBE is low-cost to build, highly secure and highly efficient, so the promotion of IBE is an inevitable trend. However, PKI not only supports key management but also provides the security services of authenticity, confidentiality, integrity and accountability, whereas IBE is only able to provide key management and digital signatures. To improve the services of IBE, this paper first presents an IBE system based on trust service.

The IBE system based on trust service consists of four parts: key management, identity management, cross-domain interoperability and privilege management. Key management, corresponding to the PKG of IBE, is in charge of generating and distributing users' private keys and replacing keys at regular intervals. Identity management is in charge of user registration, the generation of each user's unified identity and the verification of that identity. Cross-domain interoperability is in charge of transferring user identities and authorizing cross-domain access, so that users from different trusted domains can communicate. Privilege management provides the mapping from a user's identity to application authorization for users in IBE trusted domains. The four parts communicate with each other in a tightly coupled way and trust each other, and together they form a trusted domain.

This paper focuses on the research and design of the privilege management of the IBE system based on trust service. The IBE system based on trust service provides user authentication. However, which services a trusted user may access, and how those services are accessed, must be resolved by privilege management. Privilege management is a security policy provided by the trusted system and applied when users of the trusted system submit requests to access a specific service. It is mainly used to ensure that trusted users of the system can access the services and resources of the trusted domain, and to refine the security granularity of the system. In addition, privilege management is responsible for managing registered services, and it is one of the supporting systems of accountability.

The privilege management of the IBE system based on trust service consists of four modules: a service registration module, a privilege assignment module, an access control module and a centralized audit module.

The service registration module is in charge of registering and opening services and of dividing opened services into authority zones. Using a centralized service management approach, it registers a unified identity for each service and obtains the service's private key from key management according to the service's identity. The service registration module divides each service into different authority zones according to the nature of the service and sets a different threshold for each authority zone.

The privilege assignment module is in charge of assigning a privilege value to each role and assigning roles to users. It also maintains the role-privilege-value table and the user-role table. It assigns different privilege values to roles according to the rights of those roles. Users' roles are assigned by trust inheritance: a user who already holds a role may, depending on that user's trust degree, grant a lower-level role from the same inheritance hierarchy to other trusted users.

The access control module is in charge of processing users' access requests. It calculates the user's privilege value according to the access request and makes the access decision by comparing the user's privilege value with the threshold of the target service area. If and only if the user's privilege value is greater than or equal to the threshold can the user access the target service.

The centralized audit module is in charge of recording all acts of users, in order to prevent misbehaviour by administrators arising from abnormal privilege management and to provide the basis for accountability.

Specifically, this paper makes four contributions.

Firstly, it improves the privilege management of the IBE system and designs a new privilege management scheme for it. Although privilege management infrastructure (PMI) has improved, PMI is designed on top of PKI and manages privileges through attribute certificates. If PMI were applied to an IBE system, the IBE system would have to establish an Attribute Authority, which would lose the intrinsic advantages of IBE. The privilege management of the IBE system based on trust service provides effective privilege management for trusted users while preserving the intrinsic advantages of IBE.

Secondly, the privilege management model based on trust service is designed with RBAC technology, and an improved RBAC model incorporating the threshold idea is proposed. In the improved model each service is divided into different privilege zones, a threshold is set for every privilege zone, the trusted sources assign a privilege value to each role, and an access decision is made simply by comparing the privilege value with the threshold.

Thirdly, the privilege management model uses the trust inheritance method to assign users' roles, making role assignment more efficient and more practical. The model calculates every user's trust degree, and a user with sufficient credibility can assign roles inherited from its own role to other trusted users.

Lastly, the centralized audit module of the privilege management model ensures the safe operation of the system and provides the basis for accountability.
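To make the improved RBAC model concrete, the following Python sketch models the four modules described above: service registration with per-zone thresholds, a role-privilege-value table with a role hierarchy, trust-inherited role delegation, threshold-based access decisions and a centralized audit trail. It is an added example, not code from the thesis; the class and method names, the 0..1 trust scale, the `DELEGATION_TRUST` bound, the choice to take a user's privilege value as the maximum over the user's roles, and all sample users, roles and thresholds are assumptions.

```python
# Added example: toy implementation of threshold-based RBAC with trust-inherited
# role assignment and a centralized audit trail. Not the thesis's own code; names,
# the 0..1 trust scale, DELEGATION_TRUST and all sample data are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

DELEGATION_TRUST = 0.7  # assumed minimum trust degree a grantor needs before delegating a role


@dataclass
class AuditEvent:
    actor: str
    action: str
    detail: str
    outcome: str


@dataclass
class PrivilegeManager:
    # service registration module: service -> {privilege zone -> threshold}
    zones: Dict[str, Dict[str, int]] = field(default_factory=dict)
    # privilege assignment module: role-privilege-value table and role inheritance hierarchy
    role_value: Dict[str, int] = field(default_factory=dict)
    role_parent: Dict[str, Optional[str]] = field(default_factory=dict)
    # user-role table and each user's trust degree
    user_roles: Dict[str, Set[str]] = field(default_factory=dict)
    user_trust: Dict[str, float] = field(default_factory=dict)
    # centralized audit module: every act is recorded, whether it succeeded or not
    audit: List[AuditEvent] = field(default_factory=list)

    def _log(self, actor: str, action: str, detail: str, outcome: str) -> None:
        self.audit.append(AuditEvent(actor, action, detail, outcome))

    # --- service registration module ---
    def register_service(self, admin: str, service: str, zone_thresholds: Dict[str, int]) -> None:
        self.zones[service] = dict(zone_thresholds)
        self._log(admin, "register_service", f"{service}:{zone_thresholds}", "ok")

    # --- privilege assignment module ---
    def define_role(self, role: str, value: int, parent: Optional[str] = None) -> None:
        if parent is not None and value > self.role_value[parent]:
            raise ValueError("a lower-level role may not outrank its parent role")
        self.role_value[role] = value
        self.role_parent[role] = parent

    def register_user(self, user: str, trust: float) -> None:
        self.user_trust[user] = trust
        self.user_roles.setdefault(user, set())

    def _is_below(self, role: str, ancestor: str) -> bool:
        # True if `ancestor` sits strictly above `role` in the same inheritance chain
        cur = self.role_parent.get(role)
        while cur is not None:
            if cur == ancestor:
                return True
            cur = self.role_parent.get(cur)
        return False

    def admin_assign_role(self, admin: str, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)
        self._log(admin, "admin_assign_role", f"{user}<-{role}", "ok")

    def assign_role_by_trust(self, grantor: str, grantee: str, role: str) -> bool:
        """Trust inheritance: a sufficiently trusted holder of role R may grant a role below R."""
        detail = f"{grantee}<-{role}"
        if grantee not in self.user_trust or self.user_trust.get(grantor, 0.0) < DELEGATION_TRUST:
            self._log(grantor, "assign_role", detail, "denied: insufficient trust")
            return False
        if not any(self._is_below(role, held) for held in self.user_roles.get(grantor, ())):
            self._log(grantor, "assign_role", detail, "denied: role not below grantor's own role")
            return False
        self.user_roles[grantee].add(role)
        self._log(grantor, "assign_role", detail, "ok")
        return True

    # --- access control module ---
    def privilege_value(self, user: str) -> int:
        # assumption: a user's privilege value is the maximum over the roles held
        return max((self.role_value[r] for r in self.user_roles.get(user, ())), default=0)

    def access(self, user: str, service: str, zone: str) -> bool:
        threshold = self.zones.get(service, {}).get(zone)
        if threshold is None:
            self._log(user, "access", f"{service}/{zone}", "denied: unknown zone")
            return False
        value = self.privilege_value(user)
        granted = value >= threshold  # the threshold rule of the improved model
        self._log(user, "access", f"{service}/{zone}",
                  f"{'granted' if granted else 'denied'} ({value} vs {threshold})")
        return granted


def demo() -> PrivilegeManager:
    """Constructed scenario: one service with three zones and a three-level role chain."""
    pm = PrivilegeManager()
    pm.register_service("admin", "fileserver", {"public": 10, "confidential": 50, "restricted": 90})
    pm.define_role("manager", 60)
    pm.define_role("staff", 40, parent="manager")
    pm.define_role("guest", 10, parent="staff")
    for user, trust in (("alice", 0.9), ("bob", 0.5), ("carol", 0.8)):
        pm.register_user(user, trust)
    pm.admin_assign_role("admin", "alice", "manager")
    pm.assign_role_by_trust("alice", "bob", "staff")      # ok: trusted manager delegates a lower role
    pm.assign_role_by_trust("bob", "carol", "guest")      # denied: bob's trust 0.5 < DELEGATION_TRUST
    pm.assign_role_by_trust("alice", "carol", "manager")  # denied: not below alice's own role
    pm.assign_role_by_trust("alice", "carol", "guest")    # ok
    return pm


if __name__ == "__main__":
    manager = demo()
    for event in manager.audit:
        print(f"{event.actor:6} {event.action:18} {event.detail:35} {event.outcome}")
```

The two checks in `assign_role_by_trust` are the ones the abstract's trust-inheritance rule needs: the grantor's trust degree must meet the delegation bound, and the granted role must lie strictly below a role the grantor already holds, so delegation can only ever move privilege downwards. Every denied attempt still lands in the audit list, which is what makes the centralized audit module useful for accountability.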
Keywords: Privilege Management, IBE, Threshold, RBAC, Trust Inheritance