
Applied Research On Attributes-based Access Control Mode

Posted on: 2011-03-11
Degree: Master
Type: Thesis
Country: China
Candidate: S J Hou
GTID: 2178330338482822
Subject: Computer software and theory
Abstract/Summary:
With the rapid development of Internet technology and distributed computing, and with economic, scientific and cultural development, the division of labour among enterprises has deepened and dynamic collaboration has strengthened, so business processes often cross organizational boundaries. Business cooperation between enterprises is becoming more and more frequent, and wide-ranging resource sharing has become a trend. At the same time, the number of network users is increasing rapidly, and the security of resource sharing among large numbers of users across domains has become a problem that must be solved. Cross-realm identification and authorization is one important measure for guaranteeing the safety of resource sharing.

At present, users in network environments are identified by user name and password, and a user's identity is often confined to one enterprise or one web site. Because the logical processing and business rules of each enterprise are not identical, and the definition and concrete implementation of authorization mechanisms differ, a user of one enterprise needs to register again to become a valid user of another enterprise, and cross-domain access control lacks a universal, flexible approach. Among traditional access control models, role-based access control (RBAC) has the notable advantage that the system administrator can divide users into different roles according to department and security policy to perform specific tasks, so it has been widely used. However, as the number of users grows, role assignment and management make role and permission management bulky and tedious, and RBAC is not well suited to cross-realm access in open networks.

Aiming at the limitations of traditional access control models in the new-generation credible Internet environment, such as the inefficiency of user-role assignment and the difficulty of cross-domain access control, a universal attribute-based access control framework is proposed. It handles the attributes of users, resources, operations and running context in a unified way, simplifying the complex permission determination of traditional RBAC and other access control models, and thus enhancing the versatility and flexibility of the access control system. Authentication based on attribute certificates is applied to cross-domain access, and policy evaluation and the evaluation algorithm are also discussed. The framework can dynamically implement resource management and access control for users from different domains. In addition, the running-context mechanism makes the model more suitable for complex and dynamic Internet environments.

The research in this thesis comes from a sub-project named "Access control service based on trust mechanism", undertaken by Chongqing University, which is a component of the national science and technology plan project "New generation of Internet security and network services can be trusted", led by the National Development and Reform Commission. The test results indicate that ABAC in this project can support trust negotiation and dynamic access control in the secure multicast system, the network safety measurement system and the secure BBS system. It can dynamically implement resource management and access control based on the different demands of users, with better flexibility and expansibility.
Keywords/Search Tags:Access Control, Cross Domain Access, Attribute, Running Context, Policy