Study And Realization Of Access Decision Control Function Based On PMI Attribute Certificate Privilege

Posted on: 2007-02-16
Degree: Master
Type: Thesis
Country: China
Candidate: Z C Yang
GTID: 2178360182995742
Subject: Cryptography
Abstract/Summary:
Through the management of certificates, the Public Key Infrastructure (PKI), which is based on the public key system, provides authentication, confidentiality, integrity and non-repudiation services for applications. With the rapid development of network security technology and its widespread application, the requirement for security and fine-grained access control has become more and more important. The Privilege Management Infrastructure (PMI), which resolves the conflict between long-term identity and short-term authorization in the PKI certificate, offers an access control mechanism that is stricter, more efficient and more convenient. As a logical extension of PKI, PMI requires the valid identity authentication provided by PKI. However, it is based on Role-Based Access Control (RBAC) technology and takes the attribute certificate as the authorization carrier, providing both authorization management and fine-grained access control services for users and applications.

Some technologies related to PKI and PMI are discussed in this paper. On the basis of a PKI certificate system, a PMI system based on RBAC technology was constructed. The establishment of the access control policy in XML, the attribute certificate, the distribution of authorization, and the organizational infrastructure and realization of the Access Control Decision Function (ADF) and the Access Control Enforcement Function (AEF) were analyzed. This paper focuses on the ADF in PMI, that is, how to decide whether to respond yes or no according to the access control policy and the user's attribute certificate, after the AEF has submitted the user's public key certificate and the access request. The realization of the ADF comprises Policy Parsing, Credential Providing and Access Decision.
When policy parsing finishes, the authorised roles are stored with their hierarchy levels, indexed by the SOA's DN, to provide the credential-acquiring service. The access rules used for access decision, each consisting of target domains, authorised roles and time constraints, are stored indexed by the name of the action that can be executed under the access control policy.
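The decision step described above, as an added Python example that is not code from the thesis: it parses a constructed XML policy into a role table indexed by SOA DN and a rule table indexed by action name, then answers yes or no. The XML element names, the DNs and the suffix-based domain match are assumptions, and the attribute certificate is assumed to have been validated already, with its issuer DN and roles extracted.

```python
import xml.etree.ElementTree as ET
from datetime import time
# Constructed policy: element and attribute names are assumptions, not the thesis's schema.
POLICY_XML = """<Policy>
  <RoleHierarchy soa="cn=SOA,o=Example">
    <Role name="manager"><Role name="clerk"/></Role>
  </RoleHierarchy>
  <Rule action="read" from="08:00" to="18:00">
    <Target domain="ou=files,o=Example"/><AllowedRole name="clerk"/>
  </Rule>
  <Rule action="write" from="09:00" to="17:00">
    <Target domain="ou=files,o=Example"/><AllowedRole name="manager"/>
  </Rule>
</Policy>"""

def _closure(node, table):
    # A superior role holds its own name plus every role nested beneath it.
    held = {node.get("name")}
    for child in node.findall("Role"):
        held |= _closure(child, table)
    table[node.get("name")] = held
    return held

def parse_policy(xml_text):
    """Policy parsing: role closures indexed by SOA DN, rules indexed by action name."""
    root = ET.fromstring(xml_text)
    roles_by_soa, rules_by_action = {}, {}
    for hier in root.findall("RoleHierarchy"):
        table = roles_by_soa.setdefault(hier.get("soa"), {})
        for top in hier.findall("Role"):
            _closure(top, table)
    for rule in root.findall("Rule"):
        rules_by_action.setdefault(rule.get("action"), []).append({
            "targets": [t.get("domain").lower() for t in rule.findall("Target")],
            "roles": {r.get("name") for r in rule.findall("AllowedRole")},
            "window": (time.fromisoformat(rule.get("from")), time.fromisoformat(rule.get("to")))})
    return roles_by_soa, rules_by_action

def decide(policy, soa_dn, ac_roles, action, target_dn, at):
    """Access decision: grant only if a rule for the action matches target, role and time."""
    roles_by_soa, rules_by_action = policy
    hierarchy = roles_by_soa.get(soa_dn, {})  # unknown SOA: no roles are credited
    effective = set().union(*(hierarchy.get(r, set()) for r in ac_roles))
    target = target_dn.lower()
    for rule in rules_by_action.get(action, []):
        in_domain = any(target == d or target.endswith("," + d) for d in rule["targets"])
        if in_domain and effective & rule["roles"] and rule["window"][0] <= at <= rule["window"][1]:
            return True
    return False  # default deny: no rule matched
```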
Keywords/Search Tags:PKI, PMI, RBAC, AC, ADF