
Research On Authentication And Authorization Based On PKI & PMI

Posted on: 2007-06-08
Degree: Master
Type: Thesis
Country: China
Candidate: F Wang
GTID: 2178360242461934
Subject: Computer software and theory

Abstract/Summary:
In an open network environment, Public Key Infrastructure (PKI) provides identity authentication services. Privilege Management Infrastructure (PMI) extends PKI to support authorization. PMI uses Attribute Certificates (AC) to assign permissions to users, with the aim of mapping users' identities to permissions and providing authorization and access control mechanisms that correspond to the practical transaction model but are independent of the development and management of the application system.

The Role-based Access Control (RBAC) model logically separates users from permissions through the concept of a role. Because it makes privilege management flexible and convenient, the RBAC model is regarded as an efficient way to control access and is widely used. The role model in PMI combines RBAC and PMI by issuing Role Specification Attribute Certificates and Role Assignment Attribute Certificates.

An extended ARBAC model with the concept of feature is proposed to address the difficulty that administrative roles encounter in the ARBAC97 model when assigning general roles to users according to their characteristics.

Based on research into the theories of PKI and PMI, we improve the role model. User-group Specification Attribute Certificates and User-group Assignment Attribute Certificates are used to simplify the management of permissions. An access control policy repository and a local certificate repository are deployed at the privilege verifier, the former to restrict access to resources and the latter to improve certificate query efficiency. Solutions to problems in implementing RBAC in PMI, such as role hierarchy, private permissions and role delegation, are also presented. A secure PMI platform framework is also designed, which realizes RBAC and authentication using PKI. An authorization policy syntax is defined in Extensible Markup Language to assign permissions. We focus mainly on the processes of privilege management and access control, which can serve as a reference for constructing PMI systems.
Keywords/Search Tags: Public Key Infrastructure, Privilege Management Infrastructure, Role-based Access Control, Attribute Certificate, privilege management, access control