The Research Of Security Framework In ASCMS Based On Authentication, Authorization And Responsibility Identification

To meet the continuously change of the market rapidly and keep a sustained competition power, products should be passed to the customers who most need in them the shortest time, with the best quality and lowest cost. Meanwhile, for the fast response to the change of the external environment, numerous enterprises set up their own agile supply chain management system in abundance using Internet. At present, the security issue of ASCMS has been becoming one of the key factors of affecting the business competition.This thesis focuses on designing a more safe security framework, which aims at the development present status and existence security problems of ASCMS. The main contribution of this security framework is Authentication based on certificate, Access Control based on domain and Responsibility Identification, which helps to enhance the security of entire Enterprise ASCMS, and speed up the reconfiguration of Supply Chain System. This theme comes from the project of "Automobile Parts Network Manufacturing Platform (APNM)", which supported by State Development and Reform Commission to revitalize the old industrial base in Northeast. This thesis is divided into several parts as follows:This thesis starts by discussing Supply chain management. Supply chain management system is a dynamic network, comprising suppliers, manufacturers, transporters and sellers. It is a typical distributed system, which is able to be reconstructed rapidly with the formation of Dynamic Alliance and adjusted with the disintegration of Dynamic Alliance. For the ASCMS's complexity and dynamic nature, studies of its security issues are rare, no matter in domestic or foreign works. However, security issue is a key to achieve the real application for ASCMS. Therefore, it is as the main research content of this thesis, namely, we construct safety architecture of ASCMS based on the Certification Authority and the Responsibility, and does the simulation design to the Auto Parts Network Manufacture platform System.Currently, although the application of domestic Supply Chain System is still at the start stage, after China entering into the World Trade Organization (WTO), it becomes more and more important. Many domestic scholars have made extensive studies in this area. The security of ASCMS mainly manifests in: trust, authorization, responsibility and data security. According to these four aspects, we propose a security framework and the corresponding solutions, which are: (1) to provide a unified system integration platform, (2) Authentication, (3) Access Control (including Authorization and Access Control), (4) Responsibility Identify and Security Audit.Therefore, we design a security framework of ASCMS. In this paper, we respectively introduce the relevant theory of Authentication, Access Control and responsibility Indentify, and complete the application of these three technologies in our security framework. Authentication is mainly used to validate the authenticity of the information sender identity, including the authentication and identification of the senders and receivers. The basic methods of Identity Authentication are Authentication based on password, Kerberos Authentication, Authentication based on Digital Certificate and Biometrics. Authentication, Integrity validation and Non-Repudiation are as three main purposes of Authentication. In ASCMS we use PKI (Public Key Infrastructure) and bidirectional certificate authentication based on SSL to achieve the certification, which can help us to realize the Identity Authentication and Non-Repudiation. Meanwhile, the communication process is encrypted, which ensures the integrity validation of data. Access Control (Access Control) is such a technology that permits or restricts the access capacity and scope explicitly by some way. Through the access control services, the access to critical resources can be restricted, which helps to prevent the intrusion of unauthorized users or devastation caused by legitimate users'inadvertent operation. In the APNM system, different enterprises, different sectors, and different employees have different access privileges to different resources, and therefore it requires a powerful access control model to manage various access privileges to different records in the same table. In the traditional access control mode, it designates a privilege as a user or a role's operating privilege to an object, which is impossible to deal with such a large number of objects, users and roles. In this thesis, combining with role-based access control model, we import a concept called domain, which helps us cast off the limit of system framework and make the division of the access control scope more flexible. Domain is an abstract organizational unit in APNM Platform System. A domain can be a project, a group, or any administrative department (department or enterprise). By the domain, we can establish the multi-layered access control strategy, which makes the design of the access control more flexible, maintains the mandate small number and meets the minimum user privileges granted and the transparent access control strategy in APNM Platform System.Responsibility is a very important feature of information security. A system should be able to carry out on a number of sensitive records prepared for tracing and identifying the relevant responsible person. Currently responsibilities are achieved by the Security Audit. Security Audit not only helps to monitor the network user activities from internal and external, identify , record, store and analyze the relevant information of activities related to security, warn and make the response to emergency, but also provides an important basis for subsequent processing and evidence for network crime and breach acts through recording the system's incident. The APNM Platform is based on J2EE architecture, and it is deployed on theWeblogic8.0 server; the background data maintenance uses the Oracle database. We draw supports from the function of Audit Procedure provided by Weblogic8.0 combined with Oracle's Audit function to achieve the Audit in ASCMS, namely responsibility.Finally, by using the J2EE and EJB technology, we realize the ASCMS security framework proposed in this thesis and complete the testing of the framework, and prove its validity and effectiveness. The detail realization of identity in Agile Supply Chain Management system: it realizes bidirectional authentication between client and server through credible third-party certification institution, by the use of the third-party SSL certificate authentication protocol. It guarantees identity authenticity of the login users and servers. The detail realization of Access Control: By introducing the concept of a domain, the user access control is more granular, which ensures that different users have different access control privileges and information can not be accessed by unauthorized third-party. The realization of Responsibility and Security Audit: Weblogic8.0 audits information, and records not only all of the authentication activities, but also all users'operations and information of access to the modules of the system. Each record keeps the execution time of the incident so that users can not deny. Oracle 9i Audit View records the users'operations to the database, including the database session ID, the client detailed information, the timestamps and so on, by which users can not deny. Combined Weblogic8.0 Audit Information with Oracle 9i Audit View Information, it can confirm that when users visit applications, visit which modules of the system, when access database, which operations are done to the database and the time is identical. As users are unable to deny, it achieve the system's responsibility.