
Research And Implementation On Cross-Domain Authorization Management

Posted on: 2009-12-08
Degree: Master
Type: Thesis
Country: China
Candidate: Y Ceng
Full Text: PDF
GTID: 2178360242990043
Subject: Information security
Abstract/Summary:
With the spread of OA and electronic business, government departments and corporations have built local area networks and developed their own applications according to their business needs. These applications make the demand for interconnection and information sharing among single domains (LANs under the control of one security policy) increasingly pressing. Today's dynamic, heterogeneous and distributed information systems call for secure interoperability across multiple domains, beyond the limits of single-domain management. However, once an independent, self-controlled single-domain network is interconnected with other networks, it is hard to maintain the security of the original applications while keeping them controllable (i.e. preventing unauthorized users from accessing and using protected resources and services). In other words, cross-domain authorization management has become one of the key issues to be solved in applying IT.

This thesis analyzes existing access control models based on PMI attribute certificates and RBAC, and then puts forward a distributed cross-domain privilege management model called CD-RBAC. The model uses roles and attribute certificates (ACs) for authorization, and its realization is based on PKI (Public Key Infrastructure) and PMI (Privilege Management Infrastructure). The model takes into account the formulation of security policies and inter-domain collaboration in a multi-domain environment. The CD-RBAC model matches the actual situation in distributed systems and is more practical and secure than other models. The thesis describes in detail how authorization management is realized within a domain, the method of inter-domain role mapping, and the authorization steps. It further describes the realization of the system in two aspects: its physical structure and its logical structure. Finally, the theoretical model is simulated and verified in a prototype environment. Flexibility, maintainability and operability were fully considered during the realization of the system.
Keywords/Search Tags: cross-domain, authorization, attribute certificate, RBAC