
Research And Design On A Role-Based Access Control PMI System

Posted on: 2009-07-08
Degree: Master
Type: Thesis
Country: China
Candidate: X X Liu
GTID: 2178360245495656
Subject: Systems analysis and integration

Abstract/Summary:
With the development of information technology, networks have become increasingly important to people's daily lives. On the one hand, networks provide information sharing and convenient communication; on the other hand, they face security problems. Network security has therefore become the most important part of the information industry. Moreover, identity authentication and privilege management are critical to network security. On the one hand, applications such as e-commerce, e-government and e-banking require authentication; on the other hand, we also need to confirm whether an entity has the privilege to access the target resource, that is, user access control. In the 1980s, American scholars proposed the public key infrastructure (PKI), and PKI technology has become a necessary supporting security system for e-government, e-commerce and enterprise networks. However, as network resources grow more abundant, PKI alone cannot solve the problem of controlling access to resources. So in 2001 ITU-T published X.509 V4, which standardized the Privilege Management Infrastructure (PMI) for the first time. PKI/PMI is regarded as the security foundation of the virtual society. X.509 V4 describes PMI as a scheme for PKI and privilege management. Discretionary Access Control and Mandatory Access Control have been the two main access control models in the past. The role-based access control model can now support hierarchical structures, static separation of duty, least-privilege sets and so on. This model binds users to privileges through roles, which reduces the complexity of access control. The X.509 V4 document published by ITU-T describes the PMI model and uses the attribute certificate as the extension of the public key certificate.

Research on attribute certificates and a role-based access control PMI model is therefore badly needed.

The purpose of our research is to propose a PKI-based, role-based privilege management module and its implementation, and in this way to show that the role-based access control PMI module is an effective solution. In the 1980s, American scholars put forward the definition of PKI, and in 2001 ITU-T published the X.509 V4 standard. In 2003, ANSI published the "Role-based Access Control Standard". In 2002, David W Chadwick of Salford University put forward role-based PMI: "An X.509 Role-based Privilege Management Infrastructure". Today, foreign PMI products include Secure Transaction Platform from Entrust, Attribute Certificate Server from Baltimore Technology, Secureway from IBM and so on.

In this paper, the author studied PKI/PMI technology and built a role-based access control PMI model. In this model, attribute certificates are divided into two types: the role specification certificate and the role assignment certificate. This reduces the complexity of certificate management. The author also proposed a role-based access control PMI system for the enterprise.

This paper mainly covers the following: basic PKI theory, such as its specification and security services; basic PMI theory, such as the PMI specification, PMI components and PMI models; role-based access control theory, such as the entity specification and operations; and the role-based access control PMI model proposed by the author, together with its components, the attribute certificate and the authentication procedure.
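The split into role assignment and role specification certificates described in the abstract, shown as an added Python example that is not code from the thesis. The class names, fields and sample values are assumptions, and signature and revocation checks are assumed to have been done before the decision function runs.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical in-memory forms of the two attribute certificate types.
@dataclass(frozen=True)
class RoleAssignmentCert:      # binds a holder (the PKC subject) to roles
    issuer: str
    holder: str
    roles: frozenset
    not_before: datetime
    not_after: datetime

@dataclass(frozen=True)
class RoleSpecCert:            # binds one role to (resource, action) privileges
    issuer: str
    role: str
    privileges: frozenset
    not_before: datetime
    not_after: datetime

def usable(cert, trusted_issuers, now):
    """A certificate counts only if a trusted authority issued it and it is in date."""
    return cert.issuer in trusted_issuers and cert.not_before <= now <= cert.not_after

def is_authorized(holder, resource, action, assignments, specs, trusted_issuers, now):
    """Deny by default; permit only through a valid assignment AND a valid specification."""
    roles = set()
    for ac in assignments:
        if ac.holder == holder and usable(ac, trusted_issuers, now):
            roles |= ac.roles
    for sc in specs:
        if sc.role in roles and usable(sc, trusted_issuers, now):
            if (resource, action) in sc.privileges:
                return True
    return False

# Constructed sample data (not from the thesis).
SOA = "CN=Example SOA"
T0 = datetime(2009, 1, 1, tzinfo=timezone.utc)
T1 = datetime(2010, 1, 1, tzinfo=timezone.utc)
NOW = datetime(2009, 7, 8, tzinfo=timezone.utc)
ASSIGN = [RoleAssignmentCert(SOA, "CN=alice", frozenset({"auditor"}), T0, T1)]
SPECS = [RoleSpecCert(SOA, "auditor", frozenset({("ledger", "read")}), T0, T1)]

if __name__ == "__main__":
    print(is_authorized("CN=alice", "ledger", "read", ASSIGN, SPECS, {SOA}, NOW))
    print(is_authorized("CN=alice", "ledger", "write", ASSIGN, SPECS, {SOA}, NOW))
```

Changing what a role may do means reissuing one role specification certificate; the per-user role assignment certificates stay untouched.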
Keywords/Search Tags: RBAC, PMI, attribute certificate, PKI