| With the rapid development of network, the application of internet has already influenced every aspect of our lives. The network brought the huge convenience to us while it brings some latent unsafe factor to our lives. The development of the network accelerates the widely application of electronic commerce,and the security gradually gains people's attentions.As an excellent secure communication protocol, SSL (Secure socket layer) protocol is based on the C/S structure and protects data of application layer, and has been currently applied in network. As a most widely used secure electronic transactions protocol, SSL encrypts communication data with secret key negotiation in the SSL handshake protocol. Although SSL has more than ten years histories, there are still some defects of access control applications in the handsake protocol.As for the flaws of the SSL protocol in the access control applications, the traditional access control mechanisms on SSL protocol have defects in authorization. To solve this problem, we have studied the following three subject matters:Firstly, the goal of this thesis is to design a SSL protocol based on PMI attribute certificate. PMI (Privilge Management Infrastructure) comes from PKI (Public Key Infrastructure). PKI is used to provide strong authentication and PMI is used to provide flexible authorization. Similar to identity certificate, the attribute certificate binds the attributes such as group membership, role, or other authorization information associated with the certificate. According to the analysis of the binding manner between attribute certificate and identity certificate, this paper uses the free binding manner to design modified protocol. We mainly consider modification to the handshake protocol, that the server requests the client's certificate by adding an attribute certificate of client. At the same time, after the server has verified the identity certificate of the client, server verifies client's attribute certificate. If the authorization doesn't meet server's request, client won't access. These make the server information is better protected and enhance security of the original SSL protocol. Attribute certificate is handed over to the management of PMI, and authorized management is more flexible.Secondly, the thesis analyses the design using the BAN logic. The BAN logic is a simple and practical formal analysis method, which can deduce the certifiable result and find the majority of security flaws and redundancy. Formal analysis shows that the modified protocol is a feasible secure solution which completes the subject's exchange of attribute information without damaging the secure objectives of original SSL protocol.Finally, a secure system based on the modified protocol is implemented in this paper, including two functional components: identification management and privilege management. The system has a high security using certification technology based on PKI and PMI. |
PDF Full Text Request