
Design And Implement An IBE System With Permission Management

Posted on: 2010-12-12
Degree: Master
Type: Thesis
Country: China
Candidate: Y Lin
Full Text: PDF
GTID: 2178360272995903
Subject: Computer system architecture
Abstract/Summary:
Credible certification technology is the core of modern information security. After several decades of academic discussion and practice, two major technology systems have gradually formed: PKI (Public Key Infrastructure) and IBE (Identity Based Encryption). Credible certification technology is the basis for building confidence in e-commerce, e-government and other electronic transaction activities.

The different characteristics of PKI and IBE make them suited to different areas of electronic transaction applications. In a PKI system, keys belong to individuals, and there is a direct relationship between the key holder and the key's security and economic interests. PKI is therefore more applicable to electronic commerce. In an IBE system, the user's public key is the user's identity, and the PKG distributes the private key to the user. Key management in IBE is graded and centralized, so all keys in the system can be replaced regularly. Compared with PKI, IBE is therefore more applicable to the e-government field, which has a strict grading of authority and requires that data can be replaced regularly.

Although IBE has better properties than the traditional PKI system, it has encountered problems in practical application, such as identity management, authorization management, key management and identity mobility. To address these issues, this paper puts forward a new proposal, an IBE system based on trust services, and introduces its system architecture and working mechanism.

To resolve the existing problems in IBE, I have proposed an IBE system based on trust services to improve the IBE system. The IBE system based on trust services consists of four components: a key management mechanism with regular key replacement, a unified identity-identifier management mechanism, a permission management mechanism with centralized audit, and a cross-domain interconnection module management mechanism.
In this paper I compare the new proposal with the PKI system and point out its advantages.

The permission management module is an important component of the IBE system based on trust services. It is the security foundation of this system. Permission management consists of three parts: the service registration sub-module, the permission granting sub-module and the audit sub-module. In this paper, I design and implement an RBAC-based permission granting module. Role-based access control (RBAC) is a model that is currently widely used in large-scale internet applications to reduce the cost and complexity of security management. It has been accepted by ANSI because, by introducing the concept of a role to separate users from permissions, it controls permissions more effectively and provides more flexibility and extensibility.

The primary function of the service registration sub-module is to register a legal service when it is opened, and to remove a service from the service table and the service-threshold table when it expires.

The primary function of the permission granting sub-module is to define roles and role levels, to distribute permissions to users, and to maintain the role table, the role-permissions table and the user-role table. Permission management consists of four parts: the source of authority (SOA), the role holder, the permissions verifier and the roles. The setting of roles should follow the principles of least privilege, separation of duty, quota restrictions and time restrictions. In addition, this thesis proposes a role delegation solution that realizes role delegation without any change to the user's role information and without creating a temporary role. The trust inheritance algorithm is the core algorithm of this part. It should solve two problems: one is to determine which roles the current user can apply for, the other is how to achieve co-authorization.

The primary function of the audit sub-module is to record system information, user information and error messages. The system administrator can query system operation through the audit log.
When someone uses a service illegally, the administrator can also find the user ID. This module can ensure the security of the IBE system.

The permission management module designed and implemented in this paper has many advantages. It provides a complete, safe and convenient permission service to users. It ensures that users access system resources securely. It can manage roles and users in the system conveniently by setting role levels. It can also delegate roles to other users. This system is more applicable to the e-government field, which has a strict grading of authority and requires that data can be replaced regularly.

At present, the PKI system has been widely applied in the area of electronic commerce. IBE, however, still has many problems to be solved. Research on IBE and its key questions is very meaningful, and much remains to be done.
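The delegation property described in the abstract (a role is delegated without touching the user-role table and without creating a temporary role) can be illustrated with a small RBAC store. This is an added example, not code from the thesis, and it does not reproduce the trust inheritance algorithm, which the abstract does not specify. The class, the separate delegation table, the integer clock and all sample data are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class PermissionStore:
    # Table names follow the abstract; the layout and contents are assumed.
    role_perms: dict = field(default_factory=dict)    # role -> set of permissions
    user_roles: dict = field(default_factory=dict)    # user -> set of roles
    exclusive: set = field(default_factory=set)       # separation-of-duty role pairs
    delegations: list = field(default_factory=list)   # (from, to, role, expires_at)
    audit_log: list = field(default_factory=list)     # (time, user, action, result)

    def _audit(self, now, user, action, ok):
        self.audit_log.append((now, user, action, "ok" if ok else "denied"))
        return ok

    def active_roles(self, user, now):
        roles = set(self.user_roles.get(user, ()))
        for _, to, role, expires in self.delegations:
            if to == user and now < expires:           # time restriction
                roles.add(role)
        return roles

    def delegate(self, delegator, delegatee, role, now, ttl):
        # Only a direct holder may delegate, and the delegatee must not end up
        # holding two mutually exclusive roles (separation of duty).
        ok = role in self.user_roles.get(delegator, ())
        held = self.active_roles(delegatee, now)
        ok = ok and not any(frozenset({role, r}) in self.exclusive for r in held)
        if ok:
            self.delegations.append((delegator, delegatee, role, now + ttl))
        return self._audit(now, delegator, f"delegate {role} to {delegatee}", ok)

    def check(self, user, perm, now):
        roles = self.active_roles(user, now)
        ok = any(perm in self.role_perms.get(r, ()) for r in roles)
        return self._audit(now, user, f"access {perm}", ok)

def demo():
    s = PermissionStore(   # constructed sample data
        role_perms={"clerk": {"doc:read"}, "approver": {"doc:approve"}, "auditor": {"log:read"}},
        user_roles={"alice": {"approver"}, "bob": {"clerk"}, "carol": {"auditor"}},
        exclusive={frozenset({"approver", "auditor"})},
    )
    before = {u: set(r) for u, r in s.user_roles.items()}
    results = [
        s.check("bob", "doc:approve", now=0),                     # no such role yet
        s.delegate("alice", "bob", "approver", now=0, ttl=10),
        s.check("bob", "doc:approve", now=5),                     # within the window
        s.check("bob", "doc:approve", now=10),                    # delegation expired
        s.delegate("alice", "carol", "approver", now=0, ttl=10),  # separation-of-duty conflict
    ]
    return results, s.user_roles == before, s.audit_log
```

Every decision, granted or denied, lands in `audit_log` with the user ID, which is what lets an administrator trace a refused or expired use back to a user.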
Keywords/Search Tags:IBE, Trust Service, Permission Management, RBAC, Electronic Government