
Research On Web Security Access Control System Based SPKI/SDSI

Posted on: 2011-07-12
Degree: Master
Type: Thesis
Country: China
Candidate: X M Yan
Full Text: PDF
GTID: 2178360308452590
Subject: Communication and Information System

Abstract/Summary:
Traditional PKI (public-key infrastructure based on the X.509 standard) can solve the problems of identity authentication, data confidentiality, data integrity and non-repudiation, but it cannot efficiently solve the problem of distributed network access control. In addition, X.509 relies heavily on central third-party certification authorities to provide trust when distributing public keys to principals, and it uses a global namespace to try to bind real user information. This is hard to implement in practice, lacks flexibility, and is especially hard to apply in a distributed environment.

SPKI/SDSI (Simple Public Key Infrastructure and Simple Distributed Security Infrastructure) was developed in 2000 to remedy shortcomings in the existing ID certificate definitions, X.509 and PGP. Its main purpose is to overcome the incompleteness and unnecessary complexity of traditional PKI. The researchers aimed to provide a public key architecture that is efficient, complete, natural and intuitive. Their primary focus was to create a PKI that can be readily used to build secure distributed systems according to the administrator's desired security policy. To that end, authorization was built into SPKI/SDSI as a central component.

The main characteristics of SPKI/SDSI are as follows. The public key itself, or its cryptographic hash, is used as the ID instead of a name in a global namespace. In SPKI, the principal (the identity) is associated with the public key, not the person. Local namespaces are used instead of a global namespace, and groups can be used flexibly. Trust can be delegated by means of authorization certificates. Every key can sign certificates, which means that everyone is equal and no trusted third party is needed.

In this paper, to address the lack of control over delegation depth in current models, we introduce the concept of a trust delegation value and then present a distributed access control model called Trust Delegation Value Based SPKI/SDSI (TDVB-SPKI/SDSI), which greatly improves the degree of control over access depth and can flexibly reduce the length of the trust chain search. Based on this model, we give an improved name closure algorithm, in which the trust delegation value is added so that it applies to both name certificates and authorization certificates. The algorithm is oriented to the object and searches for the certificate chains that are related to the trust, so it is well suited to use in a distributed environment. We then illustrate the use of TDVB-SPKI/SDSI with a typical example.

Based on the TDVB-SPKI/SDSI model, we designed a Web Secure Access Control System. In this system, a user can log in using a common browser with a plug-in. The web server treats all of the available resources as objects. A user with the right authority can obtain resources in the distributed network through a uniform interface. The existing X.509 PKI is combined with SPKI/SDSI under the rule of minimal modification. By using both PKIs together, we on the one hand reduce the difficulty of searching for the SPKI/SDSI certificate chain, and on the other hand address PKI's shortcomings when applied in a distributed environment.

Finally, we give the detailed design of the web system, including the web client and the web server, and provide a complete SPKI/SDSI package, which is the base package for further development. We also give an application to a campus resource using the designed system.
Keywords/Search Tags:Distributed Network, SPKI/SDSI, TDVB-SPKI/SDSI, Web Access Control