Traditional networks rely mainly on preventive security strategies, building a security barrier at the boundary of the protected network with firewalls, intrusion detection and virtual private networks. This preventive approach is relatively passive and cannot resist attacks by variant viruses and Trojans, which leads to rising cost, management difficulties and ineffective defence. The main reason is that traditional network security focuses on blocking at the perimeter and neglects security checks of the access terminal itself. Experience shows that the majority of attacks originate from insecure access terminals, which are the source of security incidents. To solve the problem of terminal security effectively, the Trusted Computing Group (TCG) put forward the concept of Trusted Network Connect (TNC) in 2004. Since the concept was proposed, industry has strongly advocated it and academia has paid it a high degree of attention. However, in TNC research the theory still lags behind the technology.

As a network security access technology, TNC research still has shortcomings in its architecture and other aspects. This thesis studies current network security access technology and trusted computing technology in detail, and then analyzes and discusses the following problems in the trusted network access process:

(1) Information exchange between client and server during trusted access lacks the support of a security protocol. The thesis therefore designs a trusted access authentication protocol that ensures secure transmission of messages and at the same time achieves mutual trustworthiness authentication between the communicating parties, thereby overcoming the one-way trustworthiness evaluation of the TNC architecture.

(2) Trusted network access of terminals suffers from coarse-grained access control: it neither distinguishes the trustworthiness grade of the access terminal nor implements hierarchical trusted authorization decisions. The thesis therefore proposes a trusted authorization model, TA-RBAC, which combines trusted computing technology with an access control mechanism and achieves a dynamic, fine-grained trusted authorization process while ensuring secure network access for terminals. It further puts forward a specific method for assessing a user's authentication trusted-degree as the basis for authorization, which provides a way to distinguish the trust level of network terminals.

(3) After a terminal has accessed the network, the network lacks further security protection. The thesis therefore introduces a real-time monitoring mechanism for access terminals in the proposed application framework. The mechanism periodically re-evaluates the current authentication trusted-degree of the access terminal within the prescribed time and uses the result as the basis for periodic authorization decisions for that terminal. The application framework designed in the thesis integrates the trusted access authentication scheme with the trusted authorization model, and thereby protects the whole process of a terminal's network access.

(4) Using TPM-Emulator and jTSS software to build an experimental platform, the thesis implements and tests part of the trusted access authentication function of the proposed application framework.
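The following Python example, added here and not code from the thesis, illustrates the idea behind points (2) and (3): authorization is granted per trust grade rather than as a single yes/no admission decision, and the grade is periodically re-evaluated from fresh platform measurements so that roles above the new grade are revoked. The measurement names, grade-to-role mapping and the longest-matching-prefix scoring rule are assumptions chosen for this illustration; the thesis defines its own assessment method.

```python
# Added example (not the thesis's code): trust-graded authorization with
# periodic re-evaluation. Measurement names, grades, roles and the scoring
# rule are assumptions made for this illustration.
import hashlib

# Constructed reference values for an ordered measurement chain, in the style
# of TPM platform measurements (bootloader -> kernel -> antivirus state).
CHAIN = ("bootloader", "kernel", "antivirus")
REFERENCE = {n: hashlib.sha256(f"{n}-known-good".encode()).hexdigest() for n in CHAIN}

# Assumed hierarchical trust grades: each grade unlocks a superset of roles.
GRADE_ROLES = {0: set(), 1: {"guest"}, 2: {"guest", "employee"},
               3: {"guest", "employee", "admin"}}
ROLE_PERMS = {"guest": {"read_public"}, "employee": {"read_internal"},
              "admin": {"write_config"}}

def assess_trust_grade(reported: dict, user_authenticated: bool) -> int:
    """Assumed rule: grade = length of the longest prefix of the chain matching
    the references (a mismatch early in the chain taints everything measured
    afterwards); an unauthenticated user gets grade 0 regardless."""
    if not user_authenticated:
        return 0
    grade = 0
    for name in CHAIN:
        if reported.get(name) != REFERENCE[name]:
            break
        grade += 1
    return grade

class TerminalSession:
    """One access terminal: its current grade and the roles it may hold."""
    def __init__(self, terminal_id: str, reported: dict, requested_roles: set):
        self.terminal_id = terminal_id
        self.requested = set(requested_roles)
        self.reevaluate(reported)

    def reevaluate(self, reported: dict, user_authenticated: bool = True) -> int:
        """Periodic re-evaluation: recompute the grade from fresh measurements
        and revoke every role the new grade no longer permits."""
        self.grade = assess_trust_grade(reported, user_authenticated)
        self.roles = self.requested & GRADE_ROLES[self.grade]
        return self.grade

    def authorize(self, permission: str) -> bool:
        """Fine-grained decision: the permission must come from a held role."""
        return any(permission in ROLE_PERMS[r] for r in self.roles)
```

Create a TerminalSession from the terminal's measurement report, call authorize() for each request, and call reevaluate() with fresh measurements on the prescribed interval; a drop in grade revokes the roles above it without a new admission round.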