
Access Control System Based On Divide And Rule

Posted on: 2006-06-17
Degree: Master
Type: Thesis
Country: China
Candidate: K Ding
GTID: 2208360152497371
Subject: Computer application technology

Abstract/Summary:
With the development of the Internet, network applications, especially e-business and e-government, have become very popular. Because of its importance to these applications, network security has increasingly become a serious problem that cannot be ignored. To guarantee the security of network activity, strict access control must be provided. The traditional methods of access control now seem too simple to work efficiently.

Today, research on access control focuses mostly on Role Based Access Control (RBAC) and on the application model of Partition Rule Based Access Control (PRBAC), and the few implementations of PRBAC are limited to PKI authorization. Compared with traditional access control, the main advantage of RBAC is that privileges need to be managed only for roles rather than for individual users. But in e-government and military affairs, information must be partitioned much more strictly. For example, it can be partitioned into several classifications such as secret, top secret and so on.

The US Department of Defense (DoD) put forward a new access control technology named Partition Rule Based Access Control (PRBAC). PRBAC uses the SPIF (Security Policy Information File) to describe the security policy and rules, X.509 public key certificates to carry users' authorization information, and security labels to denote the sensitivity of objects. It determines its functions according to the access control standard, and decides whether to grant access by comparing the user's authorization with the object's security label under the security policy defined in the SPIF. It can control objects according to their classification. This characteristic fits the access control requirements of e-government and military affairs very well.

However, a PRBAC that uses only X.509 public key certificates and PKI authorization may have many restrictions and bugs. For example, in the X.509v4 standard the validity period of an attribute certificate is short, which avoids the problem of managing CRLs. And only have the method of PKI...
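
The comparison PRBAC makes between a user's authorization and an object's security label under the policy in the SPIF, as an added Python example that is not code from the thesis. The dictionary standing in for the SPIF, the ordered classification list, the category sets and every name and identifier below are assumptions made for illustration; the real SPIF and certificate encodings are not reproduced.

```python
from dataclasses import dataclass

# Constructed stand-in for a SPIF (assumption): a policy identifier, the
# classifications in ascending order, and the categories the policy defines.
SPIF = {
    "policy_id": "example-policy-1",  # hypothetical identifier
    "classifications": ["unclassified", "confidential", "secret", "top secret"],
    "categories": {"finance", "personnel", "operations"},
}

@dataclass(frozen=True)
class Clearance:       # authorization information carried in the user's certificate
    policy_id: str
    classification: str
    categories: frozenset

@dataclass(frozen=True)
class SecurityLabel:   # sensitivity marking attached to the object
    policy_id: str
    classification: str
    categories: frozenset

def decide(spif, clearance, label):
    """Return (granted, reason). Anything the policy does not define is denied."""
    pid = spif["policy_id"]
    if clearance.policy_id != pid or label.policy_id != pid:
        return False, "policy mismatch"
    levels = spif["classifications"]
    if clearance.classification not in levels or label.classification not in levels:
        return False, "unknown classification"
    if not (clearance.categories | label.categories) <= spif["categories"]:
        return False, "unknown category"
    # Assumed rule: the clearance must be at or above the label's classification.
    if levels.index(clearance.classification) < levels.index(label.classification):
        return False, "insufficient classification"
    # Assumed rule: the user must hold every category named on the label.
    missing = label.categories - clearance.categories
    if missing:
        return False, "missing categories: " + ", ".join(sorted(missing))
    return True, "granted"

if __name__ == "__main__":
    user = Clearance("example-policy-1", "secret", frozenset({"finance"}))
    for obj in (  # constructed sample labels
        SecurityLabel("example-policy-1", "confidential", frozenset({"finance"})),
        SecurityLabel("example-policy-1", "top secret", frozenset()),
        SecurityLabel("example-policy-1", "secret", frozenset({"personnel"})),
    ):
        print(obj.classification, sorted(obj.categories), decide(SPIF, user, obj))
```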
Keywords/Search Tags: security, access control, PKI, PRBAC, SPIF