
Research On Role-Based Inter-Domain Access Control Model

Posted on: 2012-09-30
Degree: Master
Type: Thesis
Country: China
Candidate: L L Zhong
Full Text: PDF
GTID: 2218330368479463
Subject: Computer software and theory
Abstract/Summary:
The advent of the information age has brought about great changes in information sharing. Resource sharing within a single domain is no longer able to meet users' demands, so inter-domain access arose to meet this need. Single Sign-On (SSO) is a specialized form of software authentication that enables a user to authenticate once and gain access to the resources of multiple software systems. It spares users the trouble of multiple logins and of managing multiple accounts when they access resources across domains. Shibboleth is a new-generation SSO implementation that provides users with a secure and reliable identity authentication mechanism.

Access control is an important technology for protecting the security of information resources, and inter-domain access places higher requirements on it. IRBAC2000 was proposed on the basis of the classical RBAC model. It is a policy framework that facilitates secure interoperability between two domains. The framework works by defining a set of associations between the local and foreign role hierarchies, so that the RBAC model is extended to a multi-domain environment and the security of inter-domain access is improved. In this paper, we study the basic idea of IRBAC2000 and analyze its shortcomings. To address those shortcomings, the main work of this paper is as follows:

Firstly, this paper analyzes the primary causes that lead to conflicting role associations and to violations of the Static Separation of Duty principle. The hierarchical relationships among roles are analyzed as well; based on the role hierarchy, a sequencing method and a comparison method for role hierarchical relationships, together with a quick extraction method for the role mapping set, are proposed. On this basis, a global detection algorithm for inter-domain conflicting associations and a global detection algorithm for inter-domain statically mutually exclusive roles are proposed.

Secondly, this paper proposes a model named Centralized Role Association Access Control Model (C-IRBAC) in order to solve the problems of the IRBAC2000 model more thoroughly. In addition to applying the detection algorithms mentioned above, this model defines a private role set and a private permission set to prevent erroneous authorization of sensitive permissions. To solve the problems of role infiltration and covert promotion, inter-domain role shuttle rules are constructed, and for the problems caused by role changes, a series of role change principles is laid down.

Finally, the C-IRBAC model is applied to the Shibboleth SSO system. A feasibility analysis of this application is made first; then the role set, permission set, role relationships and the correspondence between roles and permissions are described in a unified way using XML, which provides a uniform access control model for Shibboleth and enhances the security of the Shibboleth SSO system as well.
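As an added illustration (not code from the thesis, and not its algorithm), the following shows the class of check the abstract refers to: given two role hierarchies and a set of inter-domain role associations, find foreign roles whose effective local role set would combine two statically mutually exclusive (SSD) local roles, including roles obtained transitively through either hierarchy. The domains, role names and associations are constructed for the example.

```python
"""Inter-domain static separation-of-duty check over role associations.

Each domain has a role hierarchy (senior role -> set of junior roles it
inherits) and the local domain has SSD pairs that no user may hold together.
An association maps a foreign role to a local role. A holder of foreign role F
obtains every local role reachable from the local roles associated with F or
with any role junior to F. If that set contains both roles of a local SSD
pair, the association set violates SSD. All data below is constructed."""


def closure(role, hierarchy):
    """All roles reachable from `role` (inclusive) by following junior edges."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(hierarchy.get(r, ()))
    return seen


def effective_local_roles(foreign_role, foreign_hier, assoc, local_hier):
    """Local roles a holder of `foreign_role` obtains through the associations."""
    local = set()
    for fr in closure(foreign_role, foreign_hier):  # F inherits its juniors' mappings
        for lr in assoc.get(fr, ()):
            local |= closure(lr, local_hier)  # and each mapped local role's juniors
    return local


def detect_ssd_violations(foreign_hier, assoc, local_hier, local_ssd):
    """Return (foreign_role, (a, b)) for each local SSD pair a holder could combine."""
    violations = []
    for fr in sorted(set(foreign_hier) | set(assoc)):
        eff = effective_local_roles(fr, foreign_hier, assoc, local_hier)
        for a, b in local_ssd:
            if a in eff and b in eff:
                violations.append((fr, (a, b)))
    return violations


# Constructed sample: the local domain forbids combining "approver" and "requester".
LOCAL_HIER = {"finance_mgr": {"approver"}, "approver": set(), "clerk": {"requester"}, "requester": set()}
LOCAL_SSD = [("approver", "requester")]
FOREIGN_HIER = {"a_director": {"a_buyer"}, "a_buyer": set(), "a_auditor": set()}
# Each association looks harmless on its own; the hierarchies combine them.
ASSOC = {"a_director": {"finance_mgr"}, "a_buyer": {"clerk"}, "a_auditor": {"approver"}}

if __name__ == "__main__":
    for fr, pair in detect_ssd_violations(FOREIGN_HIER, ASSOC, LOCAL_HIER, LOCAL_SSD):
        print(f"SSD violated: foreign role {fr!r} would hold both of {pair}")
```

Here `a_director` is only mapped to `finance_mgr`, but it inherits `a_buyer`'s mapping to `clerk`, so it ends up holding both `approver` and `requester`; a check that looks at each association in isolation misses this.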
Keywords/Search Tags: Single Sign-On, Role-Based Access Control Model, IRBAC2000, Role Association, C-IRBAC, Shibboleth