
Research On Key Technologies Of Authorization Management Oriented To Classified Protection

Posted on: 2012-02-09
Degree: Master
Type: Thesis
Country: China
Candidate: J Gao
GTID: 2218330371462563
Subject: Military communications science

Abstract/Summary:
With the continuous development of classified security protection, how to realize secure interconnection, intercommunication and interoperation among classified information systems is becoming a hotspot. As an effective supporting technology for addressing these problems, authorization management has become a critical issue and an urgent need for classified protection, and it has great research significance.

Based on an accurate analysis of the requirements of authorization management oriented to classified protection, this dissertation explores the establishment of an authorization management model, an authorization framework and an authorization policy oriented to classified protection. The main work is as follows:

(1) A classified protection oriented authorization management model called CPOAMM is proposed. The model combines the RBAC approach to authorization with information flow control based on security labels. CPOAMM is described formally, and its correctness and security have been analysed and validated. CPOAMM meets the requirement of information flow control during user privilege control, which lays a solid foundation for the implementation of authorization management for information systems in a classified protection environment.

(2) An authorization framework based on CPOAMM is put forward. The dissertation explores the implementation framework based on CPOAMM and gives the structural design and functional description of its key components. It also explores three key technologies for cross-classified systems: a role mapping algorithm for fine-grained permission control, a policy-based security label translation algorithm for the transition of security labels among different classified systems, and a security protocol for policy negotiation.

(3) A classified protection oriented authorization management policy set is built. The dissertation explores the constitution of the authorization policy, the policy classes and the policy content. It also defines a policy mode and, based on that policy mode, describes the policy set formally. In addition, a policy pretreatment method is put forward to improve policy matching efficiency. This work sets up a policy foundation for the implementation of authorization management for information systems in a classified protection environment.

(4) A key authorization management module is designed and realized. Based on the prototype of the "resource management oriented cross domains authentication and multi-level privilege management system", the authorization request management module, the policy management module and the cross-classified modules are designed and realized.
Keywords/Search Tags:Classified Protection, Authorization Management Model, Authorization Management Framework, Security Label Transition, Authorization Management Policy