Institutional Repository of the Institute of Software, Chinese Academy of Sciences
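Title:
Research on Key Technologies of Role-Based Authorization Management in Dynamic Collaborative Environments (动态协同环境下基于角色的授权管理关键技术研究)
Author: Liu Wei (刘伟)
Defense date: 2008-05-30
Advisors: Sun Yufang (孙玉芳); He Yeping (贺也平)
Major: Computer Software and Theory
Degree-granting institution: Graduate University of Chinese Academy of Sciences
Place of conferral: Institute of Software, Chinese Academy of Sciences
Degree: Doctoral
Keywords: dynamic collaboration; role-based access control; delegation; interoperation; implicit authorization
Alternative title: Research on Key Technologies of Role Based Authorization Management in Dynamic Collaborative Environments
Department: National Engineering Research Center for Fundamental Software
Abstract: With the development of Internet technology and the ever finer division of labor in society, more and more organizations join together to work collaboratively toward common goals. Such dynamic collaborative environments pose new challenges for authorization management. Researchers agree that role-based access control is suitable for authorization management in large organizations, with flexible authorization implemented in two ways: delegation and interoperation. This dissertation extends role-based access control and studies the key technologies for role-based authorization management in dynamic collaborative environments, with the following main results. In delegation-based authorization management, an analysis of existing role-based delegation models reveals two kinds of defects: first, the delegator cannot restrict how delegated permissions are used, which may lead to illegal abuse and malicious spread of permissions; second, delegation operations are described with binary trust, which supports neither repeated delegation nor controlled delegation. A rule-based fine-grained delegation constraint framework is proposed to enforce strict delegation constraints, divided into conditional delegation and restricted usage, ensuring that the delegator can control how delegated permissions are used. A trust-level-based controllable delegation model is proposed, which introduces multi-level trust to describe delegation relationships, supports multiple delegation, and increases the controllability, flexibility and scalability of delegation. In interoperation-based authorization management, ad-hoc interoperation schemes based on cross mappings between roles have security and privacy defects. A trustworthiness-based ad-hoc secure interoperation method is proposed, which introduces trustworthiness to describe the degree to which autonomous domains and users participate correctly in collaboration; unfair recommendations by autonomous domains and malicious operations by users lower their trustworthiness and affect the authorization decisions of collaborating domains. In ad-hoc interoperation, resource discovery is a precondition for authorization. The defects of authorization sets in existing schemes are analyzed, and vectors are used to describe authorization policies, enhancing the flexibility of authorization; a privacy-preserving path discovery method is proposed, which uses a homomorphic encryption mechanism and secure two-party computation to protect users' access paths and improve the privacy of authorization. Flexible authorization in dynamic collaborative environments may bring security risks, and administrators cannot be certain whether an authorization includes other permissions. This dissertation performs implicit authorization analysis on the latest administrative model, UARBAC, finds definition flaws and implementation flaws in it, corrects the definition flaws, and gives a feasible implementation based on a greedy algorithm to help administrative users enforce minimal authorization. The results of this dissertation solve some key technical problems of authorization management in dynamic collaborative environments, lay a theoretical and practical foundation for further research on flexible authorization, authorization security determination and related problems, and provide an important reference for developing authorization systems suited to dynamic collaborative environments.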
English abstract: With the rapid development of Internet technology, coalition among autonomous domains has recently become important in both military and commercial areas. Authorization management in dynamic collaborative environments is a challenging open problem. Role-Based Access Control (RBAC) has received considerable attention as a promising alternative to traditional access controls. Researchers have proposed two mechanisms for flexible authorization: delegation and interoperation. In this dissertation, we extend RBAC and focus on the key technologies of role-based authorization management in dynamic collaborative environments. In the area of delegation-based authorization, we analyze existing role-based delegation models and find two kinds of drawbacks. Firstly, the usage of delegated permissions cannot be restricted, which causes permission abuse and illegal diffusion. We propose a rule-based fine-grained delegation constraint framework. The framework separates constraints into conditional delegation and restricted usage, enforcing constraints before and after delegation operations respectively. Secondly, delegation is described by a binary trust relationship, and multiple delegations cannot be supported. We present a multi-level trust based controllable delegation model. The trust level of roles is defined by resource owners based on their responsibilities, which enhances the flexibility and scalability of delegation operations. Secure interoperation solutions for ad-hoc collaboration have been proposed based on cross mappings between roles. We analyze the current implementation and find both security and privacy shortcomings. A trustworthiness-based ad-hoc secure interoperation method is proposed to enhance security, in which trustworthiness is introduced to describe the probability of proper collaboration. Experimental results show that this method can effectively resist cheating and malicious actions.
Resource discovery is another important issue in ad-hoc collaboration. We use vectors in authorization policy and propose a privacy-preserving access path discovery method, which is based on the combination of a homomorphic cryptosystem and secure two-party computation. We prove that our method is secure and improves the privacy of authorization. In dynamic collaborative environments, authorization might bring risk to security management. Administrators cannot confirm whether an authorization implies other permissions. The latest role-based administrative model, UARBAC, defines the conditions of administrative operations and has significant advantages over other models. Due to hierarchical relationships, operations of UARBAC could result in granting unknown permissions. By analyzing implicit authorization, we find two definition flaws and an implementation flaw. We correct the definitions of administrative operations and give a feasible solution for achieving least role assignment. In summary, the achievements of this dissertation are helpful to the further exploration of flexible and secure authorization management in dynamic coalitions, and are useful for the future implementation of an authorization system.
Content type: Dissertation
URI: http://ir.iscas.ac.cn/handle/311060/7120
Appears in Collections: National Engineering Research Center for Fundamental Software_Dissertations

Files in This Item:
File Name/File Size | Content Type | Version | Access | License
10001_200418015029032刘伟_paper.doc (3526KB) | -- | -- | Restricted access | --
Contact to obtain full text

Recommended Citation:
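Liu Wei (刘伟). Research on Key Technologies of Role Based Authorization Management in Dynamic Collaborative Environments [D]. Institute of Software, Chinese Academy of Sciences. Graduate University of Chinese Academy of Sciences. 2008-05-30.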
Items in IR are protected by copyright, with all rights reserved, unless otherwise indicated.

 

 

Copyright © 2007-2017 Institute of Software, Chinese Academy of Sciences