Using Attribute Certificates for Role-Based Privilege Management

Master's === National Chiao Tung University === College of Management, In-Service Master's Program, Information Management Group === 93 === Access control is the function of deciding whether a user is permitted to use or change information contents in information systems. Based on the concept of attribute certificate, Privilege Management Infrastructures (PMI) is a framework for access contro...


Bibliographic Details
Main Author: 彭玉伃
Other Authors: 黃景彰
Format: Others
Language: zh-TW
Online Access: http://ndltd.ncl.edu.tw/handle/30934437311614322840
id ndltd-TW-093NCTU5396064
record_format oai_dc
spelling ndltd-TW-093NCTU5396064 2015-10-13T11:56:53Z http://ndltd.ncl.edu.tw/handle/30934437311614322840 Using Attribute Certificates for Role-Based Privilege Management 運用屬性憑證於以角色為基礎的授權管理之研究 彭玉伃 Master's, National Chiao Tung University, College of Management, In-Service Master's Program, Information Management Group, 93 黃景彰 陳安斌 thesis 85 zh-TW
collection NDLTD
sources NDLTD
description Master's === National Chiao Tung University === College of Management, In-Service Master's Program, Information Management Group === 93 === Access control is the function of deciding whether a user is permitted to use or change information contents in information systems. Based on the concept of the attribute certificate, Privilege Management Infrastructure (PMI) is a framework for access control. Extended from PKI (Public-Key Infrastructure), PMI is comparatively new. Role-Based Access Control (RBAC) has received much attention in recent years. RBAC reflects the need to implement separation of duties and other security policies in organizations. Using a combination of PMI and RBAC, the author of this thesis presents a role-based privilege management model. The proposed model works as a framework for practicing PMI. In the proposed model, an X.509 attribute certificate does not necessarily include all the information needed for access control. Part of the information is role related. The information about role assignment is written either into an extension field named acceptablePrivilegePolicies or into a new extension field. Therefore, user privileges are verified when a user starts a role. Accordingly, the proposed approach broadens the applications of the X.509-based attribute certificate. Because XML is widely considered a standard for data exchange among various Internet application systems, this thesis uses the XML Encoding Rules for ASN.1 (XER) to encode an attribute certificate and uses an XML-based language, XACML, to design a set of RBAC security policies. A verification procedure is also proposed; therefore, the research result of this thesis is ready for real-world applications.