跳到主要內容

臺灣博碩士論文加值系統

(18.97.14.84) 您好!臺灣時間:2025/01/20 10:35
字體大小: 字級放大   字級縮小   預設字形  
回查詢結果 :::

詳目顯示

: 
twitterline
研究生:林千代
研究生(外文):Chien-tai Lin
論文名稱:可攜性RBAC資訊系統架構之研究
論文名稱(外文):A Study of Role-based Access Control with Portable Key Management
指導教授:薛夙珍薛夙珍引用關係
指導教授(外文):Sue-Chen Hsueh
學位類別:碩士
校院名稱:朝陽科技大學
系所名稱:資訊管理系碩士班
學門:電算機學門
學類:電算機一般學類
論文種類:學術論文
論文出版年:2003
畢業學年度:91
語文別:中文
論文頁數:147
中文關鍵詞:角色存取控制角色為基礎的存取控制(RBAC)金鑰管理
外文關鍵詞:Key ManagementRole-based Access ControlAccess ControlRole
相關次數:
  • 被引用被引用:15
  • 點閱點閱:401
  • 評分評分:
  • 下載下載:46
  • 收藏至我的研究室書目清單書目收藏:0
企業電子化應用趨勢,讓員工隨時隨地可藉由網路存取公司資訊。然而,在網路的開放性架構下,企業內部資訊易遭受非法入侵與不當的擷取。因此,為企業制訂安全有效的資訊存取管理機制是重要的研究議題。Sandhu等提出以角色為基礎的存取控制(Role-based Access Control, RBAC),並廣泛應用於各種資訊系統中。本論文運用RBAC概念,以資訊系統存取的安全控管與金鑰管理機制為研究主題。
RBAC運用角色來維護使用者與角色、角色與權限之間的關係,讓使用者與存取權限之間以間接互動關係運作,讓資訊系統能提供合理的資訊給使用者,其具有角色指派關聯、角色繼承、職務分工、最低基本執行權限、資料抽象化與單位間的條件限制等特性。本論文為企業規劃設計了RBAC資訊系統架構,透過授權憑證及具有權限控管之角色金鑰提示來控管資訊的存取,以改善目前以身份代碼及通行碼為基礎登入系統的模式,避免可能因洩露通行碼而使非法者可憑此身份執行與角色相關的職權。
由於透過線上處理資訊,必須對資訊傳輸的安全有所防護,所以論文中除了探討權限之合理配置外,亦對資訊傳輸安全議題中金鑰管理機制的設計作了研究。目前對金鑰管理所採用的方式,多數是將金鑰儲存在磁片或智慧卡等媒體中由合法持有人自行保管,或是將金鑰存放在金鑰持有人的電腦設備中。這樣的金鑰管理模式可能因人為或儲存設備因素,而造成危害或產生不便。因此,以EKE(Encrypted Key Exchange)通訊協定作為基礎,設計具可攜性的安全金鑰管理機制。所設計的金鑰傳輸方法,採將私密金鑰存放於遠端伺服器的方式,持有人透過所設計的安全傳輸機制來下載由伺服器統籌保管維護的金鑰。這樣的機制,不但能提供具可攜性及可追蹤性的線上下載機制,亦簡化金鑰交換通訊協定的反覆檢驗程序,降低遺失遭竊的風險。
希望所提出的研究成果,不但能強化企業內資訊資源的有效控管,更能兼具個人金鑰管理之安全性及可攜性。
Enterprises nowadays allow employers to access corporate information via Internet so that tasks can be done without being limited by office hours. Such an advantage could be cancelled out because, on public networks like Internet, the internal information is vulnerable to be improperly accessed. Thus, the provision of a secure and effective access control scheme, such as Role-based Access Control (RBAC), becomes a very critical issue. Guided by the principle of RBAC, this thesis aims to provide secure and controlled access, and effective key management of corporate information systems.
RBAC uses roles to bridge users and permission. Permission to access certain resources is authorized only to the user who is associated with certain role. RBAC is multi-faceted with characteristics like user-role/permission-role assignments, role hierarchy, separation of duties, least privilege, data abstraction, and so on. In this thesis, we propose a framework of RBAC information system that effectively control the access by using certificates and role-keys. Therefore, illegal use or unauthorized access due to revelation of passwords in the login-based systems can be avoided.
In addition to the authority administration, we also investigate the key management issue, the essential element used for security protection in online information processing. Usually, the private keys are stored in diskettes or smart cards that are held by the legal owners, or in the key-holders’ computers. However, the easy management might suffer from lost of keys and damage of storage devices. Hence, based on the Encrypt Key Exchange protocol, we propose a portable and secure key management mechanism. The password-encrypted private keys are stored in a remote server. The owner may download the protected keys from the server through the secure communication channel. The proposed method not only provides a portable and traceable downloading mechanism, but also simplifies the repeated checking process in key exchange protocols.
摘要………………….…….…….….…..….…………..….………..…. I
Abstract……..…..….…….….……………………....……..……..…… III
誌謝….….…….…….….……..………..….…………..….………..…. V
目錄….…………….…….…….….……..……….……………………. VI
表目錄……..………….…….…….….……..…………….…………… IX
圖目錄……………..….……………………….….……..…………..… X
第一章、 緒 論…….…………….….……….……..….……..……… 1
第一節、 研究背景……………….…….………...….……..…….. 1
第二節、 研究動機………..…………………………….….…….. 3
第三節、 研究目的………..…………………………….……..….. 8
第四節、 研究範圍……………….………….…..…..…………..…. 10
第五節、 研究步驟………….…………………………..…….……. 13
第六節、 論文架構.....…….……………………..…..…….….……. 15
第二章、 文獻探討….….………………………....……….………… 16
第一節、 存取控制…………….……………..……..….………… 17
一、 存取控制矩陣……….……….……….…………..…….. 17
二、 存取控制串列法………….…….………...….…………. 18
三、 能力串列法………….…………………………………... 20
四、 以角色為基礎存取控制………………………………… 21
第二節、 存取控制政策……….…….……………..……………... 34
一、 自由裁量存取控制政策………….………………….…. 34
二、 強制型存取控制政策………………………………..…. 35
三、 角色為基礎的存取控制政策…………..……..……….. 35
第三節、 證書的管理…………….………………………….……. 38
一、 證書的應用………..………..…………………………… 38
二、 證書的結合……..…………………..…………………… 40
三、 “Access Control with Role Attribute Certificate” 之職務憑證……..…………………..……………………….. 45
第四節、 金鑰的管理………………………...…………………..... 48
一、 儲存設備……………………..…………………….……. 49
二、 金鑰的傳送…………………………….………………... 51
第五節、 小結……….…..……..………….……………….….…… 65
第三章、 執行具可攜性RBAC資訊系統架構….…………………. 66
第一節、 可攜性RBAC資訊系統架構…….….…………..…….. 66
一、 參與個體與憑證書及金鑰之應用……...….……..…….. 66
二、 RBAC資訊系統架構………………….……….……..…. 72
三、 RBAC系統的執行.……….…….……………………....… 92
第二節、 分析與討論……………………………..………….……. 106
第三節、 小結………….….……………………………...….…..… 110
第四章、 可攜式祕密金鑰管理……….………………….…………. 112
第一節、 簡介.…….………………………………...…….….……. 112
第二節、 前後關聯法………...……………………..…….………. 115
第三節、 三代關聯法………….……………………..……………. 122
第四節、 分析與討論…………….………………………….….…. 128
第五節、 小結………………………………………….………..…. 132
第五章、 結 論..……………..……….….………………….…...….. 133
第一節、 研究限制…………………………………..………….…. 133
第二節、 研究貢獻………………….……………………………... 135
第三節、 未來研究方向.……..…………….……………...……… 137
參考文獻……………..…………..……………………………………. 141
[1]施淵仁(1999),「具流程管理機制之工作存取權限控制模型之研究」,碩士論文,元智大學電機暨資訊工程研究所。
[2]劉興華(1999),「執行權管制系統的理論性架構設計」,博士論文,國立交通大學資訊管理研究所,新竹。
[3]吳國禎(1999),「數位證書在電子商務安全之應用」,博士論文,國立交通大學資訊管理研究所,新竹。
[4]朱建逹(2000),「建立於公開金鑰基礎建設的單一簽入系統」,碩士論文,國立交通大學資訊科學研究所,新竹。
[5]賴溪松、韓亮、張真誠(1995),近代密碼學及其應用,松崗書局,台北。
[6]樊國楨、陳祥輝、蔡敦仁(2002),「資料庫濫用軌跡塑模」,網頁 http://www.ascc.net/nl/90/1711/02.txt。
[7]行政院國科會科學技術資料中心,「標準與規範」,資通安全資訊網,網頁http://ics.stic.gov.tw/Standard/index.php。
[8]Ravi Sandhu, (2002) “Password-Enabled Public-Key Infrastructure (PKI) and Role-Based Access Control (RBAC) on the Secure Identity Appliance,” 第十二屆國家資訊安全會議專題演講,台中。
[9]Willian Stallings(2000), Cryptography and Network Security: Principles and Practice, 2nd Edition, Prentice Hall International, Inc.
[10]Radia Perlman and Charlie Kaufman (February 1999), “Secure Password-Based Protocol for Downloading a Private Key,” Network and Distributed System Security Symposium, San Diego, California.
[11]Ravi Sandhu (February 1996), Edward J. Coyne, Hal L. Feinstein and C. E. Youman, “Role-based Access Control Models,” IEEE Computer, Vol. 29, No. 2, pp. 38-47.
[12]David Ferraiolo and John Barkley (November 1997), “Specifying and Managing Role-Based Access Control within a Corporate Intranet,” Proceedings of the Second ACM Workshop on Role-based Access Control.
[13]Joon S. Park and Ravi Sandhu (October 1999), “RBAC on the Web by Smart Certificates,” Proceedings of the Fourth ACM Workshop on Role-based Access Control.
[14]Joon S. Park and Ravi Sandhu (October 1999), “Smart Certificates: Extending X.509 for Secure Attribute Services on the Web,” Proceedings of 22nd National Information Systems Security Conference, Crystal City, VA.
[15]Jing-Jang Hwang, Kou-Chen Wu and Duen-Ren Liu(2000), “Access Control with Role Attribute Certificates,” Computer Standards & Interfaces, Vol. 22, pp. 43-53.
[16]Joon S. Park and Ravi Sandhu(2000), “Binding Identities and Attributes Using Digitally Signed Certificates,” Proceedings of the 16th Annual Computer Security Applications Conference , New Orleans, Louisiana, USA, pp. 120-127. Gail-Joon Ahn(2000), “Role-based Access Control in DCOM,” Journal of Systems Architecture, Vol. 46, No. 13, pp. 1175-1184.
[18]Reinhardt. A. Botha and Jan. H. Eloff(2001), “ Separation of Duties for Access Control Enforcement in Workflow Environments,” IBM System Journal, Vol. 40, No. 3, pp. 666-682.
[19]S. Bellovin and M. Merritt (May 1992), “Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary Attacks,” Proceedings of the IEEE Symposium on Research in Security and Privacy, Oakland, California.
[20]S. Bellovin and M. Merritt(1994), “Augmented Encrypted Key Exchange: a Password-Based Protocol Secure Against Dictionary Attacks and Password File Compromise,” AT&T Bell Laboratories Technical Report.
[21]D. Jablon (October 1996), “Strong Password-Only Authenticated Key Exchange,” ACM Computer Communications Review.
[22]D. Jablon(June 1997), “Extended Password Protocols Immune to Dictionary Attack, ” Proceedings of the WETICE ’97 Enterprise Security Workshop.
[23]R. Lee and J. Israel(October 1994), “Understanding the Role of Identification and Authentication in NetWare 4,” Novell Application Notes.
[24]Hung-Yu Lin and Lein Harn (1995), “Authentication Protocols for Personal Communication System,” Proceedings of the Conference on Application, Computer Communication, Cambridge, Massachusetts, United States, pp. 256-261.
[25]David F. Ferraiolo, Ravi Sandhu, Serban Gavrila, D. Richard Kuhn and Ramaswamy Chandramouli (August 2001), “ Proposed NIST Standard for Role-based Access Control,” ACM Transactions on Information and Systems Security, Vol. 4, No. 3, pp. 1-51.
[26]Trent Jaeger and Atul Prakash (December 1996), “Requirements of Role-Based Access Control for Collaborative Systems,” Proceedings of the first ACM workshop on Role-Based Access Control.
[27]John Barkley, Konstantin Beznosov and Jinny Uppal (October 1999), “Supporting Relationships in Access Control Using Role Based Access Control,” Proceedings of the fourth ACM workshop on Role-Based Access Control.
[28]Najam Perwaiz and Ian Sommerville (May 2001), “Structured Management of Role-Permission Relationships,” Proceedings of the sixth ACM Symposium on Access Control Models and Technologies.
[29]Walt Yao, Ken Moody and Jean Bacon (May 2001), “A Model of OASIS Role-Based Access Control and its Support for Active Security,” Proceedings of the sixth ACM Symposium on Access Control Models and Technologies.
[30]Longhua Zhang, Gail-Joon Ahn and Bei-Tseng Chu (May 2001), “A Rule-Based Framework for Role-Based Delegation,” Proceedings of the sixth ACM Symposium on Access Control Models and Technologies.
[31]Gail-Joon Ahn and Michael E. Shin(2001), “Role-Based Authorization Constraints Specification Using Object Constraint Language,” Proceedings of the tenth IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises.
[32]FIPS PUB 186-2 (January 2000), Digital Signature Standard (DSS), NIST, http://www.itl.nist.gov/fipspubs/by-num.htm.
[33]E. B. Fernandez and J. C. Hawkins (November 2001), “Determining Role Rights from Use Cases,” Proceedings of the 8th ACM conference on Computer and Communications Security.
[34]Simon Fong and Chan Se-Leng (April 2000), “Modeling Personnel and Roles for Electronic Commerce Retail,” Proceedings of the 2000 ACM SIGCPR conference on Computer Personnel Research.
[35]Albert Levi and M. Ufuk Caglayan (October 1999), “Verification of Classical Certificates via Nested Certificates and Nested Certificate Paths,” Eight International Conference on Computer Communications and Networks (ICCCN ’99), Boston, MA, USA.
http://mercan.cmpe.boun.edu.tr/~levi/ic3n99al.pdf
[36]Albert Levi and Cetin Kaya Koc (June 2001), “Reducing Certificate Revocation Cost using NPKI,” Trusted Information, The new Decade Challenge, IFIPTCII 16th Internation Conference on Information Security, Bostion MA, pp. 51-59.
[37]Tuomas Aura (1999), “Distributed Access-Rights Management with Delegation Certificates,” Secure Internet Programming: Security Issues for Distributed and Mobile Objects, Springer, volume 1603, series LNCS, pp.211-235.
[38]Mary Ellen Zurko, Rich Simon and Tom Sanfilippo (May 1999), “A User-Centered, Modular Authorization Serveice Built on an RBAC Foundation,” Proceedings of the 1999 IEEE Symposium on Security and Privacy, Oakland, California.
[39]Chang. N. Zhang and Cungang Yang (August 2001), “An Object-Oriented RBAC Model for Distributed System,” Working IEEE/IFIP Conference on Software Architecture (WICSA'01), Amsterdam, The Netherlands, p.24.
[40]Chang. N. Zhang and Cungang Yang (May 1999), “Specification and Enforcement of Object-Oriented RBAC Model,” Proceedings of the 1999 IEEE Symposium on Security and Privacy, Oakland, California.
[41]Edward C. Cheng (1999), “An Object-Oriented Organizational Model to Support Dynamic Role-Based Access Control in Electronic Commerce Applications,” Proceedings of the 32nd Hawaii International Conference on System Sciences, pp. 1-9.
QRCODE
 
 
 
 
 
                                                                                                                                                                                                                                                                                                                                                                                                               
第一頁 上一頁 下一頁 最後一頁 top