Author: 彭玉伃
Thesis title (Chinese): 運用屬性憑證於以角色為基礎的授權管理之研究
Thesis title (English): Using Attribute Certificates for Role-Based Privilege Management
Advisors: 黃景彰, 陳安斌
Degree: Master's
Institution: National Chiao Tung University (國立交通大學)
Department: Information Management Group, Executive Master's Program, College of Management
Discipline: Computer Science
Subject category: General Computer Science
Thesis type: Academic thesis
Graduation academic year: 93 (ROC calendar)
Language: Chinese
Pages: 85
Keywords: Privilege Management Infrastructure (PMI); Attribute Certificate; Role-Based Access Control (RBAC); XML; XACML
Statistics:
  • Cited: 0
  • Views: 143
  • Downloads: 0
  • Bookmarked: 0
An information system must be able to determine whether a user is permitted to use or modify a given information resource; this function is called access control. As Internet applications become more widespread, questions such as how users are properly authorized and how access control services are provided to application systems grow in importance. A Privilege Management Infrastructure (PMI) is an architecture, built on attribute certificates, that provides access control services; but whereas the Public Key Infrastructure already has many applications and much discussion, PMI is still in its infancy.
Role-Based Access Control (RBAC) is an access control mechanism that has received considerable attention and use in recent years; it reflects the roles and functions of an organization and fits the organization's information security policy. This thesis therefore combines the PMI and RBAC mechanisms to design a role-based privilege management model, intended as an operational framework for organizations implementing a PMI. In addition, the attribute certificate defined in version 4 of the X.509 standard cannot fully carry the authorization information required by role-based privilege management; this thesis proposes two methods of supporting RBAC, using the acceptablePrivilegePolicies extension field of the attribute certificate and a custom extension field, so that the authorization information a user needs when activating a role and exercising permissions is carried in the attribute certificate, increasing the applicability of attribute certificates.
Finally, since XML is now widely regarded as the standard for data exchange between Internet application systems, this thesis uses the XML Encoding Rules (XER) for ASN.1 to express attribute certificates, designs RBAC privilege management rules in the XACML policy language, and describes the permission verification process that uses XML attribute certificates and privilege management rules, so that attribute certificates can be used more widely on the Internet through XML.
Access control is the function of deciding whether a user is permitted to use or change information contents in information systems. Based on the concept of the attribute certificate, a Privilege Management Infrastructure (PMI) is a framework for access control. Extended from PKI (Public-Key Infrastructure), PMI is comparatively new.
Role-Based Access Control (RBAC) has received much attention in recent years. RBAC reflects the need to implement separation of duties and other security policies in organizations. Using a combination of PMI and RBAC, the author of this thesis presents a role-based privilege management model. The proposed model works as a framework for practicing PMI. In the proposed model an X.509 attribute certificate does not necessarily include all information for access control. Part of the information is role related. The information about role assignment is written either into the extension field named acceptablePrivilegePolicies or into a new extension field. Therefore, user privileges are verified when a user starts a role. Accordingly, the proposed approach broadens the applications of the X.509-based attribute certificate.
Because XML is now widely considered a standard for data exchange among Internet application systems, this thesis utilizes the XML encoding rules for ASN.1 (XER) to encode an attribute certificate and uses an XML-based language, XACML, to design a set of RBAC security policies. A verification procedure is also proposed; therefore, the research result of this thesis is ready for real-world applications.
Chinese Abstract i
Abstract iii
Acknowledgements v
Table of Contents vi
List of Figures viii
List of Tables xi
Chapter 1 Introduction 1
1.1 Research Motivation 1
1.2 Research Objectives 2
1.3 Research Method 2
1.4 Thesis Organization 3
Chapter 2 Literature Review 4
2.1 Introduction to Privilege Management Infrastructure 4
2.2 Certificate Operating Architectures 6
2.2.1 Public Key Certificate Architecture 6
2.2.2 Attribute Certificate Architecture 10
2.3 Attribute Certificate Format 16
2.4 Role-Based Access Control 18
2.5 An Application of Attribute Certificates: the PERMIS Project 24
2.6 XML 25
2.6.1 XER 26
2.6.2 XACML 28
2.7 Summary 32
Chapter 3 Design of a Role-Based Privilege Management Model 33
3.1 Model Description 33
3.2 Types of Privilege Management Infrastructure 40
3.3 Case Study 42
3.4 Advantages of the Model 46
Chapter 4 Carrying RBAC Authorization Information in Attribute Certificates 49
4.1 RBAC Authorization Information 49
4.2 Contents of the Attribute Certificate 51
4.3 Carrying Authorization Policies in Attribute Certificate Extension Fields 53
4.3.1 The acceptablePrivilegePolicies Extension Field 53
4.3.2 Custom Attribute Certificate Extension Fields 55
4.4 Summary 58
Chapter 5 Expressing Attribute Certificates and Privilege Management Rules in XML 59
5.1 XML Attribute Certificate and Schema Document 59
5.2 XACML Privilege Management Rules 61
5.3 Case Design 65
Chapter 6 Conclusions and Recommendations 69
References 71
Appendix 1 XML Attribute Certificate Schema Document 74
Appendix 2 RBAC Privilege Management Rules Designed in the XACML Policy Language 79