智能与分布计算实验室
  多自治域环境中使用控制模型的应用研究
姓名 刘垣
论文答辩日期 2008.06.05
论文提交日期 2008.06.11
论文级别 硕士
中文题名 多自治域环境中使用控制模型的应用研究
英文题名 Research on Application of Usage Control Model in Multi-Domain Enviroment
导师1 李瑞轩
导师2
中文关键词 访问控制;使用控制;自治域;电子政务
英文关键词 Access Control;Usage Control;Autonomy Domain;e-Government
中文文摘 随着网络技术的成熟和信息技术的发展,分布式环境中的跨自治域访问不仅成为一种需求而且已经成为可能。多域间的跨域访问提供了一种分布式的资源共享的方式,从而提高了资源的利用率。由于传统的访问控制模型仅仅关注于授权过程,用户一经授权便可不受限制的使用资源,对资源的使用过程缺乏灵活性、动态性和细粒度的有效控制,不利于对资源的安全保护。而被称为下一代访问控制模型的使用控制(UCON)模型不仅包含了传统访问控制模型,而且还包含了数字版权管理、信任管理等方面,涵盖了现代商务和信息系统需求中的安全和隐私这两个重要的问题,对访问控制技术和网络安全技术产生了巨大的推进作用。 在分析了目前常用的几种访问控制技术及存在的问题的基础上,引入了使用控制模型,并以集合谓词论为工具综合分析了该模型的工作机制、逻辑描述和体系结构。通过分析分布式环境对访问控制的安全需求,利用映射机制构建基于使用控制的多域互操作模型MDUCON,并给出其形式化定义和对各组成部分建模,对属性、条件、职责三大模块在域间交互过程中存在的问题进行探讨并给出解决方案。 此外,从电子政务应用环境出发,分析了电子政务环境下的安全需求和对访问控制的特殊需要,分析了传统访问控制模型的不足。将使用控制模型UCON的特点融入到电子政务系统中,分析了MDUCON模型应用到电子政务环境中的可行性和应用前景。最后给出模型对该领域应用的关键技术和实现步骤,讨论了应用中存在的实际问题。最后,在湖北省电子政务统一权限管理平台上,开发了一个基于MDUCON的多自治域访问控制原型系统,定义了域间互操作的规则和冲突解决方案,体现了UCON核心模型的特色,实现了MDUCON模型的多域扩展功能。
英文文摘 With the maturity of network technology and development of information technology, multi-domain interoperation in distributed environment is not only a necessary but also possible. Multi-domain interoperation provides a method to resource sharing to enhance the rate of using resource. As traditional access control model only pays attention to authorization step, the user can unlimited use the resource when he is authorized, that lacks agility , dynamic and granule control, go against to protect resource. Go by the name of next generation access control model, usage control (UCON) model encompasses traditional access control, trust management, and digital rights management and becomes the next generation of access control. It solves the security and privacy issues in the modem commerce and information system and makes a great drive to the access control technology and the network security. The usage control model was introduced and several kinds of traditional access control technology and the subsistent problems were analyse, based on them, the theory of predicate and collection to analysis the work mechanism, logic description and architecture of this model were used. With analysis the security requirement of distributed environment to access control, this thesis uses mapping policy to construct multi-domain interoperation model named MDUCON based on usage control. Formally define this model and modeling its components, The problems of three modules: attribute, condition and duty, when sharing data and interoperating in distributed systems, are explored and the solution is given. In addition, As the experience of the e-Government project,it introduces the system and security requirements of e-Government, points out the application status and shortage of the traditional access control model, and fusion the features of UCON with it, and then studies the feasibility and bright prospect of applying MDUCON to e-Government. Finally, the main aspects and steps to UCON are put forward, and the characteristics of UCON which includes integration, security, reality and feasibility are discussed. Lastly, A prototype system about multi-autonomous domain is developed based on the project which is an e-Government rights management platform in Hubei province. The rules for interoperating between domains and solution for conflicting are defined.The characteristics of the UCON basic model and its expansion in multi-domain are implemented in this thesis.