:::

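Title: A Theoretical Framework Design for Access Control Systems
Author: 劉興華
Author (foreign name): Liu Hsing-Hua
Institution: National Chiao Tung University
Department: Institute of Information Management
Advisors: 黃景彰, 張克章
Degree: Doctoral
Publication date: 1999
Subject keywords: access control; RBAC theoretical model; role attribute certification authority; RBAC authorization controller; role-based access control (RBAC)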
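With the rapid development of the Internet, enterprises now face the challenge of applying new information technology to build business models over large and complex networks. In raising an enterprise's overall competitiveness in this environment, ensuring the security of the information network is undoubtedly an important consideration, and access control in information systems provides the function of protecting information security. Moreover, in the Internet/Intranet world, the control and protection of access rights over an information system's information resources must be considered from a new perspective. On this premise, we propose a design concept for developing an access control system within the enterprise information network. The goal of the system is to let enterprise managers themselves define access control policies and mechanisms for information resources according to the organization's security policy, and to put them into actual operation within the system's processes. Our design also covers protection mechanisms for the information used by access control.
The ISO/IEC 10181-3 document, defined by the International Organization for Standardization, provides a blueprint for the design of access control systems. In designing access control inside an information system, this research follows the standard in the following respects: the functional components of the access control modules, the protocols for message exchange between functional modules, the types and sources of the privileges used in access decisions, and the protection of the access control mechanism itself.
This dissertation takes the RBAC (Role-Based Access Control) theoretical model as the theoretical core for designing the access control system. Under this theory, an enterprise's internal controls and part of its audit procedures can be enforced preventively, in advance. In practice, this research sets up a Role Attribute Certification Authority and an RBAC Authorization Controller as two authorization control servers in a distributed network environment. The Role Attribute Certification Authority issues employees' role attribute certificates, which serve as proof for controlling users' work access rights and confirming their identity. The RBAC Authorization Controller is a centralized authorization control database that stores pre-planned authorization control information; the enterprise's managers, or the security administrators they designate, supply this information through the functions of a purpose-built interface, converting the enterprise's internal security policy into authorization control information that can be checked and verified. We design it this way to emphasize that, in an enterprise information network, the authorization control information for information resources should be set under a concept of "separation of powers", to achieve mutual checks and balances, while authorization checking should be enforced under a "centralized" concept, to ensure the security of the enterprise's information resources.
The protection mechanism for access control policies proposed in this dissertation uses two access control policies, DAC and RBAC, as examples of the system design. We use the properties of one-way functions to protect the security of the access control mechanism itself, so that the system's authorization control information cannot be arbitrarily tampered with. Our design philosophy is to offer the managers of modern enterprises a new paradigm for controlling information resources in the enterprise information network environment.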
Access control is essential for the security of information systems in the Internet/Intranet environment. Most research in this area is engineering-oriented in nature, proposing solutions to part of the whole system. In this dissertation, the author intends to adopt a broader and systematic view, introducing a theoretical design.
A framework for access control systems has, indeed, been defined in the ISO/IEC 10181-3 document. Following this standard, the theoretical design in this dissertation includes the following: (1) functional descriptions of access control modules, (2) protocols for information exchange between communicating modules, (3) classification of access privileges, (4) verification of authorization, and (5) mechanisms for protecting access control information.
Role-based Access Control (RBAC) is the kernel theory of this design. Based upon this theory, security policies defined for internal control and auditing procedures can be implemented. In addition, the author adds to the system two trusted third parties: the Role Attribute Certification Authority (RACA) and the RBAC Authorization Controller. RACA, which is optional for real systems implementation, issues role attribute certificates to convey role information of users. The RBAC Authorization Controller is responsible for a centralized database which stores information, either about rule-based policies or about identity-based policies. As a result of the design, authorization of operations is based on security policies and well-managed access control information.
The author further presents a mechanism for protecting access control information demanded by DAC (Discretionary Access Control) or RBAC security policies. This mechanism uses encryption/decryption and Morton sequences to keep access control information confidential.
:::