Research on Distributed Authorization Access Control for Information Appliances
The Research of Distributed Authorization Access Control of Information Appliance
【Author】 Tan Panpan;
【Supervisor】 Liu Hong;
【Author information】 Hunan Normal University, Computer Applied Technology, 2008, Master's degree
【Abstract (Chinese)】 The security concerns of information appliances mainly include identity authentication, privilege management, access control and audit trails. At present, however, the standards for information appliances have not been settled, the various existing standards lack compatibility, and security, as one of the research topics, is even less unified; authorization management and access control mechanisms are an indispensable part of security research and are therefore of considerable importance. This research is carried out against that background and proposes a general, feasible authorization and access control mechanism for information appliances, attempting to separate the standard from specific products so as to achieve greater compatibility. Within the security architecture of information appliances, and combining the XACML access control model with the PMI privilege management infrastructure, this thesis further analyses distributed access control for information appliances, proposes the IXPMI distributed authorization access control architecture suited to information appliances, and discusses the system workflow under that architecture. Because of the distributed nature of information appliances, the thesis adopts a storage scheme that combines a local embedded database with a remote LDAP directory server to store the information relevant to the IXPMI system, such as user information, role information, role hierarchy information, information appliance device information and attribute certificates. To achieve consistency, compatibility and extensibility of the system, the thesis uses XML to describe the IAIDL files and attribute certificates of information appliances. The condition-based role-object access control policy is proposed on the basis of the advantages and disadvantages of MAC, DAC, RBAC and OBAC, combined with the characteristics of the XACML language. At the same time, the RBAC hierarchy model is used to partition the user role hierarchy of information appliances and to determine the granularity of information appliance access control, and the concept of a "method domain" is proposed to reduce the number of information appliance access control policies as far as possible. Finally, access control policies, rules and conditions are implemented in a Linux + SunXacml 1.2 + Eclipse environment.
【Abstract】 The security of information appliances mainly includes identity authentication, privilege management, access control, audit trails and so on. However, the standard for information appliances has not yet been set down, and the various existing standards lack compatibility. Security, as one topic of information appliance research, has not been unified. Research on authorization management and access control, as an important part of information appliance security, is therefore highly significant. The present research aims to keep the standard separate from concrete products in order to achieve greater compatibility, and puts forward a feasible, universal distributed authorization access control mechanism for information appliances. By integrating the XACML access control model with PMI, this thesis further analyses the access control of distributed information appliances on the basis of the information appliance security framework, and puts forward the IXPMI distributed authorization access control architecture for the appliance. Furthermore, it discusses the system's workflow within that architecture. Because of the distributed nature of the appliance, a storage scheme is introduced that combines local storage in an embedded database with remote storage in an LDAP directory server to hold information such as users, roles, the role hierarchy, information appliances and the like. For the sake of system consistency, compatibility and extensibility, IAIDL files and attribute certificates are described in XML. A condition-based role-object access control policy is advanced, which draws on the advantages and disadvantages of MAC, DAC, RBAC and OBAC and on the characteristics of the XACML language.
At the same time, the RBAC hierarchy model is used to partition the user role hierarchy, the proper granularity of information appliance access control is ascertained, and the concept of a "method field" is brought forward to reduce the number of policies as far as possible. In the end, this thesis implements the access control policies, rules and conditions of information appliances in a Linux + SunXacml 1.2 + Eclipse environment.
【Key words】 XACML; IXPMI; Access Control; LDAP; Distributed Authorization
- 【Online publication contributor】 Hunan Normal University 【Online publication year/issue】 2008, issue 11
- 【Classification number】 TP393.08
- 【Download count】 55