Title: | Design of Condition-aware Role-based Access Control to Relax Management Overheads (針對減輕管理負擔之條件式角色存取控制設計) |
Authors: | Chang, Tsung-Yao (張宗堯); Huang, Yu-Lun (黃育綸); Institute of Electrical and Control Engineering (電控工程研究所) |
Keywords: | Security; Access Control; Context Aware; Authorization; Condition |
Date of publication: | 2008 |
Abstract: | The basic goal of an access control model is to let administrators authorize simply, intuitively and efficiently. Conventional access control mechanisms map user identities to permissions. With the spread of ubiquitous computing, many applications depend on the context the user is in, and authorizing on identity alone falls short in both security and practicality. In this research we propose an access control model that takes user context into account when authorizing. The model extends Role-based Access Control (RBAC) with a new component called "Condition", made up of context information and user operations; conditions act as constraints or criteria when roles and permissions are assigned, so a user must both hold an approved identity and satisfy the specified conditions to obtain a requested permission. Unlike other models, the proposed model partitions conditions into immutable (static) and mutable (dynamic) conditions and handles each type differently: users present immutable conditions to the system to obtain permissions directly, while the system itself checks mutable conditions as the security policy requires, without user involvement. This reduces the number and complexity of roles defined in the system and the cost of repeatedly updating user attributes. In some applications a user need not even be authenticated: under the proposed model, permissions can be obtained directly from the conditions the user holds. Together these improvements relieve the management burden and make authorization more intuitive; by reducing the number of roles and the number of times conditions must be obtained and checked, we show that our model incurs less authorization and management overhead than existing models. |
URI: | http://140.113.39.130/cdrfb3/record/nctu/#GT079612601 http://hdl.handle.net/11536/41919 |
Appears in Collections: | Theses |
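To make the abstract's model concrete, the following Python sketch is an added example written for this record, not the thesis's own implementation. It binds each permission to a role plus a Condition, splits the Condition into an immutable part the user presents and a mutable part the system evaluates itself, and allows a grant with no role at all so that a condition alone can authorize. The hospital scenario, the class and attribute names, the sample network 10.20.0.0/16 and the shift hours are all hypothetical.

```python
"""Toy condition-aware RBAC. Added example; classes, policy and scenario are hypothetical."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, FrozenSet, List, Mapping, Optional, Set, Tuple

Env = Mapping[str, object]  # live context the system observes itself at request time


@dataclass(frozen=True)
class Condition:
    name: str
    immutable: FrozenSet[Tuple[str, object]]      # (attribute, value) pairs the user must present
    mutable: Mapping[str, Callable[[Env], bool]]   # predicate name -> check the system runs over Env


@dataclass(frozen=True)
class Grant:
    role: Optional[str]   # None: no role/identity required, the condition alone suffices
    permission: str
    condition: str        # name of the Condition gating this grant


class ConditionAwareRBAC:
    def __init__(self, conditions: List[Condition], grants: List[Grant], user_roles: Dict[str, Set[str]]):
        self.conditions = {c.name: c for c in conditions}
        self.grants = list(grants)
        self.user_roles = user_roles

    def authorize(self, user: Optional[str], permission: str, presented: Mapping[str, object], env: Env) -> Tuple[bool, str]:
        """Return (decision, reason). `presented` = immutable attributes the user supplies,
        e.g. claims from a credential; `env` = context only the system is trusted to read."""
        reasons = []
        for g in self.grants:
            if g.permission != permission:
                continue
            if g.role is not None and g.role not in self.user_roles.get(user, set()):
                reasons.append(f"{g.condition}: user lacks role '{g.role}'")
                continue
            cond = self.conditions[g.condition]
            # Immutable part: every required attribute must be presented with the required value.
            missing = sorted(a for a, v in cond.immutable if presented.get(a) != v)
            if missing:
                reasons.append(f"{cond.name}: immutable attribute(s) {missing} not presented")
                continue
            # Mutable part: evaluated by the system from env, never taken from the user's claims.
            failed = [n for n, check in cond.mutable.items() if not check(env)]
            if failed:
                reasons.append(f"{cond.name}: mutable check(s) {failed} failed")
                continue
            return True, f"granted via role {g.role or '<none>'} under condition '{cond.name}'"
        return False, "; ".join(reasons) or f"no grant defines permission '{permission}'"


# --- constructed sample policy (hypothetical hospital scenario) ---
HOSPITAL_NET = ip_network("10.20.0.0/16")

CONDITIONS = [
    Condition("on_shift_onsite",
              immutable=frozenset({("department", "cardiology")}),
              mutable={"within_shift": lambda env: 8 <= env["now"].hour < 20,
                       "on_hospital_network": lambda env: ip_address(env["client_ip"]) in HOSPITAL_NET}),
    Condition("visitor_badge_scanned",
              immutable=frozenset({("badge_type", "visitor")}),
              mutable={"lobby_open": lambda env: 6 <= env["now"].hour < 22}),
]
GRANTS = [
    Grant("physician", "read_patient_record", "on_shift_onsite"),  # role AND condition
    Grant(None, "view_floor_map", "visitor_badge_scanned"),        # condition alone, no identity
]
POLICY = ConditionAwareRBAC(CONDITIONS, GRANTS, user_roles={"alice": {"physician"}})

# Constructed request contexts (what the system itself observed).
DAY_ONSITE = {"now": datetime(2008, 6, 2, 10, 30), "client_ip": "10.20.1.5"}
NIGHT_ONSITE = {"now": datetime(2008, 6, 2, 23, 0), "client_ip": "10.20.1.5"}
DAY_OFFSITE = {"now": datetime(2008, 6, 2, 10, 30), "client_ip": "203.0.113.7"}


def demo() -> Dict[str, Tuple[bool, str]]:
    """One role plus two conditions cover cases plain RBAC would need a role apiece for
    (physician_cardiology_dayshift_onsite, ...)."""
    cardio = {"department": "cardiology"}
    return {
        "alice_day_onsite": POLICY.authorize("alice", "read_patient_record", cardio, DAY_ONSITE),
        "alice_night": POLICY.authorize("alice", "read_patient_record", cardio, NIGHT_ONSITE),
        "alice_offsite": POLICY.authorize("alice", "read_patient_record", cardio, DAY_OFFSITE),
        "alice_wrong_dept": POLICY.authorize("alice", "read_patient_record", {"department": "oncology"}, DAY_ONSITE),
        "bob_no_role": POLICY.authorize("bob", "read_patient_record", cardio, DAY_ONSITE),
        "anon_visitor": POLICY.authorize(None, "view_floor_map", {"badge_type": "visitor"}, DAY_ONSITE),
    }


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:18} {'ALLOW' if ok else 'DENY '} {why}")
```

The security-relevant point of the split is visible in `authorize`: the mutable facts (time of day, client address) are read from `env`, which the system populates, so a requester cannot simply claim to be on shift or on the hospital network; only the immutable attributes come from the user's presented credential, and those are the ones an administrator would otherwise have to encode as extra roles or keep updating per user.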