植基於屬性憑證之授權管理基礎架構

Abstract

公開金鑰基礎建設（Public Key Infrastructure, PKI）是以公開金鑰密碼學技術為基礎而衍生的架構，以解決網路使用者身分鑑別的問題；「授權管理基礎建設」（Privilege Management Infrastructure, PMI），X.509v4中對PMI定義為「一種能夠支援權限管理，而用以支持廣泛的授權服務（簽發及管理屬性憑證），並與公開金鑰基礎建設相關連的基礎建設」，而PMI是在PKI的基礎上解決使用者授權控管的問題。 本研究主要是在網路環境運作架構中解決組織資源存取權限控管問題，我們以空軍總部架構為範例，運用屬性憑證（Attribute certificates, AC）設計整體授權管理架構，而授權連結的體係是以「業務」為主體，而不是以階層式的設計建置PMI，憑證的授權運作是由業務憑證管理中心執行（Independent Business Certificates Unit, IBCU）。授權模式區分組織內部及外部，組織內部的授權管理是基於職位（Role）為主體的模式，經由職位的指派而間接賦予相對映的權限；組織外部則以是用戶端（Client）為主體，經授權管理者直接賦予資源存取權限。 此授權模式架構的設計可彈性的配合組織架構而修改，以職位指派間接賦予工作權限，在管理上獨立授權作業，可有效的提昇組織資源管理的安全性，運用屬性憑證區分授權管理作業與資源管理作業，分工明確可以提昇授權管理的運作效能，以達成一致性的身分鑑別及資源執行權限控管，使組織PMI更完整。

Public Key Infrastructure, a framework derived from the Public Key Cryptography technology, is to solve the problem of the authentication among network users. Privilege Management Infrastructure is defined in X.509v4 as「The infrastructure able to support the management of privileges in support of a comprehensive authorization service and in relationship with a public key infrastructure.」 So PMI is designed to solve the problem of user privilege management on the basic of PKI.

This study is focused on solving the problem of the management of accessing organization resource privilege among the framework of networks operation, using Attribute Certificates to design the CAFHQ management framework of whole organization privilege.The object of privilege chain is「Independent business」, not hierarchy PMI structure. IBCU, Independent Business Certificates Unit, controls the operation of certificates privilege. The models of privilege management are divided into interior and exterior—the interior model is basic on the Role, and the exterior model is basic on the Client.

According to different organizations, the designs of privilege frameworks can be revised resiliently. Giving the privilege indirectly by assigning roles and exercising the operation independently in management can efficiently improve the security of organization’s resource management. The clear division of labor can advance the efficiency of privilege management. Through this, the unity of user identification and resource access control can be achieved, and make the PMI of organization more perfect.