數位證書在電子商務安全之應用

Abstract

日常生活中我們都擁有一些證件，它們可以用來作為個人身分、經歷、參與活動，或是個人能力、資格的證明。在電腦網路的環境中，我們也可以用數位化的資料結構來模擬這些紙張型式的證件，並以這些數位化的證書來支援類似紙張證件所提供的身分識別以及授權管理服務。 本論文延伸ITU-T的X.509身分識別模型，以討論如何利用X.509數位證書來建立企業內部及企業之間的數位證書的應用。論文中以職務為基礎的執行權管制(Role-Based Access Control，簡稱RBAC)、以及電子資料交換來源方授權確認(Verification of Authorization at Source，簡稱VAS)為例，說明X.509證書在企業電子商務環境的應用。在第一個應用中以數位證書承載證書主體的職務指派資訊來輔助執行權管制，可以整合身分識別和執行權管制兩種安全服務，減少向集中式伺服器取得授權資訊的通訊需求。第二個應用則可以提供電子文件的收方確認文件所代表的交易內容是經過寄方合法授權，而且我們設計的查驗機制也和企業內部控制，以及企業間的電子資料交換系統做了完善的結合。這樣的討論，除了擴展數位證書的應用範疇，也可以說是把X.509標準的身分識別功能，提昇到了企業授權管理的層次。

In real life, paper-based credentials can prove individuals’ identities, experiences, participation in activities, capabilities or professions. In computer networks, identity authentication and authorization management are as important as they are in real world, thus digital credentials which mimic the paper counterparts should be provided to support these security services. In this dissertation, we extend the ITU-T recommended X.509 authentication framework to discuss the applications of X.509 certificates, specifically public-key certificates and attribute certificates, in business network environments. The presented applications include Role-Based Access Control (RBAC), and verification of electronic documents’ authorization at source. The first application of digital credential in RBAC can effectively streamline identity authentication and authorization validation. The second application can help assuring the received electronic document was legally created within the originating enterprise, and the proposed mechanism also integrates well with business internal control and EDI systems. Our work expands the application scope of digital credentials and raises the authentication function of the X.509 standard to the level of authorization management.