Title: A Single Sign-On Scheme Based on Public-Key Infrastructure
Author: 朱建达 (Chien-Ta Chu)
曾文贵 (Wen-Guey Tzeng)
Institute of Computer Science and Engineering
Keywords: Single Sign-On; Public-Key Infrastructure (PKI); Kerberos; SESAME
Date issued: 2000
Abstract: In a distributed environment, all information is exposed on public networks. This information may include transactions or users' passwords. In addition, the identities of the communicating parties are in danger of being impersonated. Considerable research, such as the Kerberos and SESAME authentication services, has been devoted to solving these problems.
In a heterogeneous environment, hosts differ in machine type and in login procedure. To log in to different computers, a user has to use different pairs of identity and password. During the login procedure, this information might be intercepted and leaked. "Single Sign-On" is the solution that reduces the complexity of the login procedure.
In this paper, we not only investigate two representative authentication services but also propose a similar scheme that integrates PKI with Single Sign-On. Our scheme works as follows: the user logs in once using a smart card and then uses different services without entering a password again. We adopt "Role-Based Access Control" to manage privileges, which makes privilege management more flexible.
URI: http://140.113.39.130/cdrfb3/record/nctu/#NT890394093
http://hdl.handle.net/11536/66998
Appears in collections: Thesis