Title: | Application and Implementation of X.509v4 Attribute Certificate |
Author: | 魏鼎洋 葉義雄 Institute of Computer Science and Engineering |
Keywords: | Attribute Certificate; Privilege Management Infrastructure; X.509v4 |
Date of publication: | 2004 |
Abstract: | Using identity certificates for authorization on the network creates a predicament. In this paper, we discuss the application and related implementation of the X.509v4 attribute certificate as a way of solving it. The attribute certificate is a kind of short-term certificate. The main difference from an identity certificate is that an attribute certificate carries no public key. An attribute certificate binds a set of attributes to its holder; the attributes are the privileges the holder is allowed. Therefore, the attribute certificate must be used together with an identity certificate.
On the application side, the X.509v4 specification defines the Privilege Management Infrastructure (PMI). PMI supports privilege management and a broad range of authorization services, and is mostly used together with a Public Key Infrastructure (PKI). X.509v4 also proposes four PMI models to offer more flexible applications of the attribute certificate.
On the implementation side, I first introduce the relevant knowledge and tools and then show how to produce an attribute certificate. Besides the attribute certificate itself, I also implement a simple Attribute Authority server and a Privilege Verifier server under the PMI. These simulate two client scenarios: requesting an attribute certificate from the Attribute Authority server, and requesting resource access from the Privilege Verifier server. |
URI: | http://140.113.39.130/cdrfb3/record/nctu/#GT009217601 http://hdl.handle.net/11536/74057 |
Appears in Collections: | Thesis |