A Study of Role-based Access Control with Portable Key Management

• Main Authors: Chien-tai Lin, 林千代
• Other Authors: Sue-Chen Hsueh
• Format: Others
• Language: zh-TW
• Published: 2003
• Online Access: http://ndltd.ncl.edu.tw/handle/95902134358455058597

碩士 === 朝陽科技大學 === 資訊管理系碩士班 === 91 === Enterprises nowadays allow employers to access corporate information via Internet so that tasks can be done without being limited by office hours. Such an advantage could be cancelled out because, on public networks like Internet, the internal information is vulnerable to be improperly accessed. Thus, the provision of a secure and effective access control scheme, such as Role-based Access Control (RBAC), becomes a very critical issue. Guided by the principle of RBAC, this thesis aims to provide secure and controlled access, and effective key management of corporate information systems. RBAC uses roles to bridge users and permission. Permission to access certain resources is authorized only to the user who is associated with certain role. RBAC is multi-faceted with characteristics like user-role/permission-role assignments, role hierarchy, separation of duties, least privilege, data abstraction, and so on. In this thesis, we propose a framework of RBAC information system that effectively control the access by using certificates and role-keys. Therefore, illegal use or unauthorized access due to revelation of passwords in the login-based systems can be avoided. In addition to the authority administration, we also investigate the key management issue, the essential element used for security protection in online information processing. Usually, the private keys are stored in diskettes or smart cards that are held by the legal owners, or in the key-holders’ computers. However, the easy management might suffer from lost of keys and damage of storage devices. Hence, based on the Encrypt Key Exchange protocol, we propose a portable and secure key management mechanism. The password-encrypted private keys are stored in a remote server. The owner may download the protected keys from the server through the secure communication channel. The proposed method not only provides a portable and traceable downloading mechanism, but also simplifies the repeated checking process in key exchange protocols.