Article ID: 1000-6788(2002)04-0063-06    CLC number: TP393    Document code: A

An RBAC Model Using Digital Certificates

ZHANG Da-jiang, QIAN Hua-lin (Computer Network Information Center, CAS, Beijing 100080, China)

Abstract: Role-based access control is an effective approach to implementing strong access control for Intranet resource sharing and keeping unauthorized events from happening. Based on the PKI and directory service of an enterprise, we propose a method that uses X.509 certificates and attribute certificates to implement RBAC easily and flexibly. We analyze the security and flexibility problems caused by using only X.509 certificates to implement RBAC, propose the design of a combined attribute certificate, and give the implementation method for role assignment, permission assignment and role hierarchy.

Keywords: RBAC; role; X.509 certificate; attribute certificate; directory service

Received: 2000-08-14. Supported by the National 863 Program (863-306-ZD-08). First author born 1972.

[The Chinese body text did not survive extraction; only the English terms, citation markers and directory entries below are recoverable, listed in the paper's section order.]

Introduction: Intranet; identity-based access control; Role-Based Access Control (RBAC) [1].

1 RBAC model: RBAC; access control table [2]; X.509; PKI (Public Key Infrastructure); C-RBAC (Certificate-achieved RBAC).

2 X.509 certificates and C-RBAC: X.509 public-key certificate, PKI [3]; Certificate Authority (CA); subject; X.509 v3; Certificate Revocation Lists (CRL); short-lived certificate [4]; X.509 attribute certificate [5]; Attribute Authority; Role Authority (RA); RoleCert1, RoleCert2; Resource Owner (RO).

3 C-RBAC
3.1 Role assignment: RBAC, X.509; PKI; self-assigned; CA.
3.2 Mutually exclusive roles (RO1, RO2; attribute Mexclusive). Directory entries as given in the paper:

    dn: role=accountant,category=rbac,ou=...,o=...,c=...
    role=accountant
    Mexclusive=teller
    objectclass=role

    dn: role=teller,category=rbac,ou=...,o=...,c=...
    role=teller
    Mexclusive=accountant
    objectclass=role

RO1 corresponds to accountant and RO2 to teller; the entry role=teller,category=rbac,ou=...,o=...,c=... carries Mexclusive=accountant.

3.3 Role hierarchy (attribute subrole). Directory entries as given in the paper:

    dn: role=supervisor,category=rbac,ou=...,o=...,c=...
    role=supervisor
    subrole=testengineer,analysengineer
    objectclass=role

    dn: role=testengineer,category=rbac,ou=...,o=...,c=...
    role=testengineer
    subrole=engineer
    objectclass=role

    dn: role=engineer,category=rbac,ou=...,o=...,c=...
    role=engineer
    objectclass=role

Here supervisor has the subroles testengineer and analysengineer, and testengineer in turn has the subrole engineer.

4 Conclusion: X.509; RBAC; PKI; Intranet.

References
[1] Ravi S Sandhu, Edward J Coyne, Hal L Feinstein, Charles E Youman. Role-based access control models [J]. IEEE Computer, 1996, 29(2): 38-47.
[2] Zahir Tari, Shun-Wu Chan. A role-based access control for intranet security [J]. IEEE Internet Computing, 1997, 1(5): 24-34.
[3] Jalal Feghhi, Jalil Feghhi, Peter Williams. Digital Certificates: Applied Internet Security [M]. Addison-Wesley, 1999.
[4] Yung-Kao Hsu, Seymour S P. An intranet security framework based on short-lived certificates [J]. IEEE Internet Computing, 1998, 2(2): 73-79.
[5] Farrell S, Housley R. An internet attribute certificate profile for authorization [R]. Internet Engineering Task Force Draft, work in progress, 1999.

© 1995-2005 Tsinghua Tongfang Optical Disc Co., Ltd. All rights reserved.