A Study of the PMI-based XML Access Control Model in Consideration of the Features of the Public Organization

  • Published : 2006.12.31

Abstract

To secure the confidentiality, integrity, authentication and non-repudiation of the cyber administrative environment, local public organizations are attempting to consolidate official documents among themselves by standardizing all documents into XML format, together with the establishment of the GPKI (Government Public Key Infrastructure). The PKI (Public Key Infrastructure)-based authentication system used by the GPKI, however, provides only simple user authentication, which makes it difficult to manage the position, task and role information of the various users that the task environment of public organizations requires. It also has the limitation of not supporting detailed access control over XML-based public documents. To solve these issues, this study analyzes the security problems of the authentication and access control systems used by public organizations, derives solutions from the analysis results through a scenario, and, most importantly, proposes an access control model that applies PMI, SAML and XACML to solve the identified problems.
