| Author: | 林華鵬 Hua-peng Lin |
|---|---|
| Thesis Title: | 在聯合身份管理系統中,一個可自動調整之強一致性演算法 A Self-Adaptive and Efficient Algorithm to Achieve Strong Consistency in Federated Identity Management Systems |
| Advisor: | 查士朝 Shi-Cho Cha |
| Committee: | 莊裕澤 Yuh-Jzer Joung, 賴源正 Yuan-Cheng Lai, 羅乃維 Nai-Wei Lo |
| Degree: | Master |
| Department: | College of Management - Department of Information Management |
| Thesis Publication Year: | 2008 |
| Graduation Academic Year: | 96 |
| Language: | Chinese |
| Pages: | 67 |
| Keywords (in Chinese): | 聯合身份管理, 存取控制, 強一致性, 身份管理 |
| Keywords (in other languages): | Federated Identity Management, Access Control, Strong Consistency, Identity Management |
In recent years, demand for cross-organizational services has become increasingly common, so the ability to access one another's resources seamlessly across organizations has become very important. Federated Identity Management (FIM) systems today mostly adopt a ticket-based approach and make access control decisions based on the attributes carried in the ticket. This lets a Service Provider (SP) and an Identity Provider (IDP) communicate seamlessly and access each other's resources. When a system bases its access control decisions on attribute information, however, inconsistent information can lead to wrong access control decisions, allowing some users to access resources they were never authorized to access.
Although mechanisms such as the Certificate Revocation List (CRL) and the Online Certificate Status Protocol (OCSP) exist for learning whether a ticket is still valid, they mostly address the ticket itself rather than the attributes it contains. Therefore, if consistency between the ticket data and the user's actual data is to be maintained by reissuing the ticket on every attribute update, resources are wasted.
Although many methods from the field of distributed systems can be used to achieve consistency, different methods produce different network traffic requirements under different attribute-set sizes and user characteristics. This thesis focuses on the case where strong consistency must be achieved and proposes a "Self-Adaptive algorithm to achieve Strong Consistency" (SASC), which, while still satisfying strong consistency, automatically determines and selects the most suitable and lowest-cost method. Finally, a simple program is used to simulate the cost incurred by each individual method and by the SASC algorithm; the simulation results show that the SASC algorithm performs better than using any single method alone.
In recent years, Federated Identity Management (FIM) systems have played an important role in allowing users to access resources seamlessly between a service provider (SP) and an identity provider (IDP). In such systems, service providers usually decide whether or not to allow a request based on the attributes in tickets issued by trusted identity providers. Obviously, if a FIM system cannot keep the information in a ticket consistent with the information held by the person's IDP, it may make wrong privilege decisions.
Although mechanisms such as the Certificate Revocation List (CRL) or the Online Certificate Status Protocol (OCSP) can be used to invalidate tickets, CRL and OCSP may also incur heavy network overhead, because whole tickets must be reissued whenever attributes in them are modified.
In light of this, we propose a Self-Adaptive algorithm to achieve Strong Consistency (SASC) between the information in a ticket and the associated IDP. While there are several schemes in the traditional distributed-systems area for achieving data consistency, SASC adapts itself to choose the scheme that uses the least bandwidth, based on the characteristics of the network topology and the access patterns of the data.