
Author: Hua-peng Lin (林華鵬)
Thesis Title: A Self-Adaptive and Efficient Algorithm to Achieve Strong Consistency in Federated Identity Management Systems (在聯合身份管理系統中,一個可自動調整之強一致性演算法)
Advisor: Shi-Cho Cha (查士朝)
Committee: Yuh-Jzer Joung (莊裕澤), Yuan-Cheng Lai (賴源正), Nai-Wei Lo (羅乃維)
Degree: Master (碩士)
Department: Department of Information Management, College of Management (管理學院 - 資訊管理系)
Thesis Publication Year: 2008
Graduation Academic Year: 96
Language: Chinese (中文)
Pages: 67
Keywords (in Chinese): 聯合身份管理, 存取控制, 強一致性, 身份管理
Keywords (in other languages): Federated Identity Management, Access Control, Strong Consistency, Identity Management
Reference times: Clicks: 385, Downloads: 0
Abstract (Chinese, translated): In recent years, demand for cross-organizational services has become increasingly common, so the ability to seamlessly access one another's resources across organizations has become quite important. Federated Identity Management (FIM) systems today mostly adopt a ticket-based approach and make access control decisions based on the attributes carried in the ticket. This lets service providers (SP) and identity providers (IDP) communicate seamlessly and access each other's resources. If a system bases its access control decisions on attribute information, however, inconsistent information may lead to wrong access control decisions, allowing some users to access resources they are not authorized to access.

    Although mechanisms such as the Certificate Revocation List (CRL) and the Online Certificate Status Protocol (OCSP) exist to determine the validity of a ticket, they mostly address the ticket itself rather than the attributes within it. Therefore, if consistency between the ticket data and the user's actual data is to be achieved by reissuing the ticket on every attribute update, resources are wasted.

    Although many methods from the distributed systems field can be used to achieve consistency, different methods exhibit different network traffic requirements under different attribute-set sizes and user characteristics. This thesis focuses on the case of strong consistency and proposes a Self-Adaptive algorithm to achieve Strong Consistency (SASC), which, while satisfying strong consistency, automatically determines and selects the most suitable and lowest-cost method. Finally, a simple program simulates the cost incurred by each method and by the SASC algorithm; the simulation results show that SASC performs better than using any single method alone.


In recent years, Federated Identity Management (FIM) systems have played an important role in allowing users to access resources across service providers (SP) and identity providers (IDP) seamlessly. Service providers in current FIM systems usually decide whether to allow a request based on the attributes in tickets issued by trusted identity providers. Obviously, if an FIM system cannot keep the information in a ticket consistent with the information held by the person's IDP, it may make wrong privilege decisions.

    Although mechanisms such as the Certificate Revocation List (CRL) or the Online Certificate Status Protocol (OCSP) can be used to invalidate tickets, CRL and OCSP may also incur heavy network overhead, because whole tickets must be reissued when attributes in the tickets are modified.

    In light of this, we propose a Self-Adaptive algorithm to achieve Strong Consistency (SASC) between the information in a ticket and the associated IDP. While there are several schemes in the traditional distributed systems area for achieving data consistency, SASC can adapt itself to choose the scheme that uses the least bandwidth, based on the characteristics of the network topology and the access patterns of the data.

Table of Contents
    Abstract (Chinese) I
    Abstract III
    Acknowledgements IV
    Contents V
    List of Figures VII
    List of Tables VIII
    Chapter 1 Introduction 1
    1.1 Research Background 1
    1.2 Research Motivation 3
    1.3 Research Objectives and Contributions 4
    1.4 Chapter Overview 5
    2.1 Federated Identity Management Standards 6
    2.1.1 SAML (Security Assertion Markup Language) and XACML (eXtensible Access Control Markup Language) 6
    2.1.2 Liberty Alliance 10
    2.1.3 Shibboleth and GridShib 13
    2.1.4 Summary of Federated Identity Management Standards 17
    2.2 Certificate Revocation List and Online Certificate Status Protocol Standards 18
    2.2.1 Certificate Revocation List (CRL) 18
    2.2.2 Online Certificate Status Protocol (OCSP) 22
    2.2.3 Summary of CRL and OCSP Techniques 23
    2.3 Techniques for Achieving Strong Consistency 24
    2.3.1 Consistency Levels 24
    2.3.2 Techniques for Achieving Strong Consistency in Distributed Systems 25
    Chapter 3 Basic Methods for Achieving Strong Consistency in Federated Identity Management 28
    3.1 Notation 28
    3.2 Basic Methods 28
    3.3 Analysis and Cost Comparison 32
    Chapter 4 Self-Adaptive Algorithm to Achieve Strong Consistency (SASC) 38
    4.1 Thresholds Between the Methods 38
    4.2 The SASC Algorithm 40
    Chapter 5 Simulation 42
    5.1 Experiment 1: fix N and the size of SA, average the historical request counts to produce the next stage's new λ' value, and analyze how λ' affects the network traffic cost of each method 43
    5.2 Experiment 2: fix λ' and the size of SA, vary N, and observe the effect on network traffic cost 45
    5.3 Experiment 3: fix λ' and N, vary SA, and observe the effect on network traffic cost 46
    5.4 Discussion of Experimental Results 48
    6.1 Conclusions 49
    6.2 Future Research Directions and Suggestions 50
    Appendix 56
    Experiment 1 Data 56
    Experiment 2 Data 57
    Experiment 3 Data 58


Full text public date: 2013/07/23 (intranet only). The full text is not authorized for publication on the Internet or in the National Library.