分布式环境下统一身份认证系统的设计与实现
Design and Realization of Unified Identity Authentication System Based on the Distributed Environment
【中文摘要】 随着信息技术的日益发展,各种基于互联网的应用系统不断被开发出来。由于各个应用系统均有一套自己的安全策略和用户认证的方法,当用户面对多个系统时,需要多次验证身份。统一身份认证系统能够将多个不同应用系统的用户进行集中的管理、认证,用户进行一次认证,即可访问各个系统,较大的提高了用户的使用体验和安全性。论文在分析了国内外现有的几种统一身份认证的实现机制特点的基础上,从中型企业的资源管理项目身份认证管理的需求出发,提出了一个基于分布式环境下的统一身份认证的模型。本模型将基于用户代理的安全信任链机制引入到身份认证的过程中,通过用户代理的建立和代理证书的认证,有效减少认证服务器的负担,提高整个统一身份认证系统的安全性。为了更好的管理权限,本模型采用基于RBAC模型的权限管理方式,相对于传统的权限管理采用的用户—权限的紧密联系的方式,其用户—角色—权限的结构能够将用户与权限分离,有效提高了管理的灵活性和安全性;安全证书是身份认证的一个关键,本模型中使用了基于X.509格式的安全证书;鉴于LDAP的对查询操作的优化,以及较高的安全性,模型中采用LDAP目录服务来存储和管理安全证书。在本次企业资源计划的项目中,为了更好的实现身份认证管理模块,引入信任链机制,使得用户登录的次数减少,用户的认证信息输入确认只发生在中心的认证服务器上,用户密码不会经过第三方应用服务器,这样极高的减少了用户密码泄密的可能性,而且认证服务器的负载可以依据任务量较为均衡的分布在其他的服务结点上。随着统一身份认证系统的逐步完善,该系统将在企业资源计划的项目应用中发挥重要的作用。
【英文摘要】 With the increasing development of information technology,a variety of Internet-based applications have been developed.As every application system has its own set of security policy and user authentication method.When a user wants to access to a number of systems,he needs to verify his identity for many times.The Unified Identity Authentication System centralized manages users belong to different systems,the user only needs to verify once,then he can visit every application system. It's more convenient for the user and improves the security level.In this paper,we analyze some existing mechanism of Unified Identity Authentication,and consider the requirements of the User management module of an enterprise resource planning project.This paper introduces a Unified Identity Authentication model based on the Distributed Environment.A safety trust chain based on user proxy is used in this model,by using user proxy and proxy certificate,it lightens the burden of certification authentication server effectively,and improves the security level of the Unified Identity System.In view of the traditional privilege management which couples user and privilege directly,we design the privilege management module based on RBAC model which has a user-role-privilege approach. This approach effectively improves the flexibility and security.Safety certificate is a key to the system,and then we use the X.509 standard which has been proved very safe.This model uses LDAP repositories of authentication information that can improve the performance of query operations and security level.In the medium-sized enterprise resource planning project,we use the safety trust chain to achieve a better performance of identity management module.The user only needs to verify once and the user's identity information are only transported to the certificate authentication server.So it reduces the possibility of losing password.And the burden of the certificate authentication server can be distributed averagely among the other servers.With the gradual perfection of the Unified Identity Authentication system,it will play an important role in the project.
【中文关键词】 统一身份认证; 安全证书; 用户代理; 安全信任链
【英文关键词】 Unified Identity Authentication; Safety Certificate; User Proxy; Safety trust chain
