
Research on Ontology-based Automated Trust Negotiation and Its Security

Supervisor: 唐韶华

Discipline code: 081001

Degree conferred: Doctorate

Author:

Institution: 华南理工大学

Abstract: With the development of the Internet, sharing resources and conducting business transactions across security domains in open distributed computing, such as peer-to-peer networks, grid computing and ubiquitous computing, has become more and more pervasive. How to establish mutual trust between collaborating principals in such an environment has become an important problem. Automated trust negotiation (ATN) is an approach to establishing mutual trust between two strangers by iterative disclosure of credentials and access control policies. ATN has become one of the most promising approaches to establishing trust and access control in distributed environments.

Although ATN has been studied thoroughly, and its applications have expanded to many fields, some problems in ATN research remain to be solved. These problems include: different ATN systems use their own notations, which negatively affects interoperability across heterogeneous domains; access control policy is of vital importance in protecting resources from unauthorized access, and how to analyze access control policies against security objectives is a critical task; the semantics of ATN components are not considered by most existing ATN systems, so these systems are not complete, since a negotiation may fail in cases where it would succeed if the semantics were exploited; finally, how to verify that an ATN system is safe and protects the privacy of negotiators. To address these problems, an ontology-based approach to automated trust negotiation is proposed, and a formal security verification of the ATN system is performed. The main work and novelties are as follows:

1) The abstract model and architecture of ontology-based ATN are proposed. ATN components and their relationships are defined as a shared ontology, called the ATN ontology. The ATN ontology helps build a common understanding of ATN components across domains and facilitates semantic interoperability among negotiators. The Description Logic (DL) SHOIN(D) is used to formalize the ATN ontology.

2) Since the ATN ontology is formalized in Description Logic, an approach to analyzing the security properties of negotiators' access control policies by DL reasoning is proposed. Security analysis assures policy makers that their security objectives are satisfied. ATN access control policies and their security properties, including safety, availability and role containment, are mapped to DL axioms. Security properties are analyzed not only for the current policies but also for policies that change under the policy's restriction rules. Closed-world assumptions are added to the policy knowledge base so that the open-world reasoning of Description Logic becomes suitable for policy verification. Besides presenting the analysis result, explanations of the result are extracted using the non-standard inference services of Description Logic. These explanations help policy makers understand the effect of policies and construct policies that satisfy the security objectives.

3) A semantically relevant negotiation strategy (SRNS) is proposed, which discloses only credentials and access control policies that are semantically relevant to the negotiation target. By exploiting the semantics provided by the ATN ontology, SRNS is semantically complete: it finds a successful negotiation sequence whenever success of the negotiation is semantically possible. Since the relationships among attributes formed by delegation are defined in the ATN ontology, SRNS supports attribute delegation, which most existing negotiation strategies do not consider. Meanwhile, SRNS protects negotiators' sensitive attributes by enforcing attribute acknowledgement (ACK) policies. The properties of negotiation strategies, including completeness, termination, relevance and efficiency, are analyzed for SRNS, and SRNS is compared with other major negotiation strategies. A negotiation system using SRNS is implemented and its performance evaluated.

4) Using the specification and analysis techniques of security protocols, a novel formalization of the ATN system and its attack model in the Applied Pi calculus is proposed. The automated trust negotiation process is modeled as the parallel composition of two processes corresponding to the two negotiators, while the security requirement of the ATN system is formalized as observational equivalence in the Applied Pi calculus. In contrast to other formalizations of the ATN process, this modeling of ATN is a static specification: the behaviors of negotiators and dynamic authorization decisions need not be modeled explicitly, and the process corresponding to a negotiator is just the formalization of its credentials and authorization policies. With the assistance of the automatic protocol analyzer ProVerif, the security of the ATN system is analyzed automatically.

Keywords: automated trust negotiation; ontology; security; description logic; semantics; calculus

Classification code: TP393.08

Field: Automation and Computer Technology
