Please use this Handle URI to cite this document:
http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/43131
Title: | Distributed Multi-Level SSO Model (分散式多層級單一登入系統) |
Author: | Chih-Hsing Wu (吳致行) |
Advisor: | Seng-Cho T. Chou, Ph.D. (曹承礎) |
Keywords: | single sign-on, distributed authentication, security layering, operation environments |
Year of publication: | 2011 |
Degree: | Master's |
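Abstract: | With the large-scale digitization of information services, the differences among information sources, content and security requirements are becoming increasingly complex, and the authentication problem that users face when accessing network resources deserves more attention. A large number of accounts and passwords is a major obstacle to online identity management; for convenience, users use simple or repeated passwords to authenticate to different services, which then becomes a network security vulnerability. A single sign-on system is one of the effective ways to solve this problem.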
Through the associations established between each service and the authentication system, a single sign-on system lets users access the resources of multiple services with a single authentication. However, single sign-on systems still have problems such as single point attack, security mechanisms that cannot be adjusted to the characteristics of each network service, and the lack of a unified standard. This research proposes an improved single sign-on model: the distributed multi-level SSO model. This authentication model has a distributed structure, which reduces the risk of single point attack, and provides customizable security levels, so that each network service gets the most suitable secure authentication flow. We also hope this improved model can serve as a reference for a unified single sign-on standard. From the concept of security-level customization, we derive the idea of multiple operation environments, named intra-service identity management. Besides setting a security level for a network service, users can also set up different identities to enjoy differentiated operation environments, each with independent resource limits and operation permissions. Intra-service identity management gives users a more intuitive and active experience of a network service.

As more and more information services are provided via the Internet, the requirements for information sources, content and security have become increasingly complicated. The authentication process that users go through to access Web resources needs even more attention. Nowadays, users often have a large number of accounts and passwords and, for their own convenience, tend to set simple or repeated passwords for multiple Web services with different security requirements, which makes the Internet environment vulnerable. Single sign-on (SSO) systems have therefore been proposed to solve this problem effectively. An SSO system allows users to access multiple services with only one authentication process. However, SSO systems still have some problems, such as vulnerability to single point attack, the same security mechanism for all kinds of services, and the lack of a unified standard. In this thesis, we propose a modified SSO model called the distributed multi-level SSO (DMLSSO) model to solve the known issues of current SSO systems. The model has a distributed architecture, which can be used for reducing the risk of single point attack and providing customized security layering for different sorts of Web services. We also hope our modified model can serve as the standard model for SSO. In addition to bringing modifications to the current SSO system, we further propose a brand new Web surfing concept.
Extending customized security layering, we propose that one Web service can have multiple operation environments for its users, and we call this concept intra-service identity management. According to the security level that users choose, service providers can present different environments to different users. Every environment has independent resources and permissions, which makes intra-service identity management capable of providing a more intuitive and active user experience. |
URI: | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/43131 |
Full-text authorization: | Paid license |
Appears in departments: | Department of Information Management |
Files in this item:
File | Size | Format | |
---|---|---|---|
ntu-100-1.pdf (not currently authorized for public access) | 4.53 MB | Adobe PDF |
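Items in this system are protected by copyright, with all rights reserved, unless their copyright terms are specifically indicated otherwise.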