Publications-Theses

題名 AAA架構下情境感知存取控制政策之設計與應用
Context-aware access control for the AAA architecture
作者 劉安妮
Liu, Annie
貢獻者 劉文卿
劉安妮
Liu, Annie
關鍵詞 情境知覺
AAA架構
存取控制政策
無線網路安全
Context-aware
AAA Architecture
Access control policy
Wireless security
日期 2005
上傳時間 18-Sep-2009 14:29:45 (UTC+8)
摘要 隨著無線網路環境的普及,越來越多行動工作者可以透過隨身的手持設備進行網路漫遊,即時地存取不同的服務。另外亦可以經由公司的虛擬專有網路來存取企業內部資料、電子郵件及其它應用程式。不論是針對企業或是網路服務業者而言,為了要能夠確保網路環境上的安全性,眾多的行動工作者在進行漫遊時,身分必須被驗證,進而才能被授予各項服務的存取權。此外,還必需根據使用者服務使用的情況進行計費,來提升服務提供者的收益。
因此在無線區域網路中,結合一套認證、授權、計費的架構(Authentication, Authorization, Accounting Architecture, AAA
Architecture),使得網路服務業者能夠有效地來管理龐大行動工作者的跨網路漫遊服務。

本研究提出一個以情境知覺運算(context-aware computing)為基礎的AAA架構。以情境來設計資源存取政策,因此系統偵測到行動工作者情境上的改變,根據已定義好的存取政策,動態地進行身分驗證及調整授權服務,最後再依不同的服務使用等級、連線時間與網路使用量等來計費。本論文以漫遊服務與企業虛擬專有網路為例,說明在此架構下如何針對不同的情境進行身分認證、與服務授權。
With the popularity of the Wireless LAN, mobile workers are able to access various services or resources with seamless roaming, as well as mobile VPN, just via their handheld devices. Not only for the corporations but the Internet Service Providers(ISP), a secure and trusted remote access is required. User identity should be authenticated in advance, and the service providers grant or deny mobile users the access to resources according to their statuses.
Besides, a usage-based accounting and billing is crucial to provide commercialized services within WLAN, and to benefit those service providers. As a result, a AAA architecture designed for coordinating the authentication, authorization and accounting between different administrative networks is required with urgent need.

The objective of this research is to provide a context-aware based AAA architecture which adopts context as the design principle to define access control policies. So the system can detect the changing contexts of mobile workers, re-authenticate user identity, adjust dynamically service permissions in the light of context-based access control policies, and bill the user taking into account the contexts efficiently. In this research, we take examples of roaming services and VPN to describe how the architecture works.
參考文獻 Abowd, G. D., Dey, A. K., Brown, P. J., Davies, N., Smith, M. and Steggles, P.
1999. Towards a better understanding of context and context-awareness. In HUC
`99: Proceedings of the 1st international symposium on handheld and ubiquitous
computing (pp. 304{307). London, UK: Springer-Verlag.
Chen, H., Finin, T., Joshi, A., Kagal, L., Perich, F. and Chakraborty, D. Intelligent
agents meet the semantic web in smart spaces. IEEE Internet Computing, 8(6),
69{79, 2004.
Chong, S. K., Krishnaswamy, S. and Loke, S. W. 2005. A context-aware approach to
conserving energy in wireless sensor networks. In PERCOMW `05: Proceedings
of the third ieee international conference on pervasive computing and communica-
tions workshops (PERCOMW`05) (pp. 401{405). Washington, DC, USA: IEEE
Computer Society.
Dey, A. K. 2000. Providing architectural support for building context-aware applications.
Unpublished doctoral dissertation, Georgia Institute of Technology.
Ferraiolo, D. and Kuhn, R. 1992. Role based access control. In 15th national computer
security conference.
Gwizdka, J. 2000. What`s in the context? In Position paper for CHI 2000 workshop
on the what, who, where, when, why and how of context-awareness.
JÄahnert, J. Problem statement: Metering and accounting in the full-IP 4G environ-
ment. Lecture Notes in Computer Science, 2816, 298-307, 2003.
Laat, C. de, Gross, G., Gommans, L., Vollbrecht, J. and Spence, D. Generic AAA
architecture. Request for Comments: 2903, 2000.
Metz, C. AAA protocols: Authentication, authorization, and accounting for the Inter-
net. IEEE Internet Computing, 3(6), 75{79, 1999.
Most¶efaoui, G. K. and Br¶ezillon, P. A generic framework for context-based distributed
authorizations. Lecture Notes in Computer Science, 2680, 204-217, 2003.
Most¶efaoui, G. K. and Br¶ezillon, P. 2004. Modeling context-based security policies
with contextual graphs. In 2nd IEEE conference on pervasive computing and
communications workshops (PERCOMW`04).
Mostefaoui, G. K., Pasquier-Rocha, J. and Brezillon, P. 2004. Context-aware comput-
ing: A guide for the pervasive computing community. In ICPS `04: Proceedings
of the the IEEE/ACS international conference on pervasive services (ICPS`04)
(pp. 39{48). Washington, DC, USA: IEEE Computer Society.
Prasad, N. R., Alam, M. and Ruggieri, M. Light-weight AAA infrastructure for mobility
support across heterogeneous networks. Wireless Personal Communications: An
International Journal, 29(3-4), 205{219, 2004.
Sandhu, R. and Samarati, P. Access control: Principle and practice. IEEE Communi-
cations Magazine, 32(9), 40{48, 1994.
Sandhu, R. and Samarati, P. Authentication, access control, and audit. ACM Com-
puting Surveys (CSUR), 28(1), 241{243, 1996.
Schilit, B., Adams, N. and Want, R. 1994. Context-aware computing applications. In
IEEE workshop on mobile computing systems and applications. Santa Cruz, CA,
US.
Schilit, W. N. 1995. A system architecture for context-aware mobile computing. Un-
published doctoral dissertation, COLUMBIA UNIVERSITY.
Zseby, T., Zander, S. and Carle, G. Policy-based accounting. Request for Comments:
3334, 2002.
描述 碩士
國立政治大學
資訊管理研究所
93356026
94
資料來源 http://thesis.lib.nccu.edu.tw/record/#G0093356026
資料類型 thesis
dc.contributor.advisor 劉文卿zh_TW
dc.contributor.author (Authors) 劉安妮zh_TW
dc.contributor.author (Authors) Liu, Annieen_US
dc.creator (作者) 劉安妮zh_TW
dc.creator (作者) Liu, Annieen_US
dc.date (日期) 2005en_US
dc.date.accessioned 18-Sep-2009 14:29:45 (UTC+8)-
dc.date.available 18-Sep-2009 14:29:45 (UTC+8)-
dc.date.issued (上傳時間) 18-Sep-2009 14:29:45 (UTC+8)-
dc.identifier (Other Identifiers) G0093356026en_US
dc.identifier.uri (URI) https://nccur.lib.nccu.edu.tw/handle/140.119/35227-
dc.description (描述) 碩士zh_TW
dc.description (描述) 國立政治大學zh_TW
dc.description (描述) 資訊管理研究所zh_TW
dc.description (描述) 93356026zh_TW
dc.description (描述) 94zh_TW
dc.description.abstract (摘要) 隨著無線網路環境的普及,越來越多行動工作者可以透過隨身的手持設備進行網路漫遊,即時地存取不同的服務。另外亦可以經由公司的虛擬專有網路來存取企業內部資料、電子郵件及其它應用程式。不論是針對企業或是網路服務業者而言,為了要能夠確保網路環境上的安全性,眾多的行動工作者在進行漫遊時,身分必須被驗證,進而才能被授予各項服務的存取權。此外,還必需根據使用者服務使用的情況進行計費,來提升服務提供者的收益。
因此在無線區域網路中,結合一套認證、授權、計費的架構(Authentication, Authorization, Accounting Architecture, AAA
Architecture),使得網路服務業者能夠有效地來管理龐大行動工作者的跨網路漫遊服務。

本研究提出一個以情境知覺運算(context-aware computing)為基礎的AAA架構。以情境來設計資源存取政策,因此系統偵測到行動工作者情境上的改變,根據已定義好的存取政策,動態地進行身分驗證及調整授權服務,最後再依不同的服務使用等級、連線時間與網路使用量等來計費。本論文以漫遊服務與企業虛擬專有網路為例,說明在此架構下如何針對不同的情境進行身分認證、與服務授權。
zh_TW
dc.description.abstract (摘要) With the popularity of the Wireless LAN, mobile workers are able to access various services or resources with seamless roaming, as well as mobile VPN, just via their handheld devices. Not only for the corporations but the Internet Service Providers(ISP), a secure and trusted remote access is required. User identity should be authenticated in advance, and the service providers grant or deny mobile users the access to resources according to their statuses.
Besides, a usage-based accounting and billing is crucial to provide commercialized services within WLAN, and to benefit those service providers. As a result, a AAA architecture designed for coordinating the authentication, authorization and accounting between different administrative networks is required with urgent need.

The objective of this research is to provide a context-aware based AAA architecture which adopts context as the design principle to define access control policies. So the system can detect the changing contexts of mobile workers, re-authenticate user identity, adjust dynamically service permissions in the light of context-based access control policies, and bill the user taking into account the contexts efficiently. In this research, we take examples of roaming services and VPN to describe how the architecture works.
en_US
dc.description.tableofcontents 摘要 I
ABSTRACT II
致謝 III
目錄 V
圖目錄 VI
表目錄 VII
第一章 緒論 1
1.1 研究背景 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.2 研究動機 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.3 研究目的 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.4 研究程序 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
第二章 文獻探討 6
2.1 情境感知 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.2 AAA架構 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.2.1 組成元件 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.2.2 AAA協定  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.3 存取控制政策 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
第三章 研究方法 13
3.1 理論基礎與假設 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
3.1.1行動式網路 (mobile network) . . . . . . . . . . . . . . . . . 15
3.1.2系統動態因子(system dynamics) . . . . . . . . . . . . . . . . . 15
3.1.3驗證、授權予計價相關屬性(AAA attributes) . . . . . . . . . . . . . . 16
3.1.4 情境桿之存取政策(context-aware access control policy) . . . . . . 17
3.2 系統特性 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
3.3 系統架構 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
3.4 架構元件 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
3.4.1 情境偵測服務 . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
3.4.2 情境處理器 . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
3.5 運作流程 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
第四章 存取控制政策設計 32
4.1 情境模型設計 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
4.1.1 目標 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
4.1.2 評估許可與個人設定 . . . . . . . . . . . . . . . . . . . . . . . . 38
4.2 政策實作 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
第五章 結論 43
5.1 結論 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
參考文獻 46
附錄A Ontology詳細內容 49
zh_TW
dc.format.extent 50470 bytes-
dc.format.extent 389615 bytes-
dc.format.extent 228947 bytes-
dc.format.extent 27199 bytes-
dc.format.extent 468053 bytes-
dc.format.extent 411811 bytes-
dc.format.extent 831625 bytes-
dc.format.extent 1023993 bytes-
dc.format.extent 814973 bytes-
dc.format.extent 614050 bytes-
dc.format.extent 95295 bytes-
dc.format.extent 599756 bytes-
dc.format.mimetype application/pdf-
dc.format.mimetype application/pdf-
dc.format.mimetype application/pdf-
dc.format.mimetype application/pdf-
dc.format.mimetype application/pdf-
dc.format.mimetype application/pdf-
dc.format.mimetype application/pdf-
dc.format.mimetype application/pdf-
dc.format.mimetype application/pdf-
dc.format.mimetype application/pdf-
dc.format.mimetype application/pdf-
dc.format.mimetype application/pdf-
dc.language.iso en_US-
dc.source.uri (資料來源) http://thesis.lib.nccu.edu.tw/record/#G0093356026en_US
dc.subject (關鍵詞) 情境知覺zh_TW
dc.subject (關鍵詞) AAA架構zh_TW
dc.subject (關鍵詞) 存取控制政策zh_TW
dc.subject (關鍵詞) 無線網路安全zh_TW
dc.subject (關鍵詞) Context-awareen_US
dc.subject (關鍵詞) AAA Architectureen_US
dc.subject (關鍵詞) Access control policyen_US
dc.subject (關鍵詞) Wireless securityen_US
dc.title (題名) AAA架構下情境感知存取控制政策之設計與應用zh_TW
dc.title (題名) Context-aware access control for the AAA architectureen_US
dc.type (資料類型) thesisen
dc.relation.reference (參考文獻) Abowd, G. D., Dey, A. K., Brown, P. J., Davies, N., Smith, M. and Steggles, P.zh_TW
dc.relation.reference (參考文獻) 1999. Towards a better understanding of context and context-awareness. In HUCzh_TW
dc.relation.reference (參考文獻) `99: Proceedings of the 1st international symposium on handheld and ubiquitouszh_TW
dc.relation.reference (參考文獻) computing (pp. 304{307). London, UK: Springer-Verlag.zh_TW
dc.relation.reference (參考文獻) Chen, H., Finin, T., Joshi, A., Kagal, L., Perich, F. and Chakraborty, D. Intelligentzh_TW
dc.relation.reference (參考文獻) agents meet the semantic web in smart spaces. IEEE Internet Computing, 8(6),zh_TW
dc.relation.reference (參考文獻) 69{79, 2004.zh_TW
dc.relation.reference (參考文獻) Chong, S. K., Krishnaswamy, S. and Loke, S. W. 2005. A context-aware approach tozh_TW
dc.relation.reference (參考文獻) conserving energy in wireless sensor networks. In PERCOMW `05: Proceedingszh_TW
dc.relation.reference (參考文獻) of the third ieee international conference on pervasive computing and communica-zh_TW
dc.relation.reference (參考文獻) tions workshops (PERCOMW`05) (pp. 401{405). Washington, DC, USA: IEEEzh_TW
dc.relation.reference (參考文獻) Computer Society.zh_TW
dc.relation.reference (參考文獻) Dey, A. K. 2000. Providing architectural support for building context-aware applications.zh_TW
dc.relation.reference (參考文獻) Unpublished doctoral dissertation, Georgia Institute of Technology.zh_TW
dc.relation.reference (參考文獻) Ferraiolo, D. and Kuhn, R. 1992. Role based access control. In 15th national computerzh_TW
dc.relation.reference (參考文獻) security conference.zh_TW
dc.relation.reference (參考文獻) Gwizdka, J. 2000. What`s in the context? In Position paper for CHI 2000 workshopzh_TW
dc.relation.reference (參考文獻) on the what, who, where, when, why and how of context-awareness.zh_TW
dc.relation.reference (參考文獻) JÄahnert, J. Problem statement: Metering and accounting in the full-IP 4G environ-zh_TW
dc.relation.reference (參考文獻) ment. Lecture Notes in Computer Science, 2816, 298-307, 2003.zh_TW
dc.relation.reference (參考文獻) Laat, C. de, Gross, G., Gommans, L., Vollbrecht, J. and Spence, D. Generic AAAzh_TW
dc.relation.reference (參考文獻) architecture. Request for Comments: 2903, 2000.zh_TW
dc.relation.reference (參考文獻) Metz, C. AAA protocols: Authentication, authorization, and accounting for the Inter-zh_TW
dc.relation.reference (參考文獻) net. IEEE Internet Computing, 3(6), 75{79, 1999.zh_TW
dc.relation.reference (參考文獻) Most¶efaoui, G. K. and Br¶ezillon, P. A generic framework for context-based distributedzh_TW
dc.relation.reference (參考文獻) authorizations. Lecture Notes in Computer Science, 2680, 204-217, 2003.zh_TW
dc.relation.reference (參考文獻) Most¶efaoui, G. K. and Br¶ezillon, P. 2004. Modeling context-based security policieszh_TW
dc.relation.reference (參考文獻) with contextual graphs. In 2nd IEEE conference on pervasive computing andzh_TW
dc.relation.reference (參考文獻) communications workshops (PERCOMW`04).zh_TW
dc.relation.reference (參考文獻) Mostefaoui, G. K., Pasquier-Rocha, J. and Brezillon, P. 2004. Context-aware comput-zh_TW
dc.relation.reference (參考文獻) ing: A guide for the pervasive computing community. In ICPS `04: Proceedingszh_TW
dc.relation.reference (參考文獻) of the the IEEE/ACS international conference on pervasive services (ICPS`04)zh_TW
dc.relation.reference (參考文獻) (pp. 39{48). Washington, DC, USA: IEEE Computer Society.zh_TW
dc.relation.reference (參考文獻) Prasad, N. R., Alam, M. and Ruggieri, M. Light-weight AAA infrastructure for mobilityzh_TW
dc.relation.reference (參考文獻) support across heterogeneous networks. Wireless Personal Communications: Anzh_TW
dc.relation.reference (參考文獻) International Journal, 29(3-4), 205{219, 2004.zh_TW
dc.relation.reference (參考文獻) Sandhu, R. and Samarati, P. Access control: Principle and practice. IEEE Communi-zh_TW
dc.relation.reference (參考文獻) cations Magazine, 32(9), 40{48, 1994.zh_TW
dc.relation.reference (參考文獻) Sandhu, R. and Samarati, P. Authentication, access control, and audit. ACM Com-zh_TW
dc.relation.reference (參考文獻) puting Surveys (CSUR), 28(1), 241{243, 1996.zh_TW
dc.relation.reference (參考文獻) Schilit, B., Adams, N. and Want, R. 1994. Context-aware computing applications. Inzh_TW
dc.relation.reference (參考文獻) IEEE workshop on mobile computing systems and applications. Santa Cruz, CA,zh_TW
dc.relation.reference (參考文獻) US.zh_TW
dc.relation.reference (參考文獻) Schilit, W. N. 1995. A system architecture for context-aware mobile computing. Un-zh_TW
dc.relation.reference (參考文獻) published doctoral dissertation, COLUMBIA UNIVERSITY.zh_TW
dc.relation.reference (參考文獻) Zseby, T., Zander, S. and Carle, G. Policy-based accounting. Request for Comments:zh_TW
dc.relation.reference (參考文獻) 3334, 2002.zh_TW