Modely řízení přístupu ke zdrojům operačního systému / Operating Systems' Resource Access Control Models

Vopička, Adam

January 2010

The thesis deals with models used in access control to operating systems' resources. The thesis' goals are the theoretical description of these models and their comparison, the description of their implementations in selected operating systems and the description of their utilization in securing typified servers. In the first chapter, the reader is introduced to basic terms and principles of computer security and access control. In the second, also theoretical part, selected access control models are described from different viewpoints, for example their factual specialization, basic rules, principles and evolution. At the end of the chapter, the models are compared to each other according to specified criteria. The third, more practically oriented chapter, continues from the initial, both general and concrete introduction with operating systems, to description of access control model implementations in selected operating systems. At the end of the chapter, these implementations too are compared according to specified criteria. The fourth, final part, is dedicated to the description of the actual securing of a web and file server using operating system level access control means. The end of the chapter is dedicated to the possibilities of using these means to secure web applications. The contribution of this thesis from the theoretical point of view is a well-arranged and compact access control model comparison, and also the merger of the theoretical base with practical use of the described model implementations. The thesis is recommended to people interested in the computer security issues in general and people interested in access control from both theoretical and practical sides, e.g. system administrators or system designers.

Systém bezpečnosti informací ve firmě / Company Information Security System

Hála, Jaroslav

January 2011

This work deals with the introduction of information security system in a company that provides internet. It is a hardware and software solutions for the benefit of quality information needed to monitor and manage networks on a professional level. Used solutions are versatile with regard to the diversity of the market and the speed of technology development.

Agent-based one-shot authorisation scheme in a commercial extranet environment

Au, Wai Ki Richard

January 2005

The enormous growth of the Internet and the World Wide Web has provided the opportunity for an enterprise to extend its boundaries in the global business environment. While commercial functions can be shared among a variety of strategic allies - including business partners and customers, extranets appear to be the cost-effective solution to providing global connectivity for different user groups. Because extranets allow third-party users into corporate networks, they need to be extremely secure and external access needs to be highly controllable. Access control and authorisation mechanisms must be in place to regulate user access to information/resources in a manner that is consistent with the current set of policies and practices both at intra-organisational and cross-organisational levels. In the business-to-customer (B2C) e-commerce setting, a service provider faces a wide spectrum of new customers, who may not have pre-existing relationships established. Thus the authorisation problem is particularly complex. In this thesis, a new authorisation scheme is proposed to facilitate the service provider to establish trust with potential customers, grant access privileges to legitimate users and enforce access control in a diversified commercial environment. Four modules with a number of innovative components and mechanisms suitable for distributed authorisation on extranets are developed: * One-shot Authorisation Module - One-shot authorisation token is designed as a flexible and secure credential for access control enforcement in client/server systems; * Token-Based Trust Establishment Module - Trust token is proposed for server-centric trust establishment in virtual enterprise environment. * User-Centric Anonymous Authorisation Module - One-task authorisation key and anonymous attribute certificate are developed for anonymous authorisation in a multi-organisational setting; * Agent-Based Privilege Negotiation Module - Privilege negotiation agents are proposed to provide dynamic authorisation services with secure client agent environment for hosting these agents on user's platform

distributed authorisation

extranet

Intranet

smart card

personal secure device

authentication

security architecture

security server

trust establishment

trust token

credential-based authorisation

one-shot authorisation token

one-task authorisation key

anonymous attribute certificate

key binding certificate

anonymous authorisation

referee server

privilege negotiation agent

authorisation agent

secure client agent environment