Abstract

In this paper, we design and implement a certificate-based authentication and authorization architecture for a digital library. The authentication architecture consists of a resource server, a directory server, a policy engine and a log server. The heart of the system is the policy engine, which gathers and verifies certificates and then evaluates the user's right to access the requested resource based on those certificates. The system uses two types of persistent certificates: X.509 user identity certificates and attribute certificates. Identity certificates are generated and managed by certificate authorities, such as the Netscape CA server; these authorities provide a Web interface for creating and revoking certificates. A directory server can supply certificates to applications, and the Web browser manages the user's own certificates. The resulting certificates can be stored in directories chosen by the user that are accessible via a Web server, a directory server, or an MSQL database. The client first has to pass Kerberos authentication by presenting an identity and a password; only after that does the certificate authority issue a certificate. We implement the Kerberos protocol and the DES algorithm in the architecture. Holding a certificate is not by itself sufficient to obtain a service from a service provider: in our model, authentication and authorization are separated, and a separate authorization step is required. The authorization architecture consists of the browser, the service provider and an authorization directory server. When an individual within the consumer community requests information from a remote service provider, the browser sends the individual's digital certificate. The service provider validates the certificate and uses it to locate the individual's institution's authorization server. The authorization server checks the validity of the service provider's certificate and, if it is valid, returns attributes describing the individual's status to the provider as a list of attribute names and values. From the authorization server's response, the service provider decides whether to deliver the service to the individual. Finally, we compare the certificate-based architecture with the identity-password architecture, analyzing the advantages of the certificate-based approach and the shortcomings of IP-address-based and identity-password-based access control.
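The following is an added example, not code from the paper or its implementation, that models the decision flow the abstract describes: the policy engine validates the presented identity certificate (trusted issuer, validity period, revocation), uses the issuer to locate the institution's authorization server, receives the individual's status as a list of attribute name/value pairs, and grants or denies the resource according to a per-resource policy, recording every decision for the log server. Real X.509 parsing and signature verification are replaced by a plain data structure so the logic runs offline; all certificate fields, attribute names, resource paths, the revocation list and the policy are constructed for illustration and are not taken from the paper.

```python
# Added example (not the paper's code): toy policy engine for the
# certificate-based authorization exchange. Every name below is constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class IdentityCert:
    """Fields of an X.509 identity certificate the policy engine needs.
    In the real system these come from a CA-issued certificate presented by
    the browser; here they are constructed by hand."""
    serial: int
    subject: str       # subject DN, e.g. "CN=alice"
    issuer: str        # issuer DN, used to locate the institution's authz server
    not_before: datetime
    not_after: datetime


class AuthorizationServer:
    """Stand-in for the institution's authorization directory server.
    Returns the individual's status as a list of (name, value) pairs."""

    def __init__(self, name, records):
        self.name = name
        self._records = records  # subject DN -> list of (attribute, value)

    def attributes_for(self, subject):
        return list(self._records.get(subject, []))


class PolicyEngine:
    """Gathers and verifies the certificate, then evaluates the request."""

    def __init__(self, trusted_issuers, revoked, policy):
        self.trusted_issuers = trusted_issuers  # issuer DN -> AuthorizationServer
        self.revoked = revoked                  # set of (issuer DN, serial)
        self.policy = policy                    # resource -> required {(attr, value)}
        self.log = []                           # stands in for the log server

    def decide(self, cert, resource, now):
        verdict = self._evaluate(cert, resource, now)
        self.log.append((now.isoformat(), cert.subject, resource, verdict))
        return verdict

    def _evaluate(self, cert, resource, now):
        # Step 1: identity checks on the presented certificate.
        authz = self.trusted_issuers.get(cert.issuer)
        if authz is None:
            return (False, "issuer not trusted")
        if not (cert.not_before <= now <= cert.not_after):
            return (False, "certificate outside validity period")
        if (cert.issuer, cert.serial) in self.revoked:
            return (False, "certificate revoked")
        # Step 2: authorization, kept separate from authentication.
        required = self.policy.get(resource)
        if required is None:
            return (False, "no policy for resource")
        attrs = set(authz.attributes_for(cert.subject))
        missing = required - attrs
        if missing:
            detail = ", ".join(sorted(f"{k}={v}" for k, v in missing))
            return (False, "missing attributes: " + detail)
        return (True, "granted by " + authz.name)


UNIV_CA = "CN=Example University CA"  # constructed issuer DN


def build_demo_engine():
    authz = AuthorizationServer("Example University authz", {
        "CN=alice": [("affiliation", "faculty"), ("library", "member")],
        "CN=bob": [("affiliation", "student")],
    })
    policy = {
        "/journals/full-text": {("library", "member")},
        "/admin/reports": {("affiliation", "faculty"), ("library", "member")},
    }
    # Serial 3 from this CA has been revoked through the CA's Web interface.
    return PolicyEngine({UNIV_CA: authz}, revoked={(UNIV_CA, 3)}, policy=policy)


def run_demo():
    """Exercise the success path and each failure mode; returns verdicts."""
    now = datetime(2024, 1, 15, tzinfo=timezone.utc)
    valid = dict(issuer=UNIV_CA, not_before=now - timedelta(days=30),
                 not_after=now + timedelta(days=335))
    engine = build_demo_engine()
    cases = {
        "alice_journal": (IdentityCert(1, "CN=alice", **valid), "/journals/full-text"),
        "bob_journal": (IdentityCert(2, "CN=bob", **valid), "/journals/full-text"),
        "revoked": (IdentityCert(3, "CN=alice", **valid), "/journals/full-text"),
        "expired": (IdentityCert(4, "CN=alice", UNIV_CA, now - timedelta(days=400),
                                 now - timedelta(days=35)), "/journals/full-text"),
        "foreign_ca": (IdentityCert(5, "CN=alice", "CN=Unknown CA",
                                    valid["not_before"], valid["not_after"]),
                       "/journals/full-text"),
        "bob_admin": (IdentityCert(2, "CN=bob", **valid), "/admin/reports"),
    }
    return {name: engine.decide(cert, res, now) for name, (cert, res) in cases.items()}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:14s} {verdict}")
```

The point of keeping `_evaluate` in two labelled steps is the separation the abstract insists on: a certificate that passes every identity check still yields a denial when the institution's authorization server does not vouch for the required attribute, and an attribute list from an authorization server is never consulted for an untrusted, expired or revoked certificate.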
