    Tian Junfeng, Sun Kehui. Trust-Distributed-Based Authentication Mechanism Using Hierarchical Identity-Based Cryptography[J]. Journal of Computer Research and Development, 2015, 52(7): 1660-1671. DOI: 10.7544/issn1000-1239.2015.20140295

    Trust-Distributed-Based Authentication Mechanism Using Hierarchical Identity-Based Cryptography

    • Abstract (translated from the Chinese): In an open cloud environment, the service providers integrated on the same cloud infrastructure platform are mutually dependent yet mutually independent; they cooperate while also competing, and cannot accept complete control by a single shared central authority. A unified authentication mechanism suitable for large-scale cloud environments therefore faces problems such as the central authority becoming a security bottleneck and key escrow. To address these problems, this paper builds on the HIBC (hierarchical identity-based cryptography) algorithm and trust dispersion theory, proposes the idea of secret-sharing the central authority's secret value among the participating entities, and constructs a complete unified authentication mechanism for hybrid clouds. The mechanism both satisfies the need for unified authentication and increases the participants' control over their own security, since the core work of the central authority is instead carried out cooperatively by the participants. A pseudo-public-key mechanism and a sliding-window mechanism effectively prevent internal collusion attacks and external interception attacks, raising the difficulty for an adversary. A cross-domain authentication scheme and a session key agreement scheme are also given. Finally, comparative analysis shows the advantages of the proposed scheme in not depending on a trusted center, requiring no certificate maintenance, having no key escrow, supporting cross-domain authentication, providing a supervision mechanism, and being usable at scale.


      Abstract: The relationships among cloud service providers are becoming more and more complex as these providers are integrated on a public large-scale cloud computing platform; cooperative and competitive relations coexist. Although unified authentication is necessary for integration, providers are not able to fully trust a single central authority. A single sign-on architecture can be confronted with the problems brought by the central authority (such as a security bottleneck, mandatory dependencies and key escrow). To solve these problems, an authentication mechanism based on trust dispersion theory using hierarchical identity-based cryptography is proposed in this paper. The secret value of the central authority is shared among the service providers; as a result, not only is unified authentication achieved, but the providers' ability of self-control is also guaranteed. The central authority hands its core work of generating private keys to the cooperation among the main participants in the first level. The fake public key idea and the sliding window increase the difficulty of adversarial attacks. Cross-domain authentication and a key exchange method are also supported. Comparative analysis shows that our scheme has advantages in not relying on a central authority, requiring no certificate maintenance, having no key escrow, supporting cross-domain authentication, providing a monitoring mechanism, and so on.
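The trust-dispersion idea at the heart of both abstracts, as an added illustration that is not the paper's own scheme: the central authority's master secret s is Shamir-shared among the first-level participants, and a user's private key is extracted jointly by a threshold of them without any single party ever reconstructing s. Because identity-based key extraction is linear in s, a prime field Z_Q is used here as a stand-in for the pairing-based HIBC group; Q, the share counts and the identity string are constructed values.

```python
import hashlib
import secrets

# Constructed prime field standing in for the HIBC group (2**127 - 1 is prime).
# Key extraction is linear in the master secret (d_ID = s * H(ID)), so shares of
# s can be applied to H(ID) separately and recombined with Lagrange coefficients.
# In the real scheme d_ID is a group element, so s cannot be divided back out.
Q = 2**127 - 1

def h_id(identity: str) -> int:
    """Map an identity string into the field (stand-in for hash-to-group)."""
    return int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % Q

def share_master_secret(s: int, n: int, t: int) -> dict:
    """Shamir-share s into n shares with threshold t (degree t-1 polynomial)."""
    coeffs = [s % Q] + [secrets.randbelow(Q) for _ in range(t - 1)]
    return {i: sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q
            for i in range(1, n + 1)}

def lagrange_coeff(i: int, participants) -> int:
    """Lagrange basis coefficient for share index i, evaluated at x = 0."""
    num = den = 1
    for j in participants:
        if j != i:
            num = num * (-j) % Q
            den = den * (i - j) % Q
    return num * pow(den, -1, Q) % Q

def partial_key(share_i: int, identity: str) -> int:
    """A participant derives a partial private key using only its own share."""
    return share_i * h_id(identity) % Q

def combine_partial_keys(partials: dict) -> int:
    """Combine >= t partial keys into the user's private key; s is never rebuilt."""
    idx = list(partials)
    return sum(lagrange_coeff(i, idx) * partials[i] for i in idx) % Q

def central_authority_key(s: int, identity: str) -> int:
    """Reference: what a single fully trusted central authority would compute."""
    return s % Q * h_id(identity) % Q

if __name__ == "__main__":
    s = secrets.randbelow(Q)
    shares = share_master_secret(s, n=5, t=3)
    user = "alice@provider-a.example"          # constructed identity
    partials = {i: partial_key(shares[i], user) for i in (1, 3, 5)}
    assert combine_partial_keys(partials) == central_authority_key(s, user)
    print("3-of-5 participants extracted the key without reconstructing s")
```

Any three participants (but no two) can jointly issue the key, so compromising fewer than t first-level participants reveals neither s nor any user's private key.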
