ISSN 1000-1239 CN 11-1777/TP

计算机研究与发展 ›› 2015, Vol. 52 ›› Issue (7): 1660-1671.doi: 10.7544/issn1000-1239.2015.20140295

• 信息安全 • 上一篇    下一篇

基于HIBC的云信任分散统一认证机制

田俊峰,孙可辉   

  1. (河北大学网络技术研究所 河北保定 071002) (skh7518671@qq.com)
  • 出版日期: 2015-07-01
  • 基金资助: 
    基金项目:国家自然科学基金项目(60873203,61170254);河北省自然科学基金项目(F2012201145);河北省高等学校科学技术研究重点项目(ZH2012029)

Trust-Distributed-Based Authentication Mechanism Using Hierarchical Identity-Based Cryptography

Tian Junfeng, Sun Kehui   

  1. (Institute of Network Technology, Hebei University, Baoding, Hebei 071002)
  • Online: 2015-07-01

摘要: 开放式云环境中,整合在同一云基础设施平台上的服务提供商之间既相互依存,又相互独立,相互合作的同时又相互竞争,不能接受同一个公用中央机构的完全控制.适用于大规模云环境下的统一认证机制面临中央机构安全瓶颈、密钥托管等问题.为解决此类问题,基于HIBC(hierarchical identity-based cryptography)算法,依据信任分散理论,提出了一种将中央机构的秘密值秘密共享给参与主体的思想,构建了一套完整的混合云统一认证机制,既实现了统一认证的需求又提高了参与主体对自身的控制能力,中央机构核心工作改由参与主体合作完成.运用伪公钥和滑动窗口机制有效防止了内部合谋攻击和外部截获攻击,加大了敌手攻击的难度.同时给出了跨域认证方案和会话密钥协商方案.最后,比较分析了所提出的方案在不依赖可信中心、无需证书维护、无密钥托管、跨域认证、监督机制、可规模使用等方面具有的优越性.

关键词: 单点登录, 身份认证, 分级基于身份的加密算法, 密钥托管, 跨域认证

Abstract: The relationship among cloud service providers is becoming more and more complex, while these service providers are integrated on a public large-scale cloud computing platform. Cooperative relation and competitive relation coexist. Although a unified authentication is necessary for integrating, providers aren’t able to totally trust in a unique central authority. Single sign-on architecture could be confronted with the problems (such as security bottleneck, mandatory dependencies, key escrow, etc.) brought by the central authority. In order to solve these problems, an authentication mechanism based on trust dispersion theory using hierarchical identity-based cryptography is proposed in this paper. The secret value of central authority will be shared by service providers, as a result, not only the unified authentication is achieved, but also providers’ ability of self control is guaranteed. The central authority hands its core work of generating private keys to the corporation among main participants in the first level. Fake public key idea and sliding window can increase the difficulty of adversarial attacking. Cross domain authentication and key exchanging method are also supported. Comparing analysis shows that our scheme has superiority on not relying on central authority, without certificates maintenance, not having key escrow, cross-domain authentication, monitoring mechanism and so on.

Key words: single sign-on (SSO), identity authentication, hierarchical identity-based cryptography (HIBC), key escrow, cross domain authentication

中图分类号: