
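Research on Key Technologies for Authentication and Key Agreement in Cloud Computing Environments

Published: 2018-01-13 17:03

  Keywords of this article: Research on Key Technologies for Authentication and Key Agreement in Cloud Computing Environments. Source: Shandong Normal University, 2014 doctoral dissertation. Document type: degree thesis


  More related articles: mutual authentication; key agreement protocol; single sign-on; password authentication; verifier; cross-domain authentication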


[Abstract]: In recent years, cloud computing, as a new model for using IT resources, has offered strong computing power, on-demand service, high reliability and low investment in IT infrastructure, and has therefore drawn growing attention from academia, industry, government and other sectors. The most critical problem cloud computing faces in its development is security: most users who decline to adopt cloud computing systems do so because they worry that data security and personal privacy cannot be guaranteed in the cloud. The cloud security incidents that occur again and again keep confirming that this worry is not unfounded.
An examination of the various cloud computing platforms shows that, however the cloud architecture is built and whichever delivery model is used, data transmission is one of the most frequent operations in cloud computing, and also the stage that is most easily attacked and where security problems occur most often. Ensuring that transmitted data meets security goals such as confidentiality, integrity, availability and non-repudiation requires transmission encryption built on top of identity authentication.
In traditional open systems, identity authentication is mostly one-way: the server authenticates the user, and only authenticated users can use the services the system provides. The cloud computing environment, by contrast, is very complex. It contains not only illegitimate users but also servers that maliciously harvest user data (so-called "black clouds"), which can easily obtain large amounts of data involving user privacy and system security and cause considerable harm. In a cloud computing environment, therefore, the server must authenticate the user and the user must also verify the authenticity of the server; that is, user and server must authenticate each other.
Encrypted data transmission requires the communicating parties to agree on a session key, which is then used to symmetrically encrypt the data to be transmitted. In network information security, authentication and key agreement protocols perform the tasks of authenticating identities and establishing a shared session key. Password-based authentication remains the most convenient and most widely used identity authentication technique today. In the classic password-authenticated key exchange protocol, the server and the client share a password (or a verifier), the server authenticates the client by means of this shared information, and the two sides agree on a session key. Later researchers proposed further password-authenticated key exchange protocols, but with respect to both the protocols themselves and the cloud computing application environment, some problems still need deeper study.
In view of this, and with the aim of improving cloud computing security, this thesis takes password authentication and key agreement protocols in the cloud computing environment as its research direction. The main results are as follows.
First, three client-server authentication and key agreement protocols are proposed, followed by proofs and security analysis.
Two-party authentication and key agreement between client and server, the most common case in the cloud computing environment, is analyzed. Building on the EKE protocol of Bellovin and Merritt, a shared-key authentication and key agreement protocol is first proposed and proved secure in the CK01 model. A second authentication and key agreement protocol, based on passwords and a public-key system, is then proposed; it effectively resists password leakage attacks and ephemeral key leakage attacks. Because a public-key system is relatively costly, a verifier-based two-party key agreement protocol is also proposed, and its security and efficiency are analyzed.
Second, for authentication and key agreement between two clients within a single cloud, two authentication and key agreement protocols assisted by a third party are proposed.
Authentication and key agreement between two clients in a single cloud is analyzed. If any two clients were to authenticate and agree on keys directly, each client would have to maintain a very large number of passwords, which makes wide deployment difficult. To solve this problem a third-party server is introduced; relying on the secret it shares with each client, the server assists the two clients in authentication and key agreement. Some call this 3PAKE, although it is in fact two-party authentication assisted by a third party. The S-3PAKE protocol proposed by Lu et al. is first introduced and its security analyzed. In view of the vulnerabilities that exist, a third-party-assisted, password-authenticated two-party key agreement protocol is proposed and its security analyzed. Because protocols in the balanced model are vulnerable to server compromise attacks, a verifier-based VB-3PAKE protocol is also proposed, and its security is likewise analyzed.
Third, for cross-domain authentication and key agreement in the cloud computing environment, two protocols are proposed: a PKI-based cross-domain client password authentication and key agreement protocol, and a verifier-based cross-domain password authentication and key agreement protocol.
Cross-domain password authentication and key agreement in the cloud computing environment is analyzed and studied. Following the single-cloud approach of introducing a third-party server to assist two clients, two clients in different domains perform password authentication and key agreement with the assistance of their respective domain servers. Some call this 4PAKE, although it is in fact two-party authentication assisted by two servers. The influential Byun2007 protocol is first introduced and its security analyzed. A PKI-based cross-domain password authentication and key agreement protocol is proposed; the analysis concludes that it provides good security but that the PKI is not easy to build. A verifier-based cross-domain password authentication and key agreement protocol is then proposed; the analysis concludes that, compared with some other cross-domain protocols, it improves security at comparable execution efficiency.
Fourth, for authentication and key agreement among user groups in the cloud computing environment, a new password-authenticated group key exchange protocol is proposed.
Authentication and key agreement for user groups in the cloud computing environment is studied, and the security of several existing typical schemes for establishing a shared session key among group users is analyzed. On this basis a new password-authenticated group key exchange protocol is proposed, its security is analyzed, and it is proved secure in the standard model. With computation and communication efficiency roughly comparable, security is clearly improved.

[Degree-granting institution]: Shandong Normal University
[Degree level]: Doctoral
[Year degree granted]: 2014
[Classification number]: TP3;TN918.4




Article ID: 1419720


Article link: http://sikaile.net/kejilunwen/wltx/1419720.html

