中国科学院软件研究所机构知识库
Advanced  
ISCAS OpenIR  > 中科院软件所  > 中科院软件所
题名:
分布式环境下的安全认证技术研究
作者: 彭华熹
答辩日期: 2007-05-27
授予单位: 中国科学院软件研究所
授予地点: 软件研究所
学位: 博士
关键词: 认证 ; 基于身份的密码体制 ; 多信任域认证 ; 匿名性
其他题名: Research on Authentication Technology for Distributed Environments
摘要: 随着互联网的不断发展,分布式网络环境的开放性、分散性、信任的非集中性等特性使得其安全性问题受到人们越来越多的关注。而认证问题是其安全问题中首要考虑的问题,本文在已有相关研究的基础上,对分布式网络环境下的信任机构安全、多信任域身份认证、匿名性保护等认证问题进行了分析和研究,并提出了相应的改进方案以及解决方案,有效促进了分布式网络环境下认证系统安全性的完善。本文围绕上述关键问题进行了研究,并取得了一系列成果: (1)信任机构安全是认证系统的安全基础,信任机构掌握着认证系统的核心秘密,为认证系统承担密钥分发的重任。分析了现有方案单点失效的安全缺陷,利用基于身份的密码体制(IDPKC)、秘密分享技术、门限密码技术等研究并提出了实用的基于身份的可扩充的弹性密钥分发方案。该方案取消了集中式的密钥分发中心,分布式生成和管理密钥信息,提高了密钥的安全性;并且该方案提供了部分密钥的验证机制,可及时发现恶意的内部攻击者;同时,该方案还提供了部分密钥更新机制,实现了可扩充性,增强了密钥分发方案的可靠性。 (2)分析了在分布式网络环境下,用户主体和资源的非集中化管理、移动性等特点对多信任域认证以及匿名性的安全需求,指出了一个典型的匿名跨域认证方案的匿名性安全缺陷,并且在原有方案的基础上提出了一个改进方案,最后对改进方案进行了安全性分析,分析表明,改进后的方案具有很强的匿名性,能满足匿名无线网络认证的安全需求。原有跨域认证方案的安全缺陷有一定的代表性,表明该多信任域认证模型或方案构造的复杂性,有待进一步研究。 (3)在对上述现有跨域认证协议分析的基础上,分析了多信任域的网络环境给认证模型带来的安全需求,利用IDPKC简单、灵活的优点,避免了传统基于证书的PKI体系带来的系统成本高、证书链处理和传输代价大等弊端;基于CK模型采用模块化的方式构造了一个具有匿名性的基于身份的多信任域认证模型(IDAM-MA),该方案在匿名性上具有较高的安全性,最后用形式化的方法对该模型的认证和匿名安全性进行了详细的分析和证明,分析表明该模型具有较高的实用价值。 (4)在上述基于身份的多信任域认证模型的基础上,针对原有方案可能存在的一些安全性和效率问题,从新的角度考虑匿名性的构造,提出了新的可追踪的身份隐藏方案,该方案降低了对本地域认证服务的安全性依赖,较好的解决了多信任域认证过程中的匿名性问题,更具实用性。 总的来说,本文分析了分布式网络环境对认证技术的安全需求,针对其中信任机构安全、多信任域认证、匿名性保护等关键问题进行了研究,并提出了实用的解决方案,可以为一些典型的分布式网络环境(如Internet Web,网格网络,无线网络等)中认证模型的设计和实现提供借鉴。
英文摘要: Along with the development of the internet, because of the characters of the opening, dispersing, uncentralized trust in distributed network environments, people pay more and more attention on the security in this field. Especially, authentication is one of the most important things that we should consider for the security issues. In this thesis, based on the existing researches, we do some researches on the problems of trusted authority security, authentication for multi-domain, anonymity security in distributed environments and achieve some improved and innovative results which promote the design of the authentication model in distributed environments. The main contributions of this thesis are listed as follows: (1)The security of trusted authority is the basis of authentication system. Trusted authority is charged with the distribution of private keys for authentication system, because the core secret of the authentication system is controlled by the trusted authority. We analyze the security flaw in the existing schemes. Based on identity-based public key cryptography (IDPKC), secret sharing, threshold cryptography, we proposed a practical identity-based extensible resilient key distribution scheme. In our scheme, the centralized key distribution center is not needed and a distributed algorithm is implemented to generate and distribute a secret master key. The wrong partial key can also be identified in the runtime and the scheme can find the attacker in time. Furthermore, the scheme can update the partial keys along with the variety of the system. This character enhances the reliability of the key distribution scheme. (2)We analyze the security requirements of the multi-domain authentication and anonymity brought by the character of the uncentralized management and movement of the users and resources. The anonymity security flaw of an existed cross-domain authentication protocol is analyzed. Based on the original scheme, an improved scheme with anonymity is proposed. The anonymity security of the improved scheme is analyzed in a formal way. The research results reveal that the improvement has a good anonymous property and achieve the ideal security requirements of anonymity. The security flaw of the original scheme is representative. This indicates that the multi-domain authentication model is very complex and further researches are needed. (3)We analyze the security requirements in multi-domain authentication. Based on identity-based public key cryptography, our scheme overcomes some problems posed by traditional authentication model based on PKI. Especially, by using the modular approach under the CK-model, the identity-based authentication model for multi-domain with anonymity (IDAM-MA) is proposed and the security of entity authentication and anonymity is analyzed in a formal way. (4)Based on the above multi-domain authentication model, the security and efficiency of original scheme are analyzed and a traceable anonymity scheme is proposed. The advanced scheme reduces the dependence on the home domain authentication service and proposes an effective method to solve the anonymity problem in multi-domain authentication. In summary, the thesis analyzes the authentication security requirements in the distributed environments and does some research in the key issues of trusted authority security, multi-domain authentication, anonymity security etc. Several practical schemes are proposed and could provide a reference for the design and implement of the authentication system in distributed environments, such as, Internet Web, Grid network, wireless network etc.
语种: 中文
内容类型: 学位论文
URI标识: http://ir.iscas.ac.cn/handle/311060/7006
Appears in Collections:中科院软件所

Files in This Item:
File Name/ File Size Content Type Version Access License
10001_200318015003118彭华熹_paper.pdf(759KB)----限制开放-- 联系获取全文

Recommended Citation:
彭华熹. 分布式环境下的安全认证技术研究[D]. 软件研究所. 中国科学院软件研究所. 2007-05-27.
Service
Recommend this item
Sava as my favorate item
Show this item's statistics
Export Endnote File
Google Scholar
Similar articles in Google Scholar
[彭华熹]'s Articles
CSDL cross search
Similar articles in CSDL Cross Search
[彭华熹]‘s Articles
Related Copyright Policies
Null
Social Bookmarking
Add to CiteULike Add to Connotea Add to Del.icio.us Add to Digg Add to Reddit
所有评论 (0)
暂无评论
 
评注功能仅针对注册用户开放,请您登录
您对该条目有什么异议,请填写以下表单,管理员会尽快联系您。
内 容:
Email:  *
单位:
验证码:   刷新
您在IR的使用过程中有什么好的想法或者建议可以反馈给我们。
标 题:
 *
内 容:
Email:  *
验证码:   刷新

Items in IR are protected by copyright, with all rights reserved, unless otherwise indicated.

 

 

Valid XHTML 1.0!
Copyright © 2007-2017  中国科学院软件研究所 - Feedback
Powered by CSpace