云计算环境中认证与密钥协商关键技术研究

发布时间：2018-01-13 17:03

本文关键词：云计算环境中认证与密钥协商关键技术研究　出处：《山东师范大学》2014年博士论文　论文类型：学位论文

【摘要】：近年来,云计算（Cloud Computing）作为IT资源使用的一种新模式,具有计算能力强、按需提供服务、高可靠性、IT基础设施投入低等优点,所以越来越受到学术界、产业界、政府等各界的重视。云计算在发展过程中面临的最关键问题就是安全问题,大多数不选择云计算系统用户就是担心云计算中不能保证数据安全和个人隐私安全。屡屡发生的云安全事件也在不断证实这种担心并非杞人忧天。观察各类云计算平台可以看出,不管云计算体系如何构建,无论采用何种交付模型,数据传输都是云计算中最频繁的操作之一,也是最容易受到攻击、安全问题频发的一个环节。要确保传输数据实现机密性、完整性、可用性、不可否认性等安全目标,需要在身份认证的基础上用传输加密技术来保证。在传统的开放式系统中身份认证多是单向认证,即由服务器来认证用户身份,只有通过认证的用户才能够使用系统提供的服务。与之不同的是,云计算环境十分复杂,其中不仅存在非法用户,还存在恶意获取用户数据的服务器(“黑云”),他们很容易获取大量涉及用户隐私和系统安全的数据信息,并造成较大的危害。因此,云计算环境中不仅需要服务器认证用户身份还需要用户认证服务器的真实性,即用户和服务器之间双向认证。加密传输数据需要由通讯各方共同协商一个会话密钥,再用会话密钥对要传输的数据对称加密。网络信息安全技术中使用认证和密钥协商协议完成认证身份和建立共享会话密钥的任务。基于口令的认证方式仍是目前使用最方便、最广泛的身份认证技术。经典的基于口令认证的密钥交换协议是服务器和客户端共享口令（或验证元）,服务器凭借共享信息来认证客户端身份,双方协商会话密钥。后来的研究者们又提出了一些基于口令认证的密钥交换协议,但无论从协议本身还是云计算的应用环境来看,仍有一些问题需要深入研究。鉴于此,本文将从提高云计算安全性的角度,选择云计算环境下的口令认证和密钥协商协议作为研究方向。主要研究成果如下：第一，提出了三个客户端与服务器的认证与密钥协商协议，随后进行了证明和安全性分析。针对云计算环境下最常见的客户端与服务器的两方认证和密钥协商进行了分析研究。在Bellovin和Merritt的EKE协议基础上，先提出了一个共享密钥的认证和密钥协商协议，，并在CK01模型下证明了协议的安全性；又提出了一个基于口令和公钥体系的认证和密钥协商协议，能有效抵抗口令泄露攻击和临时密钥泄露攻击；考虑到公钥体系的成本比较高，我们又提出了一个基于验证元的两方密钥协商协议，并对其安全性和效率进行了分析。第二，针对单一云中的两个客户端的认证和密钥协商问题，提出了两个由第三方协助的认证和密钥协商协议。对单一云中两个客户端的认证和密钥协商进行进行分析研究，考虑到如果任意两个客户端直接进行认证与密钥协商，则每个客户端需要维护的口令数量庞大，难于推广应用。为解决这个问题，引入第三方服务器，借助于服务器与每个客户端共享秘密协助两个客户端认证和密钥协商，有人称之为3PAKE，实际上是由第三方协助的两方认证。先介绍了一个Lu等人提出的S-3PAKE协议，并进行了安全性分析。考虑到存在的漏洞，提出了一个第三方协助的基于口令认证的两方密钥协商协议，并对其进行了安全性分析；考虑到平衡模型下的协议易遭受服务器泄露攻击，提出了一个基于验证元的VB-3PAKE协议，也对其进行了安全性分析。第三,对于云计算环境下跨域认证和密钥协商问题，提出了两个协议：基于PKI的跨域客户端口令认证与密钥协商协议；基于验证元的跨域口令认证和密钥协商协议。对云计算环境下跨域的口令认证和密钥协商进行了分析与研究，借鉴同一云中引进第三方服务器协助两个客户端进行认证与密钥协商，跨域的两个客户端分别在自己的域服务器的协助下进行口令认证和密钥协商，有人称之为4PAKE，其实它是由两个服务器协助两方认证。先介绍了比较有影响的Byun2007协议，对其安全性进行了分析。提出了一个提出了基于PKI的跨域口令认证和密钥协商协议,分析认为,该协议虽能提供较好的安全性,但其PKI构建不易;又提出了一个基于验证元的跨域口令认证和密钥协商协议，分析后认为相对于其它一些跨域协议，在执行效率相当的情况下安全性有所提高。第四,针对云计算环境下的用户群组的认证和密钥协商问题，提出了一个新的基于口令认证的群组密钥交换协议。对云计算环境下的用户群组进行认证和密钥协商进行了研究，对已有的多个典型群组用户之间建立共享会话密钥进行了安全分析,在此基础上提出了一个新的基于口令认证的群组密钥交换协议,对其进行了安全性分析，在标准模型下证明了其安全性。在计算效率和通信效率基本相当的情况下，安全性有明显的提高。
[Abstract]:In recent years, cloud computing (Cloud Computing) as a new model of IT resource usage, has high computing capacity, service, provide high reliability according to need, IT infrastructure investment is low, so more and more academic, industry, government and other community attention. Cloud computing is the key problems faced in the development the process is the safety issue, most do not choose cloud computing system that users cloud computing does not guarantee data security and privacy. The frequent occurrence of cloud security events has also been confirmed that this fear is not unfounded.
To observe the various types of cloud computing platform can be seen, no matter how to build a cloud computing system, regardless of the delivery model, data transmission is one of the most frequent operation of cloud computing, but also the most vulnerable part of safety problems. To ensure the transmission of data to achieve the confidentiality, integrity, availability, non think of safety goals, needs based on identity authentication using transmission encryption technology to guarantee.
In the open system in the traditional identity authentication is one-way authentication, from the server to authenticate the user, use the service provided by the system can only authenticated users. In contrast, the cloud computing environment is very complex, which is not only the existence of illegal users, there is a malicious access to user data server ("cloud"), they are easy to obtain user privacy and security system involves a large number of data, and caused great harm. Therefore, the authenticity of the cloud computing environment requires not only the user identity authentication server also requires the user authentication server, the mutual authentication between user and server.
The encrypted transmission data required by the communication parties to negotiate a session key and session key for data transmission to symmetric encryption. Use of authentication and key agreement protocol to complete the authentication and establish a shared session key task of network information security technology. The password authentication is the most convenient based on identity authentication technology most widely. The classic password based authenticated key exchange protocol is the server and the client share the password (or verifier), the server with information sharing to client identity authentication and session key negotiation. Later the researchers put forward some pake, but no matter from the protocol itself or the cloud computing application environment see, there are still some problems need further research.
In view of this, this paper will choose the password authentication and key agreement protocol in cloud computing environment as the research direction from the perspective of improving cloud computing security.
First, three client and server authentication and key agreement protocols are proposed, and then the authentication and security analysis are carried out.
The client and server cloud computing environment is the most common of the two party authentication and key agreement are analyzed. Based on EKE Bellovin and Merritt, we propose a shared key authentication and key agreement protocol, and prove the security of the protocol under the CK01 model; and put forward a based on the authentication and key agreement protocol and public key password system, can effectively resist the password attack and temporary key leakage attacks; considering the public key system cost is relatively high, we also propose a verification based on $two party key agreement protocol and its security and efficiency are analyzed.
Second, in view of the authentication and key negotiation of two clients in a single cloud, two authentication and key agreement protocols assisted by third parties are proposed.
The authentication and key agreement on a single cloud two clients were analyzed, taking into account if any two direct client authentication and key agreement, each client needs to maintain the password in large quantities, difficult to application. In order to solve this problem, introducing the third party server, with the help of each client and server shared secret assistance two client authentication and key agreement, known as 3PAKE, is actually helped by the third party. The two party certification first introduced a Lu proposed S-3PAKE protocol, and security analysis. Considering the existence of loopholes, proposed two party password based authenticated key agreement protocol a third to assist the party, and its security is analyzed; considering the equilibrium model under the protocol vulnerable server compromiseattack, proposed a verification based on element VB-3PAKE The protocol has also been analyzed for security.
Third, there are two protocols for cross domain authentication and key agreement under cloud computing environment: cross domain client password authentication and key agreement protocol based on PKI, cross domain password authentication and key agreement protocol based on verification element.
The cloud password authentication and key negotiation cross domain environment analysis and research, from the same cloud to introduce the third party server to assist two client authentication and key agreement, the two clients were cross domain password authentication and key negotiation in the domain server their assistance, known as 4PAKE in fact, it is assisted by the two party authentication server two. First introduced the influential Byun2007 protocol, analyzes its security. Put forward a proposed cross domain password authentication and key negotiation protocol based on the PKI analysis that the protocol can provide better security, but the PKI building is not easy; and proposes a cross domain password authentication and key agreement protocol verification based on element analysis that, compared with other cross domain protocol, the execution efficiency of a security is improved.
Fourth, a new group key exchange protocol based on password authentication is proposed in view of the authentication and key negotiation of the user groups in the cloud computing environment.
Computing environment of the user group of cloud authentication and key negotiation is studied, the security analysis of shared session key establishment between multiple users of the existing typical group, this paper proposes a new group key exchange protocol based on password authentication, its security is analyzed, and its security the proof in the standard model. The computation efficiency and communication efficiency is approximately equal to the situation, the safety is improved obviously.

【学位授予单位】：山东师范大学
【学位级别】：博士
【学位授予年份】：2014
【分类号】：TP3;TN918.4

【参考文献】