云安全联盟认证与密钥协商

Cloud Computing has been envisioned as the next-generation architecture of IT Enterprise. With the rapid development of cloud computing, it also be confused with serious security problems. Today most cloud computing system provide data security and mutual authentication with asymmetric and traditional public key cryptography. For these research work, the authentication process is cumbersome, and the certificate management is complicated, and there is not a good scheme of key negotiation among entities in heterogeneous cloud network. This project studies the problem of mutual authentication among servers in the Intra-Cloud and Inter-Cloud, such as the authentication among multiple heterogeneous clouds. We consider the federated authentication of servers from different clouds, which would bring some inconvenience for a hybrid cloud that includes multiple private clouds and public clouds. The project proposes a Alliance-Authentication agreement among clouds. This scheme constructs a large prime group over elliptic curve, and uses direct product decomposition of the large prime group to construct multiple automorphism groups. Each cloud can generate key parameters from different automorphism groups, and all the members in the same cloud would register themselves to their key management center KMC) with their blinded keys instead of their private keys to avoid the KMC faking the members to access resources. We use the bilinear mapping of this automorphism groups for Inter-Cloud signature to achieve the Inter-Cloud Alliance-Authentication to overcome the complexity of certificate transmission and bottlenecks in the certificate-based scheme . The scheme can also achieve anonymity, trace ability, and privacy protection. The program adopts the direct product decomposition and group isomorphism technology to achieve security certification between heterogeneous cloud, and decrease the complexity of certification in existing cloud security and save the space of key storage. In order to security collaborative computing among heterogeneous clouds, the servers that participate collaborative computing need for transmitting the ciphertext information when they mutual communication. This project we studied the asymmetric multi-domain key agreement protocol, and achieved anonymous consultation, to avoid the security risks that traditional key agreement generated the symmetric key to encrypt the message. We will also verify the safety and performance of the program.

在云计算应用快速发展的背景下，云安全问题日益突出。目前大多数云计算系统仅提供基于证书的相互认证和传统公钥加密技术，认证过程繁琐，证书管理复杂，异构云之间安全密钥协商解决方案匮乏，安全性差。针对云安全存在的联盟认证及密钥协商问题，本课题将基于云流量分析构建云安全模型。课题重点研究混合云环境下，单个云内部及多个云之间的认证问题，提出基于身份的相互盲认证，解决基于证书的认证所存在的单点崩溃及网络瓶颈问题。所提出的盲认证具有匿名性和可跟踪性，能够实现隐私保护。采用群的直积分解及群同构技术实现异构云之间的安全认证，有效解决现有云安全认证复杂及大量密钥存储问题。针对异构云的安全协同计算，本课题重点研究密钥同态技术，提出一轮非对称群组密钥协商，实现匿名协商，避免传统密钥协商加密消息所产生的安全隐患，同时解决时区差异条件下的多轮在线密钥协商。课题将通过实验验证所提出模型及方法的安全性并进行性能分析。

云计算是当前新型信息技术应用的重要平台，云安全研究的相对滞后阻碍了新型信息技术的推广及应用，本项目是云安全研究领域的关键技术之一，广泛应用于云访问控制、云资源共享、云网络环境下的多方协同计算、多域安全操作等，为这些应用领域提供安全技术保障，具有重要的科学意义。本项目以公钥密码学和可证明安全理论为基本理论工具，借鉴已有身份认证和密钥协商方法，针对特定的网络环境如云计算网络、多域网络、异构网络等在跨域操作、无密钥托管等过程中的特点和特殊的安全性要求，研究新型的跨域联盟认证及密钥协商安全模型，在联盟认证、隐藏身份认证、联盟签名、匿名签名、个人隐私保护、密钥分解与组合、组合公钥技术、公/私钥映射关系及群论等问题上进行深入的研究和探索，提出特定安全环境下的多域联盟认证及高效的密钥协商协议。本项目的研究工作按照拟定的计划开展，主要研究成果包括：基于身份的联盟认证协议、无证书身份认证、群的直积分解及群同构技术、联盟盲签名和批量签名技术、群组匿名密钥协商技术、可认证群组密钥协商协议、一轮群组密钥协商协议、动态群组密钥协商协议等，并采用所构建的安全模型进行安全性验证，通过实验证实方案的各项性能。本项目设计的协议可用于云计算网路、传感器网络、物联网等多安全域复杂交叉网络。相关研究成果在国内外信息安全领域的顶级及重要期刊上发表，共发表SCI/EI检索等学术论文25篇，授权发明专利7项，培养博士生5名，硕士研究生15名。