基于联盟链的跨域认证方案

doi:10.11959/j.issn.2096-109x.2022036

网络与信息安全学报 ›› 2022, Vol. 8 ›› Issue (3): 123-133.doi: 10.11959/j.issn.2096-109x.2022036

基于联盟链的跨域认证方案

牛建林, 任志宇, 杜学绘

信息工程大学，河南郑州 450001

修回日期:2022-03-02 出版日期:2022-06-15 发布日期:2022-06-01
作者简介:牛建林（1995− ），男，河南焦作人，信息工程大学硕士生，主要研究方向为网络与信息安全、区块链安全
任志宇（1974− ），女，河南汤阴人，博士，信息工程大学副教授，主要研究方向为网络与信息安全
杜学绘（1968− ），女，河南新乡人，博士，信息工程大学教授、博士生导师，主要研究方向为网络与信息安全、空间信息网络、云计算安全
基金资助:
国家重点研发计划(2018YFB0803603);国家自然科学基金(61702550);国家自然科学基金(61802436)

Cross-domain authentication scheme based on consortium blockchain

Jianlin NIU, Zhiyu REN, Xuehui DU

Information Engineering University, Zhengzhou 450001, China

Revised:2022-03-02 Online:2022-06-15 Published:2022-06-01
Supported by:
The National Key R＆D Program of China(2018YFB0803603);The National Natural Science Foundation of China(61702550);The National Natural Science Foundation of China(61802436)

摘要/Abstract

摘要：

针对传统跨域认证易单点失效、过度依赖第三方等安全问题，提出了一种结合基于身份的密码（IBC，identity-based cryptography）体制与联盟链的跨域认证方案。通过设计包括实体层、代理层、区块链层、存储层在内的分层跨域认证架构，在跨域认证场景中引入联盟链，从而能够使两者较好地融合，增加了联盟链在跨域认证场景中的适应性。在存储层，设计摘要数据格式，将其存储于链上，摘要数据对应的完整数据存储于链下的星际文件系统，从而形成一种安全可靠的链上链下分布式存储方案，解决引入区块链后存在的链上存储受到限制的问题。提出一种基于永久自主权身份和临时身份的身份管理方案，解决结合IBC体制后身份难以注销和匿名身份难以监管的问题。在此基础上，设计完整的跨域全认证、重认证以及密钥协商协议以实现跨域认证流程。在安全性方面，使用 SVO 逻辑对认证协议进行分析，证明了跨域认证协议的安全性。通过仿真对计算负载性能、通信负载以及联盟链性能进行了测试与分析。分析表明，与相关方案相比，协议在满足安全性的同时，在服务端和用户端均有较好的计算负载表现。在通信效率上，相较于其他方案有不错的表现。通过联盟链工具对链上读写时延进行了测试，结果表明所提方案有良好的可用性。

关键词: 跨域认证, 联盟链, 基于身份的密码体制, 身份管理

Abstract:

To solve the security problems of traditional cross-domain authentication schemes, such as single point of failure and excessive dependence on third parties, a cross-domain authentication scheme was proposed which combines IBC and consortium blockchain.The consortium blockchain was introduced into the cross-domain authentication scene by designing the layered cross-domain authentication architecture including entity layer, proxy layer, blockchain layer and storage layer.In the storage layer, abstract data format was designed and stored in the chain, and the complete data corresponding to the abstract data was stored in the interplanetary file system under the chain.This safe and reliable on-chain distributed storage scheme solved the limitation problem of on-chain storage caused by introduction of blockchain.Besides, an identity management scheme based on permanent autonomy identity and temporary identity was proposed to solve the challenges that it is difficult to cancel identity and to supervise anonymous identity after combining IBC system.On this basis, complete cross-domain full authentication, re-authentication and key negotiation protocols were designed to implement the cross-domain authentication process.In terms of security, SVO logic was used to analyze the authentication protocol, and the security of the cross-domain authentication protocol was proved.The performance of calculation overhead, communication overhead and consortium blockchain were tested and analyzed by simulation.Analysis results showed that the protocol satisfies the security requirements and has improved calculation overhead performance on both server and client sides, comparing with other related works.In terms of communication overhead, it also has better performance.The query/write latency was tested by the consortium blockchain tool, and the results showed that the scheme has good usability.

Key words: cross-domain authentication, consortium blockchain, identity-based cryptography, identity management

中图分类号:

TP393

牛建林, 任志宇, 杜学绘. 基于联盟链的跨域认证方案[J]. 网络与信息安全学报, 2022, 8(3): 123-133.

Jianlin NIU, Zhiyu REN, Xuehui DU. Cross-domain authentication scheme based on consortium blockchain[J]. Chinese Journal of Network and Information Security, 2022, 8(3): 123-133.

图/表 10

图1

图2

图3

图4

表1

表2

图5

图6

图7

图8

参考文献 19

[1]	HOUSLEY R , POLK W , FORD W ,et al. Internet X.509 public key infrastructure certificate and certificate revocation list (CRL) Profile:RFC3280[EB].
[2]	ELLISON C , SCHNEIER B . Ten risks of PKI:what you’re not being told about public key infrastructure[J]. Computer Security Journal, 2000,16(1): 1-7.
[3]	MATSUMOTO S , REISCHUK R M . IKP:turning a PKI around with decentralized automated incentives[C]// Proceedings of 2017 IEEE Symposium on Security and Privacy (SP). 2017: 410-426.
[4]	ANDROULAKI E , BARGER A , BORTNIKOV V ,et al. Hyperledger fabric:a distributed operating system for permissioned blockchains[C]// Proceedings of Proceedings of the Thirteenth EuroSys Conference. 2018.
[5]	ZHANG Y H , DENG R H , BERTINO E ,et al. Robust and universal seamless handover authentication in 5G HetNets[J]. IEEE Transactions on Dependable and Secure Computing, 2021,18(2): 858-874.
[6]	SHAMIR A . Identity-based cryptosystems and signature schemes[M]// Advances in Cryptology. Berlin Heidelberg: Springer, 1985: 47-53.
[7]	BONEH D , FRANKLIN M . Identity-based encryption from the Weil pairing[M]// Advances in Cryptology—CRYPTO 2001. Berlin Heidelberg: Springer, 2001: 213-229.
[8]	彭华熹 . 一种基于身份的多信任域认证模型[J]. 计算机学报, 2006,29(8): 1271-1281.
	PENG H X . An identity-based authentication model for multi-domain[J]. Chinese Journal of Computers, 2006,29(8): 1271-1281.
[9]	BELLARE M , NAMPREMPRE C , NEVEN G . Security proofs for identity-based identification and signature schemes[M]// Advances in Cryptology - EUROCRYPT 2004. Berlin Heidelberg: Springer, 2004: 268-286.
[10]	罗长远, 霍士伟, 邢洪智 . 普适环境中基于身份的跨域认证方案[J]. 通信学报, 2011,32(9): 111-115,122.
	LUO C Y , HUO S W , XING H Z . Identity-based cross-domain authentication scheme in pervasive computing environments[J]. Journal on Communications, 2011,32(9): 111-115,122.
[11]	YUAN C , ZHANG W F , WANG X M . EIMAKP:heterogeneous cross-domain authenticated key agreement protocols in the EIM system[J]. Arabian Journal for Science and Engineering, 2017,42(8): 3275-3287.
[12]	周致成, 李立新, 李作辉 . 基于区块链技术的高效跨域认证方案[J]. 计算机应用, 2018,38(2): 316-320,326.
	ZHOU Z C , LI L X , LI Z H . Efficient cross-domain authentication scheme based on blockchain technology[J]. Journal of Computer Applications, 2018,38(2): 316-320,326.
[13]	马晓婷, 马文平, 刘小雪 . 基于区块链技术的跨域认证方案[J]. 电子学报, 2018,46(11): 2571-2579.
	MA X T , MA W P , LIU X X . A cross domain authentication scheme based on blockchain technology[J]. Acta Electronica Sinica, 2018,46(11): 2571-2579.
[14]	SHEN M , LIU H S , ZHU L H ,et al. Blockchain-assisted secure device authentication for cross-domain industrial IoT[J]. IEEE Journal on Selected Areas in Communications, 2020,38(5): 942-954.
[15]	蔡振华, 林嘉韵, 刘芳 . 区块链存储：技术与挑战[J]. 网络与信息安全学报, 2020,6(5): 11-20.
	CAI Z H , LIN J Y , LIU F . Blockchain storage:technologies and challenges[J]. Chinese Journal of Network and Information Security, 2020,6(5): 11-20.
[16]	BENET J . IPFS-content addressed,versioned,P2P file system[EB].
[17]	赖英旭, 刘岩, 刘静 . 一种网络间可信连接协议[J]. 软件学报, 2019,30(12): 3730-3749.
	LAI Y X , LIU Y , LIU J . Trusted connection protocol between networks[J]. Journal of Software, 2019,30(12): 3730-3749.
[18]	韩继红, 郭渊博, 王亚弟 . 安全协议形式化分析方法[J]. 信息工程大学学报, 2008,9(3): 272-276.
	HAN J H , GUO Y B , WANG Y D . On methods and techniques for formal analysis of security protocols[J]. Journal of Information Engineering University, 2008,9(3): 272-276.
[19]	KILINC H H , YANIK T . A survey of SIP authentication and key agreement schemes[J]. IEEE Communications Surveys ＆ Tutorials, 2014,16(2): 1005-1023.

实体	临时身份获取	跨域认证	密钥协商	总耗时/ms
U_A	PE+AS	PE	RNG+PM	14.315
KGC_A	/	IBS	/	23.866
HAS	AS+PE+AV	/	/	7.893
BAS_A	AS+AV	/	/	4.043
SP_B	/	/	RNG+PM	2.765
FAS	/	AS+IBV+H	/	9.724
BAS_B	/	AS	/	4.043

方案		计算负载	耗时/ms
文献[10]方案	用户端	3PM	6.678
	服务端	4AS+4AV+2PE+2PD+3PM	38.248
文献[12]方案	用户端	2AS	7.7
	服务端	4AS+4AV+2H	41.006
文献[13]方案	用户端	PE	3.85
	服务端	2IBS+3AS+5PE+3AV+5PD+4PM+2Hn	93.03
本文方案	用户端	PE	3.85
	服务端	PE+IBS+2AS+AV+IBV+Hn	37.63

基于联盟链的跨域认证方案

Cross-domain authentication scheme based on consortium blockchain

在线阅读

pdf下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 10

参考文献 19

相关文章 5

Metrics

推荐阅读 0

[1]	叶岳洋, 张兴兰. Fabric中的匿名身份认证技术研究[J]. 网络与信息安全学报, 2021, 7(3): 134-140.
[2]	钱思杰,陈立全,王诗卉. 基于改进PBFT算法的PKI跨域认证方案[J]. 网络与信息安全学报, 2020, 6(4): 37-44.
[3]	丁永善,李立新,李作辉. 基于证书的匿名跨域认证方案[J]. 网络与信息安全学报, 2018, 4(5): 32-38.
[4]	董友康,张大伟,韩臻,常亮. 基于联盟区块链的董事会电子投票系统[J]. 网络与信息安全学报, 2017, 3(12): 31-37.
[5]	黄仁季,吴晓平,李洪成. 基于身份标识加密的身份认证方案[J]. 网络与信息安全学报, 2016, 2(6): 32-37.