边缘计算环境下轻量级终端跨域认证协议

doi:10.11959/j.issn.2096-109x.2023055

摘要/Abstract

摘要：

边缘计算由于低时延、高带宽、低成本等众多优点，被广泛应用在各种智能应用场景中，但也因其分布式、实时性和数据多源异构性等特点，面临安全方面的诸多挑战。身份认证是终端接入网络的第一步，也是边缘计算的第一道防线，为了解决边缘计算环境下的安全问题，在“云-边-端”三级网络认证架构基础上，提出了一种适用于边缘计算环境下的终端跨域认证协议。该协议首先基于 SM9 算法实现终端与本地边缘节点间的接入认证，并协商出会话密钥；然后利用该密钥结合对称加密技术和 Hash 算法实现终端的跨域认证；认证过程中采用假名机制，保护终端用户的隐私安全，终端只需一次注册，便可在不同安全域之间随机漫游。通过 BAN 逻辑证明了协议的正确性，并对协议的安全性进行分析。结果表明，该协议可以抵抗物联网场景下的常见攻击，同时具备单点登录、用户匿名等特点。最后从计算成本和通信成本两方面对跨域认证协议进行性能分析，并与现有方案进行对比。实验结果显示，该协议在计算成本和通信开销上优于其他方案，满足资源受限的终端设备需求，是一种轻量级安全的身份认证协议。

关键词: 边缘计算, 身份认证, 多信任域, 轻量级

Abstract:

Edge computing has gained widespread usage in intelligent applications due to its benefits, including low latency, high bandwidth, and cost-effectiveness.However, it also faces many security challenges due to its distributed, real-time, multi-source and heterogeneous data characteristics.Identity authentication serves as the initial step for terminal to access to the network and acts as the first line of defense for edge computing.To address the security issues in the edge computing environment, a terminal cross-domain authentication protocol suitable for the edge computing environment was proposed based on the ＆quot;cloud-edge-end＆quot; three-level network authentication architecture.Access authentication was implemented between terminals and local edge nodes based on the SM9 algorithm, and session keys were negotiated.The secret key was combined with symmetric encryption technology and hash function to achieve cross-domain authentication for the terminal.The pseudonym mechanism was used in the authentication process to protect the privacy of end users.The terminal only needs to register once, and it can roam randomly between different security domains.BAN logic was used to prove the correctness of the protocol and analyze its security.The results show that this protocol is capable of resisting common attacks in IoT scenarios, and it features characteristics such as single sign-on and user anonymity.The performance of the cross-domain authentication protocol was evaluated based on computational and communication costs, and compared with existing schemes.The experimental results show that this protocol outperforms other schemes in terms of computational and communication costs, making it suitable for resource-constrained terminal devices.Overall, the proposed protocol offers lightweight and secure identity authentication within edge computing environments.

Key words: edge computing, identity authentication, multiple trust domain, lightweight

中图分类号:

TP309

朱宏颖, 张新有, 邢焕来, 冯力. 边缘计算环境下轻量级终端跨域认证协议[J]. 网络与信息安全学报, 2023, 9(4): 74-89.

Hongying ZHU, Xinyou ZHANG, Huanlai XING, Li FENG. Lightweight terminal cross-domain authentication protocol in edge computing environment[J]. Chinese Journal of Network and Information Security, 2023, 9(4): 74-89.

图/表 15

图1

表1

图2

图3

表2

图4

图5

表3

BAN逻辑符号及含义Table 3 BAN logical symbols and meanings"

符号	含义
$P \| \equiv X$	P相信X是真的
$P ⊲ X$	P收到消息X
$P \| \Rightarrow X$	P对消息X有管辖权
$P \| ~ X$	P发过含有X的消息
$# (X)$	消息X是新鲜的
$P \overset{K}{\leftrightarrow} Q \overset{k}{\to} P$	P和Q共享密钥K进行通信k是P的公开密钥
${X}_{k}$	用密钥k加密后的密X

表3

表4

表5

表6

表7

表8

表9

通信成本对比Table 9 Comparison of communication cost"

方案	终端发送消息长度/bit	MS2/FA/FN发送消息长度/bit	总计/bit
文献[5]方案	$\| M_{aes} \| + 3 \|ID\| + \| r \| = 1184$	$2 \| M_{aes} \| + \| M_{rsa} \| = 1536$	2 720
文献[22]方案	$\| M_{aes} \| + 2 \| M_{ac} \| + \| G \| + 2 \| T \| + \| H \| = 1920$	$\| M_{aes} \| + 4 \| M_{ac} \| + 3 \| G \| + 4 \| T \| + \| H \| = 4192$	6 112
文献[23]方案	$\| G \| + \| H \| + \| T \| + \| Z_{q} \| = 1472$	$6 \| G \| + 3 \| H \| + 3 \| T \| + 2 \| Z_{q} \| = 7328$	8 800
本文方案	$2 \| ID\| + \| r \| + \| M_{aes} \| = 928$	$\| M_{aes} \| + \| M_{rsa} \| = 1280$	2 208

表9

图6

参考文献 23

[1]	沈传年 . 边缘计算安全与隐私保护研究进展[J]. 网络安全与数据治理, 2022,41(8): 41-48.
	SHEN C N . Research progress of edge computing security and privacy protection[J]. Network Security and Data Governance, 2022,41(8): 41-48.
[2]	LIU L , WANG Q , LI B Q . A system architecture for intelligent agriculture based on edge computing[J]. International Journal of Computer Applications in Technology, 2020,64(2): 126-132.
[3]	YANG C , HUANG Q , LI Z ,et al. Big data and cloud computing:innovation opportunities and challenges[J]. International Journal of Digital Earth, 2017,10(1): 13-53.
[4]	WANG T , QIU L , SANGAIAH A K ,et al. Edge-computing-based trustworthy data collection model in the internet of things[J]. IEEE Internet of Things Journal, 2020,7(5): 4218-4227.
[5]	吴卫 . 边缘计算环境下物联网身份认证与隐私保护技术研究[D]. 西安:西安电子科技大学, 2019.
	WU W . Research on IoT identity authentication and privacy protection technology in edge computing environment[D]. Xi’an:Xidian University, 2019.
[6]	YU Y . Mobile edge computing towards 5G:vision,recent progress,and open challenges[J]. China Communications, 2016,13: 89-99.
[7]	YANG L , LIU J . Cross domain authentication based on blockchain for mobile terminals in edge computing environment[C]// 2021 16th International Conference on Intelligent Systems and Knowledge Engineering (ISKE). 2021: 525-529.
[8]	马立川, 裴庆祺, 肖慧子 . 万物互联背景下的边缘计算安全需求与挑战[J]. 中兴通讯技术, 2019,25(3): 37-42.
	MA L C , PEI Q Q , XIAO H Z . Security requirements and challenges of edge computing in the context of the internet of everything[J]. ZTE Communication Technology, 2019,25(3): 37-42.
[9]	ISLAM A , DEBNATH A , GHOSE M ,et al. A survey on task offloading in multi-access edge computing[J]. Journal of Systems Architecture, 2021,118:102225.
[10]	AHMED E , REHMANI M H . Mobile edge computing:opportunities,solutions,and challenges[J]. Future Generation Computer Systems, 2017,70: 59-63.
[11]	WANG X , GAO F , ZHANG J ,et al. Cross-domain authentication mechanism for power terminals based on blockchain and credibility evaluation[C]// 2020 5th International Conference on Computer and Communication Systems (ICCCS). 2020: 936-940.
[12]	FAN K , PAN Q , WANG J ,et al. Cross-domain based data sharing scheme in cooperative edge computing[C]// 2018 IEEE International Conference on Edge Computing (EDGE). 2018: 87-92.
[13]	CHEN C L , CHIANG M L , HSIEH H C ,et al. A lightweight mutual authentication with wearable device in location-based mobile edge computing[J]. Wireless Personal Communications, 2020,113: 575-598.
[14]	SUN H , TAN Y , LI C ,et al. An edge-cloud collaborative cross-domain identity-based authentication protocol with privacy protection[J]. Chinese Journal of Electronics, 2022,31(4): 721-731.
[15]	LYU P , WANG Y , WANG Y Z ,et al. A highly reliable cross-domain identity authentication protocol based on blockchain in edge computing environment[C]// 2022 IEEE 25th International Conference on Computer Supported Cooperative Work in Design(CSCWD). 2022: 1040-1046.
[16]	张金花, 李晓伟, 曾新 ,等. 边缘计算环境下基于区块链的跨域认证与密钥协商协议[J]. 信息安全学报, 2021,6(1): 54-61.
	ZHANG J H , LI X W , ZENG X ,et al. Cross domain authentication and key agreement protocol based on blockchain in edge computing environment[J]. Journal of Information Security, 2021,6(1): 54-61.
[17]	DONG S , YANG H , YUAN J ,et al. Blockchain-based cross-domain authentication strategy for trusted access to mobile devices in the IoT[C]// 2020 International Wireless Communications and Mobile Computing (IWCMC). 2020: 1610-1612.
[18]	WANG W , HU N , LIU X . BlockCAM:a blockchain-based crossdomain authentication model[C]// 2018 IEEE Third International Conference on Data Science in Cyberspace (DSC). 2018: 896-901.
[19]	赖建昌, 黄欣沂, 何德彪 ,等. 国密 SM9 数字签名和密钥封装算法的安全性分析[J]. 中国科学:信息科学, 2021,51(11): 1900-1913.
	LAI J C , HUANG X Y , HE D B ,et al. Security analysis of digital signature and key encapsulation algorithm for state secret SM9[J]. Chinese Science:Information Science, 2021,51(11): 1900-1913.
[20]	殷明 . 基于标识的密码算法 SM9 研究综述[J]. 信息技术与信息化, 2020(5): 88-93.
	YIN M . Overview of research on identity based cryptography algorithm SM9[J]. Information Technology and Informatization, 2020(5): 88-93.
[21]	丁洁, 林志阳, 沈荻帆 . 浅谈无可信第三方的身份认证协议[J]. 科技创新与应用, 2016(10): 57-58.
	DING J , LIN Z Y , SHEN D F . On the identity authentication protocol without trusted third parties[J]. Technological Innovation and Application, 2016 (10): 57-58.
[22]	LU Y , XU G , LI L ,et al. Robust privacy-preserving mutual authenticated key agreement scheme in roaming service for global mobility networks[J]. IEEE Systems Journal, 2019,13(2): 1454-1465.
[23]	MA M , HE D , WANG H ,et al. An efficient and provably secure authenticated key agreement protocol for fog-based vehicular ad-hoc networks[J]. IEEE Internet of Things Journal, 2019,6(5): 8065-8075.

符号	含义
cid	曲线识别符
F_q	椭圆曲线基域的参数
b	椭圆曲线方程参数
N	曲线阶的素因子
G₁，G₂	循环加法群
P₁，P₂	G₁，G₂的生成元
e	双线性对
(k_s,P_pub-s)	系统签名主密钥对
(k_e, P_pub-e)	系统加密主密钥对

符号	含义
MS1/MS2	不同安全域中的边缘节点
ID_ms	MS身份标识
SID_u	终端匿名身份标识
(h,S)	终端的数字签名
KDF	密钥派生函数
K_c1	终端与MS1之间的会话密钥
K_cms/K/K_sm	随机数，用作对称密钥
K_c2	终端与MS2之间的会话密钥
r₁,r₂,r₃	随机数
T₅，T₇	时间戳
x\|\|y	字符串x和y的拼接

安全性能	文献[5]方案	文献[22]方案	文献[23]方案	本文方案
双向认证	√	√	√	√
密钥安全	×	√	√	√
中间人攻击	×	√	√	√
抗重放攻击	√	×	√	√
抗假冒攻击	√	√	×	√
前向安全	√	√	√	√
单点登录	×	×	×	√
用户匿名	√	√	√	√
安全可证	√	√	×	√

操作	参数
非对称加密	T_re
非对称解密	T_rd
对称加密	T_ae
对称解密	T_ad
哈希操作	T_h
点加操作	T_add
点乘操作	T_mul
双线性对操作	T_pair

平台	T_re	T_rd	T_ae	T_ad	T_h	T_pair	T_mul	T_add
终端	0.741	1.596	0.118	0.063	0.018	7.461	2.304	0.106
MS2	0.554	1.011	0.085	0.041	0.013	4.658	1.925	0.036