基于属性加密的软件定义网络域间访问控制方法

An inter-domain access control scheme for software defined network based on attribute-based encryption

软件定义网络(SDN)区别于传统的计算机网络,其核心思想是将网络控制与数据转发分离。SDN不仅有利于降低网络当中的硬件成本,还使得网络管理员能够方便地对来自不同厂商的设备进行集中化的调试和管理。尽管具备传统网络不可比拟的优势,SDN的应用却带来了新的安全问题。当前如何保证SDN控制器掌控的敏感信息不被窃取是SDN安全领域内的关键问题之一。然而现有SDN访问控制方案往往无法提供安全的信息保护,而且往往着眼于单域环境下的管理,不能满足多域网络管理的需求。本文提出了一种抗密钥暴露的密文策略属性快速加密算法(AKE-CP-ABFE),基于该算法构建了一种针对多控制器设置的SDN域间访问控制系统模型。利用预计算技术使加密者无需进行复杂的指数运算或双线性映射。此外将用户或者设备的MAC地址嵌入到私钥当中,即使私钥已经暴露,获取私钥的人也无法使用该私钥。分析证明AKE-CP-ABFE具备良好的安全性。仿真实验表明,该方法能以较高的计算效率保证SDN敏感信息域间分享的安全性和灵活性。

Different from traditional computer network,software defined network(SDN)separates the network control from data transmission.SDN facilitates reducing hardware cost and centralized configuration and management of devices of different vendors.Despite its overwhelming advantages that traditional network architecture does not has,the applications of SDN brings out a series of new problems in terms of security.One of the key problems is how to prevent eavesdropping sensitive information possessed by SDN controllers.However,existing SDN access control schemes cannot provide secure information protection.Furthermore,most schemes focus on single-domain management but fail to meet inter-domain requirements.To address it,an anti-key-exposure ciphertext policy attribute-based fast encryption(AKE-CP-ABFE)is proposed.By introducing pre-computation technique,the encryptors do not need to execute any complicated exponentiation or bilinear map.Besides,MAC addresses are inserted into the private keys so that others cannot use private key of someone.Theoretical analysis proves that AKE-CP-ABFE has great security.Based on the proposed scheme,an inter-domain access control system model with multi-controller setting is established.Simulation experiment demonstrates that it guarantees security and flexibility of inter-domain sensitive information sharing in SDN.