基于身份密码系统和区块链的跨域认证协议

A Cross-Domain Authentication Protocol by Identity-Based Cryptography on Consortium Blockchain

随着信息网络技术的快速发展和网络规模的持续扩张,网络环境中提供的海量数据和多样服务的丰富性和持久性都得到了前所未有的提升.处于不同网络管理域中的用户与信息服务实体之间频繁交互,在身份认证、权限管理、信任迁移等方面面临一系列安全问题和挑战.本文针对异构网络环境中用户访问不同信任域网络服务时的跨域身份认证问题,基于IBC身份密码系统,结合区块链技术的分布式对等网络架构,提出了一种联盟链上基于身份密码体制的跨信任域身份认证方案.首先,针对基于IBC架构下固有的实体身份即时撤销困难问题,通过加入安全仲裁节点来实现用户身份管理,改进了一种基于安全仲裁的身份签名方案mIBS,在保证功能有效性和安全性的基础上,mIBS性能较ID-BMS方案节省1次哈希运算、2次点乘运算和3次点加运算.其次,本文设计了区块链证书用于跨域认证,利用联盟链分布式账本存储和验证区块链证书,实现域间信任实体的身份核验和跨域认证.所提出的跨域认证协议通过安全性分析证明了其会话密钥安全,并且协议的通信过程有效地减轻了用户端的计算负担.通过真实机器上的算法性能测试,与现有同类方案在统一测试标准下比较,本文方案在运行效率上也体现出了明显的优势.

With the exciting growth of global Internet services and applications in the past decades,tremendous amount of various data and service resources are prevailing on network and attracting users from different administration domains all over the world.The Internet cyberspace is never short of security threats and resource abusers.Reliable and efficient network entity authentications and identification verifications are the corner stones for all types of secure network application environments and usage scenarios.Especially how to verify an entity’s identity outside its origin,and how to extend such authentication capability across different administration domains in network without obvious security weak point or performance bottleneck,it is a realistic challenge for traditional cryptography based authentication schemes.Either the encryption key based or the PKI certificate based approaches suffer the threats on credential managements and the inefficiency revocation.Towards the problem of cross-domain authentication when users in heterogeneous network environments access network services from different trust domains,this paper proposes a new design of blockchain certificate to implement cross-domain authentication based on the identity-based cryptosystem and the distributed architecture of blockchain technology.A novel cross-trust-domain authentication scheme based on IBC system is constructed and evaluated.Firstly,to solve the problem of instantaneous entity identity revocation based on the IBC architecture,a security-mediator based identity signature scheme,mIBS,is proposed with optimized identity management scheme.A security mediator serves in a trust domain to approve or decline any authentication attempt.By retaining part of each entity’s identity authentication key in the domain,the security mediator can quickly collaborate with other nodes to either verify the entity’s identity or fail its request for authentication,i.e.revocation.The proposed mIBS algorithm for IBC-based intro-domain authentication,ensures entity authentication functionality and security,with the computation overhead reduced greatly compared with the ID-BMS scheme.The cross-domain authentication is supported and implemented on a consortium blockchain system.We optimize the PKI certificate structure and design a blockchain certificate to record domain credential on blockchain.Blockchain certificate authorities,just like CAs in X.509,are organized and coordinated together to run the consortium ledger as the domain credential storage,verification and exchange platform.Compared with the centralized CA organization,the distributed ledger on blockchain nodes has better replication of certificate data,higher scalability,cryptography-guaranteed information integrity,and decentralized consensus calculation capability.The proposed mIBS algorithm and the blockchain-based authentication protocol are thoroughly evaluated for security and efficiency.Theoretical analysis and deduction show the new scheme holds the same security strength as the original IBC system,but saves some on the operation execution overhead.The state-of-the-art distributed user authentication schemes in literature are used as benchmarks to evaluate the proposed blockchain-based distribution authentication.The new scheme is robust enough to survive any typical network attacks and interruptions,and with significantly improved computation overhead efficiency when being measured alive on experimental machines.