Abstract
Distributed systems such as cloud computing and the Internet of Things are widely deployed in critical application domains, and their security is becoming increasingly important. Because the deployment environment is complex, with decentralized, heterogeneous and dynamic characteristics, securing the information in distributed systems faces severe challenges. Traditional authentication schemes usually suffer from high computational cost, complex certificate management and untimely updates of dynamic membership, so they do not satisfy the requirements of large-scale distributed systems well. Aiming at the typical application scenario in which a large number of clients interact with application servers, this paper proposes a hierarchical lightweight authentication scheme based on a Merkle tree and a hash chain. The scheme divides the clients into several neighborhoods; each neighborhood has an authentication proxy node that manages the clients in the neighborhood and reports authentication information to the application server. The scheme combines Merkle tree and hash chain techniques to provide client identity authentication, one-time-pad communication encryption and message authentication, and uses efficient hash and XOR operations to keep computational overhead low. Security analysis and performance analysis show that the scheme has comprehensive security and better performance.
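The abstract describes the scheme only at the level of its building blocks (a Merkle tree over the clients of a neighborhood, a hash chain for per-session secrets, and hash/XOR for one-time-pad encryption and message authentication). The following is an added illustration of how those blocks fit together, written for this page and not the authors' protocol or code: the leaf format, the domain-separation tags, the choice of SHA-256, the key-stream expansion and the hash-based tag are all assumptions of this example, and the client identities and secrets are constructed sample data. It shows the three checks a server or proxy would actually perform: that a presented leaf belongs to the neighborhood's Merkle root, that each revealed hash-chain value is the preimage of the previously accepted one (so a replayed value is rejected), and that a ciphertext whose tag does not verify is discarded rather than decrypted.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple


def H(*parts: bytes) -> bytes:
    """SHA-256 over the concatenation of parts: the only primitive besides XOR."""
    return hashlib.sha256(b"".join(parts)).digest()


# ---- Merkle tree over the clients of one neighborhood (proxy side) ----
def client_leaf(client_id: bytes, secret: bytes) -> bytes:
    """Leaf commits to a client identity and its registration secret (assumed leaf format)."""
    return H(b"leaf", client_id, secret)


def build_levels(leaves: List[bytes]) -> List[List[bytes]]:
    """Return every level of the tree, leaves first; odd levels duplicate their last node."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2 == 1:
            cur.append(cur[-1])
        levels.append([H(b"node", cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


def merkle_root(levels: List[List[bytes]]) -> bytes:
    return levels[-1][0]


def merkle_proof(levels: List[List[bytes]], index: int) -> List[Tuple[bytes, bool]]:
    """Sibling path for leaf `index`; the flag says whether the sibling sits on the left."""
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        proof.append((level[sibling], sibling < index))
        index //= 2
    return proof


def verify_membership(leaf: bytes, proof: List[Tuple[bytes, bool]], root: bytes) -> bool:
    """Recompute the path to the root; only a leaf that was in the tree reproduces it."""
    node = leaf
    for sibling, sibling_is_left in proof:
        node = H(b"node", sibling, node) if sibling_is_left else H(b"node", node, sibling)
    return hmac.compare_digest(node, root)


# ---- Hash chain: one fresh secret per session, revealed in reverse order ----
class HashChainClient:
    def __init__(self, seed: bytes, length: int):
        chain = [seed]
        for _ in range(length):
            chain.append(H(b"chain", chain[-1]))
        self.chain = chain                 # chain[0] = seed ... chain[length] = anchor
        self.next_index = length - 1       # first value revealed is chain[length - 1]

    def anchor(self) -> bytes:
        """Public end of the chain; registered with the verifier before any session."""
        return self.chain[-1]

    def next_key(self) -> bytes:
        if self.next_index < 0:
            raise RuntimeError("hash chain exhausted; client must re-register")
        key = self.chain[self.next_index]
        self.next_index -= 1
        return key


class HashChainVerifier:
    def __init__(self, anchor: bytes):
        self.last = anchor

    def accept(self, key: bytes) -> bool:
        """Accept only the preimage of the last accepted value; a replay fails this check."""
        if not hmac.compare_digest(H(b"chain", key), self.last):
            return False
        self.last = key
        return True


# ---- One-time key: XOR encryption plus a hash-based message tag ----
def keystream(key: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += H(b"pad", key, ctr.to_bytes(4, "big"))
        ctr += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def protect(key: bytes, msg: bytes) -> Tuple[bytes, bytes]:
    ct = xor(msg, keystream(key, len(msg)))
    return ct, H(b"mac", key, ct)


def unprotect(key: bytes, ct: bytes, tag: bytes) -> Optional[bytes]:
    """Verify the tag first; never decrypt a message whose tag does not match."""
    if not hmac.compare_digest(H(b"mac", key, ct), tag):
        return None
    return xor(ct, keystream(key, len(ct)))


def run_session(n_clients: int = 5, chain_len: int = 4) -> Dict[str, object]:
    """Constructed neighborhood of n_clients; exercises membership, chain and tag checks."""
    ids = [b"client-%d" % i for i in range(n_clients)]
    regs = [secrets.token_bytes(16) for _ in ids]
    leaves = [client_leaf(i, s) for i, s in zip(ids, regs)]
    levels = build_levels(leaves)
    root = merkle_root(levels)             # the proxy reports this root upward
    idx = 2
    proof = merkle_proof(levels, idx)
    client = HashChainClient(regs[idx], chain_len)
    verifier = HashChainVerifier(client.anchor())
    k1 = client.next_key()
    first_ok = verifier.accept(k1)
    ct, tag = protect(k1, b"sensor reading: 21.5C")
    tampered = ct[:-1] + bytes([ct[-1] ^ 1])
    return {
        "member_ok": verify_membership(leaves[idx], proof, root),
        "outsider_rejected": not verify_membership(client_leaf(b"outsider", b"x"), proof, root),
        "first_key_ok": first_ok,
        "plaintext": unprotect(k1, ct, tag),
        "tampered_rejected": unprotect(k1, tampered, tag) is None,
        "replay_rejected": not verifier.accept(k1),
        "second_key_ok": verifier.accept(client.next_key()),
    }
```

The verifier only ever stores the last accepted chain value, so the per-client state on the proxy or server stays at one hash regardless of how many sessions have run, which is the property that makes the chain attractive for large client populations; the trade-off is that the chain has a fixed length and the client must re-register once it is exhausted.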
Authors
沈卓炜
汪仁博
孙贤军
SHEN Zhuowei; WANG Renbo; SUN Xianjun (School of Cyber Science and Engineering, Southeast University, Nanjing 211189, China; Key Laboratory of Computer Network and Information Integration of Ministry of Education, Southeast University, Nanjing 211189, China; Security and Preventive Technology Division, The Third Research Institute of Ministry of Public Security, Shanghai 200031, China)
Source
《信息网络安全》
CSCD
PKU Core Journal
2024, No. 5, pp. 709-718 (10 pages)
Netinfo Security
Funding
National Key R&D Program of China [2022YFB3104602].