一种基于可信DAA连接的单点登录模型

系统仿真学报 ›› 2016, Vol. 28 ›› Issue (4): 890-897.

一种基于可信DAA连接的单点登录模型

杨晓晖, 江丽军, 王虹, 常思远

河北大学网络技术研究所,河北保定 071002

收稿日期:2014-07-15 修回日期:2014-10-20 出版日期:2016-04-08 发布日期:2020-07-02
作者简介:杨晓晖(1975-),男,河北巨鹿,博士,教授,研究方向为云计算与信息安全;江丽军(1986-),男,河北涉县,硕士生,研究方向为可信计算。
基金资助:
国家科技支撑计划(2013BAK07B04);国家自然科学基金(61170254);河北省自然科学基金(F2014201152)

Single Sign-on Model Based on Trusted-DAA Connection

Yang Xiaohui, Jiang Lijun, Wang Hong, Chang Siyuan

Institute of Network Technology, Hebei University, Baoding 071002, China

Received:2014-07-15 Revised:2014-10-20 Online:2016-04-08 Published:2020-07-02

摘要/Abstract

摘要： 针对云计算环境下传统单点登录模式采用SSL连接时存在的证书更新不及时、证书更新需要第三方CA参与等问题,在云身份认证服务器和云服务供应商之间引入TPM,采用DAA身份认证方式设计了一种可信DAA连接(T-D-SSL)来实现跨平台的可信身份认证、安全信道建立及证书更新操作。在此基础上,结合SAML2.0和ID-FF1.2,设计并实现了云计算环境下基于可信DAA连接的单点登录模型,在保证安全的同时减少了TPM带来的性能损耗。仿真实验结果表明,该模型能够安全高效的实现云计算环境下的跨域单点登录。

关键词: 可信计算, 单点登录, 直接匿名验证, 身份认证

Abstract: Traditional single sign-on (SSO) models adopt SSL connections in the cloud computing environments, while there exist several problems such as certificates cannot be updated in time, certificate updating needs a third party CA, etc.. To solve above problems, TPM was introduced between cloud identity providers and cloud service providers, and a trusted DAA connection (T-D-SSL) was designed by adopting the DAA authentication method to implementation cross platform trusted authentication, secure channel establishment, and certificate updating operation. Combining with T-D-SSL, SAML2.0, and ID-FF1.2, a new SSO model of the cloud computing environments was proposed, which could make sure the system security and reduce the performance lose due to the introduction of TPM. The simulation experiment results indicate T-D-SSL model can realize cross domain SSO safely and efficiently in the cloud computing environments.

Key words: trusted computing, single sign-on, direct anonymous attestation, authentication

中图分类号:

TP393

杨晓晖, 江丽军, 王虹, 常思远. 一种基于可信DAA连接的单点登录模型[J]. 系统仿真学报, 2016, 28(4): 890-897.

Yang Xiaohui, Jiang Lijun, Wang Hong, Chang Siyuan. Single Sign-on Model Based on Trusted-DAA Connection[J]. Journal of System Simulation, 2016, 28(4): 890-897.

参考文献

[1] 冯登国, 张敏, 张妍, 等. 云计算安全研究[J]. 软件学报, 2011, 22(1): 71-83.
[2] Radha V, Reddy D H.A Survey on Single Sign-On Techniques[J]. Procedia Technology (S1877-7058), 2012, 4: 134-139.
[3] Microsoft Windows Live ID服务 [EB/OL]. (2006-06-19) [2014-02-06] https://msdn.microsoft.com/zh-cn/library/aa479889.aspx.
[4] Cantor S, Hodges J, Kemp J, et al. Liberty ID-FF Architecture Overview [EB/OL]. (2004-09-30) [2014-02-06]http://www.projectliberty.org/liberty/.
[5] Internet2. Shibboleth Project [EB/OL]. (2014-02-26) [2014-03-10]http://shibboleth.net/about/.
[6] Lewis K D, Lewis J E.Web Single Sign-On Authentication using SAML[J]. International Journal of Computer Science Issues (IJCSI)(S1694-0784), 2010, 7(4): 41-48.
[7] Armando A, Carbone R, Compagna L, et al.From Multiple Credentials to Browser-based Single Sign-on: Are We More Secure?[M]// Future Challenges in Security and Privacy for Academia and Industry. Germany: Springer Berlin Heidelberg, 2011: 68-79.
[8] Kirandeep K, Divya B.Security Vulnerabilities in SAML based Single Sign-On Authentication in Cloud [C]// 1st International Workshop on Cloud Computing and Information Security. Amsterdam, Holland: Atlantis Press, 2013: 294-298.
[9] 沈昌祥, 张焕国, 王怀民, 等. 可信计算的研究与发展[J]. 中国科学: 信息科学, 2010, 40(2): 139-166.
[10] 冯登国, 秦宇, 汪丹, 等. 可信计算技术研究[J]. 计算机研究与发展, 2011, 48(8): 1332-1349.
[11] Brickell E, Camenisch J, Chen L.Direct anonymous attestation[C]// Proceedings of the 11th ACM conference on Computer and communications security. USA: ACM, 2004: 132-145.
[12] 张毅, 周鹏, 侯整风. 一种基于ELGamal签名和零知识证明的双向认证方案[J]. 系统仿真学报, 2011, 23(1): 307-309.
[13] 谭良, 孟伟明, 周明天. 一种优化的直接匿名证言协议方案[J]. 计算机研究与发展, 2014, 51(2): 334-343.
[14] 胡建军. GF(p)上构造安全椭圆曲线的一种新方法[J].武汉大学学报(工学版), 2014, 47(2): 286-288.