
Research On The Key Technologies Of Cross-Domain Authentication

Posted on: 2012-08-28
Degree: Doctor
Type: Dissertation
Country: China
Candidate: X B Li
Full Text: PDF
GTID: 1228330374499590
Subject: Cryptography
Abstract/Summary:
With the spread of e-commerce and e-government applications, information security has become increasingly important. Authentication and access control theory and technology are important fields within information security. Cross-domain authentication makes it feasible for different trust domains to be interconnected, intercommunicated and interoperable. Through in-depth research into authentication and access control theory, the following main results were obtained:

(1) Based on research into the general cross-domain authentication model, a multi-mode cross-domain authentication scheme is proposed. The scheme is based on PKI (Public Key Infrastructure) and PMI (Privilege Management Infrastructure). On the server side, authentication, authorization and auditing are implemented by middleware, and SAML (Security Assertion Markup Language) is introduced to exchange authentication and authorization information. On the client side, secure cookies, shared memory and ticket technology are adopted to realize a cross-domain SSO solution. Existing single sign-on schemes support only C/S (Client/Server) mode or B/S (Browser/Server) mode and cannot support applications in multi-mode hybrid situations; the proposed scheme solves these problems. Compared with current methods, this solution has a higher level of security and more comprehensive problem solving for multi-mode cross-domain authentication and SSO, and therefore has extensive application prospects.

(2) To meet the authentication requirements of dynamic network environments with frequent revocation, a universal revocation scheme for authentication systems is proposed. The entering, leaving, revocation and authentication of nodes are implemented based on a public key cryptography scheme and a secure dynamic accumulator, and the cross-domain property is also supported. The results show that the proposed protocol is provably secure in realizing identity authentication, session key agreement and key update with entity secrecy and perfect forward secrecy, among other properties. Compared with existing schemes, this solution has a higher level of security, better performance and more comprehensive problem solving for revocation.

(3) Client-to-client password-authenticated key exchange (C2C-PAKE) protocols allow two clients from different realms to establish a shared session key based on their passwords. Most existing schemes improve on the prototype C2C-PAKE protocol of Byun2007. Recently, Feng et al. and Liu et al. respectively proposed efficient C2C-PAKE protocols based on the public key mechanism. Cryptanalysis showed that these protocols are vulnerable to unknown key-share attacks, and that a malicious server could mount man-in-the-middle attacks and eavesdrop on the communication between the two clients; the protocols have therefore been improved.

(4) A unified resource access control system is designed and implemented. The system uses a flexible hierarchical architecture, so in theory the number of levels in the architecture is not limited. The system consists of authentication, authorization and access control modules at different levels, together with key subsystems. It realizes the RBAC (Role-Based Access Control) model using attribute certificates, and implements login for different users with centralized authentication and SSO (single sign-on) technology. The system supports different authentication modes and authentication devices, and different applications use different access control techniques. For the convenience of applications, a transparent proxy gateway approach is proposed; with this access control manner, client agents or plug-ins need not be installed on the protected server (or application system) side. Authorization management adopts a classification system that provides a distributed or centralized, flexible management model. The system provides standard external authentication, authorization and auditing interfaces and is implemented independently of authentication hardware products. It has been proved that the design of this system meets the requirements of resource access control in practice, and it can therefore be widely used.
Keywords/Search Tags: single sign-on, cross-domain authentication, cryptanalysis, access control, PMI