
Research On The Key Technologies Of Identity Authentication In Mobile Cloud Computing

Posted on: 2017-01-18
Degree: Doctor
Type: Dissertation
Country: China
Candidate: C L Cao
Full Text: PDF
GTID: 1318330518995992
Subject: Information security

Abstract/Summary:
In the mobile cloud computing environment, the wireless network is open and heterogeneous, the hardware resources are limited, and the computation offloading power of a mobile device is weak. Because of these limitations, the identity authentication mechanism in the mobile cloud computing paradigm must not only implement secure bidirectional authentication between cloud entities efficiently, but also meet the special challenge that the trusted third party sometimes has to be removed from the authentication procedure. To fulfill these requirements, this article analyzes the vulnerabilities of the 3G/4G AKA protocols in the data link layer and of the SAML 2.0 SSO protocols in the network application layer, and then presents a PKI-based improvement scheme for SAML 2.0 SSO. The article also proposes an IBC-based layered mobile cloud computing security architecture to build a more efficient and secure cloud entity authentication mechanism. Based on this architecture, the article designs several bidirectional identity authentication and key agreement protocols for a federated mobile cloud system. Furthermore, the article builds a hierarchical cloud entity identity and key management architecture to ease the running pressure on the root PKG node in each child security domain, and presents a hierarchical identity-based authenticated key agreement protocol by which mobile cloud entities can securely agree on a session key and check each other's identity. Finally, in order to retrieve an anonymous signer in the mobile cloud computing environment, the article proposes an identity-based revocable ring signature scheme.
The main results of the article are as follows:

(1) The article systematically analyzes the vulnerabilities of the 3G/4G AKA and SAML 2.0 SSO protocols and finds that they do not realize a bidirectional identity authentication mechanism, so a malicious attacker can disrupt normal protocol processes and threaten account security. Based on this analysis, the article proposes a PKI-based improvement scheme for SAML 2.0 SSO that realizes mutual authentication between the user and the service provider without changing the original protocol processes and packet structures. The security properties of the improved protocol have been proved by S-pi calculus formal verification.

(2) The article proposes an IBC-based layered security architecture to provide a trusted transmission mechanism among mobile cloud systems maintained by different organizations. In this architecture, the GPKG is the trusted authority in the global security domain, and each child security domain is a self-contained domain with an independent root PKG that is responsible for certifying the cloud entities in its own domain. To improve the carrying capacity of the layered security architecture, the article subdivides the child security domain and builds a hierarchical mobile cloud entity identity and key management architecture based on the HIBE system.

(3) Based on the layered security architecture, the article proposes several identity-based cloud entity authentication protocols that implement mutual identification, session key exchange, data sharing and secure data transfer services in a federated mobile cloud system. The security properties of the protocols have been proved by S-pi calculus formal verification. The protocols not only ensure the confidentiality of the transferred data, but also resist man-in-the-middle attacks and masquerading attacks. The efficiency of the protocols has been tested in a lab environment.

(4) On the basis of the HIBE system proposed by Dan Boneh et al., the article reconstructs the private key and presents a hierarchical identity-based authenticated key agreement protocol using a bilinear map on elliptic-curve and multiplicative cyclic groups. The protocol provides a secure session key exchange and authentication mechanism for cloud entities on different hierarchical levels in the child security domain. Under the CDH and GDH assumptions, the article proves that the protocol not only achieves known-key security, forward security and PKG forward security in the eCK model, but also resists key-compromise impersonation attacks.

(5) On the basis of the HIBE system proposed by Dan Boneh et al., the article provides an identity-based revocable ring signature scheme using a bilinear map on elliptic-curve and multiplicative cyclic groups. The scheme not only implements anonymous signatures, but can also identify the anonymous signer. Under the CDH and GDH assumptions, the article proves that the scheme achieves unconditional anonymity, unforgeability and undeniability in the PPT model.
Keywords/Search Tags: mobile cloud computing, PKI, IBC, HIBE, AKA, SAML, single sign on, S-pi, key exchange, ring signature