
Research On Authentication Technologies In Service Oriented Multi-Domain Collaboration Environment

Posted on: 2012-07-10
Degree: Master
Type: Thesis
Country: China
Candidate: C Y Han
GTID: 2218330371962599
Subject: Military communications science

Abstract/Summary:
SOA-based business collaboration and function integration between information systems is an important application pattern in multi-domain environments. However, the Service Oriented multi-Domain Collaboration (SODC) environment brings new challenges to cross-domain secure interoperation. One of the important problems in secure interoperation is how to meet the authentication needs of communications between all kinds of security entities.

Based on research into cross-domain identity authentication and SOA security authentication technologies, and taking into account the new characteristics of the SODC environment, this thesis explores SODC-oriented authentication technologies. The main research work is as follows:

1. The authentication needs of the SODC environment are analyzed, and a corresponding authentication system architecture is designed. The shortcomings of existing cross-domain identity authentication and SOA security authentication technologies in the SODC environment are analyzed. Based on the characteristics and authentication needs of the SODC environment, a corresponding authentication system is designed, covering the overall structure of the authentication system, the intra-domain authentication structure, and the detailed structure and workflow of authentication. This architecture combines user identity authentication, federated identity management and SOAP message authentication technologies, effectively supports secure authentication in the SODC environment, and lays the foundation for the design of the authentication system.

2. To address the dynamic business collaboration relations and distributed user identity management of the SODC environment, a dynamic and distributed Federated Identity Management scheme is proposed. An identity federation framework is designed, the method for constituting an identity federation is explored, an identity information sharing algorithm is designed, and a single sign-on mechanism is proposed. The identity management scheme effectively supports the constitution of dynamic identity federations in the SODC environment, realizes independent identity information management and secure sharing for each domain, and supports privacy protection of user identity, thereby supporting identity management in the SODC environment.

3. A service invocation authentication scheme based on multi-signature in the SODC environment is proposed. To address the needs of web service invocation and the involvement of multiple participants in web service collaboration and combination, a multi-signature algorithm is introduced into the authentication scheme, and a service invocation authentication scheme based on multi-signature is proposed. A new structured multi-signature scheme is proposed, which supports sharing of a session key between signers, and the security of the scheme is proved in the random oracle model; a service invocation authentication scheme based on this multi-signature scheme is designed, which supports entity authentication, identity propagation, path authentication and message security protection; a concise session management mechanism and an anti-replay mechanism are proposed and used in the authentication scheme, supporting session authentication and resistance to replay attacks; finally, the security of the service invocation authentication scheme is analyzed. The service invocation authentication scheme conforms to several security standards such as WS-Security and SAML, is an integrated authentication scheme for the SODC environment, and is of value for SOA secure authentication.

4. A technology validation system is designed and implemented, which implements the key technologies of federated identity management and service invocation authentication and validates the feasibility of the technologies.
Keywords/Search Tags:Service Oriented Multi-Domain Collaboration, SOA Security, Authentication System, Federation Identity Management, Multi-Signature, Web Service Authentication