
Authentication And Authorization Mechanism Based On Logic Virtual Domains For Cloud

Posted on: 2015-12-22
Degree: Master
Type: Thesis
Country: China
Candidate: Y J Wu
GTID: 2308330452457199
Subject: Computer technology

Abstract/Summary:
With the development of cloud computing, virtualization technology, which shields the differences of the underlying hardware, is widely used. The logic virtual domain (LVD), which unites virtual machines (VMs) that meet the same policies across different service nodes to provide a safe operating environment for upper-layer applications, has attracted wide attention. Authentication and authorization are used to verify identity and ensure secure communication between entities. However, resource sharing in the cloud makes the credentials of authentication and authorization systems easier to steal than in a traditional environment. Developing a trusted authentication and authorization system for LVDs that can prove the integrity of the entities to users with low overhead has important theoretical and practical significance.

The key question of this thesis is how to realize a trusted authentication system in the LVD, safeguard the system, and provide easy access to the LVD. First, a trusted intra-domain certificate authority (CA) is built, which manages the identities of intra-domain entities and the certificates and uses strong authentication to authenticate each entity and construct a trusted channel; in addition, trusted computing technology is integrated into the Public Key Infrastructure (PKI) to store the credentials in the virtual Trusted Platform Module (vTPM), safeguarding the intra-domain authentication and authorization system. Second, a single sign-on (SSO) solution is realized on the basis of the Secure Shell (SSH) protocol and the intra-domain CA so that users can log in to the LVD efficiently; moreover, a VM-based remote attestation interface and an LVD-based remote attestation interface are used to attest platform consistency.

Functional tests show that the system, which is based on trusted computing, can achieve special-format certificate management and authentication. Performance tests show that the extra cost of the authentication system in the LVD is not acceptable, and that the authentication time of the SSO implemented in SSH does not bring insignificant time delay compared with the original authentication.
Keywords/Search Tags:Cloud Computing, Authentication, Authorization, Logic Virtual Domain, Public Key Infrastructure, Trusted Computing