
The Research On Cross Domain Identity Authentication Model In The Alliance Environment

Posted on: 2017-03-15
Degree: Master
Type: Thesis
Country: China
Candidate: Y Y Du
Full Text: PDF
GTID: 2348330485452651
Subject: Computer Science and Technology
Abstract/Summary:
The alliance environment is a resource-sharing platform composed of several mutually trusting domains. In the alliance environment, each domain has at least one authentication server, which controls access to the resources of that domain and provides authentication services to its users. Users routinely access resources in other trust domains, and the current method of achieving cross-domain identity authentication by issuing temporary tickets still has security weaknesses: limited cross-domain capability, unbalanced authentication load, insecure Cookie handling, and password-guessing and replay attacks within the domain. Securing both cross-domain authentication and user authentication within a domain has therefore become an urgent problem. This thesis studies these problems as follows.

1) We first analyse the security of the identity authentication process in a single domain and across multiple domains, taking Kerberos as the example and verifying its security by simulating the attacks. The results show that when a user frequently accesses cross-domain resources, the generation, exchange and cross-domain verification of temporary credentials are invoked repeatedly, which reduces cross-domain efficiency and unbalances the load between domains. The authentication mechanism of the traditional authentication server has no cross-domain capability of its own, so an additional Servlet is required to perform the cross-domain operation; the two cooperate to complete a complex authentication and token-issuing procedure, which increases both the load and the security risk. The specific risks are: exposure of user information through Cookies stored in plaintext; password-guessing attacks, because the exchange is protected only by a symmetric key derived from the user's password; possible cracking of the ticket; and replay of the service ticket when the clocks are not synchronized.

2) For cross-domain identity authentication across multiple domains, we propose a federated cross-domain identity authentication model based on a multi-agent authentication mechanism with a unified public key and an active token-passing mechanism. First, with the multi-agent authentication mechanism, an agent service holding the same public key is added to the authentication server of every domain; this service is responsible for in-domain Cookies, cross-domain Cookies and the generation of cross-domain tokens, and uses the unified public key to encrypt information in transit. On the one hand this effectively prevents Cookie and token forgery; on the other hand it improves the efficiency of cross-domain access. Second, the agent service adopts the token-passing mechanism, which converts the authentication model from a passive request pattern to an active response pattern: as soon as the user has logged in, the token is distributed to the authentication servers of the federated domains. This speeds up the user's cross-domain access and shortens cross-domain latency, and is of particular value in domains with many cross-domain operations.

3) For identity authentication within a domain in the multi-domain setting, we improve the traditional Kerberos authentication protocol and propose a Kerberos in-domain identity authentication model based on dynamic passwords and one-time public keys. First, for the handling of cross-domain information, we adopt the multi-agent authentication mechanism to overcome the authentication server's inability to cross domains, and use a cache to manage authentication tickets so that a user who has already logged in can complete authentication through a fast channel. Second, for user authentication within the domain, we adopt a Diffie-Hellman based password mechanism together with dynamic passwords to address password-guessing attacks, and use a one-time public key based on the ElGamal public-key cipher to protect the service ticket and prevent replay attacks.

4) Experimental analysis of the cross-domain identity authentication model and the in-domain identity authentication model in the alliance environment. First, we test the security of Kerberos in-domain identity authentication. In the password-transmission stage, comparing the improved user password encryption method with the traditional method shows that the dynamic password method protects the user's information. In the service-ticket transmission stage, we monitor the data transmitted in the fifth step of the authentication process (where the service ticket is presented), copy the packets and replay them; comparing the improved server's responses with the traditional ones shows that the one-time public key method resists the replay attack better. Second, we test the security of the federated cross-domain identity authentication process. After the user completes a cross-domain operation, comparing the improved cross-domain transfer time with the traditional time shows that the cross-domain authentication model based on the token-passing mechanism authenticates more efficiently; comparing the server activity in the console shows that the improved authentication model balances the load and does not suffer single-point collapse; and for Cookie security, simulating the Cookie attack and comparing the servers' responses shows that the improved authentication model is more secure.
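The two in-domain weaknesses the analysis in point 1) attributes to Kerberos, and the direction of the fixes in point 3), can be made concrete with a small model. The following is an added example written for this page, not code from the thesis: it shows an AS-REP style reply protected only by a password-derived key falling to an offline dictionary attack, the same reply becoming unguessable to a passive eavesdropper once the key is also bound to an ephemeral Diffie-Hellman secret, and a service that validates authenticators by timestamp alone accepting a replayed copy inside the clock-skew window while a replay cache rejects it. The DH group (the Mersenne prime 2^127 - 1, generator 5), the HMAC-based cipher, the wordlist and the session-key payload are all constructed for illustration and are not Kerberos's real parameters or the thesis's dynamic-password or ElGamal construction.

```python
"""Toy model of two Kerberos weaknesses named in the abstract (constructed
example, not the thesis's code): (1) a message protected only by a key derived
from the user's password can be guessed offline by anyone who captured it, while
binding the key to an ephemeral Diffie-Hellman secret denies a passive
eavesdropper that attack; (2) a service that checks only the authenticator
timestamp against the clock-skew window accepts a replayed copy, while a replay
cache rejects it.  Group, KDF and cipher are illustrative, not Kerberos's."""
import hashlib
import hmac
import secrets
from typing import Optional

# Toy DH group: the Mersenne prime 2**127 - 1 with generator 5.  Far too small
# for real use; chosen only so the example runs instantly.
P = 2**127 - 1
G = 5
SKEW = 300  # seconds of clock skew tolerated (Kerberos's default is 5 minutes)
SESSION_KEY = b"constructed-session-key-payload"  # stands in for the AS-REP enc-part


def kdf(*parts: bytes) -> bytes:
    """Hash length-prefixed parts into a 32-byte key (toy string-to-key)."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()


def derive_key(password: str, shared: bytes = b"") -> bytes:
    """Password-only key when shared is empty; password+DH-bound key otherwise."""
    return kdf(password.encode(), shared)


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode, truncated to n bytes."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag (toy, not Kerberos's)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext if the tag verifies under key, else None."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))


def as_rep_password_only(password: str) -> bytes:
    """Traditional AS-REP style reply: protected by the password-derived key alone."""
    return seal(derive_key(password), SESSION_KEY)


def as_rep_dh_bound(password: str):
    """Reply whose key also depends on g^(ab); returns (wire values, blob, client key)."""
    a, b = secrets.randbelow(P - 2) + 2, secrets.randbelow(P - 2) + 2
    ga, gb = pow(G, a, P), pow(G, b, P)          # exchanged in the clear
    shared = pow(gb, a, P).to_bytes(16, "big")   # both ends compute g^(ab)
    key = derive_key(password, shared)
    return (ga, gb), seal(key, SESSION_KEY), key


def offline_guess(blob: bytes, wordlist) -> Optional[str]:
    """Eavesdropper: test each candidate against the captured blob.  With a
    DH-bound key the attacker lacks g^(ab), so it can only try shared=b""."""
    for cand in wordlist:
        if open_sealed(derive_key(cand), blob) is not None:
            return cand
    return None


class Service:
    """Application server validating authenticators (client name, client time)."""

    def __init__(self, use_replay_cache: bool):
        self.use_replay_cache = use_replay_cache
        self.seen = set()  # (client, ctime) pairs accepted within the skew window

    def accept(self, client: str, ctime: int, now: int) -> bool:
        if abs(now - ctime) > SKEW:          # timestamp check alone
            return False
        if self.use_replay_cache:
            if (client, ctime) in self.seen:  # identical authenticator seen before
                return False
            self.seen.add((client, ctime))
        return True


def demo():
    wordlist = ["123456", "password", "qwerty", "letmein", "hunter2"]  # constructed
    cracked = offline_guess(as_rep_password_only("letmein"), wordlist)
    _, dh_blob, _ = as_rep_dh_bound("letmein")
    not_cracked = offline_guess(dh_blob, wordlist)
    naive, guarded = Service(use_replay_cache=False), Service(use_replay_cache=True)
    first = (naive.accept("alice", 1000, 1000), guarded.accept("alice", 1000, 1000))
    replay = (naive.accept("alice", 1000, 1120), guarded.accept("alice", 1000, 1120))
    return cracked, not_cracked, first, replay


if __name__ == "__main__":
    print(demo())  # ('letmein', None, (True, True), (True, False))
```

Two caveats a practitioner would add. Binding the key to a plain Diffie-Hellman exchange only stops the passive attacker modelled here; an attacker who can impersonate the KDC still gets one online guess per connection, which is why production designs use an authenticated PAKE rather than bare DH plus a password. The replay cache keyed on (client, ctime) mirrors the role of Kerberos's replay cache; the real one also keys on microseconds and the authenticator checksum, and it only needs to remember entries for the skew window, since anything older is rejected by the timestamp check anyway.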
Keywords/Search Tags:Kerberos domain authentication, agent service, alliance environment, cross-domain authentication