
The Research On HDFS Security Authentication Mechanism

Posted on: 2020-12-16
Degree: Master
Type: Thesis
Country: China
Candidate: G Y Wang
Full Text: PDF
GTID: 2428330599951312
Subject: Engineering
Abstract/Summary:
The HDFS security authentication mechanism is the first line of defence for secure data interaction in a distributed environment. It can effectively prevent intrusion by illegitimate users and ensure the security of the cluster, so its study has great practical and applied significance. The traditional HDFS security authentication mechanism directly adopts the Kerberos third-party authentication protocol. Because this mechanism uses the KDC as the authentication center to centrally handle the security authentication of a large number of DataNodes, it easily gives rise to weaknesses such as single-point overload, duplicate authentication, replay attacks and multiple key distribution. This paper therefore studies the problems present in the traditional security mechanism. The specific research contents are as follows:

(1) In the traditional HDFS authentication mechanism, the KDC authentication center must handle the security authentication of a large number of DataNodes, which causes single-point overload, duplicate authentication and replay attacks. To address these problems, this paper improves the overall authentication process among the Client, KDC, NameNode and DataNode, introduces a token push mechanism that re-plans the HDFS authentication process into three phases, and establishes an HDFS authentication model, the HDFS-TPK authentication model. The model divides the authentication process into three phases: the NameNode ticket authentication phase, the KDC-based Agent token generation and push phase, and the DataNode data access authentication phase. After the NameNode ticket is authenticated, the KDC directly generates the Agent cross-node token and pushes it to all DataNodes. When the user accesses a DataNode, the request no longer passes through the KDC for authentication but is authenticated directly with the token, which greatly reduces the load on the KDC authentication server and also reduces repeated authentication through the KDC. In addition, a new parameter, T-nonce, is introduced into the authentication packets exchanged between the Client, the NameNode and the DataNodes. The parameter is obtained by hashing the timestamp and IP address; combining it with the timestamp and IP address ensures its timeliness and uniqueness, so that an illegitimate user cannot mount a replay attack.

(2) Because HDFS contains a large number of DataNodes, the Client needs to generate many session keys for encryption and decryption during the authentication process, which easily leads to multiple distribution and repeated storage of keys. This paper introduces into the HDFS-TPK model an HDFS key management mechanism based on a multi-level one-way hash chain. When the KDC authenticates the ticket in the first phase, a root key K0 is generated for the user service and distributed to all DataNodes together with the Agent token; a master key chain is established on each DataNode, which stores the root key and the secondary key chain header of each user service in an array. During authentication, the root key K0 and the secondary key chain of the current user service are looked up in the master key chain, the corresponding key value is generated from the access sequence number Seq to perform the encryption and decryption operations, and that key value is appended to the secondary key chain. Because a local key chain mechanism is adopted, the problem of multiple distribution and repeated storage of session keys is avoided. In addition, since the keys of the multi-level one-way hash chain are generated by hash functions, a different key value is obtained each time, which effectively prevents password guessing attacks; the secondary key chain is released when the user service ends, which simplifies key management.

(3) The HDFS-TPK-based HDFS authentication mechanism proposed in this paper is compared with and analysed against the traditional Kerberos-based HDFS authentication mechanism. First, an experimental platform was built, and HDFS-TPK and Kerberos were each deployed on the Hadoop cluster. The experimental results show that the improved model effectively solves the single-point overload, duplicate authentication and replay attack problems of the traditional identity authentication model, and the effect is particularly significant in a cluster with a large number of data nodes. In addition, the experiments show that the improved key management mechanism simplifies the key management process, thereby shortening user authentication time and effectively preventing password guessing attacks.
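The following Python block is an added illustration of the two mechanisms described in points (1) and (2) above; it is not code from the thesis. The concrete hash construction (K_i = H(K_{i-1} || i), T-nonce = H(timestamp || IP)), the SHA-256 choice, the field encodings and the freshness window are assumptions made for this example. It shows why holding the same root key K0 on the Client and on every DataNode removes the need to distribute a session key per access, and how a DataNode can reject a replayed request using the T-nonce triple.

```python
import hashlib

# Added example illustrating the HDFS-TPK ideas in the abstract. The hash
# construction, encodings and time window are assumptions for illustration
# and are not taken from the thesis.


def h(*parts: bytes) -> bytes:
    """One-way hash over the concatenation of the given byte strings."""
    return hashlib.sha256(b"".join(parts)).digest()


class MasterKeyChain:
    """Per-node store of root keys and secondary key chains, one per user service.

    The Client and every DataNode hold the same root key K0 for a service
    (pushed by the KDC together with the Agent token), so each side derives
    the key for access number Seq locally instead of receiving a fresh key.
    """

    def __init__(self):
        self.chains = {}  # service_id -> {"root": K0, "keys": [K1, K2, ...]}

    def install_root(self, service_id, k0):
        # Master chain entry: root key plus an initially empty secondary chain.
        self.chains[service_id] = {"root": k0, "keys": []}

    def key_for_seq(self, service_id, seq):
        """Return K_seq with K_i = H(K_{i-1} || i) and K_0 = root (assumed rule)."""
        if seq < 1:
            raise ValueError("Seq starts at 1")
        entry = self.chains[service_id]
        keys = entry["keys"]
        # Extend the secondary chain on demand; each derived key is appended.
        while len(keys) < seq:
            prev = entry["root"] if not keys else keys[-1]
            idx = len(keys) + 1
            keys.append(h(prev, idx.to_bytes(4, "big")))
        return keys[seq - 1]

    def release(self, service_id):
        """Drop a service's secondary chain once the user service ends."""
        self.chains.pop(service_id, None)


def make_t_nonce(timestamp, ip):
    """T-nonce = H(timestamp || IP): tied to the sender and the moment of sending."""
    return h(int(timestamp).to_bytes(8, "big"), ip.encode())


class ReplayGuard:
    """DataNode-side check of the (timestamp, IP, T-nonce) triple in a request."""

    def __init__(self, window_seconds=300):
        self.window = window_seconds
        self.seen = set()  # nonces accepted so far (prune by window in a real node)

    def accept(self, timestamp, ip, t_nonce, now):
        # 1. The nonce must be the hash of the claimed timestamp and IP.
        if t_nonce != make_t_nonce(timestamp, ip):
            return False
        # 2. The timestamp must be recent, bounding how long a capture is usable.
        if abs(now - timestamp) > self.window:
            return False
        # 3. The same nonce is accepted at most once.
        if t_nonce in self.seen:
            return False
        self.seen.add(t_nonce)
        return True


if __name__ == "__main__":
    # Constructed values: one user service, one Client, one DataNode.
    k0 = h(b"constructed-root-key-for-svc-1")
    client, datanode = MasterKeyChain(), MasterKeyChain()
    client.install_root("svc-1", k0)
    datanode.install_root("svc-1", k0)
    print("keys agree for Seq=3:",
          client.key_for_seq("svc-1", 3) == datanode.key_for_seq("svc-1", 3))
    guard = ReplayGuard()
    ts, ip = 1_700_000_000, "10.0.0.5"
    nonce = make_t_nonce(ts, ip)
    print("first request accepted:", guard.accept(ts, ip, nonce, now=ts + 5))
    print("replayed request accepted:", guard.accept(ts, ip, nonce, now=ts + 6))
```

Both sides extend the secondary chain lazily, so a DataNode that only ever sees access Seq=3 still computes the same K3 as the Client, and freeing the chain with `release` is all the cleanup a finished service needs. The nonce set in `ReplayGuard` grows without bound here; a deployed node would evict entries older than the window, which is safe because step 2 already rejects anything that old.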
Keywords/Search Tags:HDFS, security authentication, token push mechanism, multi-level hash key chain