
The Security Authentication Technology Of Open Source Cloud Platform Based On OpenStack And Its Implementation

Posted on: 2020-11-24
Degree: Master
Type: Thesis
Country: China
Candidate: Y P Dong
GTID: 2428330602452190
Subject: Engineering

Abstract/Summary:
Cloud computing is an on-demand billing model in which computing resources are purchased as needed, which greatly improves resource utilization. It also enables automated management of resources and services, with various solutions integrated through the cloud platform, which reduces the cost and difficulty of deployment for users. OpenStack is an open source cloud platform jointly launched by NASA and Rackspace. It has attracted wide attention because of its good compatibility, scalability and flexibility, and all the major IT vendors now provide technical support for it. OpenStack was once the hottest project in cloud computing research.

However, although OpenStack is powerful, its focus has always been on virtualization technology, so some components were designed only as necessary modules, without considering problems that arise in real applications. Its security authentication component, Keystone, is one of them. As the first essential component of OpenStack, Keystone undertakes authorization and authentication for the whole system, and must provide these services to users and to other components. However, Keystone provides only a framework for security authentication and a simple authentication process. There are serious security vulnerabilities. Moreover, official security documents explicitly recommend that it should not be used directly in applications, so a more reliable authentication scheme is generally provided through its third-party interface.

In this thesis, in order to solve the security problems in OpenStack, the basic authentication framework of OpenStack is improved. Our work is as follows.

Firstly, the Keystone authentication process is improved based on public key cryptography. The token used in the UUID authentication process of the framework is modified, and a specific authentication protocol is designed to realize mutual authentication between users and resource servers. In this way, even if illegal users acquire a token, they cannot obtain the corresponding resources or services. At the same time, session keys are negotiated during mutual authentication to encrypt the subsequent communication data.

Secondly, on the basis of the above authentication protocol, an anti-DoS attack module is designed for the authentication scheme. A proof-of-work method based on elliptic curves is adopted, and the anti-DoS attack module is added to the Keystone architecture, so that each request must complete a certain amount of work, set according to the current network conditions, before it is actually processed. This defends the authentication protocol against DoS attacks.

Thirdly, key management for the Keystone framework is realized by extending and improving the Barbican module. Specifically, HashiCorp Vault, an open source project, is used to improve its key storage plug-in, and an elliptic-curve-based encryption algorithm is used to improve its encryption plug-in, so as to improve the security of the system and provide key management support for the scheme designed in this thesis.

Finally, an OpenStack experimental verification platform is built in a Linux environment, and the functions of the above schemes are tested. The results show that the improved token has high security. Users and resource servers can authenticate each other and negotiate session keys to protect the security of subsequent data transmission. At the same time, the Keystone module of the cloud platform can resist certain DoS attacks.
Keywords/Search Tags:Cloud Computing, OpenStack, Security Certification, Resisting DoS Attack