
Study On Authentication Protocol For Multi-Cloud Environments

Posted on: 2021-12-29
Degree: Master
Type: Thesis
Country: China
Candidate: L Zhang
Full Text: PDF
GTID: 2518306050466564
Subject: Master of Engineering
Abstract/Summary:
Cloud services are a new type of network service that relies on cloud computing. They have been widely used in finance, medical treatment, transportation and other fields. However, the outsourcing service model of cloud computing and the security risks of the cloud platform have raised users' concerns about data privacy and security. Authentication and Key Exchange (AKE) protocols can ensure the legitimacy of the cloud server's and the user's identities and achieve secure data access control. Therefore, AKE protocols are key to multi-cloud service applications. However, existing AKE protocols have, to varying degrees, issues in terms of security and scalability, and cannot meet the application requirements of the multi-cloud service computing environment. This paper aims to analyze the shortcomings of typical AKE solutions in multi-server scenarios and to give design criteria and AKE protocols for multi-cloud service scenarios. The specific studies of this paper are as follows:

1. This paper analyzes four typical multi-server scenario AKE schemes. First, the paper points out that these protocols have the following shortcomings: (1) Most protocols store a derived value of the user's password on the smart card or server. After performing a side-channel attack to crack the device, or after corrupting the server, the adversary can use the value to execute offline dictionary attacks to crack the user's password. (2) Some protocols may be vulnerable to attacks such as temporary information leakage attacks or key compromise impersonation (KCI) attacks, or fail to provide security attributes such as user anonymity and perfect forward secrecy, which makes them unsuitable for applications with higher security requirements such as medical treatment and finance. (3) Some protocols need to interact with the online registration center during the authentication phase, which significantly increases the cost of authentication. The design criteria for the AKE protocol in multi-cloud service scenarios are given, including: (1) The protocol doesn't store password-derived values, which lets it resist a series of attacks such as offline dictionary attacks and insider attacks. (2) The protocol can address new challenges such as KCI attacks and temporary information leakage attacks, and ensure forward security, user anonymity and other security attributes. (3) No registration center participates in authentication during the authentication phase.

2. Based on the above design criteria, this paper proposes a single-credential AKE framework and puts forward an instantiation protocol. First, a single-credential AKE framework based on an Oblivious Pseudo-Random Function (OPRF) and a two-party asymmetric AKE protocol is given. The user uses the combination of a single credential (such as password + private key, or password + private key + biometric) to complete registration at the key generation authority, and can then securely access any legitimate cloud server. Specifically, the password and private key are associated through the OPRF interaction process to ensure their secure storage, retrieval and recovery. Then the two-party asymmetric AKE scheme is used to implement mutual authentication and key negotiation between the user and the cloud server. Second, a two-party asymmetric AKE protocol is constructed using Identity-Based Higncryption (IBHigncryption), and the single-credential AKE framework is instantiated. This instantiation protocol can provide anonymity while enhancing protection against password leakage. Finally, a provable security analysis under the random oracle model is presented, and a performance comparison with similar schemes is carried out to show that the scheme is provably secure and has a computation cost acceptable to the system.
Keywords/Search Tags: multi-cloud services, authentication, key exchange, OPRF, IBHigncryption