Research On Key Mechanisms Of DDS Secure Communication For Edge Computing

Posted on: 2023-10-25
Degree: Master
Type: Thesis
Country: China
Candidate: X Y Xu
Full Text: PDF
GTID: 2558307061950239
Subject: Cyberspace security
Abstract/Summary:
Data Distribution Service (DDS) is a data-centric publish-subscribe system specification that achieves loose coupling between publishers and subscribers and offers high real-time performance and throughput. Because of these benefits, DDS is widely used in IoT scenarios. As the scale of the IoT grows, the traditional cloud computing architecture is gradually being replaced by edge computing in order to reduce network bandwidth pressure and processing delay. Edge nodes are deployed near the terminals to provide data storage and computing services. The complexity of the hierarchical structure and the growing number of devices make the DDS secure communication schemes of traditional IoT scenarios unsuitable for edge computing; they fall short in two respects: identity authentication and secure data sharing on the edge side.

Current DDS identity authentication schemes are generally built on public key infrastructure signature algorithms. A certificate must be issued for each user, which does not suit edge computing scenarios with a large number of terminals. In addition, the current schemes cannot meet the authentication requirements of edge computing scenarios with a "cloud-edge-device" architecture and multiple coexisting trust domains. For secure data sharing in which edge nodes store and forward data, the current schemes generally adopt link encryption: the DDS secure communication scheme guarantees confidentiality only during transmission, and the data must be stored on edge nodes in plaintext. However, compared with the cloud center, an edge node has weaker security protection and is more vulnerable to attack, so stored data may leak. This thesis therefore studies the key mechanisms of DDS secure communication for edge computing, including an identity authentication scheme and an edge-side secure data sharing scheme suited to edge computing scenarios.

The main contributions of this thesis are:

(1) An identity-based digital signature algorithm (Key Escrow-Less and Identity Revocable Identity-Based Signature, KEIR-IBS) is proposed, which solves the key escrow problem and the difficulty of identity revocation in existing algorithms. In KEIR-IBS, the user's key is generated jointly by the private key generation center and the user, which avoids key escrow. In addition, timestamp information is embedded in the key generation, signing and verification algorithms, so that only a digital signature generated by a user whose identity has not been revoked in the current time period verifies successfully; KEIR-IBS therefore supports identity revocation. Furthermore, this thesis proves that KEIR-IBS is existentially unforgeable under adaptive chosen-message attacks, so an authentication protocol based on it can resist forgery attacks.

(2) A layered authentication scheme based on DDS for edge computing is proposed on top of the KEIR-IBS signature algorithm, covering the cloud center, edge nodes and terminals. The identity authentication process of the layered authentication architecture is implemented, including two-way authentication between edge nodes and the cloud center or other edge nodes. For the multi-trust-domain scenario, both efficient intra-domain access authentication and lightweight challenge-response cross-domain access authentication for terminals are implemented.

(3) An identity-based proxy re-encryption algorithm (Key Escrow-Less Identity-Based Proxy Re-Encryption, KEIB-PRE) is proposed for the multi-trust-domain scenario. Building on the key splitting of the KEIR-IBS signature algorithm, the re-encryption key is constructed from the security parameters of the trust domains of the data requester and the data owner, based on the discrete logarithm problem. Compared with existing identity-based proxy re-encryption algorithms, KEIB-PRE avoids key escrow, supports ciphertext conversion across trust domains, and resists collusion attacks by data requesters and storage centers. Furthermore, this thesis proves that KEIB-PRE is indistinguishable under selective chosen-plaintext attack in the random oracle model. The edge-side DDS secure data sharing scheme is implemented with a hybrid encryption method combining KEIB-PRE and symmetric encryption.

(4) This thesis designs and implements a DDS secure communication prototype system for edge computing based on the above schemes. The functionality and performance of the prototype system are tested, and the results show that the proposed scheme achieves identity authentication between nodes in the edge computing scenario and secure data sharing on the edge side while preserving the high performance of DDS.
Keywords/Search Tags: Edge Computing, DDS, Cross-trust Domain, Identity Based Encryption, Proxy Re-encryption