CN102055769A - Multi-trust domain authentication system under lattice-based grid environment - Google Patents


Info

Publication number: CN102055769A
Authority: CN (China)
Application number: CN2010106226817A
Other languages: Chinese (zh)
Other versions: CN102055769B (granted)
Inventors: 郑军, 刘洪倡, 孙新, 张启坤
Original assignee: 北京理工大学
Priority: CN 201010622681

Abstract

The invention relates to a multi-trust-domain authentication system for a lattice-based grid environment and belongs to the field of information security. The system comprises a grid structure construction module, a trust domain management module, a lattice structure conversion module and a cross-domain access control module; its working process comprises grid initialization, intra-domain initialization, authentication server initialization and user authentication. In the invention each trust domain is an authentication entity, which makes full use of the resource-sharing advantage of the grid model. When a domain acts as an authentication server it stores only the authentication information related to the domains for which it is an upper-bound or lower-bound domain, not global authentication information, which reduces storage redundancy and eases maintenance and management. In the authentication process the authentication server of each domain is known and the authentication path is relatively determined, which improves cross-domain authentication efficiency.

Description

Multi-trust-domain authentication system for a lattice-based grid environment

Technical field

The present invention relates to a multi-trust-domain authentication system for a lattice-based grid environment and belongs to the field of information security technology.

Technical background

Informatization and the development of Internet technology have made information sharing increasingly convenient: information in the network can be obtained, transmitted and processed with ease. At the same time, the sensitivity of much of that information makes it necessary to provide identity authentication and authorization across trust domains, between different enterprises and applications. Access control, an information security technology that has received wide attention in recent years, offers one route to solving this problem and has drawn extensive interest from academia and industry at home and abroad.

Grid computing has also attracted much attention in recent years as infrastructure and as a next-generation network. Grids are commonly used in scientific and engineering computing; they provide a flexible, secure and collaborative resource-sharing model in which resource providers of various kinds, individuals or institutions, form a dynamic environment, and every computer can take part in computation and in the sharing of resources. Authentication in a grid is usually based on symmetric and asymmetric cryptography: entity authentication is provided by standards-conforming entity certificates and proxy certificates, or is realized by constructing a specific protocol for authentication during communication. Entity authentication protocols for network communication are relatively mature, so current research concentrates on authentication mechanisms that use certificates. The best-known certificate authentication system is PKI (Public Key Infrastructure), which is built on public-key encryption; it is an infrastructure that provides information security services by applying the principles and implementation techniques of asymmetric cryptography. The PKI system model is shown in Figure 1. With PKI, information such as the identity and role of a network entity can be incorporated into cross-domain authentication, so that authentication schemes for different requirements and purposes can be realized; elements such as time, session and key can also be added to the authentication model to construct multi-granularity authentication models. With the development of asymmetric cryptography research, PKI technology has also developed widely. Because PKI supports publicly verifiable, unforgeable digital signatures, has strong confidentiality, lets certificates be issued by a third party without online lookup, supports certificate revocation and has strong network interconnection capability, it is now applied in every area of networking.

However, PKI also has shortcomings: certificate management and revocation are complex, and authentication by a privileged authority creates a network transmission bottleneck and a single point of failure. Attempts have been made to improve PKI's authentication efficiency by transforming the CA structure (hierarchical CA, mesh CA and bridge CA topologies) and by combining forward, backward, depth-first and breadth-first path-search methods to improve certification path construction. But when the network is very large and the number of trust domains is large and changes dynamically, the maintenance complexity of PKI becomes even more prominent. The application potential of PKI authentication techniques in cross-domain authentication under a grid environment can therefore still be explored further, so as to exploit PKI's advantages and improve the effectiveness of authentication in this field.

Summary of the invention

The objective of the invention is to overcome the defects of the prior art and to solve the problem of low efficiency in selecting a certification path in conventional authentication systems, by proposing a multi-trust-domain authentication system for a lattice-based grid environment.

The present invention is achieved by the following technical solution.

The multi-trust-domain authentication system for a lattice-based grid environment of the present invention comprises four modules: a network construction module, a trust domain management module, a lattice structure conversion module and a cross-domain access control module. The user interacts with the system through a user access interface to access network resources.

The network construction module is the lowest layer of the system. It manages and organizes the network resources of the Internet in a unified way, handles calls to the underlying network entities and applications, and allocates and uses the shared resources in the network; it constructs a network structure organized in grid form.

The trust domain management module works on the grid-structured network built by the network construction module. It partitions and manages trust domains according to the trust domain management policy, selects the proxy server of each trust domain, and completes the communication between trust domains and the registration of their related information, forming an organized and relatively stable group of trust domains that serves as the logical basis for the lattice structure conversion module.

The lattice structure conversion module uses lattice techniques to reorganize logically the group of trust domains formed by the trust domain management module. It determines the logical representation and address of each trust domain in the lattice, provides the mapping between trust domain network addresses and lattice addresses, makes the relationships between trust domains in the lattice explicit, and performs the lookup of the infimum domain and supremum domain of any two trust domains together with the registration and management of the related information, forming a definite and relatively stable lattice structure that serves as the logical basis for the cross-domain access control module.

The cross-domain access control module interacts with the user access interface. According to the cross-domain access control policy it performs the path search between a trust domain and its upper- and lower-bound domains, the routing of authentication information in the cross-domain access process, the issuance and verification of certificates between trust domains, and the final realization of cross-domain access.

The method by which the lattice structure conversion module logically organizes the trust domain group in the grid with lattice techniques is as follows:

Definition: let S = {a_1, a_2, ..., a_n} and let ρ(S) denote the set of all subsets of S; ⟨ρ(S), ⊆⟩ is a partially ordered set under the "is contained in" relation ⊆ on sets. Since any two distinct elements x and y of ρ(S) have a supremum and an infimum in this order, ⟨ρ(S), ⊆⟩ forms a lattice. Because the supremum and infimum in a lattice are unique, the binary operations ∨ and ∧ on x and y are defined as taking their supremum and infimum respectively; that is, x ∨ y and x ∧ y denote the supremum and infimum of x and y. Using the property from lattice theory that any two elements of a set satisfying such a partial order have a definite supremum and infimum, the trust domains already partitioned in the grid environment are logically re-partitioned, and each trust domain obtained is represented as an element of the set ρ(S).

The cross-domain access control policy in the cross-domain access control module is as follows. With the grid's trust domains organized in lattice form according to lattice theory, for the access-initiating domain and the access-target domain involved in a cross-domain access it is agreed that their supremum domain is the certificate issuing server and their infimum domain is the certificate verification server. The proxy server of a domain is the interface through which the entities in the domain communicate with and authenticate to the authentication servers; it manages the entities of its own domain, enforces access control among them, and issues or verifies authentication certificates for entities of foreign domains. The specific authentication process is as follows:

1) The proxy server of the access-initiating domain obtains the network address of the access-target domain;

2) The proxy server of the access-initiating domain looks up the lattice address of the access-target domain from its network address;

3) From its own lattice address and the lattice address of the access-target domain, the proxy server of the access-initiating domain computes the infimum domain and the supremum domain of its own domain and the access-target domain;

4) The proxy server of the access-initiating domain searches for the certification path between itself and the supremum domain, then submits a certificate request to the supremum domain, transmitting its own domain's network address, lattice address, identity information and other related information;

5) The supremum domain issues a certificate and returns it to the proxy server of the access-initiating domain;

6) The proxy server of the access-initiating domain sends the certificate to the proxy server of the access-target domain;

7) The access-target domain searches for the certification path between itself and the infimum domain, submits a certificate verification request, and transmits the authentication certificate of the access-initiating domain;

8) The infimum domain completes the certificate verification and returns the verification result to the access-target domain;

9) The access-target domain carries out or terminates this cross-domain access according to the verification result: if the authentication certificate passes verification, the access-target domain sends the access key to the access-initiating domain and accepts the access; if verification fails, the access-target domain refuses this access.

The certification path search in steps 4) and 7) above follows the upper- and lower-bound relations between the elements of the lattice constructed by the system. The detailed process is:

The access-initiating domain first determines its relation in the lattice to the access-target domain. If the access-target domain is its supremum domain, the access-initiating domain first checks whether the access-target domain is among the domains adjacent to it. If so, it sends the message to the access-target domain only; if not, it sends the message to the adjacent domains that are upper bounds of itself. Each domain that receives the message repeats this selection, until the message is delivered to the access-target domain or discarded. Because the upper- and lower-bound relations in the lattice are definite, the message is bound to reach the access-target domain; other upper-bound domains that are not the supremum domain discard the message they receive because they cannot find an upper-bound domain of their own, but this does not affect the reception of the message by the supremum domain.

If the access-target domain is its infimum domain, the access-initiating domain first checks whether the access-target domain is among the domains adjacent to it. If so, it sends the message to the access-target domain only; if not, it sends the message to the adjacent domains that are lower bounds of itself. Each domain that receives the message repeats this selection, until the message is delivered to the access-target domain or discarded. Because the upper- and lower-bound relations in the lattice are definite, the message is bound to reach the access-target domain; other lower-bound domains that are not the infimum domain discard the message they receive because they cannot find a lower-bound domain of their own, and likewise this does not affect the reception of the message by the infimum domain.
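The power-set lattice of the definition above, instantiated on the embodiment's example set S = {a, b, c}, together with the upward and downward path search of steps 4) and 7), as an added Python example (not code from the patent). Two details the page leaves open are assumed here: a domain's lattice address is the bitmask of its subset of S, and "adjacent" means the covering relation (subsets differing in exactly one element). The prune option is an added refinement that the page does not describe.

```python
"""Power-set lattice of trust domains and the bound-following path search.

Added example, not code from the patent. Assumptions not fixed by the page:
a domain's lattice address is the bitmask of its subset of S, adjacency is the
lattice covering relation (subsets differing in exactly one element), and the
flood is simulated as a breadth-first search with a visited set.
"""
from typing import Dict, List, Optional, Tuple

S = ("a", "b", "c")   # the embodiment's example set; 2**3 = 8 trust domains


def lattice_address(domain) -> int:
    """Bitmask of a domain (a subset of S): bit i is set iff S[i] is in the domain."""
    return sum(1 << i for i, x in enumerate(S) if x in domain)


def domain_of(addr: int) -> frozenset:
    """Inverse of lattice_address."""
    return frozenset(S[i] for i in range(len(S)) if addr >> i & 1)


def supremum(x: int, y: int) -> int:   # x ∨ y = x ∪ y  (certificate issuing domain)
    return x | y


def infimum(x: int, y: int) -> int:    # x ∧ y = x ∩ y  (certificate verifying domain)
    return x & y


def upper_neighbors(addr: int) -> List[int]:
    """Adjacent upper-bound domains: addr plus exactly one more element."""
    return [addr | (1 << i) for i in range(len(S)) if not addr >> i & 1]


def lower_neighbors(addr: int) -> List[int]:
    """Adjacent lower-bound domains: addr minus exactly one element."""
    return [addr & ~(1 << i) for i in range(len(S)) if addr >> i & 1]


def find_path(src: int, dst: int, prune: bool = False) -> Tuple[Optional[List[int]], int]:
    """Route a message from src to dst with the patent's rule: if dst is an upper
    bound of src, forward only to adjacent upper-bound domains; if dst is a lower
    bound, forward only to adjacent lower-bound domains; a domain that cannot
    forward drops its copy.  Returns (path, number of domains that received a
    copy), or (None, 0) when src and dst are incomparable (the caller must then
    go through supremum(src, dst) or infimum(src, dst) instead).
    prune=True is an added refinement: forward only to neighbours that still lie
    between src and dst, so no copy is ever dropped."""
    if src == dst:
        return [src], 1
    if src & dst == src:            # dst ⊇ src: search upward
        neighbors, inside = upper_neighbors, (lambda n: n & dst == n)
    elif src & dst == dst:          # dst ⊆ src: search downward
        neighbors, inside = lower_neighbors, (lambda n: n & dst == dst)
    else:
        return None, 0
    parent: Dict[int, Optional[int]] = {src: None}
    frontier = [src]
    while frontier:
        nxt = []
        for cur in frontier:
            for n in neighbors(cur):
                if n in parent or (prune and not inside(n)):
                    continue
                parent[n] = cur
                if n == dst:
                    path = [dst]
                    while parent[path[-1]] is not None:
                        path.append(parent[path[-1]])
                    return path[::-1], len(parent)
                nxt.append(n)
        frontier = nxt
    return None, len(parent)        # unreachable in a lattice; kept for completeness


if __name__ == "__main__":
    a, b = lattice_address({"a"}), lattice_address({"b"})
    print("sup", set(domain_of(supremum(a, b))), "inf", set(domain_of(infimum(a, b))))
    path, copies = find_path(a, lattice_address(S))
    print("path {a} -> {a,b,c}:", [set(domain_of(x)) for x in path], "copies:", copies)
```

The second return value makes the cost of the page's flooding visible: routing from the empty set to {c} hands a copy to four domains without pruning but to only two with it, because copies sent to {a} and {b} can never reach {c} and are dropped at the top of the lattice. Incomparable domains (e.g. {a} and {b}) get no direct path, which is exactly why the protocol goes through their supremum and infimum.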

The working process of the multi-trust-domain authentication system for a lattice-based grid environment of the present invention is:

1) Grid initialization. The grid initializes its own structure, determines the network scale, assigns identity identifiers to all participating entities, determines the trust domain partition policy and partitions and registers each trust domain accordingly, assigns a lattice representation to each trust domain, determines from the lattice representation the relations between domains and the inter-domain communication rules and paths, and initializes and distributes to all participating entities their private keys and the session key generation algorithm;

2) Intra-domain initialization. After grid initialization, the entities of each domain, taking their own domain as scope, select the domain's proxy server according to factors such as each entity's trust level, access frequency and computing performance. A mutual trust mechanism is established among the entities in the domain, so that accessing shared resources within the domain does not require authentication.

3) Authentication server initialization. Each trust domain uses the lattice representation obtained at initialization to communicate with the domains related to it, completes the mapping between the lattice representations of all domains in the network and their real network addresses, computes and determines the supremum domain and infimum domain of any two trust domains, and registers the related information at the proxy server of each domain; each proxy server initializes its identity-decision, certificate-generation and authentication policies, and communicates with the proxy servers of adjacent domains to register itself as an entity.

4) User authentication. For a cross-domain access, the user sends, through the proxy server of its own domain, its identity information to the server of the domain responsible for deciding its identity and issuing its authentication certificate (the supremum of its own domain and the target domain). The authentication server responds according to its decision and certification policies and returns the authentication result to the access-initiating entity, which carries out the cross-domain access according to the authentication result and the access policy.

Beneficial effect

Compared with the prior art, the multi-trust-domain authentication system for a lattice-based grid environment of the present invention has the following advantages. Every trust domain is an authentication entity and can serve as an authentication server, which makes full use of the resource-sharing advantage of the grid model. When a domain acts as an authentication server it only needs to store the authentication information (such as the relevant keys and coordinates) related to the domains for which it is an upper-bound or lower-bound domain, rather than global authentication information, which reduces storage redundancy and eases maintenance and management. In the authentication process each domain knows its own authentication server, and because of the choice of partial order its certification path is relatively determined, which improves the efficiency of cross-domain authentication.

Description of drawings

Fig. 1 is the PKI system model;

Fig. 2 is the system hierarchy diagram of the present invention;

Fig. 3 is the network model constructed with lattice techniques in the embodiment;

Fig. 4 is the schematic diagram of the system authentication process in the embodiment.

Embodiment

The present invention will be further described below with reference to the drawings and the embodiment.


For the set S = {a, b, c}, S has three elements and the number of subsets of S is 2^3 = 8. The partially ordered set ⟨ρ(S), ⊆⟩ is a lattice, and ρ(S) can represent 8 domains: {a, b, c}, {a}, {b}, {c}, {a, b}, {a, c}, {b, c} and the empty set Φ. For any two elements A and B of ρ(S), A ∨ B = A ∪ B and A ∧ B = A ∩ B. The network model constructed from the lattice ⟨ρ(S), ⊆⟩ is shown in Figure 3.


As shown in Figure 4, when entity E_A in domain A wants to access the resources of entity E_B in domain B, the cross-domain authentication process is:

1) Entity E_A requests cross-domain access from the proxy server CA_A of the access-initiating domain and transmits the network address of entity E_B;

2) CA_A obtains the network address of the access-target domain's proxy server CA_B from the network address of E_B, looks up the lattice address of CA_B from that network address, computes from its own lattice address and the lattice address of CA_B the infimum domain and supremum domain of its own domain and the access-target domain, then searches for the certification path between itself and the supremum domain CA_C, submits a certificate request to CA_C, and transmits its own domain's network address, lattice address, identity information and other related information;

3) The supremum domain's proxy server CA_C issues the certificate and returns it to CA_A;

4) CA_A sends the certificate to the access-target domain's proxy server CA_B;

5) CA_B asks entity E_B for E_B's session key;

6) E_B returns its session key to CA_B;

7) CA_B searches for the certification path between itself and the infimum domain's proxy server CA_D, submits a certificate verification request, and transmits CA_A's authentication certificate to the infimum domain;

8) The infimum domain's proxy server CA_D completes the certificate verification and returns the verification result to CA_B;

9) CA_B carries out or ends this cross-domain access according to the verification result: if the authentication certificate passes verification, CA_B sends CA_A a message granting access together with E_B's access key; if verification fails, CA_B sends CA_A a message refusing this access and ends this authentication;

10) On receiving CA_B's notification, CA_A passes the result to entity E_A;

11) E_A decides from the received result whether it can carry out the cross-domain access: if so, it uses E_B's session key to initiate access to E_B; if not, this cross-domain access ends.

Claims (4)

1. A multi-trust-domain authentication system under a lattice-based grid environment, in which the user interacts with the system through a user access interface to access network resources, characterized in that:
the system comprises a grid structure construction module, a trust domain management module, a lattice structure conversion module and a cross-domain access control module, whose respective tasks within the system are:
the grid structure construction module builds the network structure organized in grid form; it sits at the bottom of the system and is responsible for the unified management and organization of the network resources of the internet, for the invocation of the underlying network entities and applications, and for the allocation and use of shared resources in the network;
the trust domain management module, on the basis of the grid-form network structure built by the grid structure construction module, divides and manages trust domains according to the trust domain management policy, selects the proxy server of each trust domain, completes the communication between trust domains and the registration of the relevant information, and forms organized, relatively stable trust domain groups as the logical basis for the lattice structure conversion module;
the lattice structure conversion module uses lattice techniques to logically reorganize the trust domain groups formed by the trust domain management module, determines the logical representation and lattice address of each trust domain, provides the mapping between trust domain network addresses and lattice addresses, makes explicit the relationships between the trust domains in the lattice, completes the selection of the infimum domain and supremum domain of any two trust domains together with the registration and management of the relevant information, and forms an explicit and relatively stable lattice structure as the logical basis for the cross-domain access control module;
the cross-domain access control module interacts with the user access interface and, according to the cross-domain access control policy, completes the path search between a trust domain and its corresponding bound domains, the routing of authentication information in the cross-domain access process, the issuing and verification of certificates between trust domains, and the final realization of the cross-domain access.
2. The multi-trust-domain authentication system under a lattice-based grid environment according to claim 1, characterized in that the method by which the lattice structure conversion module uses lattice techniques to logically organize the trust domain groups in the grid is:
Define a partially ordered set in which ρ(S) denotes the set of all subsets of the set S = {a_1, a_2, ..., a_n}, ordered by the "is contained in" relation on sets. Because any two distinct elements x and y of ρ(S) have a supremum and an infimum, ρ(S) under this partial order forms a lattice. Since the supremum and infimum are unique under the lattice relation, taking the supremum and the infimum of x and y are defined as the binary operations ∨ and ∧ on x and y respectively, that is, x ∨ y and x ∧ y denote the supremum and the infimum of x and y. Using the property from lattice theory that any two elements of a set satisfying such a partial order have a definite supremum and infimum, the trust domains already divided in the grid environment are logically redivided, and each resulting trust domain is represented as an element of the set ρ(S).
3. The multi-trust-domain authentication system under a lattice-based grid environment according to claim 1, characterized in that the cross-domain access control policy in the cross-domain access control module is: according to lattice theory, on the basis of organizing the grid trust domains in lattice form, for the access-initiating domain and the access-target domain involved in a cross-domain access, their supremum domain is agreed to be the certificate-issuing server and their infimum domain the certificate-verifying server; the proxy server in a domain is the interface through which the domain's entities communicate with and are authenticated by the authentication servers, and it is responsible for managing the entities of its domain, for access control among the entities inside its domain, and for issuing or verifying authentication certificates for entities of foreign domains; the concrete authentication process is as follows:
1) the proxy server of the access-initiating domain obtains the network address of the access-target domain;
2) the proxy server of the access-initiating domain looks up the address of the access-target domain in the lattice according to that network address;
3) the proxy server of the access-initiating domain computes, from its own lattice address and the lattice address of the access-target domain, the infimum domain and the supremum domain of its own domain and the access-target domain;
4) the proxy server of the access-initiating domain searches the certification path between itself and the supremum domain, then submits a certificate request to the supremum domain and passes along the relevant information of its own domain, such as its network address, lattice address and identity information;
5) the supremum domain issues the certificate and hands it to the proxy server of the access-initiating domain;
6) the proxy server of the access-initiating domain sends the certificate to the proxy server of the access-target domain;
7) the access-target domain searches the certification path between itself and the infimum domain, submits a certificate-verification application, and forwards the authentication certificate of the access-initiating domain;
8) the infimum domain completes the certificate verification and returns the verification result to the access-target domain;
9) the access-target domain implements or ends this cross-domain access according to the verification result: if the authentication certificate passes verification, the access-target domain sends the access key to the access-initiating domain and accepts the access; if verification of the authentication certificate fails, the access-target domain refuses this access.
4. The multi-trust-domain authentication system under a lattice-based grid environment according to claim 3, characterized in that the certification path search in steps 4) and 7) follows the bound relations between elements of the lattice constructed by the system, and proceeds as follows:
the access-initiating domain first determines the relation in the lattice between the access-target domain and itself. If the access-target domain is its supremum domain, the access-initiating domain first checks whether the access-target domain is among the domains adjacent to itself; if so, it simply sends the message to the access-target domain; if not, it selects a domain that is adjacent to itself and is an upper bound of itself and sends the message to it; the domain that receives the message repeats this selection until the message is delivered to the access-target domain or is dropped. If the access-target domain is its infimum domain, the access-initiating domain first checks whether the access-target domain is among the domains adjacent to itself; if so, it simply sends the message to the access-target domain; if not, it selects a domain that is adjacent to itself and is a lower bound of itself and sends the message to it; the domain that receives the message repeats this selection until the message is delivered to the access-target domain or is dropped.
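The lattice addressing of claim 2 and the hop-by-hop certification path search of claim 4, applied to steps 2) and 7) of the access flow above, as an added example (not code from the patent). It assumes a constructed three-element set S, so lattice addresses are subsets of S with supremum = union and infimum = intersection, and it assumes that each hop picks an adjacent bound domain that still lies between the current domain and the target, a choice the claim leaves open.

```python
"""Lattice addresses and certification-path search (added example).
Assumptions: S is a constructed element set; a trust domain's lattice
address is a subset of S (claim 2); the next hop is chosen among adjacent
upper/lower bounds that still lie between the current domain and the
target (this example's choice, not specified by the patent)."""

S = frozenset({"a1", "a2", "a3"})  # constructed element set (assumption)


def supremum(x, y):
    """x ∨ y: least upper bound in the power-set lattice is the union."""
    return x | y


def infimum(x, y):
    """x ∧ y: greatest lower bound in the power-set lattice is the intersection."""
    return x & y


def adjacent_domains(x, universe=S):
    """Domains adjacent to x in the lattice: those differing by one element."""
    ups = {x | {e} for e in universe - x}
    downs = {x - {e} for e in x}
    return ups | downs


def certification_path(start, target, universe=S):
    """Route a message from `start` to `target` following claim 4.
    `target` must be an upper bound (start ⊆ target) or a lower bound
    (target ⊆ start) of `start`; otherwise the message is dropped (None).
    Each hop forwards to an adjacent domain that is an upper (resp. lower)
    bound of the current domain; the receiving domain repeats the choice."""
    path, current = [start], start
    for _ in range(len(universe) + 1):   # at most |S| hops are ever needed
        if current == target:
            return path
        neighbours = adjacent_domains(current, universe)
        if target in neighbours:          # target is adjacent: send directly
            return path + [target]
        if current < target:              # target is an upper bound: move up
            candidates = [d for d in neighbours if current < d <= target]
        elif target < current:            # target is a lower bound: move down
            candidates = [d for d in neighbours if target <= d < current]
        else:                             # neither bound of current: drop
            return None
        if not candidates:
            return None
        current = min(candidates, key=sorted)  # deterministic pick (assumption)
        path.append(current)
    return None


def plan_cross_domain_access(domain_a, domain_b, universe=S):
    """Steps 2) and 7): the supremum domain issues the certificate and the
    initiating domain routes its request there; the infimum domain verifies
    it and the target domain routes the verification application there."""
    sup, inf = supremum(domain_a, domain_b), infimum(domain_a, domain_b)
    return {
        "supremum": sup,
        "infimum": inf,
        "issue_path": certification_path(domain_a, sup, universe),
        "verify_path": certification_path(domain_b, inf, universe),
    }
```

With domain A = {a1} and domain B = {a2, a3}, the certificate is issued by {a1, a2, a3} and verified by the empty domain, each reached in two hops.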

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 201010622681 CN102055769B (en) 2010-12-29 2010-12-29 Multi- trust domain authentication system under lattice-based grid environment

Publications (2)

Publication Number Publication Date
CN102055769A true CN102055769A (en) 2011-05-11
CN102055769B CN102055769B (en) 2013-04-03

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant