CN102055769A - Multi-trust-domain authentication system under a lattice-based grid environment - Google Patents


Info

Publication number
CN102055769A
Authority
CN
China
Prior art keywords
territory
visit
domain
lattice
authentication
Prior art date
Legal status
Granted
Application number
CN2010106226817A
Other languages
Chinese (zh)
Other versions
CN102055769B (en)
Inventor
郑军
刘洪倡
孙新
张启坤
Current Assignee
Beijing Institute of Technology BIT
Original Assignee
Beijing Institute of Technology BIT
Priority date
Filing date
Publication date
Application filed by Beijing Institute of Technology BIT
Priority to CN201010622681
Publication of CN102055769A
Application granted
Publication of CN102055769B
Legal status: Active
Anticipated expiration


Abstract

The invention relates to a multi-trust-domain authentication system under a lattice-based grid environment, belonging to the field of information security. The system comprises a grid structure construction module, a trust domain management module, a lattice structure conversion module and a cross-domain access control module, and its working process comprises grid initialization, intra-domain initialization, authentication server initialization and user authentication. In the invention, each trust domain is an authentication entity, so the resource-sharing advantage of the grid model is fully used; when a domain acts as an authentication server it only needs to store the authentication information for which it is the upper-bound or lower-bound domain, not global authentication information, which reduces storage redundancy and eases maintenance and management; and in the authentication process the authentication server of each domain is known and the authentication path is relatively determined, which improves cross-domain authentication efficiency.

Description

Multi-trust-domain authentication system under a lattice-based grid environment
Technical field
The present invention relates to a multi-trust-domain authentication system under a lattice-based grid environment, and belongs to the field of information security technology.
Technical background
Informatization and the development of Internet technology have made information sharing ever more convenient: obtaining, transmitting and processing information in the network is easier, but information also has security properties that are, to some degree, very sensitive, so realizing identity authorization and authentication across trust domains between different enterprises and applications has become a necessity. Access control, an information security technology that has received wide attention in recent years, offers one route to solving this problem and has attracted extensive attention from academia and industry at home and abroad.
Grid computing has also received much attention in recent years as infrastructure and as a next-generation network. Grids are commonly used in scientific and engineering computing; they provide a flexible, secure, collaborative resource-sharing model in which resource providers of many kinds, such as individuals or institutions, form a dynamic environment, and all computers can participate in computation and in the sharing of resources. Authentication in a grid usually provides entity authentication on the basis of symmetric and asymmetric encryption theory, using entity certificates and proxy certificates that satisfy a standard, or by constructing specific protocols that authenticate entities during communication. Entity authentication protocols in network services are relatively mature, so current research focuses on the mechanisms for authenticating with certificates. The best-known certificate authentication system is PKI (Public Key Infrastructure), which is built on public-key encryption and provides an infrastructure for information security services established with asymmetric cryptography principles and implementation technology; the PKI system model is shown in Figure 1. Through PKI, information such as the identity and role of network entities can be incorporated into cross-domain authentication, realizing authentication modes for different requirements and purposes, and elements such as time and session can even be added to the authentication model to construct multi-granularity authentication models. With the development of asymmetric cryptography research, PKI technology has also developed widely; because PKI has advantages such as supporting publicly verifiable and unforgeable digital signatures, strong secrecy, certificates issued by a third party that need no online query, support for certificate revocation and strong network interconnection ability, it is now used in every aspect of networks.
However, PKI also has deficiencies: certificate management and revocation are complex, and authentication by a privileged mechanism brings network transmission bottlenecks and single points of failure. Although attempts have been made to transform the CA structure of the PKI authentication system, for example by proposing hierarchical CA, mesh CA and bridge CA topologies combined with forward, backward, depth-first and breadth-first path search methods, so as to improve certification path construction and hence PKI authentication efficiency, when the network scale is very large, the number of trust domains is large and the system is in a state of dynamic change, the maintenance complexity of PKI becomes all the more prominent. It can be seen that the application potential of PKI authentication technology in the cross-domain authentication process under a grid environment can still be further exploited; its advantages should be brought into play to improve the effectiveness of authentication in this field.
Summary of the invention
The objective of the invention is to overcome the defects of the prior art and solve the problem of low efficiency in selecting the certification path in conventional authentication systems, by proposing a multi-trust-domain authentication system under a lattice-based grid environment.
The present invention is achieved by the following technical solution.
The multi-trust-domain authentication system under a lattice-based grid environment of the present invention comprises four modules: a grid construction module, a trust domain management module, a lattice structure conversion module and a cross-domain access control module; the user interacts with the system through a user access interface to access network resources.
The grid construction module is the bottom module of the system. It is responsible for the unified management and organization of the network resources of the Internet, implements calls to the underlying network entities and applications, and allocates and uses the shared resources in the network; this module constructs a network structure organized in grid form.
The trust domain management module, on the basis of the grid-form network structure built by the grid construction module, partitions and manages trust domains according to the trust domain management strategy, selects the proxy server of each trust domain, completes the communication between trust domains and the registration of relevant information, and forms an organized and relatively stable group of trust domains as the logical basis for the lattice structure conversion module.
The lattice structure conversion module uses lattice techniques to logically reorganize the group of trust domains formed by the trust domain management module: it determines the logical representation and address of each trust domain in the lattice, provides the mapping between trust domain network addresses and lattice addresses, makes explicit the relations between trust domains in the lattice, completes the lookup of the infimum domain and supremum domain of any two trust domains and the registration and management of the relevant information, and forms a clear and relatively stable lattice structure as the logical basis for the cross-domain access control module.
The cross-domain access control module interacts with the user access interface and, according to the cross-domain access control policy, completes the path search between a trust domain and its corresponding upper- and lower-bound domains, the routing of authentication information between trust domains during cross-domain access, the issuing and authentication of certificates, and the final realization of the cross-domain access.
The method by which the above lattice structure conversion module uses lattice techniques to logically organize the trust domain group in the grid is:
Define ⟨ρ(S), ⊆⟩ to be a partially ordered set, where ρ(S) denotes the set of all subsets of the set S = {a_1, a_2, ..., a_n} and ⊆ denotes the "contained in" relation on sets. Because any two distinct elements x and y of the set ρ(S) have a supremum and an infimum, ρ(S) with respect to the partial order ⊆ is said to constitute a lattice. Owing to the uniqueness of the supremum and infimum in the lattice relation, taking the supremum and the infimum of x and y is defined as the binary operations ∨ and ∧ on x and y respectively, i.e. x ∨ y and x ∧ y denote the supremum and infimum of x and y. Using the property from lattice theory that any two elements of a set satisfying a certain partial order have a definite supremum and infimum, the trust domains already partitioned in the grid environment are logically repartitioned, and each resulting trust domain is represented as an element of the set ρ(S).
The cross-domain access control policy in the above cross-domain access control module is: on the basis of organizing the grid trust domains in lattice form according to lattice theory, for the access-initiating domain and the access-target domain involved in a cross-domain access, it is agreed that their supremum domain is the certificate issuing server and their infimum domain is the certificate authentication server. The proxy server is the interface through which the entities of a domain communicate and authenticate with the authentication servers; it is responsible for managing the entities of its domain, for access control among the entities within its domain, and for issuing or authenticating authentication certificates for entities of foreign domains. The specific authentication process is as follows:
1) The proxy server of the access-initiating domain obtains the network address of the access-target domain;
2) The proxy server of the access-initiating domain looks up the lattice address of the access-target domain according to its network address;
3) The proxy server of the access-initiating domain computes, from its own lattice address and the lattice address of the access-target domain, the infimum domain and the supremum domain of its own domain and the access-target domain;
4) The proxy server of the access-initiating domain searches for the authentication path between itself and the supremum domain, then submits a certificate request to the supremum domain, transmitting relevant information such as the network address, lattice address and identity information of its domain;
5) The supremum domain issues the certificate and delivers it to the proxy server of the access-initiating domain;
6) The proxy server of the access-initiating domain transmits the certificate to the proxy server of the access-target domain;
7) The access-target domain searches for the authentication path between itself and the infimum domain, submits a certificate authentication request, and transmits the authentication certificate of the access-initiating domain;
8) The infimum domain completes the certificate authentication and returns the authentication result to the access-target domain;
9) The access-target domain carries out or terminates this cross-domain access according to the authentication result: if the authentication certificate passes authentication, the access-target domain sends the access key to the access-initiating domain and accepts the access; if authentication of the certificate fails, the access-target domain refuses this access.
The search for the authentication path in steps 4) and 7) above is based on the upper-bound and lower-bound relations of the elements in the lattice constructed by the system. The detailed process is:
The access-initiating domain first determines the relation in the lattice between the access-target domain and itself. If the access-target domain is its supremum domain, the access-initiating domain first checks whether the access-target domain is among the domains adjacent to itself; if so, it sends the message only to the access-target domain; if not, it sends the message to the adjacent domains that are upper bounds of itself. This selection is repeated by every domain that receives the message, until the message is delivered to the access-target domain or discarded. Because of the determinacy of the bound relations in the lattice, the message is bound to reach the access-target domain eventually; upper-bound domains other than the supremum domain may discard the received message because they cannot find an upper-bound domain of their own, but this does not affect reception of the message by the supremum domain.
If the access-target domain is its infimum domain, the access-initiating domain first checks whether the access-target domain is among the domains adjacent to itself; if so, it sends the message only to the access-target domain; if not, it sends the message to the adjacent domains that are lower bounds of itself. This selection is likewise repeated by every domain that receives the message, until the message is delivered to the access-target domain or discarded. Because of the determinacy of the bound relations in the lattice, the message is bound to reach the access-target domain eventually; lower-bound domains other than the infimum domain may discard the received message because they cannot find a lower-bound domain of their own, and again this does not affect reception of the message by the infimum domain.
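The power-set lattice, the supremum/infimum operations and the hop-by-hop forwarding described above, as an added example in Python (not code from the patent): it assumes S = {a, b, c} as in the embodiment, uses the membership bitmask as a domain's lattice address, and treats two domains as adjacent when they differ in exactly one element; the routing reports which domains discard copies, which is the behaviour the patent describes for bound domains that are not the target.

```python
# Added example (not from the patent): trust domains as the power-set lattice
# of S = {a, b, c}; the lattice address of a domain is the bitmask of its
# members (bit i set <=> S[i] is in the domain). Constructed sample data.
S = ("a", "b", "c")

def lattice_address(members):
    """Map a domain (an iterable of members of S) to its lattice address."""
    return sum(1 << S.index(m) for m in members)

def members(address):
    """Inverse of lattice_address."""
    return frozenset(S[i] for i in range(len(S)) if address >> i & 1)

def supremum(x, y):
    """x ∨ y = x ∪ y: the certificate-issuing domain for x and y."""
    return x | y

def infimum(x, y):
    """x ∧ y = x ∩ y: the certificate-authenticating domain for x and y."""
    return x & y

def bound_domains(x, y):
    """Step 3 of the access procedure: (supremum, infimum) of domains x, y."""
    return supremum(x, y), infimum(x, y)

def is_adjacent(x, y):
    """Adjacent domains cover each other in the lattice, i.e. they differ
    in exactly one element (x ^ y is a single bit)."""
    d = x ^ y
    return d != 0 and d & (d - 1) == 0

def route_to_bound(src, dst):
    """Hop-by-hop forwarding of a message from src to a bound dst, as in the
    patent: a domain that receives the message sends it only to dst when dst
    is an adjacent bound, otherwise to every adjacent domain that is an upper
    bound (or lower bound, when routing downwards) of itself; a domain that
    finds no such bound discards the message. Returns (delivered, discarders),
    where discarders lists the domains that dropped a copy."""
    if src == dst:
        return True, []
    upward = (src & dst) == src            # dst is an upper bound of src
    if not upward and (src | dst) != src:  # neither upper nor lower bound
        raise ValueError("dst must be an upper or lower bound of src")

    def bound_neighbours(cur):
        return [n for n in range(1 << len(S)) if is_adjacent(cur, n)
                and ((cur & n) == cur if upward else (cur | n) == cur)]

    delivered, discarders, seen, frontier = False, [], {src}, [src]
    while frontier:
        cur = frontier.pop(0)
        nbrs = bound_neighbours(cur)
        if dst in nbrs:
            delivered = True               # adjacent: send only to the target
            continue
        if not nbrs:
            discarders.append(cur)         # no bound of its own: drop
            continue
        fresh = [n for n in nbrs if n not in seen]
        seen.update(fresh)
        frontier.extend(fresh)
    return delivered, sorted(discarders)

if __name__ == "__main__":
    sup, inf = bound_domains(lattice_address("a"), lattice_address("bc"))
    print("supremum", sorted(members(sup)), "infimum", sorted(members(inf)))
    print("{} -> {a,b}:", route_to_bound(lattice_address(""), lattice_address("ab")))
    print("{a,b,c} -> {a}:", route_to_bound(lattice_address("abc"), lattice_address("a")))
```

The second and third prints show that the message reaches the bound while the top (or bottom) domain, which has no bound of its own, discards its copy.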
The working process of the multi-trust-domain authentication system under a lattice-based grid environment of the present invention is:
1) Grid initialization. The grid initializes its own structure and determines the network scale, assigns identity labels to all related entities, determines the trust domain partition strategy and partitions and registers each trust domain accordingly, assigns a lattice representation to each trust domain, determines the relations between domains and the inter-domain communication rules and communication paths according to the lattice representation, and initializes and informs all related entities of their private keys and of the session key generation algorithm;
2) Intra-domain initialization. After grid initialization is complete, the entities of each domain, taking the domain as scope, determine the proxy server of the domain according to factors such as the trust degree, access frequency and computing performance of each entity. A mutual trust mechanism is established among the entities within the domain, so access to shared resources among them does not require authentication.
3) Authentication server initialization. Each trust domain, according to the lattice representation obtained at initialization, communicates with the domains related to itself, completes the mapping between the lattice representations and the real network addresses of all domains in the network, calculates and determines the supremum domain and the infimum domain of any two trust domains, and the proxy server of each domain registers the relevant information; the proxy server initializes its identity judgement, certificate generation and authentication policies, and communicates with the proxy servers of the adjacent domains to register itself as an entity.
4) User authentication. For a cross-domain access, the user, using its own identity information, transmits through the proxy server of its domain the relevant information to the server of the domain responsible for its identity judgement and authentication certificate issuing (namely the supremum of its own domain and the target domain); the authentication server reacts according to the judgement and authentication policy and returns the authentication result to the access-initiating entity, which carries out the cross-domain access according to the authentication result and the access policy.
Beneficial effect
Compared with the prior art, the advantages of the multi-trust-domain authentication system under a lattice-based grid environment of the present invention are: every trust domain is an authentication entity and can act as an authentication server, which makes full use of the resource-sharing advantage of the grid model; when a domain acts as an authentication server it only needs to store the authentication information related to itself as an upper-bound or lower-bound domain, such as the relevant keys and corresponding coordinates, rather than global authentication information, which reduces the redundancy of information storage and eases maintenance and management; and in the authentication process the authentication server of each domain is known to that domain and, because of the choice of the partial order, its authentication path is also relatively determined, so the efficiency of cross-domain authentication is improved.
Description of drawings
Fig. 1 is the PKI system model;
Fig. 2 is the system hierarchy diagram of the present invention;
Fig. 3 is the network model constructed with lattice techniques in the embodiment;
Fig. 4 is a schematic diagram of the system authentication process in the embodiment.
Embodiment
The present invention is further described below with reference to the drawings and the embodiment.
Embodiment
The multi-trust-domain authentication system under a lattice-based grid environment comprises four modules: a grid construction module, a trust domain management module, a lattice structure conversion module and a cross-domain access control module; the user interacts with the system through a user access interface to access network resources.
For the set S = {a, b, c}, S has 3 elements and the number of subsets of S is 2^3 = 8; the partially ordered set ⟨ρ(S), ⊆⟩ is a lattice, and ρ(S) can represent 8 domains, namely {a, b, c}, {a}, {b}, {c}, {a, b}, {a, c}, {b, c} and the empty set Φ. For any two elements A, B of ρ(S), A ∨ B = A ∪ B and A ∧ B = A ∩ B. The network model constructed from the lattice is shown in Figure 3.
As shown in Figure 4, when entity E_A in domain A wants to access the resources of entity E_B in domain B, the cross-domain authentication process is:
1) Entity E_A requests cross-domain access from the proxy server CA_A of the access-initiating domain and transmits the network address of entity E_B;
2) The proxy server CA_A of the access-initiating domain obtains the network address of the access-target domain CA_B from the network address of entity E_B, looks up the lattice address of CA_B according to that network address, then computes the infimum domain and the supremum domain of its own domain and the access-target domain CA_B from its own lattice address and the lattice address of CA_B; finally CA_A searches for the authentication path between itself and the supremum domain CA_C, submits a certificate request to CA_C, and transmits relevant information such as the network address, lattice address and identity information of its domain;
3) The proxy server CA_C of the supremum domain issues the certificate and delivers it to the proxy server CA_A of the access-initiating domain;
4) The proxy server CA_A of the access-initiating domain sends the certificate to the server CA_B of the access-target domain;
5) The proxy server CA_B of the access-target domain asks entity E_B for E_B's session key;
6) Entity E_B returns its session key to the proxy server CA_B of the access-target domain;
7) The proxy server CA_B of the access-target domain searches for the authentication path between itself and the proxy server CA_D of the infimum domain, submits a certificate authentication request, and transmits the authentication certificate of the access-initiating domain CA_A to the infimum domain;
8) The proxy server CA_D of the infimum domain completes the certificate authentication and returns the authentication result to the proxy server CA_B of the access-target domain;
9) The proxy server CA_B of the access-target domain carries out or terminates this cross-domain access according to the authentication result: if the authentication certificate passes authentication, CA_B sends an access-granted message to the proxy server CA_A of the access-initiating domain together with E_B's access key; if authentication of the certificate fails, CA_B sends CA_A a message refusing this access and ends this authentication;
10) The proxy server CA_A of the access-initiating domain receives the notification from CA_B and passes the result to entity E_A;
11) Entity E_A decides from the received result whether it can carry out the cross-domain access; if so, E_A uses E_B's session key to initiate access to entity E_B; if not, this cross-domain access ends.

Claims (4)

1. A multi-trust-domain authentication system under a lattice-based grid environment, in which the user interacts with the system through a user access interface to access network resources, characterised in that:
it comprises a grid structure constructing module, a trust domain management module, a lattice structure converting module and a cross-domain access control module, whose tasks in the system are respectively:
the grid structure constructing module builds a network structure organised in grid form; it lies at the bottom of the system and is responsible for managing and organising the network resources of the Internet in a unified way, for realising the invocation of the underlying network entities and applications, and for allocating and using the shared resources in the network;
the trust domain management module, on the grid-form network structure built by the grid structure constructing module, divides and manages trust domains according to the trust domain management policy, selects the proxy server of each trust domain, completes the communication between trust domains and the registration of the relevant information, and forms an organised, relatively stable group of trust domains as the logical basis of the lattice structure converting module;
the lattice structure converting module uses lattice techniques to logically reorganise the group of trust domains formed by the trust domain management module, determines the logical representation and the address of each trust domain in the lattice, provides the mapping between trust domain network addresses and lattice addresses, makes explicit the relations between the trust domains in the lattice, completes the selection of the infimum domain and supremum domain of any two trust domains and the registration and management of the related information, and forms an explicit, relatively stable lattice structure as the logical basis of the cross-domain access control module;
the cross-domain access control module interacts with the user access interface and, according to the cross-domain access control policy, completes the search for the paths between a trust domain and its corresponding bound domains, the routing of authentication information between trust domains during the cross-domain access process, the issuing and authentication of certificates, and finally the cross-domain access itself.
2. The multi-trust-domain authentication system under a lattice-based grid environment according to claim 1, characterised in that the method by which the lattice structure converting module logically organises the group of trust domains in the grid using lattice techniques is:
Define $\langle \rho(S), \subseteq \rangle$ to be a partially ordered set, where $\rho(S)$ denotes the set of all subsets of the set $S = \{a_1, a_2, \ldots, a_n\}$ and $\subseteq$ denotes the "is contained in" relation between sets. Because any two distinct elements $x$ and $y$ of the set $\rho(S)$ have a supremum and an infimum, $\rho(S)$ is said to form a lattice with respect to the partial order $\langle \rho(S), \subseteq \rangle$. Since the supremum and the infimum in a lattice are unique, taking the supremum and the infimum of $x$ and $y$ is defined as the binary operations $\vee$ and $\wedge$ on $x$ and $y$, i.e. $x \vee y$ and $x \wedge y$ denote the supremum and the infimum of $x$ and $y$ respectively (in this power-set lattice, $x \vee y = x \cup y$ and $x \wedge y = x \cap y$). Using the lattice-theoretic property that any two elements of a set satisfying such a partial order have a definite supremum and infimum, the trust domains already divided in the grid environment are logically re-divided, and each resulting trust domain is represented as one element of the set $\rho(S)$.
3. The multi-trust-domain authentication system under a lattice-based grid environment according to claim 1, characterised in that the cross-domain access control policy in the cross-domain access control module is: according to lattice theory, on the basis of organising the grid's trust domains in lattice form, for the access-initiating domain and the access-target domain involved in a cross-domain access, their supremum domain is agreed to be the certificate issuing server and their infimum domain the certificate authentication server; the proxy server of a domain is the interface through which the entities of the domain communicate with and are authenticated by the authentication servers, and it is responsible for managing the entities of its domain, for access control among the entities inside its domain, and for issuing or authenticating authentication certificates for entities of foreign domains. The concrete authentication process is as follows:
1) the proxy server of the access-initiating domain obtains the network address of the access-target domain;
2) the proxy server of the access-initiating domain looks up the address of the access-target domain in the lattice by that network address;
3) the proxy server of the access-initiating domain computes, from its own lattice address and the lattice address of the access-target domain, the infimum domain and the supremum domain of its own domain and the access-target domain;
4) the proxy server of the access-initiating domain searches for an authentication path between itself and the supremum domain, then submits a certificate request to the supremum domain and passes along the network address, lattice address, identity information and other relevant information of its own domain;
5) the supremum domain issues the certificate and hands it to the proxy server of the access-initiating domain;
6) the proxy server of the access-initiating domain sends the certificate to the proxy server of the access-target domain;
7) the access-target domain searches for an authentication path between itself and the infimum domain, submits a certificate authentication request, and forwards the authentication certificate of the access-initiating domain;
8) the infimum domain completes the certificate authentication and returns the result to the access-target domain;
9) the access-target domain carries out or ends this cross-domain access according to the result: if the authentication certificate passes, the access-target domain sends the access key to the access-initiating domain and accepts the access; if the authentication certificate fails, the access-target domain refuses this access.
4. The multi-trust-domain authentication system under a lattice-based grid environment according to claim 3, characterised in that the search for the authentication path in step 4) and step 7) follows the bound relations between the elements of the lattice constructed by the system, in detail:
the access-initiating domain first judges the relation in the lattice between the access-target domain and itself. If the access-target domain is its supremum domain, the access-initiating domain first checks whether the access-target domain is among the domains adjacent to itself; if so, it sends the message only to the access-target domain; if not, it chooses a domain that is adjacent to itself and is an upper bound of itself and sends the message to it, and the domain receiving the message repeats this selection until the message reaches the access-target domain or is dropped. If the access-target domain is its infimum domain, the access-initiating domain likewise first checks whether the access-target domain is among the domains adjacent to itself; if so, it sends the message only to the access-target domain; if not, it chooses a domain that is adjacent to itself and is a lower bound of itself and sends the message to it, and the domain receiving the message repeats this selection until the message reaches the access-target domain or is dropped.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 201010622681 CN102055769B (en) 2010-12-29 2010-12-29 Multi- trust domain authentication system under lattice-based grid environment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 201010622681 CN102055769B (en) 2010-12-29 2010-12-29 Multi- trust domain authentication system under lattice-based grid environment

Publications (2)

Publication Number Publication Date
CN102055769A true CN102055769A (en) 2011-05-11
CN102055769B CN102055769B (en) 2013-04-03

Family

ID=43959695

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 201010622681 Active CN102055769B (en) 2010-12-29 2010-12-29 Multi- trust domain authentication system under lattice-based grid environment

Country Status (1)

Country Link
CN (1) CN102055769B (en)

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102833265A (en) * 2012-09-13 2012-12-19 北京航空航天大学 Network theory based signature scheme and secure linear network encoding method thereof
CN104769909A (en) * 2012-08-30 2015-07-08 艾诺威网络有限公司 Internetwork authentication
CN106161377A (en) * 2015-04-13 2016-11-23 中国科学院软件研究所 A kind of social networks access control method based on user characteristics
CN106296530A (en) * 2015-06-23 2017-01-04 伊姆西公司 Trust for non-polymeric infrastructure covers
US9762679B2 (en) 2013-03-15 2017-09-12 Aerohive Networks, Inc. Providing stateless network services
US9769056B2 (en) 2013-03-15 2017-09-19 Aerohive Networks, Inc. Gateway using multicast to unicast conversion
CN107257292A (en) * 2017-05-26 2017-10-17 河南职业技术学院 A kind of cross-domain distributed big data communication system design planning method
US9992619B2 (en) 2014-08-12 2018-06-05 Aerohive Networks, Inc. Network device based proximity beacon locating
CN108848074A (en) * 2018-05-31 2018-11-20 西安电子科技大学 The information service entities cross-domain authentication method of trust value is acted on behalf of based on domain
CN110661816A (en) * 2019-10-22 2020-01-07 北京印刷学院 Cross-domain authentication method based on block chain and electronic equipment
WO2020113546A1 (en) * 2018-12-07 2020-06-11 北京大学深圳研究生院 Privacy protection and identity management method and system for multi-mode identifier network
CN111431850A (en) * 2020-02-18 2020-07-17 北京网聘咨询有限公司 Cross-domain security authentication method in cloud computing
CN113839865A (en) * 2021-11-30 2021-12-24 北京鲸鲮信息系统技术有限公司 Management method and system for cross-domain call service
CN113852614A (en) * 2021-09-15 2021-12-28 中国人民解放军陆军工程大学 Communication authentication path establishing method and device

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
张秋余 et al.: "A lattice-based multi-trust-domain authentication mechanism and its adaptive algorithm" (基于格的多信任域认证机制及其自适应算法), 《通信学报》 (Journal on Communications) *
杨璐: "Research on a trust-domain-based grid-structure trust model" (基于信任域的网格结构信任模型研究), 《中国优秀硕士学位论文全文数据库信息科技辑》 (China Master's Theses Full-text Database, Information Science and Technology) *
苗丰满: "Research on a lattice-theory-based cross-domain authentication system" (基于格理论的跨域认证系统的研究), 《中国优秀硕士学位论文全文数据库信息科技辑》 (China Master's Theses Full-text Database, Information Science and Technology) *
陈颖 et al.: "A dynamic cross-domain access control policy in grid environments" (网格环境下的一种动态跨域访问控制策略), 《计算机研究与发展》 (Journal of Computer Research and Development) *

Cited By (32)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10243956B2 (en) 2012-08-30 2019-03-26 Aerohive Networks, Inc. Internetwork authentication
CN104769909A (en) * 2012-08-30 2015-07-08 艾诺威网络有限公司 Internetwork authentication
US9979727B2 (en) 2012-08-30 2018-05-22 Aerohive Networks, Inc. Internetwork authentication
US10666653B2 (en) 2012-08-30 2020-05-26 Aerohive Networks, Inc. Internetwork authentication
US9762579B2 (en) 2012-08-30 2017-09-12 Aerohive Networks, Inc. Internetwork authentication
CN104769909B (en) * 2012-08-30 2018-06-01 艾诺威网络有限公司 Certification between net
CN102833265B (en) * 2012-09-13 2015-01-07 北京航空航天大学 Network theory based signature scheme and secure linear network encoding method thereof
CN102833265A (en) * 2012-09-13 2012-12-19 北京航空航天大学 Network theory based signature scheme and secure linear network encoding method thereof
US10355977B2 (en) 2013-03-15 2019-07-16 Aerohive Networks, Inc. Gateway using multicast to unicast conversion
US9769056B2 (en) 2013-03-15 2017-09-19 Aerohive Networks, Inc. Gateway using multicast to unicast conversion
US11336560B2 (en) 2013-03-15 2022-05-17 Extreme Networks, Inc. Gateway using multicast to unicast conversion
US10230802B2 (en) 2013-03-15 2019-03-12 Aerohive Networks, Inc. Providing stateless network services
US9762679B2 (en) 2013-03-15 2017-09-12 Aerohive Networks, Inc. Providing stateless network services
US10694319B2 (en) 2014-08-12 2020-06-23 Extreme Networks, Inc. Network device based proximity beacon locating
US9992619B2 (en) 2014-08-12 2018-06-05 Aerohive Networks, Inc. Network device based proximity beacon locating
US10123168B2 (en) 2014-08-12 2018-11-06 Aerohive Networks, Inc. Network device based proximity beacon locating
CN106161377B (en) * 2015-04-13 2019-03-29 中国科学院软件研究所 A kind of social networks access control method based on user characteristics
CN106161377A (en) * 2015-04-13 2016-11-23 中国科学院软件研究所 A kind of social networks access control method based on user characteristics
CN106296530A (en) * 2015-06-23 2017-01-04 伊姆西公司 Trust for non-polymeric infrastructure covers
CN106296530B (en) * 2015-06-23 2021-01-15 伊姆西Ip控股有限责任公司 Trust coverage for non-converged infrastructure
CN107257292A (en) * 2017-05-26 2017-10-17 河南职业技术学院 A kind of cross-domain distributed big data communication system design planning method
CN107257292B (en) * 2017-05-26 2019-11-19 河南职业技术学院 A kind of cross-domain distributed big data communication system design planning method
CN108848074B (en) * 2018-05-31 2020-06-16 西安电子科技大学 Information service entity cross-domain authentication method based on domain agent trust value
CN108848074A (en) * 2018-05-31 2018-11-20 西安电子科技大学 The information service entities cross-domain authentication method of trust value is acted on behalf of based on domain
WO2020113546A1 (en) * 2018-12-07 2020-06-11 北京大学深圳研究生院 Privacy protection and identity management method and system for multi-mode identifier network
CN110661816A (en) * 2019-10-22 2020-01-07 北京印刷学院 Cross-domain authentication method based on block chain and electronic equipment
CN110661816B (en) * 2019-10-22 2021-11-05 北京印刷学院 Cross-domain authentication method based on block chain and electronic equipment
CN111431850A (en) * 2020-02-18 2020-07-17 北京网聘咨询有限公司 Cross-domain security authentication method in cloud computing
CN111431850B (en) * 2020-02-18 2022-04-19 北京网聘咨询有限公司 Cross-domain security authentication method in cloud computing
CN113852614A (en) * 2021-09-15 2021-12-28 中国人民解放军陆军工程大学 Communication authentication path establishing method and device
CN113852614B (en) * 2021-09-15 2023-10-24 中国人民解放军陆军工程大学 Communication authentication path establishment method and device
CN113839865A (en) * 2021-11-30 2021-12-24 北京鲸鲮信息系统技术有限公司 Management method and system for cross-domain call service

Also Published As

Publication number Publication date
CN102055769B (en) 2013-04-03

Similar Documents

Publication Publication Date Title
CN102055769B (en) Multi- trust domain authentication system under lattice-based grid environment
Cui et al. Extensible conditional privacy protection authentication scheme for secure vehicular networks in a multi-cloud environment
Fernández-Caramés et al. A Review on the Use of Blockchain for the Internet of Things
Fang et al. Digital signature scheme for information non-repudiation in blockchain: a state of the art review
Kaur et al. Blockchain-based cyber-physical security for electrical vehicle aided smart grid ecosystem
CN110086821A (en) The authentication method of electric power things-internet gateway and the access of electric power internet-of-things terminal based on block chain
CN101714996B (en) Authentication system and method based on peer-to-peer computing network
Zou et al. Reportcoin: A novel blockchain-based incentive anonymous reporting system
CN112418860A (en) Block chain efficient management framework based on cross-chain technology and working method
Luecking et al. Decentralized identity and trust management framework for Internet of Things
CN108667616A (en) Across cloud security Verification System based on mark and method
Shehab et al. Secure collaboration in mediator-free environments
Sun et al. Dt-dpos: A delegated proof of stake consensus algorithm with dynamic trust
Lin et al. Insecurity of an anonymous authentication for privacy-preserving IoT target-driven applications
Chen et al. Blockchain-based key management scheme in fog-enabled IoT systems
He et al. A novel cryptocurrency wallet management scheme based on decentralized multi-constrained derangement
Rana et al. Efficient design of an authenticated key agreement protocol for dew-assisted IoT systems
Maldonado-Ruiz et al. An innovative and decentralized identity framework based on blockchain technology
Zhao et al. A novel decentralized cross‐domain identity authentication protocol based on blockchain
Liu et al. Cross-heterogeneous domain authentication scheme based on blockchain
Ogundoyin et al. Secure and privacy-preserving D2D communication in fog computing services
Hietalahti A clustering-based group key agreement protocol for ad-hoc networks
Joy et al. Smart card authentication model based on elliptic curve cryptography in IoT networks
Qiliang et al. Attribute‐based worker selection scheme by using blockchain in decentralized crowdsourcing scenario
Xie et al. Cross-Chain-Based Trustworthy Node Identity Governance in Internet of Things

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant