CN102055769A - Multi-trust domain authentication system under lattice-based grid environment - Google Patents
Publication number: CN102055769A (application CN201010622681A)
Authority: CN (China)
Prior art keywords: domain, access, lattice, authentication
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Abstract
The invention relates to a multi-trust-domain authentication system for a lattice-based grid environment and belongs to the field of information security. The system comprises a grid structure construction module, a trust domain management module, a lattice structure conversion module and a cross-domain access control module; its working process comprises grid initialization, intra-domain initialization, authentication server initialization and user authentication. In the invention every trust domain is an authentication entity, which makes full use of the resource-sharing advantage of the grid model; when a domain acts as an authentication server it stores only the authentication information for the domain pairs of which it is the upper-bound or lower-bound domain, not global authentication information, which reduces storage redundancy and simplifies maintenance and management; and in the authentication process the authentication server of each domain is known and the authentication path is determined in advance, which improves the efficiency of cross-domain authentication.
Description
Technical field
The present invention relates to a multi-trust-domain authentication system for a lattice-based grid environment and belongs to the field of information security technology.
Technical background
Informatization and the development of Internet technology have made information sharing ever more convenient: information in the network is easy to obtain, transmit and process. Because information is nevertheless sensitive to some degree, the question of how to perform identity authorization and authentication across trust domains, between different enterprises and applications, has become pressing. Access control, an information security technology that has received wide attention in recent years, offers one route to solving this problem and has drawn extensive attention from academia and industry at home and abroad.
Grid computing has likewise received much attention in recent years as an infrastructure and next-generation network. Grids are commonly used in scientific and engineering computing; they provide a flexible, secure and collaborative resource-sharing model in which resource providers of various kinds, individuals or organizations, form a dynamic environment and every computer can take part in computation and resource sharing. Authentication in a grid is usually based on symmetric and asymmetric cryptography, providing entity authentication through standard-conforming entity certificates and proxy certificates, or through a dedicated protocol that authenticates entities during communication. Entity authentication protocols for network communication are relatively mature, so current research concentrates on certificate-based authentication mechanisms. The best-known certificate authentication system is PKI (Public Key Infrastructure), an infrastructure for information security services built on public-key cryptography and its implementation techniques; the PKI system model is shown in Fig. 1. With PKI, the identity, role and similar attributes of network entities can be folded into cross-domain authentication, giving authentication modes with different requirements and purposes; elements such as time and session can also be added to the authentication model to build multi-granularity authentication models. As research on asymmetric cryptography has advanced, PKI technology has developed widely: because PKI supports publicly verifiable and unforgeable digital signatures, offers strong confidentiality, has certificates issued by a third party without online queries, supports certificate revocation and interconnects well across networks, it is now used in every part of the network.
However, PKI also has shortcomings: certificate management and revocation are complex, and authentication through a privileged authority creates a network transmission bottleneck and a single point of failure. Attempts have been made to improve PKI's certification-path construction, and thus its authentication efficiency, by restructuring the CA topology (hierarchical CA, mesh CA and bridge CA) in combination with forward, backward, depth-first and breadth-first path search methods; but when the network is very large, the number of trust domains is high and the topology changes dynamically, the maintenance complexity of PKI becomes prominent. The application potential of PKI authentication in cross-domain authentication under grid environments therefore remains to be exploited, and its advantages should be developed further to improve authentication effectiveness in this field.
Summary of the invention
The object of the invention is to overcome the defects of the prior art, specifically the low efficiency of selecting a certification path in conventional authentication systems, by proposing a multi-trust-domain authentication system for a lattice-based grid environment.
The present invention is achieved by the following technical solution.
The multi-trust-domain authentication system of the invention comprises four modules: a grid construction module, a trust domain management module, a lattice structure conversion module and a cross-domain access control module. The user interacts with the system through a user access interface to access grid resources.
The grid construction module is the bottom layer of the system. It manages and organizes the network resources of the Internet in a unified way, handles calls to the underlying network entities and applications, allocates and uses the shared resources in the network, and builds a network structure organized in grid form.
The trust domain management module works on the grid-structured network built by the grid construction module. According to the trust domain management strategy it partitions and manages the trust domains, selects the proxy server of each trust domain, handles communication between trust domains and the registration of the relevant information, and forms an organized, relatively stable group of trust domains that serves as the logical basis of the lattice structure conversion module.
The lattice structure conversion module logically reorganizes the group of trust domains formed by the trust domain management module using lattice techniques. It determines the logical representation and address of each trust domain in the lattice, provides the mapping between trust domain network addresses and lattice addresses, makes the relations between the trust domains in the lattice explicit, looks up the infimum domain and supremum domain of any two trust domains and registers the related information, and forms an explicit, relatively stable lattice structure that serves as the logical basis of the cross-domain access control module.
The cross-domain access control module interacts with the user access interface. According to the cross-domain access control policy it performs the path search between a trust domain and its bound domains, routes authentication information between trust domains during cross-domain access, issues and verifies certificates, and finally carries out the cross-domain access.
The method by which the lattice structure conversion module logically organizes the trust domain group of the grid using lattice techniques is as follows:
Definition. Let $\langle \rho(S), \subseteq \rangle$ be a partially ordered set, where $\rho(S)$ denotes the set of all subsets of $S = \{a_1, a_2, \dots, a_n\}$ and $\subseteq$ denotes the "contained in" relation on sets. Because any two distinct elements $x$ and $y$ of $\rho(S)$ have a supremum and an infimum, $\rho(S)$ forms a lattice with respect to the partial order $\subseteq$. Since the supremum and infimum in a lattice are unique, the binary operations $\vee$ and $\wedge$ are defined as taking the supremum and the infimum of $x$ and $y$ respectively, i.e. $x \vee y$ and $x \wedge y$ denote the supremum and infimum of $x$ and $y$. Using the property, from lattice theory, that any two elements of a set with such a partial order have a well-defined supremum and infimum, the trust domains already partitioned in the grid environment are logically re-partitioned, and each resulting trust domain is represented by one element of the set $\rho(S)$.
The cross-domain access control policy of the cross-domain access control module is as follows. With the grid trust domains organized in lattice form according to lattice theory, a cross-domain access involves an access-initiating domain and an access-destination domain; by agreement their supremum domain is the certificate-issuing server and their infimum domain is the certificate-verifying server. The proxy server of a domain is the interface through which the entities of the domain communicate with the authentication servers and are authenticated; it manages the entities of its domain, controls access among them, and issues or verifies authentication certificates for entities of other domains. The authentication process is as follows:
1) The proxy server of the access-initiating domain obtains the network address of the access-destination domain;
2) The proxy server of the access-initiating domain looks up the lattice address of the access-destination domain from its network address;
3) From its own lattice address and the lattice address of the access-destination domain, the proxy server of the access-initiating domain computes the infimum domain and the supremum domain of the two domains;
4) The proxy server of the access-initiating domain searches for the certification path to the supremum domain, then submits a certificate request to the supremum domain, sending its own network address, lattice address, identity information and other relevant data;
5) The supremum domain issues the certificate and returns it to the proxy server of the access-initiating domain;
6) The proxy server of the access-initiating domain sends the certificate to the proxy server of the access-destination domain;
7) The access-destination domain searches for the certification path to the infimum domain, submits a certificate verification request and forwards the authentication certificate of the access-initiating domain;
8) The infimum domain verifies the certificate and returns the verification result to the access-destination domain;
9) The access-destination domain carries out or terminates the cross-domain access according to the verification result: if the authentication certificate passes verification, the access-destination domain sends the access key to the access-initiating domain and accepts the access; if verification fails, the access-destination domain refuses the access.
The certification path searches in steps 4) and 7) above follow the upper-bound and lower-bound relations between elements of the lattice constructed by the system. The detailed process is:
The access-initiating domain first determines the relation in the lattice between the access-destination domain and itself. If the access-destination domain is the supremum (an upper bound) of the initiating domain, the initiating domain first checks whether the destination is among the domains adjacent to it; if so, it sends the message to the destination only; if not, it sends the message to the adjacent domains that are upper bounds of itself. Each domain that receives the message repeats this selection until the message reaches the destination or is dropped. Because the bound relations in the lattice are deterministic, the message is certain to reach the destination: an upper-bound domain that does not lie on the way to the supremum domain drops the message it receives, since it can find no upper-bound domain of its own for that destination, and this does not affect receipt of the message by the supremum domain.
If the access-destination domain is the infimum (a lower bound) of the initiating domain, the initiating domain first checks whether the destination is among the domains adjacent to it; if so, it sends the message to the destination only; if not, it sends the message to the adjacent domains that are lower bounds of itself. Each domain that receives the message repeats this selection until the message reaches the destination or is dropped. Because the bound relations in the lattice are deterministic, the message is certain to reach the destination: a lower-bound domain that does not lie on the way to the infimum domain drops the message it receives, since it can find no lower-bound domain of its own for that destination, and likewise this does not affect receipt of the message by the infimum domain.
The working process of the multi-trust-domain authentication system of the invention is:
1) Grid initialization. The grid initializes its own structure and determines the network scale, assigns identity labels to all participating entities, determines the trust domain partitioning strategy and partitions and registers the trust domains accordingly, assigns a lattice representation to each trust domain, determines from the lattice representation the relations between domains and the inter-domain communication rules and communication paths, and initializes and distributes to all participating entities their private keys and the session key generation algorithm.
2) Intra-domain initialization. After grid initialization, the entities of each domain, within the scope of that domain, select the domain's proxy server according to factors such as the trust degree, access frequency and computing performance of each entity. A mutual trust mechanism is established among the entities of a domain, so that access to shared resources within the domain requires no authentication between them.
3) Authentication server initialization. Each trust domain uses the lattice representation obtained during initialization to communicate with the domains related to it, completes the mapping between the lattice representations of all domains in the network and their real network addresses, computes and records the supremum domain and infimum domain of every pair of trust domains, and registers the relevant information with the proxy server of each domain. The proxy server initializes identity determination, certificate generation and the authentication policy, and communicates with the proxy servers of the adjacent domains to register itself as an entity.
4) User authentication. During cross-domain access the user, using its own identity information, has the proxy server of its domain send the relevant information to the server of the domain responsible for determining its identity and issuing its authentication certificate (i.e. the supremum of the user's own domain and the destination domain). The authentication server responds according to that determination and the authentication policy and returns the authentication result to the access-initiating entity, which carries out the cross-domain access according to the authentication result and the access policy.
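The lattice of the definition above, the supremum/infimum lookup of authentication server initialization (step 3) and the certification path search of steps 4) and 7), as an added example in Python that is not part of the patent. It uses the embodiment's base set S = {a, b, c}; the bitmask lattice address, the 10.0.x.1 network addresses and the use of one-element insertion or removal as lattice adjacency are assumptions made for this example.

```python
# Added example (not the patent's code): power-set lattice of trust domains, the
# bound-domain table of initialization step 3) and the path search of steps 4)/7).
# The bitmask lattice address, the 10.0.x.1 network addresses and cover-based
# adjacency are assumptions made for this example.
from itertools import combinations

S = ("a", "b", "c")          # base set of the embodiment; a trust domain is a subset of S


def power_set(elements=S):
    """rho(S): every subset of S as a frozenset. Each one represents a trust domain."""
    return [frozenset(c) for r in range(len(elements) + 1)
            for c in combinations(elements, r)]


def join(x, y):
    """Supremum domain x v y = x U y: the certificate-issuing server for x and y."""
    return x | y


def meet(x, y):
    """Infimum domain x ^ y = x n y: the certificate-verifying server for x and y."""
    return x & y


def lattice_address(domain, elements=S):
    """Bitmask form of a domain's lattice address (bit i set <=> elements[i] in domain)."""
    return sum(1 << i for i, e in enumerate(elements) if e in domain)


def address_table(elements=S):
    """Lattice address -> network address mapping completed at initialization step 3).
    The 10.0.x.1 addresses are constructed for the example."""
    return {lattice_address(d, elements): f"10.0.{lattice_address(d, elements)}.1"
            for d in power_set(elements)}


def bound_roles(domain, lattice):
    """Pairs of distinct domains for which `domain` is the supremum (it issues their
    certificates) or the infimum (it verifies them): all a domain needs to store."""
    pairs = list(combinations(lattice, 2))
    issues = [(x, y) for x, y in pairs if join(x, y) == domain]
    verifies = [(x, y) for x, y in pairs if meet(x, y) == domain]
    return issues, verifies


def upper_covers(x, elements=S):
    """Domains adjacent to x from above in the lattice diagram: x plus one element."""
    return [x | {e} for e in elements if e not in x]


def lower_covers(x):
    """Domains adjacent to x from below: x minus one element."""
    return [x - {e} for e in x]


def find_path(src, dst, elements=S):
    """Certification path from src to dst, where dst is an upper or lower bound of src.
    A neighbour that does not lie between the current domain and dst would drop the
    message (it has no bound domain of its own on the way to dst), so forwarding is
    restricted to neighbours that still lie between the current domain and dst."""
    if src == dst:
        return [src]
    if src < dst:                                   # dst is an upper bound: climb
        def next_hops(x):
            return [u for u in upper_covers(x, elements) if u <= dst]
    elif dst < src:                                 # dst is a lower bound: descend
        def next_hops(x):
            return [l for l in lower_covers(x) if dst <= l]
    else:
        raise ValueError("destination is neither an upper nor a lower bound of the source")
    path = [src]
    while path[-1] != dst:
        # several neighbours may qualify; choose deterministically so the path is fixed
        path.append(min(next_hops(path[-1]), key=lambda d: sorted(d)))
    return path
```

`find_path(frozenset("a"), frozenset("abc"))` walks {a} to {a, b} to {a, b, c}; pruning to neighbours inside the interval means a domain off the path never even receives the message, which is what makes the patent's "drop" rule cheap. `bound_roles` shows the storage claim of the beneficial effects: the top domain {a, b, c} is the issuer for 13 of the 28 domain pairs and the verifier for none, while {a} issues for one pair and verifies for four.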
Beneficial effect
Compared with the prior art, the multi-trust-domain authentication system of the invention has the following advantages: every trust domain is an authentication entity and can act as an authentication server, which makes full use of the resource-sharing advantage of the grid model; when acting as an authentication server, a domain stores only the authentication information (associated keys, corresponding coordinates and the like) for the domains of which it is the upper-bound or lower-bound domain, not global authentication information, which reduces storage redundancy and simplifies maintenance and management; and in the authentication process the authentication server of each domain is known to that domain and, because of the partial order chosen, the certification path is determined in advance, which improves the efficiency of cross-domain authentication.
Description of drawings
Fig. 1 is the PKI system model;
Fig. 2 is the system hierarchy diagram of the invention;
Fig. 3 is the network model constructed with the lattice technique in the embodiment;
Fig. 4 is a schematic diagram of the system authentication process in the embodiment.
Embodiment
The invention is described further below with reference to the drawings and an embodiment.
Embodiment
For the set S = {a, b, c}, S has 3 elements and the number of subsets of S is $2^3 = 8$. The partially ordered set $\langle \rho(S), \subseteq \rangle$ is a lattice, and $\rho(S)$ can represent 8 domains, namely {a, b, c}, {a}, {b}, {c}, {a, b}, {a, c}, {b, c} and the empty set Ф. For any two elements A and B of $\rho(S)$, $A \vee B = A \cup B$ and $A \wedge B = A \cap B$. The network model constructed from the lattice $\langle \rho(S), \subseteq \rangle$ is shown in Fig. 3.
As shown in Figure 4, the entity E among the A of territory
AWant the entity E among the access domain B
BResource, then cross-domain verification process is:
1) entity E
AInitiate the acting server CA in territory to visit
A requests cross-domain access and transmits the network address of entity E_B;
2) the proxy server CA_A of the access-initiating domain obtains the network address of the access-target domain's proxy server CA_B from E_B's network address, looks up CA_B's lattice address from that network address, computes from its own lattice address and CA_B's lattice address the infimum domain and the supremum domain of its own domain and the access-target domain, and finally searches for the certification path between itself and the supremum domain CA_C, submits a certificate request to CA_C, and transmits its own domain's network address, lattice address, identity information and related data;
3) the supremum domain proxy server CA_C issues the certificate and returns it to the access-initiating domain's proxy server CA_A;
4) the access-initiating domain's proxy server CA_A sends the certificate to the access-target domain's proxy server CA_B;
5) the access-target domain's proxy server CA_B asks entity E_B for E_B's session key;
6) entity E_B returns its session key to the access-target domain's proxy server CA_B;
7) the access-target domain's proxy server CA_B searches for the certification path between itself and the infimum domain proxy server CA_D, submits a certificate verification request, and forwards the authentication certificate of the access-initiating domain CA_A to the infimum domain;
8) the infimum domain proxy server CA_D completes certificate verification and returns the verification result to the access-target domain's proxy server CA_B;
9) the access-target domain's proxy server CA_B carries out or terminates this cross-domain access according to the verification result: if the authentication certificate passes verification, CA_B sends an access-granted message to the access-initiating domain's proxy server CA_A together with E_B's access key; if verification of the authentication certificate fails, CA_B sends a message refusing this access to CA_A, and this authentication ends;
10) the access-initiating domain's proxy server CA_A receives the notice from CA_B and passes the result on to entity E_A;
11) entity E_A decides from the received result whether the cross-domain access can proceed; if so, E_A uses E_B's session key to initiate access to E_B; if not, this cross-domain access ends.
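The eleven steps above (restated as the policy of claim 3) can be simulated end to end. The following is an added example, not code from the patent or any implementation of it: the four proxy servers CA_A, CA_B, CA_C (supremum) and CA_D (infimum) are plain Python objects, the address lookups and bound-domain selection are fixed tables standing in for the lattice initialisation, and, because the page does not say how the infimum domain checks a certificate issued by the supremum domain, the two bound domains are assumed to share an HMAC key. All addresses and keys are constructed sample values. Running with `tamper=True` alters the certificate between steps 3 and 4 and shows the infimum domain refusing it, which is the failure branch of step 9.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional

# Constructed sample values (not from the page).
SESSION_KEY_EB = "constructed-session-key-of-E_B"
# ASSUMPTION: the page does not say how the infimum domain checks a certificate issued by
# the supremum domain; this example gives the two bound domains a shared MAC key.
BOUND_MAC_KEY = b"constructed-key-shared-by-CA_C-and-CA_D"


def issue_certificate(issuer_key: bytes, fields: Dict[str, str]) -> Dict[str, str]:
    """Step 3: the supremum-domain proxy CA_C binds the requester's network address,
    lattice address and identity into a certificate carrying an HMAC-SHA256 tag."""
    body = json.dumps(fields, sort_keys=True).encode()
    tag = hmac.new(issuer_key, body, hashlib.sha256).hexdigest()
    return dict(fields, tag=tag)


def verify_certificate(verifier_key: bytes, cert: Dict[str, str]) -> bool:
    """Step 8: the infimum-domain proxy CA_D recomputes the tag and compares in constant time."""
    fields = {k: v for k, v in cert.items() if k != "tag"}
    body = json.dumps(fields, sort_keys=True).encode()
    expected = hmac.new(verifier_key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cert.get("tag", ""))


class Proxy:
    """Proxy server of one trust domain (the page's CA_X)."""

    def __init__(self, domain: str, net_addr: str, lattice_addr: str,
                 bound_key: Optional[bytes] = None) -> None:
        self.domain = domain
        self.net_addr = net_addr
        self.lattice_addr = lattice_addr
        self.bound_key = bound_key          # held only by the supremum/infimum domains
        self.entities: Dict[str, Dict[str, str]] = {}   # entity net_addr -> record


def run_cross_domain_access(tamper: bool = False) -> Dict[str, object]:
    """Steps 1-11 with E_A (domain A) accessing E_B (domain B). With tamper=True the
    certificate is altered between steps 3 and 4, so the infimum domain must reject it."""
    log: List[str] = []
    ca_a = Proxy("A", "10.0.1.1", "{a}")
    ca_b = Proxy("B", "10.0.2.1", "{b,c}")
    ca_c = Proxy("C", "10.0.3.1", "{a,b,c}", BOUND_MAC_KEY)   # supremum domain of A and B
    ca_d = Proxy("D", "10.0.4.1", "{}", BOUND_MAC_KEY)        # infimum domain of A and B
    e_b = {"name": "E_B", "net_addr": "10.0.2.7", "session_key": SESSION_KEY_EB}
    ca_b.entities[e_b["net_addr"]] = e_b
    # ASSUMPTION: address lookup and bound-domain selection happened during lattice
    # initialisation; here they are fixed tables.
    proxy_of_entity = {e_b["net_addr"]: ca_b}
    bounds = {("A", "B"): (ca_c, ca_d)}

    # 1) E_A asks CA_A for cross-domain access and hands over E_B's network address.
    target_addr = e_b["net_addr"]
    log.append(f"1 E_A -> CA_A: access {target_addr}")
    # 2) CA_A resolves CA_B, determines the supremum/infimum domains and asks the
    #    supremum domain for a certificate over its own addresses and identity.
    target_proxy = proxy_of_entity[target_addr]
    sup, inf = bounds[(ca_a.domain, target_proxy.domain)]
    request = {"domain": ca_a.domain, "net_addr": ca_a.net_addr,
               "lattice_addr": ca_a.lattice_addr, "identity": "CA_A"}
    log.append(f"2 CA_A -> CA_{sup.domain}: certificate request")
    # 3) the supremum domain issues the certificate and returns it to CA_A.
    cert = issue_certificate(sup.bound_key, request)
    log.append(f"3 CA_{sup.domain} -> CA_A: certificate")
    # 4) CA_A sends the certificate to CA_B (modified in transit when tamper=True).
    if tamper:
        cert = dict(cert, identity="forged")
    log.append(f"4 CA_A -> CA_{target_proxy.domain}: certificate")
    # 5-6) CA_B obtains E_B's session key.
    session_key = target_proxy.entities[target_addr]["session_key"]
    log.append("5 CA_B -> E_B: session key?  6 E_B -> CA_B: session key")
    # 7-8) CA_B forwards the certificate to the infimum domain, which verifies it.
    log.append(f"7 CA_B -> CA_{inf.domain}: verify certificate")
    verified = verify_certificate(inf.bound_key, cert)
    log.append(f"8 CA_{inf.domain} -> CA_B: {'valid' if verified else 'invalid'}")
    # 9-11) CA_B grants (with E_B's key) or refuses; CA_A relays the result to E_A.
    key_at_e_a: Optional[str] = None
    if verified:
        log.append("9 CA_B -> CA_A: access granted + session key")
        key_at_e_a = session_key
    else:
        log.append("9 CA_B -> CA_A: access refused")
    log.append("10 CA_A -> E_A: result")
    log.append("11 E_A " + ("accesses E_B with the session key" if verified else "ends the access"))
    return {"granted": verified, "session_key": key_at_e_a, "log": log}
```

The point worth noticing in the simulation is which party holds what: CA_A and CA_B never need the key material, they only route the certificate along the two certification paths, which is why the page can claim that each domain stores only the information for which it is an upper or lower bound.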
Claims (4)
1. A multi-trust-domain authentication system under a lattice-based grid environment, in which the user interacts with the system body through a user access interface to access network resources, characterized in that:
it comprises a grid structure construction module, a trust domain management module, a lattice structure conversion module and a cross-domain access control module; the tasks the four modules perform in this system are respectively:
the grid structure construction module builds the network structure organized in grid form; it sits at the bottom of the system and is responsible for the unified management and organization of the network resources of the Internet, for realizing the invocation of the underlying network entities and applications, and for allocating and using the shared resources in the network;
the trust domain management module, on the basis of the grid-organized network structure built by the grid structure construction module, divides and manages trust domains according to the trust domain management policy, selects the proxy server of each trust domain, completes communication between trust domains and the registration of the relevant information, and forms organized and relatively stable trust domain groups as the logical foundation for the lattice structure conversion module;
the lattice structure conversion module uses lattice techniques to reorganize logically the trust domain groups formed by the trust domain management module, determines the logical representation and the lattice address of each trust domain, provides the mapping between trust domain network addresses and lattice addresses, makes explicit the relations between the trust domains in the lattice, completes the selection of the infimum domain and supremum domain of any two trust domains and the registration management of the relevant information, and forms an explicit and relatively stable lattice structure that provides the logical foundation for the cross-domain access control module;
the cross-domain access control module interacts with the user access interface and, according to the cross-domain access control policy, completes the path search between a trust domain and its corresponding bound domains, the routing of authentication information between trust domains, the issuing and verification of certificates during cross-domain access, and the final realization of cross-domain access.
2. The multi-trust-domain authentication system under a lattice-based grid environment according to claim 1, characterized in that the method by which the lattice structure conversion module uses lattice techniques to organize logically the trust domain groups in the grid is:
Definition: (ρ(S), ⊆) is a partially ordered set, where ρ(S) denotes the set of all subsets of the set S = {a_1, a_2, ..., a_n} and ⊆ denotes the "is contained in" relation between sets. Because any two distinct elements x and y of the set ρ(S) have a supremum and an infimum, ρ(S) is said to form a lattice with respect to the partial order ⊆; owing to the uniqueness of the supremum and the infimum in lattice theory, the binary operations ∨ and ∧ on x and y are defined as taking their supremum and their infimum respectively, i.e. x ∨ y and x ∧ y denote the supremum and the infimum of x and y. Using the property from lattice theory that any two elements of a set satisfying a given partial order have a definite supremum and infimum, the trust domains already divided in the grid environment are logically re-divided, and each trust domain so obtained is expressed as one element of the set ρ(S).
3. The multi-trust-domain authentication system under a lattice-based grid environment according to claim 1, characterized in that the cross-domain access control policy in the cross-domain access control module is: following lattice theory, with the grid trust domains organized in lattice form, for the access-initiating domain and the access-target domain involved in a cross-domain access, their supremum domain is agreed to act as the certificate-issuing server and their infimum domain as the certificate-verifying server; the proxy server of a domain is the interface through which entities communicate with and are authenticated by the certificate servers, and it is responsible for managing the entities of its own domain, for access control among the entities inside its domain, and for issuing authentication certificates to, or verifying those of, entities of foreign domains; the specific authentication process is as follows:
1) the proxy server of the access-initiating domain obtains the network address of the access-target domain;
2) the proxy server of the access-initiating domain looks up the lattice address of the access-target domain from its network address;
3) the proxy server of the access-initiating domain computes, from its own lattice address and the lattice address of the access-target domain, the infimum domain and the supremum domain of its own domain and the access-target domain;
4) the proxy server of the access-initiating domain searches for the certification path between itself and the supremum domain, then submits a certificate request to the supremum domain, transmitting its own domain's network address, lattice address, identity information and related data;
5) the supremum domain issues the certificate and returns it to the proxy server of the access-initiating domain;
6) the proxy server of the access-initiating domain sends the certificate to the proxy server of the access-target domain;
7) the access-target domain searches for the certification path between itself and the infimum domain, submits a certificate verification request, and forwards the authentication certificate of the access-initiating domain;
8) the infimum domain completes certificate verification and returns the verification result to the access-target domain;
9) the access-target domain carries out or terminates this cross-domain access according to the verification result: if the authentication certificate passes verification, the access-target domain sends the access key to the access-initiating domain and accepts the access; if verification of the authentication certificate fails, the access-target domain refuses this access.
4. The multi-trust-domain authentication system under a lattice-based grid environment according to claim 3, characterized in that the search for the certification path in steps 4) and 7) follows the bound relations between elements of the lattice constructed by the system, and proceeds as follows:
the access-initiating domain first determines the relation in the lattice between the access-target domain and itself. If the access-target domain is its supremum domain, the access-initiating domain first checks whether the access-target domain is among the domains adjacent to itself; if so, it sends the message directly to the access-target domain; if not, it selects a domain that is adjacent to itself and is an upper bound of itself and sends the message to that domain; the domain that receives the message repeats this selection until the message is delivered to the access-target domain or is dropped. If the access-target domain is its infimum domain, the access-initiating domain first checks whether the access-target domain is among the domains adjacent to itself; if so, it sends the message directly to the access-target domain; if not, it selects a domain that is adjacent to itself and is a lower bound of itself and sends the message to that domain; the domain that receives the message repeats this selection until the message is delivered to the access-target domain or is dropped.
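Claims 2 and 4 together describe a concrete structure: trust domains are elements of the power-set lattice (ρ(S), ⊆), the supremum and infimum of two domains are their union and intersection, and a certification path is found by hopping through adjacent domains upward (towards the supremum) or downward (towards the infimum). The block below is an added illustration written for this page, not code from the patent; it assumes that two registered domains are "adjacent" when they differ in exactly one element of S (neighbours in the Hasse diagram of ρ(S)), since the claims do not define adjacency, and it uses a small constructed ground set S = {a, b, c}. It also shows the drop case of claim 4: when only some subsets are registered as domains, a message can find no adjacent upper bound and is discarded.

```python
from itertools import combinations
from typing import FrozenSet, Iterable, List, Optional, Set

Domain = FrozenSet[str]


def power_set(ground: Iterable[str]) -> Set[Domain]:
    """ρ(S): every subset of S, the carrier set of the lattice in claim 2."""
    items = list(ground)
    return {frozenset(c) for r in range(len(items) + 1) for c in combinations(items, r)}


class TrustLattice:
    """Registered trust domains modelled as elements of (ρ(S), ⊆)."""

    def __init__(self, ground: Iterable[str], domains: Iterable[Iterable[str]]) -> None:
        self.ground: Domain = frozenset(ground)
        self.domains: Set[Domain] = {frozenset(d) for d in domains}
        bad = [d for d in self.domains if not d <= self.ground]
        if bad:
            raise ValueError(f"domains outside the ground set S: {bad}")

    # x ∨ y and x ∧ y of claim 2: in (ρ(S), ⊆) these are union and intersection.
    @staticmethod
    def supremum(x: Domain, y: Domain) -> Domain:
        return x | y

    @staticmethod
    def infimum(x: Domain, y: Domain) -> Domain:
        return x & y

    def adjacent(self, x: Domain) -> Set[Domain]:
        """ASSUMPTION (not defined on the page): registered domains differing from x
        in exactly one element of S are its adjacent domains."""
        return {d for d in self.domains if len(d ^ x) == 1}

    def find_path(self, src: Domain, dst: Domain, max_hops: int = 64) -> Optional[List[Domain]]:
        """Claim 4 search: deliver directly if dst is adjacent, otherwise forward to an
        adjacent upper bound (when dst is above src) or lower bound (when dst is below src)
        and repeat. Returns the hop list, or None when the message is dropped."""
        src, dst = frozenset(src), frozenset(dst)
        if src not in self.domains or dst not in self.domains:
            return None
        if src == dst:
            return [src]
        if src < dst:                      # dst is an upper bound of src: climb
            def candidates(cur: Domain) -> List[Domain]:
                return [d for d in self.adjacent(cur) if cur < d <= dst]
        elif dst < src:                    # dst is a lower bound of src: descend
            def candidates(cur: Domain) -> List[Domain]:
                return [d for d in self.adjacent(cur) if dst <= d < cur]
        else:
            return None  # claim 4 only searches towards a domain's own supremum or infimum
        path, cur = [src], src
        for _ in range(max_hops):
            if dst in self.adjacent(cur):
                path.append(dst)
                return path
            nxt = candidates(cur)
            if not nxt:
                return None  # no adjacent bound domain on the way: message dropped
            cur = min(nxt, key=sorted)  # deterministic choice among equally valid neighbours
            path.append(cur)
        return None


def bound_domains_and_paths(lat: TrustLattice, x: Domain, y: Domain) -> dict:
    """For an access from domain x to domain y: the two bound domains and the two
    certification paths of claim 3 (step 4: x to supremum; step 7: y to infimum)."""
    sup, inf = lat.supremum(x, y), lat.infimum(x, y)
    return {"supremum": sup, "infimum": inf,
            "issue_path": lat.find_path(x, sup),
            "verify_path": lat.find_path(y, inf)}


if __name__ == "__main__":
    full = TrustLattice("abc", power_set("abc"))
    print(bound_domains_and_paths(full, frozenset("a"), frozenset("bc")))
    sparse = TrustLattice("abc", [set("a"), set("b"), set("abc")])
    print(sparse.find_path(frozenset("a"), frozenset("abc")))  # dropped: no adjacent upper bound
```

With every subset registered, the path from {a} to its supremum {a, b, c} is {a} → {a, b} → {a, b, c}, and the path from {b, c} down to the infimum ∅ is {b, c} → {b} → ∅, each hop being a single adjacent bound domain as claim 4 requires; the sparse registry shows that the forwarding rule alone does not guarantee delivery, which is why the page speaks of the message being "dropped".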
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN 201010622681 CN102055769B (en) | 2010-12-29 | 2010-12-29 | Multi- trust domain authentication system under lattice-based grid environment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN 201010622681 CN102055769B (en) | 2010-12-29 | 2010-12-29 | Multi- trust domain authentication system under lattice-based grid environment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN102055769A true CN102055769A (en) | 2011-05-11 |
CN102055769B CN102055769B (en) | 2013-04-03 |
Family
ID=43959695
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN 201010622681 Active CN102055769B (en) | 2010-12-29 | 2010-12-29 | Multi- trust domain authentication system under lattice-based grid environment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN102055769B (en) |
Cited By (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102833265A (en) * | 2012-09-13 | 2012-12-19 | 北京航空航天大学 | Network theory based signature scheme and secure linear network encoding method thereof |
CN104769909A (en) * | 2012-08-30 | 2015-07-08 | 艾诺威网络有限公司 | Internetwork authentication |
CN106161377A (en) * | 2015-04-13 | 2016-11-23 | 中国科学院软件研究所 | A kind of social networks access control method based on user characteristics |
CN106296530A (en) * | 2015-06-23 | 2017-01-04 | 伊姆西公司 | Trust for non-polymeric infrastructure covers |
US9762679B2 (en) | 2013-03-15 | 2017-09-12 | Aerohive Networks, Inc. | Providing stateless network services |
US9769056B2 (en) | 2013-03-15 | 2017-09-19 | Aerohive Networks, Inc. | Gateway using multicast to unicast conversion |
CN107257292A (en) * | 2017-05-26 | 2017-10-17 | 河南职业技术学院 | A kind of cross-domain distributed big data communication system design planning method |
US9992619B2 (en) | 2014-08-12 | 2018-06-05 | Aerohive Networks, Inc. | Network device based proximity beacon locating |
CN108848074A (en) * | 2018-05-31 | 2018-11-20 | 西安电子科技大学 | The information service entities cross-domain authentication method of trust value is acted on behalf of based on domain |
CN110661816A (en) * | 2019-10-22 | 2020-01-07 | 北京印刷学院 | Cross-domain authentication method based on block chain and electronic equipment |
WO2020113546A1 (en) * | 2018-12-07 | 2020-06-11 | 北京大学深圳研究生院 | Privacy protection and identity management method and system for multi-mode identifier network |
CN111431850A (en) * | 2020-02-18 | 2020-07-17 | 北京网聘咨询有限公司 | Cross-domain security authentication method in cloud computing |
CN113839865A (en) * | 2021-11-30 | 2021-12-24 | 北京鲸鲮信息系统技术有限公司 | Management method and system for cross-domain call service |
CN113852614A (en) * | 2021-09-15 | 2021-12-28 | 中国人民解放军陆军工程大学 | Communication authentication path establishing method and device |
2010
- 2010-12-29 CN CN 201010622681 patent/CN102055769B/en active Active
Non-Patent Citations (4)
Title |
---|
张秋余 et al.: "Lattice-based multi-trust-domain authentication mechanism and its adaptive algorithm", Journal on Communications (《通信学报》) * |
杨璐: "Research on a trust-domain-based trust model for grid structures", China Master's Theses Full-text Database, Information Science and Technology (《中国优秀硕士学位论文全文数据库信息科技辑》) * |
苗丰满: "Research on a lattice-theory-based cross-domain authentication system", China Master's Theses Full-text Database, Information Science and Technology (《中国优秀硕士学位论文全文数据库信息科技辑》) * |
陈颖 et al.: "A dynamic cross-domain access control policy for grid environments", Journal of Computer Research and Development (《计算机研究与发展》) * |
Cited By (32)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10243956B2 (en) | 2012-08-30 | 2019-03-26 | Aerohive Networks, Inc. | Internetwork authentication |
CN104769909A (en) * | 2012-08-30 | 2015-07-08 | 艾诺威网络有限公司 | Internetwork authentication |
US9979727B2 (en) | 2012-08-30 | 2018-05-22 | Aerohive Networks, Inc. | Internetwork authentication |
US10666653B2 (en) | 2012-08-30 | 2020-05-26 | Aerohive Networks, Inc. | Internetwork authentication |
US9762579B2 (en) | 2012-08-30 | 2017-09-12 | Aerohive Networks, Inc. | Internetwork authentication |
CN104769909B (en) * | 2012-08-30 | 2018-06-01 | 艾诺威网络有限公司 | Certification between net |
CN102833265B (en) * | 2012-09-13 | 2015-01-07 | 北京航空航天大学 | Network theory based signature scheme and secure linear network encoding method thereof |
CN102833265A (en) * | 2012-09-13 | 2012-12-19 | 北京航空航天大学 | Network theory based signature scheme and secure linear network encoding method thereof |
US10355977B2 (en) | 2013-03-15 | 2019-07-16 | Aerohive Networks, Inc. | Gateway using multicast to unicast conversion |
US9769056B2 (en) | 2013-03-15 | 2017-09-19 | Aerohive Networks, Inc. | Gateway using multicast to unicast conversion |
US11336560B2 (en) | 2013-03-15 | 2022-05-17 | Extreme Networks, Inc. | Gateway using multicast to unicast conversion |
US10230802B2 (en) | 2013-03-15 | 2019-03-12 | Aerohive Networks, Inc. | Providing stateless network services |
US9762679B2 (en) | 2013-03-15 | 2017-09-12 | Aerohive Networks, Inc. | Providing stateless network services |
US10694319B2 (en) | 2014-08-12 | 2020-06-23 | Extreme Networks, Inc. | Network device based proximity beacon locating |
US9992619B2 (en) | 2014-08-12 | 2018-06-05 | Aerohive Networks, Inc. | Network device based proximity beacon locating |
US10123168B2 (en) | 2014-08-12 | 2018-11-06 | Aerohive Networks, Inc. | Network device based proximity beacon locating |
CN106161377B (en) * | 2015-04-13 | 2019-03-29 | 中国科学院软件研究所 | A kind of social networks access control method based on user characteristics |
CN106161377A (en) * | 2015-04-13 | 2016-11-23 | 中国科学院软件研究所 | A kind of social networks access control method based on user characteristics |
CN106296530A (en) * | 2015-06-23 | 2017-01-04 | 伊姆西公司 | Trust for non-polymeric infrastructure covers |
CN106296530B (en) * | 2015-06-23 | 2021-01-15 | 伊姆西Ip控股有限责任公司 | Trust coverage for non-converged infrastructure |
CN107257292A (en) * | 2017-05-26 | 2017-10-17 | 河南职业技术学院 | A kind of cross-domain distributed big data communication system design planning method |
CN107257292B (en) * | 2017-05-26 | 2019-11-19 | 河南职业技术学院 | A kind of cross-domain distributed big data communication system design planning method |
CN108848074B (en) * | 2018-05-31 | 2020-06-16 | 西安电子科技大学 | Information service entity cross-domain authentication method based on domain agent trust value |
CN108848074A (en) * | 2018-05-31 | 2018-11-20 | 西安电子科技大学 | The information service entities cross-domain authentication method of trust value is acted on behalf of based on domain |
WO2020113546A1 (en) * | 2018-12-07 | 2020-06-11 | 北京大学深圳研究生院 | Privacy protection and identity management method and system for multi-mode identifier network |
CN110661816A (en) * | 2019-10-22 | 2020-01-07 | 北京印刷学院 | Cross-domain authentication method based on block chain and electronic equipment |
CN110661816B (en) * | 2019-10-22 | 2021-11-05 | 北京印刷学院 | Cross-domain authentication method based on block chain and electronic equipment |
CN111431850A (en) * | 2020-02-18 | 2020-07-17 | 北京网聘咨询有限公司 | Cross-domain security authentication method in cloud computing |
CN111431850B (en) * | 2020-02-18 | 2022-04-19 | 北京网聘咨询有限公司 | Cross-domain security authentication method in cloud computing |
CN113852614A (en) * | 2021-09-15 | 2021-12-28 | 中国人民解放军陆军工程大学 | Communication authentication path establishing method and device |
CN113852614B (en) * | 2021-09-15 | 2023-10-24 | 中国人民解放军陆军工程大学 | Communication authentication path establishment method and device |
CN113839865A (en) * | 2021-11-30 | 2021-12-24 | 北京鲸鲮信息系统技术有限公司 | Management method and system for cross-domain call service |
Also Published As
Publication number | Publication date |
---|---|
CN102055769B (en) | 2013-04-03 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN102055769B (en) | Multi- trust domain authentication system under lattice-based grid environment | |
Cui et al. | Extensible conditional privacy protection authentication scheme for secure vehicular networks in a multi-cloud environment | |
Fernández-Caramés et al. | A Review on the Use of Blockchain for the Internet of Things | |
Fang et al. | Digital signature scheme for information non-repudiation in blockchain: a state of the art review | |
Kaur et al. | Blockchain-based cyber-physical security for electrical vehicle aided smart grid ecosystem | |
CN110086821A (en) | The authentication method of electric power things-internet gateway and the access of electric power internet-of-things terminal based on block chain | |
CN101714996B (en) | Authentication system and method based on peer-to-peer computing network | |
Zou et al. | Reportcoin: A novel blockchain-based incentive anonymous reporting system | |
CN112418860A (en) | Block chain efficient management framework based on cross-chain technology and working method | |
Luecking et al. | Decentralized identity and trust management framework for Internet of Things | |
CN108667616A (en) | Across cloud security Verification System based on mark and method | |
Shehab et al. | Secure collaboration in mediator-free environments | |
Sun et al. | Dt-dpos: A delegated proof of stake consensus algorithm with dynamic trust | |
Lin et al. | Insecurity of an anonymous authentication for privacy-preserving IoT target-driven applications | |
Chen et al. | Blockchain-based key management scheme in fog-enabled IoT systems | |
He et al. | A novel cryptocurrency wallet management scheme based on decentralized multi-constrained derangement | |
Rana et al. | Efficient design of an authenticated key agreement protocol for dew-assisted IoT systems | |
Maldonado-Ruiz et al. | An innovative and decentralized identity framework based on blockchain technology | |
Zhao et al. | A novel decentralized cross‐domain identity authentication protocol based on blockchain | |
Liu et al. | Cross-heterogeneous domain authentication scheme based on blockchain | |
Ogundoyin et al. | Secure and privacy-preserving D2D communication in fog computing services | |
Hietalahti | A clustering-based group key agreement protocol for ad-hoc networks | |
Joy et al. | Smart card authentication model based on elliptic curve cryptography in IoT networks | |
Qiliang et al. | Attribute‐based worker selection scheme by using blockchain in decentralized crowdsourcing scenario | |
Xie et al. | Cross-Chain-Based Trustworthy Node Identity Governance in Internet of Things |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant |