Abstract
As the de facto industry standard for open-source cloud platforms, openstack relies for identity authentication on the single-factor username/password scheme provided by its keystone component, which is unsuitable for application scenarios with high security requirements. This paper therefore designs a digital-certificate-based identity authentication protocol, consisting of a cloud user identification protocol and a cloud user authentication protocol, to meet the security needs of such scenarios. By extending the keystone component, a digital-certificate-based identity authentication system was implemented that combines a cryptographic authentication server, UKey tokens, encryption and comprehensive key management. Analysis shows that the system can effectively resist a range of network attacks and improves the security of cloud users when they log in to the cloud platform.
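The abstract names the two stages of the protocol (identification, then authentication) and its building blocks (a certificate-checking authentication server, a UKey holding the user's private key, a CA-issued user certificate) but not the message flow, which is in the paper body. The Go program below is an added example, not the paper's code and not openstack or keystone code, and it assumes a generic challenge-response design: the server issues a nonce, the user signs it with the key on the token, and the server chains the presented certificate to its trusted CA, checks that the certificate names the claimed user, and verifies the signature. The "Cloud CA", the user "alice", the "Rogue CA" and every key are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// must unwraps a (value, error) pair, aborting the demo on setup failures.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// AuthServer is a hypothetical stand-in for the certificate-checking authentication server in front of keystone; not the paper's code.
type AuthServer struct {
	roots  *x509.CertPool    // CA(s) whose user certificates are accepted
	nonces map[string][]byte // username -> outstanding single-use challenge
}
// Challenge (identification step): the user names itself and gets a fresh random nonce to sign.
func (s *AuthServer) Challenge(user string) []byte {
	nonce := make([]byte, 32)
	must(rand.Read(nonce))
	s.nonces[user] = nonce
	return nonce
}
// challengeDigest binds the nonce to the claimed username, so a signature cannot be reused under another identity.
func challengeDigest(user string, nonce []byte) []byte {
	sum := sha256.Sum256(append([]byte(user+"\x00"), nonce...))
	return sum[:]
}
// Verify (authentication step): chain the certificate to a trusted CA, check that it names the claimed user, then check the signature over the outstanding nonce.
func (s *AuthServer) Verify(user string, certDER, sig []byte) error {
	nonce, ok := s.nonces[user]
	if !ok {
		return errors.New("no outstanding challenge for user")
	}
	delete(s.nonces, user) // consume it: replaying the same signature fails here
	cert, err := x509.ParseCertificate(certDER)
	if err == nil {
		_, err = cert.Verify(x509.VerifyOptions{Roots: s.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	}
	if err != nil {
		return fmt.Errorf("certificate rejected: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if cert.Subject.CommonName != user || !ok || !ecdsa.VerifyASN1(pub, challengeDigest(user, nonce), sig) {
		return errors.New("certificate not issued to claimed user, or bad signature over challenge")
	}
	return nil
}
// signChallenge is the client side; in the paper's design the private key never leaves the UKey.
func signChallenge(key *ecdsa.PrivateKey, user string, nonce []byte) []byte {
	return must(ecdsa.SignASN1(rand.Reader, key, challengeDigest(user, nonce)))
}
// mustCert issues a constructed demo certificate for cn (a self-signed CA when parent is nil).
func mustCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil { // CA: may sign certificates
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // user: may only authenticate as a client
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}
// RunScenario builds a constructed CA and user "alice", runs one genuine login and three attempts the server must reject, and returns each decision (nil = accepted).
func RunScenario() map[string]error {
	ca, caKey := mustCert("Cloud CA", nil, nil, 1)
	alice, aliceKey := mustCert("alice", ca, caKey, 2)
	rogueCA, rogueKey := mustCert("Rogue CA", nil, nil, 3) // not in the server's trust store
	fakeAlice, fakeKey := mustCert("alice", rogueCA, rogueKey, 4)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	srv := &AuthServer{roots: roots, nonces: map[string][]byte{}}
	out := map[string]error{}
	nonce := srv.Challenge("alice")
	sig := signChallenge(aliceKey, "alice", nonce)
	out["genuine"] = srv.Verify("alice", alice.Raw, sig)
	out["replay"] = srv.Verify("alice", alice.Raw, sig) // same signature again: nonce already consumed
	nonce = srv.Challenge("alice")
	out["untrusted-ca"] = srv.Verify("alice", fakeAlice.Raw, signChallenge(fakeKey, "alice", nonce))
	nonce = srv.Challenge("bob")
	out["wrong-user"] = srv.Verify("bob", alice.Raw, signChallenge(aliceKey, "bob", nonce))
	return out
}
func main() { fmt.Printf("%v\n", RunScenario()) }
```

Run with `go run`: the `genuine` entry is `<nil>`, while the replayed signature, the certificate issued by the CA the server does not trust, and the valid certificate presented under a different username each carry an error. The single-use nonce and the username folded into the signed digest are what defeat the replay and identity-substitution cases; a deployment would additionally check revocation and bind the resulting keystone token to the authenticated session, which this example does not model.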