摘要
为了解决后台分布式微服务-前端反向代理网络架构中统一细粒度访问控制和数据安全通信的问题,提出了可撤销属性的认证方策略属性基签名,基于Type-3配对的属性基签名及其互认证密钥协商方案。在所提方案签名算法中,无须关联访问策略,生成的签名只和用户部分属性有关,访问策略在验证算法中输入,来校验与签名相关联的用户属性是否真实合法并满足访问策略,所以签名与访问策略实现了解耦,使得一个签名可复用于多个访问策略的认证过程。另外,提出了属性哈希过滤算法,并基于该算法实现了属性的立即撤销机制,使得签名者不能用过期无效的属性继续用于策略认证。并在选择策略模型下严格地验证了所提属性基签名方案的存在不可伪造性。进一步地,为了实现数据的安全通信,提出了与所提属性基签名方案配套的满足扩展Canetti-Krawczyk安全模型的认证密钥协商方案。最后,通过理论和实验对比分析得知,在安全级别为128 bit高级加密标准的要求下,所提方案中的微服务器端的认证算法比其他属性认证算法消耗更少的时间,因此所提方案更加适用于复合微服务请求的场景。
In the pursuit of establishing a unified model for fine-grained access control and secure data communication within a distributed microservices architecture,a verifier-policy attributed-based signature(VP-ABS)scheme,augmented with attribute revocation and an authenticated key agreement protocol,was proposed.This scheme was underpinned by Type-3 pairing.In this scheme,signatures generated by signers were linked solely to a subset of the signer's attributes and were disassociated from the access policy.This decoupling allowed for the reusability of the signer's signature across multiple access policies.Additionally,an attribute-Hash filter algorithm was introduced to facilitate a direct attribute revocation mechanism within the proposed VP-ABS scheme.This mechanism was designed to prevent users from authenticating with expired attributes.To further secure data communication,a mutually authenticated key agreement protocol was also proposed.This protocol was secure within the framework of the extended Canetti-Krawczyk(eCK)model and was built upon the foundation of the VP-ABS scheme.A rigorous unforgeability proof for the VP-ABS scheme was provided.Ultimately,theoretical comparisons and simulation experiments conducted at a 128-bit advanced encryption standard(AES)security level demonstrated that the proposed attribute-based authentication and secure communication scheme outperforms other contemporary schemes in terms of efficiency.
作者
张智烁
杨会喜
黄文
廖永建
周世杰
ZHANG Zhishuo;YANG Huixi;HUANG Wen;LIAO Yongjian;ZHOU Shijie(School of Information and Software Engineering,University of Electronic Science and Technology,Chengdu 610057,China;Department of Mechanical and Electrical Engineering,Cangzhou Vocational and Technical College,Cangzhou 061001,China;School of Computer Science,Sichuan University,Chengdu 610065,China)
出处
《网络与信息安全学报》
2024年第2期81-94,共14页
Chinese Journal of Network and Information Security
基金
中央高校国产移动终端操作系统高安全性关键技术研究及方案设计(No.ZYGX2020ZB019)。
关键词
细粒度访问控制
属性哈希过滤
属性撤销
解耦式属性基签名
互认证密钥协商
不可伪造性
fine-grained access control
attributed Hash filter
attributed direct revocation
policy-decoupled attribute-based signature
mutually authenticated key agreement protocol
existentially unforgeable
