2019/12/1 An Improved CPK Identity Authentication Scheme Based on Cloud Environment Author: Yanyan Song, Jun Qin Publisher: 2017 Asia-Pacific Engineering and Technology Conference (APETC 2017) Presenter: 柯懷貿 Date: 2019/05/15 Department of Computer Science and Information Engineering National Cheng Kung University, Taiwan R.O.C. 1 CSIE CIAL Lab
Introduction With the rapid development of network technology, terminals of cloud computing are widely distributed. As a result, services provided by cloud computing will be attacked by hackers and other uncertain factors easily. In order to provide corresponding services, cloud service providers must establish a perfect identity authentication mechanism. Making a contrastive analysis on different authentication modes, domestic scholars reach a consensus that CPK authentication mode possesses advantages other authentication modes do not have. 在多維幾何空間中,我們可以用矩形表示規則。 這意味著規則的每個字段代表不同維度的覆蓋區域。 良好的數據包分類算法必須同時具有更快的速度和更少的存儲要求。 National Cheng Kung University CSIE Computer & Internet Architecture Lab
Identity-Based Authentication Public Key Infrastructure (PKI) needs trusted third-party CA to store public key, and it may take a lot of time to fine out specific user’s certificate when sending message. Identity-based authentication does not need CA because public key is generated by user’s unique ID. Therefore, everyone can generate other’s public key through his own ID instead of requirement for CA, even it is offline. In CPK, keys are generated by hashing unique ID and mapping to Public Seed Matrix and Secret Seed Matrix. The former one is open and the latter is hold by Key Management Center (KMC). 在多維幾何空間中,我們可以用矩形表示規則。 這意味著規則的每個字段代表不同維度的覆蓋區域。 良好的數據包分類算法必須同時具有更快的速度和更少的存儲要求。 National Cheng Kung University CSIE Computer & Internet Architecture Lab
CPK Combined Public Key (CPK) identity authentication algorithm was proposed by the Chinese scholar Nan, Xiang-Hao in 1999. CPK is to produce a huge number of public and private key pairs through “combination” for small-scale matrix, to realize the purpose of large-scale key management and to reduce the computation and communication overhead greatly. The fundamental theory of CPK key combination is key compound theorem of elliptic curve cryptography (ECC). 在多維幾何空間中,我們可以用矩形表示規則。 這意味著規則的每個字段代表不同維度的覆蓋區域。 良好的數據包分類算法必須同時具有更快的速度和更少的存儲要求。 National Cheng Kung University CSIE Computer & Internet Architecture Lab
Key Combination with ECC Multiple pairs of public keys and private keys are selected from the public and private key matrix, and new pairs of public keys and private keys can be gained through point add operation for these public keys and private keys. As above, Ri and ri (i=1~m) will form a new public key R and a new private key r. 在多維幾何空間中,我們可以用矩形表示規則。 這意味著規則的每個字段代表不同維度的覆蓋區域。 良好的數據包分類算法必須同時具有更快的速度和更少的存儲要求。 National Cheng Kung University CSIE Computer & Internet Architecture Lab
Key Matrix We construct two matrix including Public Seed Key Matrix (PSK) and Secret Seed Key Matrix (SSK) . Assume key matrix is m*h, so PSK and SSK are expressed as : Relation between PSK and SSK is : There are m possibilities when an element is taken out from one column. Therefore, a m*h matrix can generate m^h pairs of public keys and private keys. 在多維幾何空間中,我們可以用矩形表示規則。 這意味著規則的每個字段代表不同維度的覆蓋區域。 良好的數據包分類算法必須同時具有更快的速度和更少的存儲要求。 National Cheng Kung University CSIE Computer & Internet Architecture Lab
Role Based Access Control The purpose of access control is to prevent unauthorized access and unauthorized operation for information resources and to maintain data integrity and confidentiality. When roles are set in the RBAC model, different requirements of different users for the service should be considered, and the user roles should be set according to their tasks in the system. The same user can switch between different roles, and the system can also add, modify and delete role groups. 在多維幾何空間中,我們可以用矩形表示規則。 這意味著規則的每個字段代表不同維度的覆蓋區域。 良好的數據包分類算法必須同時具有更快的速度和更少的存儲要求。 National Cheng Kung University CSIE Computer & Internet Architecture Lab
Purposed Access Control Model The access control model based on cloud environment is composed of five functional modules, as following picture. The access control scheme has integrated RBAC model with CPK authentication method, which has restrained user privilege to access recourses under cloud computing environment more meticulously. 在多維幾何空間中,我們可以用矩形表示規則。 這意味著規則的每個字段代表不同維度的覆蓋區域。 良好的數據包分類算法必須同時具有更快的速度和更少的存儲要求。 National Cheng Kung University CSIE Computer & Internet Architecture Lab
Integration of CPK and Access Control Model It is feasible to transfer CPK identity authentication scheme into cloud computing environment, and Cloud CPK (CCPK) will be given. The role based access control mode is adopted in cloud computing. Keys of corresponding levels will be assigned to users according to the user roles indicated by user identification, making it possible for users to access the cloud computing resources within their privilege. 在多維幾何空間中,我們可以用矩形表示規則。 這意味著規則的每個字段代表不同維度的覆蓋區域。 良好的數據包分類算法必須同時具有更快的速度和更少的存儲要求。 National Cheng Kung University CSIE Computer & Internet Architecture Lab
Ring Signature Algorithm Ring signature is a simplified group signature. Every user in the ring is at the same level and every user can sign on behalf of the whole group. The verifier is concerned about the group that signs rather than the specific user in the group that signs. 在多維幾何空間中,我們可以用矩形表示規則。 這意味著規則的每個字段代表不同維度的覆蓋區域。 良好的數據包分類算法必須同時具有更快的速度和更少的存儲要求。 National Cheng Kung University CSIE Computer & Internet Architecture Lab
Experimental Environment and Process Java language is adopted as the programming language of simulation program, and CloudSim cloud simulation open source library is introduced. Hardware configurations of the computer used in the simulation experiment are as follows: Intel Core i5-3850 is adopted as CPU; the internal storage is 8GB; the capacity of hard disk is 500GB; the operating system is Windows 7 ultimate edition 64Bit Service Pack 1; Eclipse is applied as the development software; the experimental simulation can be started by importing the CloudSim pack into the Eclipse item. 在多維幾何空間中,我們可以用矩形表示規則。 這意味著規則的每個字段代表不同維度的覆蓋區域。 良好的數據包分類算法必須同時具有更快的速度和更少的存儲要求。 National Cheng Kung University CSIE Computer & Internet Architecture Lab
Experimental Environment and Process At first, user A is set as sending end and user B is treated as receiving end. The mode of bidirectional authentication is adopted, and the identity authentication process under cloud computing is almost completed. CCPK has an obvious advantage in centralized production and distribution of keys. Meanwhile, ring signature and role based access control model are introduced to enhance the safety performance of cloud computing. The CCPK identity authentication scheme has not only saved service cost but also improved authentication efficiency. 在多維幾何空間中,我們可以用矩形表示規則。 這意味著規則的每個字段代表不同維度的覆蓋區域。 良好的數據包分類算法必須同時具有更快的速度和更少的存儲要求。 National Cheng Kung University CSIE Computer & Internet Architecture Lab