OpenStack身份认证安全性分析与改进

Open Stack是一个开源的云平台管理项目,旨在提供可靠的云部署方案和良好的可扩展性,但在重复失败登录、密码强度、密钥和数字证书管理等方面存在安全性问题。本文采用USB Key存储用户的密钥及数字证书,保证了双因子认证。采用基于角色的访问控制进行业务鉴权,同时设置反向认证令牌,实现用户和业务系统间的双向认证。利用PKI在Keystone进行密钥和数字证书颁发以及对数字证书的验证,增强认证的安全性。实现了Open Stack身份认证安全性的改进。方案已在校园网云存储平台上应用,为Open Stack安全性改进提供了参考。

Security Analysis and Improvement of OpenStack Identity Authentication

OpenStack is an open source cloud platform management program,designed to provide reliable cloud deploy-ment and good scalability, but there are some security problems about repeat failed login, password strength, key and digital certificate management and so on. The paper uses the USB Key to store the user's key and digital certificate, which can guarantee the double factor authentication. The business authentication is based on the role of access control, while the reverse authentication token is set up to realize two-way authentication between users and business systems. Use the PKI in the Keystone to be responsible for the key and certificates and verification of digital certificates,which enhances the security of authentication. The improvement of the security of OpenStack identity authentication is realized. Finally, the security of the improved scheme is analyzed. The scheme has been applied to the campus network cloud storage platform,and it provides a reference for the improvement of OpenStack security.