一种新的信息服务实体跨域认证模型

为解决基于身份的信息服务多信任域认证系统不能实现身份即时撤销的问题,提出了一种可撤销的身份签名方案。在SM9(国产标识密码)签名算法的基础上,引进一个安全仲裁来保管实体的部分私钥,通过终止安全仲裁给实体发送签名信令来撤销实体的签名能力,从而实现 身份 的即时撤销。在该方案的基础上,利用基于证书的公钥基础设施(PKI)与基于身份的密码体制(IBC)的组合应用优点,提出了一种新的信息服务实体跨域认证模型。该模型不仅具有灵活高效的认证特点,而且适合构建大规模信息服务实体的应用环境。同时,设计了一种跨域认证协议,实现了跨信任域的双向实体认证和密钥协商。分析结果表明,该协议具有较高的安全性及较少的通信量和计算量。

New Cross-domain Authentication Model for Information Services Entity

To solve the problem that the identity of information services entity(ISE) cannot be revoked immediately in the cross-domain authentication system,a revocable identity-based signature scheme was proposed.Based on the SM9 signature algorithm,a security mediator(SEM) was introduced to keep a part of the private key of the ISE.By terminating the SEM to send the token to ISE to revoke its signature capability,the identity of ISE can be revoked immediately.Based on this scheme,a new cross-domain authentication model for ISE was proposed by taking the combining advantages of certificate-based public key infrastructure(PKI) and identity-based cryptography(IBC).The proposed model is not only flexible and efficient,but also suitable for constructing large-scale application environment of ISE.Meanwhile,a cross-domain authentication protocol was designed to realize the mutual authentication with key agreement between cross-domain entities.Analysis shows that the proposed protocol has high security and low communication and computation cost.