信息网络安全 ›› 2024, Vol. 24 ›› Issue (5): 709-718.doi: 10.3969/j.issn.1671-1122.2024.05.005

• 理论研究 • 上一篇    下一篇

基于Merkle树和哈希链的层次化轻量认证方案

沈卓炜1,2, 汪仁博1,2, 孙贤军3()   

  1. 1.东南大学网络空间安全学院,南京 211189
    2.东南大学计算机网络和信息集成教育部重点实验室,南京 211189
    3.公安部第三研究所安全防范技术处,上海 200031
  • 收稿日期:2024-03-06 出版日期:2024-05-10 发布日期:2024-06-24
  • 通讯作者: 孙贤军 E-mail:sxj_sun8110@163.com
  • 作者简介:沈卓炜(1974—),男,江苏,副教授,博士,CCF会员,主要研究方向为分布式系统与网络安全|汪仁博(1996—),男,湖北,硕士研究生,主要研究方向为分布式系统与网络安全|孙贤军(1981—),男,安徽,助理研究员,硕士,主要研究方向为信息系统网络安全防护
  • 基金资助:
    国家重点研发计划(2022YFB3104602)

A Hierarchical Lightweight Authentication Scheme Based on Merkle Tree and Hash Chain

SHEN Zhuowei1,2, WANG Renbo1,2, SUN Xianjun3()   

  1. 1. School of Cyber Science and Engineering, Southeast University, Nanjing 211189, China
    2. Key Laboratory of Computer Network and Information Integration of Ministry of Education, Southeast University, Nanjing 211189, China
    3. Security and Preventive Technology Division, The Third Research Institute of Ministry of Public Security, Shanghai 200031, China
  • Received:2024-03-06 Online:2024-05-10 Published:2024-06-24
  • Contact: SUN Xianjun E-mail:sxj_sun8110@163.com

摘要:

分布式系统如云计算、物联网等在各关键领域被广泛应用,其安全性越来越重要。由于部署环境复杂,具有分散、异构、动态等特性,分布式系统的信息安全保障面临着严峻的挑战,传统的身份认证方案通常计算开销大、证书管理复杂、成员动态更新不及时,不能很好地满足大型分布式系统需求。文章针对大量客户端与应用服务器交互的典型应用场景提出了一种基于Merkle树和哈希链的层次化轻量认证方案。方案将客户端划分为若干邻域,每个邻域内设置一个认证代理节点以管理邻域内的客户端并向应用服务器上报认证信息,方案结合Merkle树和哈希链技术实现对客户端的身份认证和一次一密的通信加密及消息认证,使用哈希和异或的高效运算方式实现较低的计算开销。安全性分析和性能分析表明,方案具有全面的安全性和更好的性能。

关键词: Merkle树, 哈希链, 一次性密码, 身份认证

Abstract:

Distributed systems such as cloud computing and the Internet of Things are widely used in various critical application domains, and their security issues are receiving increasing attention. Due to the complex deployment environment, the characteristics such as decentralization, heterogeneity, and dynamics, the security guarantee of distributed systems faces severe challenges. Traditional authentication schemes usually have the limitations of high computational cost, complex certificate management, and untimely member dynamic updates, which cannot meet the requirements of large-scale distributed systems. In this paper, aiming at the typical application scenarios where a large number of clients interact with application servers, a hierarchical lightweight authentication scheme based on Merkle tree and hash chain was proposed. In this scheme, there were several neighborhoods in the system, each client belongs to a neighborhood, and an authentication proxy node was set in each neighborhood to manage the clients in the neighborhood and report authentication information to the application server. The scheme adopted both Merkle tree and hash chain to realize identity authentication for the client, one-time pad encryption, and message authentication, and used efficient operations of hash and XOR to achieve lower computational costs. Security analysis and performance analysis show that the scheme has comprehensive security and better performance.

Key words: Merkle tree, hash chain, one-time pad, authentication

中图分类号: