Zero Trust Anonymous Access Scheme Based on Software-defined Perimeters
Software-defined perimeters, as a highly scalable and secure zero-trust security architecture, have gained widespread adoption. Conventional software-defined perimeter (SDP) architectures employ a single packet authorization (SPA) mechanism to achieve resource hiding and visitor identity validation. However, existing solutions often store and distribute SDP keys in a centralized manner and lack robust protection for visitor privacy. In response to these challenges, a zero-trust anonymous access scheme within the software-defined perimeter architecture is proposed. This scheme uses a three-party key agreement for SDP key distribution and employs generalized designated verifier signatures for anonymous visitor identity authentication. Moreover, it demonstrates resilience against network attacks such as SPA key theft, port knocking amplification attacks, and identity spoofing, thus exhibiting enhanced security compared to existing software-defined perimeter schemes. Experimental findings reveal a reduction of 33% in communication overhead and a 20% decrease in average authentication latency within multi-node network environments.