Computer Science (计算机科学) ›› 2026, Vol. 53 ›› Issue (1): 363-370. doi: 10.11896/jsjkx.250100080

• Information Security •

Software-defined Perimeter Anonymous Authentication Scheme Based on Verifiable Credentials

SI Xuege, JIA Hongyong, LI Weixian, ZENG Junjie, MEN Ruirui

  1. College of Cyber Science and Engineering, Zhengzhou University, Zhengzhou 450002, China
  • Received: 2025-01-13 Revised: 2025-05-10 Published: 2026-01-08
  • Corresponding author: JIA Hongyong (jiahy_pla@126.com)
  • About author: (s_xuege@gs.zzu.edu.cn)
  • Supported by:
    Key Research and Development Projects of Henan Province (231111211900); Major Science and Technology Projects of Henan Province (221100210900)

Software-defined Perimeter Anonymous Authentication Scheme Based on Verifiable Credentials

SI Xuege, JIA Hongyong, LI Weixian, ZENG Junjie, MEN Ruirui

  1. College of Cyber Science and Engineering, Zhengzhou University, Zhengzhou 450002, China
  • Received: 2025-01-13 Revised: 2025-05-10 Online: 2026-01-08
  • About author: SI Xuege, born in 1999, postgraduate. Her main research interests include cryptography and zero trust security.
    JIA Hongyong, born in 1975, Ph.D, lecturer. His main research interests include cloud computing security and zero trust security of IoT systems.
  • Supported by:
    Key Research and Development Projects of Henan Province (231111211900) and the Major Science and Technology Projects of Henan Province (221100210900).

Abstract: The standard software-defined perimeter (SDP) architecture adopts authentication and authorization policies based on the visitor's identity, and monitors and audits access behaviour in real time. However, the visitor must fully disclose identity information to obtain access rights, which may leak sensitive data unrelated to the requested service and thus create privacy risks. To address the problems of the current SDP architecture, namely that user privacy information is difficult to protect effectively and that access records are easily subjected to malicious linkage, an anonymous authentication scheme based on verifiable credentials suited to the SDP architecture is proposed. A verification algorithm for verifiable credentials is constructed on the basis of bilinear maps and CL signatures, and the verifiable credential system is integrated with the standard SDP architecture, achieving anonymous user access without changing the original authentication model based on single-packet authorization and TLS secure connections. Theoretical analysis shows that the scheme can resist common network attacks such as knock amplification attacks and identity impersonation attacks. Experimental results show that the scheme incurs lower latency when performing identity authentication in a multi-node network environment.

Keywords: Software-defined perimeter, Verifiable credentials, Anonymous authentication, CL signature, Privacy protection

Abstract: The standard SDP architecture employs identity-based authentication and authorization strategies to monitor and audit access activities in real time. However, users must fully disclose their identity information to obtain access, potentially exposing sensitive data unrelated to the requested service and introducing privacy risks. To address challenges such as ineffective user privacy protection and vulnerability of access records to malicious linkage in the current SDP architecture, this paper proposes an anonymous authentication scheme based on verifiable credentials (VCs) for SDP. The scheme constructs a VC verification algorithm using bilinear pairing and CL signatures, integrating the VC system with the standard SDP architecture to enable anonymous user access without altering the original single-packet authorization and TLS secure connection authentication model. Theoretical analysis demonstrates that the proposed scheme resists common network attacks, including knock amplification and identity impersonation. Experimental results show that it achieves shorter authentication latency in multi-node network environments.

Key words: Software defined perimeter, Verifiable credentials, Anonymous authentication, CL-signature, Privacy preservation

CLC number:

  • TP309