Computer Science, 2024, Vol. 51, Issue 12: 293-302. doi: 10.11896/jsjkx.231000176

• Information Security •

Zero Trust Anonymous Access Scheme Based on Software-defined Perimeters

LI Weixian 1, ZHANG Jianhui 2, ZENG Junjie 1, JIA Hongyong 1, MEN Ruirui 1

  1 School of Cyber Science and Engineering, Zhengzhou University, Zhengzhou 450000, China
  2 Songshan Laboratory, Zhengzhou 450000, China
  • Received: 2023-10-25  Revised: 2024-03-25  Online: 2024-12-15  Published: 2024-12-10
  • About author: LI Weixian, born in 1999, postgraduate. His main research interests include zero-trust networks and privacy protection.
    ZENG Junjie, born in 1977, master, lecturer. His main research interests include cryptography and zero-trust networks.
  • Supported by: Science and Technology Major Project of Henan Province (221100210900-01) and 2021 China University Industry-Academic-Research Innovation Fund (2021ITA11021).

Abstract: Software-defined perimeters, as a highly scalable and secure zero-trust security architecture, have gained widespread adoption. Conventional software-defined perimeter (SDP) architectures employ a single packet authorization (SPA) mechanism to achieve resource hiding and visitor identity validation. However, existing solutions often store and distribute SDP keys in a centralized manner and lack robust protection for visitor privacy. In response to these challenges, a zero-trust anonymous access scheme within the software-defined perimeter architecture is proposed. The scheme uses a three-party key agreement for SDP key distribution and employs generalized designated verifier signatures for anonymous visitor identity authentication. Moreover, it is shown to resist network attacks such as SPA key theft, port knocking amplification attacks, and identity spoofing, and thus offers stronger security than existing software-defined perimeter schemes. Experimental results show a 33% reduction in communication overhead and a 20% decrease in average authentication latency in multi-node network environments.
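The abstract contrasts its scheme with the conventional SPA mechanism that SDP gateways use to hide resources: a gateway drops every packet by default and opens a port only after a single authenticated packet arrives. The following is an added illustration of that conventional mechanism, not code from the paper or from any SDP implementation. It assumes a packet layout of client id, timestamp, nonce, requested port and an HMAC-SHA256 tag over the preceding fields, a per-client key the gateway already holds (the centralized key distribution the abstract criticizes), and a constructed demo key; the verifier rejects forged, stale and replayed packets with the same silent outcome so that a scanner cannot distinguish the cases.

```python
import hashlib
import hmac
import os
import struct
import time

WINDOW_SECONDS = 30  # freshness window; tune to expected clock skew


def build_spa_packet(key, client_id, port, now=None, nonce=None):
    """Build an SPA packet: len | client_id | timestamp | port | nonce | HMAC-SHA256.

    Assumed layout for this example; real SPA tools define their own format.
    """
    ts = int(time.time()) if now is None else now
    nonce = os.urandom(16) if nonce is None else nonce
    cid = client_id.encode()
    body = struct.pack(">B", len(cid)) + cid + struct.pack(">QH", ts, port) + nonce
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class SpaVerifier:
    """Gateway-side check for the conventional SPA mechanism (illustrative)."""

    def __init__(self, keys, window=WINDOW_SECONDS):
        self.keys = keys          # client_id -> shared key, held by the gateway
        self.window = window
        self.seen = {}            # nonce -> timestamp, replay cache

    def verify(self, packet, now=None):
        """Return (client_id, port) for an authentic, fresh packet, else None.

        Every failure path returns None without any response, so the gateway
        stays dark to anyone who does not hold a valid key.
        """
        now = int(time.time()) if now is None else now
        try:
            n = packet[0]
            cid = packet[1:1 + n].decode()
            ts, port = struct.unpack(">QH", packet[1 + n:1 + n + 10])
            nonce = packet[1 + n + 10:1 + n + 26]
            tag = packet[1 + n + 26:]
        except (IndexError, struct.error, UnicodeDecodeError):
            return None
        key = self.keys.get(cid)
        if key is None or len(tag) != 32 or len(nonce) != 16:
            return None
        body = packet[:1 + n + 26]
        expected = hmac.new(key, body, hashlib.sha256).digest()
        # constant-time compare so tag checking leaks no timing information
        if not hmac.compare_digest(expected, tag):
            return None
        # freshness: reject packets outside the window (stale or far-future)
        if abs(now - ts) > self.window:
            return None
        # drop expired cache entries, then reject any nonce seen within the window
        self.seen = {k: v for k, v in self.seen.items() if abs(now - v) <= self.window}
        if nonce in self.seen:
            return None
        self.seen[nonce] = ts
        return cid, port


if __name__ == "__main__":
    # constructed demo key and client; a real deployment provisions these per client
    demo_key = bytes(range(32))
    gateway = SpaVerifier({"alice": demo_key})
    pkt = build_spa_packet(demo_key, "alice", 443)
    print("first packet:", gateway.verify(pkt))    # ('alice', 443)
    print("replayed packet:", gateway.verify(pkt)) # None
```

The replay cache and timestamp window are what keep a captured packet from being reused; the abstract's point is that the shared key itself, stored centrally at the controller, remains a single point of compromise, which is the gap its three-party key agreement targets.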

Key words: Zero trust, Software-defined perimeter, Single packet authorization, Three-party key agreement, Universal designated verifier signature, Anonymous access

CLC Number: TP309