Research on OpenStack Keystone Authentication Mechanism

Cited by: 3


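Author: YIN Yu-heng (North China Institute of Computing Technology, Beijing 100089, China)

Affiliation: [1] North China Institute of Computing Technology, Beijing 100089

Source: Computer Technology and Development (《计算机技术与发展》), 2021, No. 2, pp. 122-126 (5 pages)

Funding: National Key R&D Program of China, key special project "Public Security Risk Prevention and Control and Emergency Technical Equipment" (judicial special task) (2018YFC0831200).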

Abstract: As cloud computing is widely adopted in politics, the economy, scientific research and other fields, the security requirements placed on cloud computing platforms keep rising. OpenStack is a large open-source cloud computing platform that is widely used to build private and public clouds. Its identity authentication is provided by the Keystone component on the basis of a user name and password, and these are transmitted in plaintext, which leaves them exposed to man-in-the-middle attacks and information theft, so the mechanism is unsuitable for scenarios with high security requirements. To improve the security of Keystone authentication, the paper analyzes Keystone's two authentication mechanisms in detail and identifies their security problems, including plaintext transmission and susceptibility to replay attacks. To address these problems, it proposes a scheme for improving the Keystone authentication mechanism. The scheme encrypts the transmitted data with asymmetric encryption and adds a timestamp verification mechanism, which effectively reduces the risk of the data being eavesdropped on or tampered with in transit. A comparative experiment based on Wireshark packet captures demonstrates the effectiveness of the scheme. The analysis concludes that the scheme reduces the risk of Keystone transmitting data in plaintext and strengthens the security of Keystone data transmission.

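Keywords: cloud computing; Keystone; security issues; authentication mechanism; encrypted transmission

Classification number: TP309 [Automation and Computer Technology - Computer System Architecture]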

 
