National Digital Library of Theses and Dissertations in Taiwan
Detailed record
Author (Chinese): 張德泰
Author (English): Truong, Duc Tai
Title (Chinese): 雲端和行動通訊系統聯盟的透明第三方認證
Title (English): Transparent Third-party Authentication for Federated Cloud and Mobile Communication Systems
Advisor (Chinese): 林盈達
Advisor (English): Lin, Ying-Dar
Committee members (Chinese): 賴源正, 楊人順, 李奇育
Committee members (English): Lai, Yuan-Chen; Yang, Jen-Shun; Li, Chi-Yu
Oral defense date: 2019-12-31
Degree: Master's
Institution: National Chiao Tung University (國立交通大學)
Department: EECS International Graduate Program (電機資訊國際學程)
Discipline: Engineering
Field: Electrical and Information Engineering
Thesis type: Academic thesis
Publication year: 2020
Graduation academic year: 108 (ROC calendar)
Language: English
Pages: 44
Keywords: cloud computing, edge computing, 3GPP systems, federation, OpenID Connect, EPS-AKA, third-party authentication, proxy
Abstract (translated from Chinese):
The cloud and edge computing paradigms provide storage and cloud services to traditional and Internet of Things devices. In recent years the number of IoT devices has grown exponentially, and because of their heterogeneity, different kinds of devices have different requirements. A single computing platform is therefore not enough to satisfy the requirements of all IoT devices. In this situation, federating different computing paradigms comes into play: a user or a device on one computing platform wants to access services offered by another computing platform without creating an account on that second platform.
Federating different computing paradigms raises many research issues, of which authentication is the most important. This thesis addresses the third-party authentication problem between federated cloud and 3GPP edge systems. It considers the cloud-edge federation setting in which a user, the first party, needs to access services of a third party (cloud or edge), while that third party is federated with a second party (edge or cloud) that holds the user's credentials. The issues are how the third party can authenticate a user for whom it has no account, and how the 3GPP network can communicate with the cloud when the two use different authentication protocols.
Related studies solve these issues by proposing a new protocol or by adding a new component to the existing 3GPP system. In this thesis we propose a standards-compliant third-party authentication method that integrates the existing cloud authentication protocols with the authentication of the 3GPP network. The existing protocols are normal login, OpenID Connect, and EPS-AKA, all of which are popular and efficient authentication mechanisms. However, these protocols have different authentication procedures and message flows, so combining them directly leads to message mismatches. To resolve the mismatch between authentication protocol messages in the two computing environments, we place a federation proxy between the cloud and the 3GPP network to mediate their communication.
As described above, we consider two scenarios, cloud-to-edge and edge-to-cloud. In cloud-to-edge the user's credentials are stored in the cloud, and in edge-to-cloud they are stored in the edge. The federation proxy plays a different role in each scenario to mediate communication between the two sides. Experimental results show that for cloud-to-edge and edge-to-cloud, our method (third-party authentication using the federation proxy) reduces the delay by 27.7% and 37.9% respectively compared with using OpenID Connect and EPS-AKA separately on the two sides. More importantly, our method is standards-compliant. In the authentication flow, the proxy's processing time accounts for only 1.5% and 1.6% of the total delay.
Abstract (English):
Cloud and edge computing paradigms provide storage and computing services to traditional and Internet of Things devices. In the past few years, the number of IoT devices has increased exponentially, and different devices have different requirements due to their heterogeneity. Hence, one computing platform is not suitable to fulfill the requirements of all IoT devices. In this case, federation of different computing paradigms comes into play: a user or a device with an account on one computing platform can access the services provided by another computing platform federated with the first, without having to create another account. Multiple research problems arise from federation, among which authentication is the most important. This work addresses the third-party authentication problem in federated cloud and 3GPP edge systems. It considers cloud-edge federation in which a user, the first party, needs to access services in the third party (cloud or edge). The third party, in turn, is federated with the second party (edge or cloud), which holds the user's credentials. The issues that arise are how the third party will authenticate a user for whom it has no account, and how the 3GPP network will communicate with the cloud when the two use different authentication protocols. Related studies in the literature solve these issues by proposing new protocols or by adding new components to the 3GPP system. In this study, we propose a standard-compliant third-party authentication approach that combines the existing authentication protocols in the cloud and the 3GPP network. These existing protocols are normal login, OpenID Connect, and EPS-AKA, which are popular and efficient for authentication. Because these protocols have different authentication mechanisms and message flows, a message mismatch occurs between them.
To solve the message mismatch between the authentication protocols of these two computing environments, we use a federated proxy between the cloud and the 3GPP network. We consider two scenarios: cloud-to-edge, in which the user credentials are in the cloud, and edge-to-cloud, in which the user credentials are in the edge. The federated proxy plays a different role in communicating with the cloud and the edge in each scenario. The experimental results show that, compared with the combination of OpenID Connect and EPS-AKA, third-party authentication for edge-to-cloud and cloud-to-edge using the federated proxy reduces the authentication delay by 27.7% and 37.9% respectively, while remaining standard compliant. The time taken by the components in the proxy constitutes only 1.5% and 1.6% of the total authentication delay of edge-to-cloud and cloud-to-edge authentication respectively.
Table of contents:
Abstract (Chinese)
Abstract (English)
Acknowledgement
Contents
List of Tables
List of Figures
Chapter 1 Introduction
  1.1 Cloud-Edge Federation
  1.2 One-account-service-everywhere
  1.3 Third-party authentication solution
  1.4 Thesis organization
Chapter 2 Background and Related Works
  2.1 Federation
  2.2 Authentication in cloud and 3GPP
    2.2.1 Authentication in cloud
    2.2.2 Authentication in Cellular Networks
  2.3 Federated authentication
Chapter 3 Problem Description
  3.1 Authentication model
  3.2 Authentication protocol conflicts
  3.3 Problem statement
Chapter 4 Proposed Solution Approach
  4.1 Approach overview
  4.2 Federation proxy
    4.2.1 Message flow for Cloud-to-Edge scenario
    4.2.2 Message flow for Edge-to-Cloud scenario
  4.3 Security analysis
Chapter 5 Numerical Results
  5.1 Testbed description
  5.2 Results
    5.2.1 Delay time of third-party authentication in cloud-edge federation
    5.2.2 Overhead of air interface
Chapter 6 Conclusions and future work
References