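Project title: Research on Anonymous Credential and Anonymous Authentication Technology
Project number: No.60803129
Project type: Young Scientists Fund project
Year of approval: 2009
Project discipline: Light industry, handicrafts
Project author: Zhang Liwu (张立武)
Author affiliation: Institute of Software, Chinese Academy of Sciences
Project funding: 200,000 yuan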
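Chinese abstract: The traditional X.509 public-key certificate system and network identity authentication technologies neglect privacy. Users must have their legitimate identity authenticated in network activities, yet private information such as personal attributes and behavioral preferences may leak during authentication, which poses a serious security threat to users. How to authenticate a user's legitimate identity while also protecting the user's privacy has become a problem in urgent need of a solution. By studying anonymous credentials, anonymous authentication and related techniques, and building on attribute certificates, ring signatures, group signatures and trusted computing, this project proposed a new platform anonymous authentication architecture and related mechanisms; by introducing a trusted authority and TPM anonymous attestation, it gives a feasible solution to the problems of large-scale platform anonymous authentication and environment attestation. It proposed new mechanisms for preventing the lending of anonymous credentials and for revoking and updating anonymous credentials. It proposed a trusted-computing-based trusted credential management scheme with privacy protection: to address privacy leakage in forward and backward credential chains, the scheme uses the encapsulation technology of trusted computing so that the composite credential runs in an untampered trusted environment. It proposed a conditional proxy resource encryption sharing scheme with anonymity and privacy protection, which can flexibly express attribute-based proxy access requests and effectively protects the anonymity and privacy of users who are unwilling to reveal their specific identity. It proposed a multi-level digital identity service framework with anonymity and privacy protection, which uses a multi-level model to protect users' real identity and virtual identity information in layers, providing a feasible anonymous authentication solution for large-scale, user-centric authentication.
Chinese keywords: anonymous authentication; anonymous credentials; privacy protection; attribute certificates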
English abstract: The traditional X.509 PKI and network authentication technologies ignore the privacy issue. Users must be authenticated in network activities, but private information such as personal data and activities can be leaked in the authentication process, which is a great security threat. How to authenticate users while protecting their privacy has become a hot issue that needs to be solved. This project focuses on anonymous credential and authentication technology. Based on attribute certificates, ring signatures, group signatures and trusted computing, we proposed a new platform anonymous authentication architecture and relevant authentication mechanisms, which introduce a trusted authority and incorporate the TPM anonymous attestation technique, and which can be used to solve the problems of platform anonymous authentication and environment attestation. We proposed a new mechanism to prevent anonymous credentials from being lent to other users, and mechanisms to update and revoke anonymous credentials. We proposed a trusted anonymous credential management scheme with privacy protection, which solves the problem of privacy information leaking in backward and forward credential trust chains through the encapsulation mechanism of trusted computing. We proposed a conditional proxy re-encryption scheme with privacy protection, which can flexibly represent attribute-based access requests and protect users' privacy. We proposed a new multi-level digital identity management architecture, which separates the protection of real identity from that of virtual identity and provides a feasible scheme for large-scale, user-centric authentication applications.
English keywords: anonymous authentication; anonymous credential; privacy protection; attribute certificate