
Research on Access Control Mechanisms and Key Technologies in Cloud Computing Environments

Published: 2018-05-10 14:42

Topics of this thesis: cloud computing + cloud access control; Source: 《北京郵電大學(xué)》 (Beijing University of Posts and Telecommunications), 2014 doctoral dissertation


[Abstract]: Cloud computing services now appear in every corner of online life and are developing at a rapid pace; almost every related technology company is actively working in the cloud computing field. With the rapid growth of cloud technology, its security problems have gradually attracted attention. The exposure of documents stolen from the US National Security Agency (NSA) made the security of data stored in the cloud a focus of global attention, and how to build a secure, reliable and efficient defense system has become a current research hotspot in cloud technology. Among these, cloud access control mechanisms can effectively solve the information security problems of the cloud environment, thereby ensuring the integrity and confidentiality of user data and guaranteeing that authorized subjects can access objects while unauthorized access is denied.

As the core service of cloud security technology, the cloud access control mechanism plays a decisive role. First, cloud computing platforms store information in one or several data centers to achieve data sharing; in such an open network environment, traditional access control methods fall far short of the need to protect data content, so establishing a feasible, integrated data access control mechanism in the cloud environment is the first problem to be solved. Second, given the limited computing and storage capacity of resource-constrained terminal devices, efficient cloud access control mechanisms and algorithms are urgently needed to solve the load problem of weak client devices. Third, in the cloud environment authentication and control are no longer in the hands of the client but are delegated to the cloud, which authenticates digital content and enforces access control to prevent illegal access and downloads; in this situation, how to ensure the overall security and interoperability of the access control mechanism is also a research focus.

To solve the above problems effectively, this thesis concentrates on the key technologies of cloud access control. Based on a systematic analysis of existing cloud access control technology, it proposes improvements to access control in the cloud environment at three levels: management mechanisms, efficiency mechanisms and trust mechanisms. The main research results and innovations of this thesis are as follows:

1. The access control model mechanisms of existing cloud computing environments are studied and a feasible theoretical framework is proposed. First, the current mainstream access control models are analyzed, and it is established that an access control model for the cloud computing environment should be discretionary and distributed, with the relationship between subjects and permissions forming a hybrid access control mechanism of direct and indirect assignment. Then, by comparing the three existing cloud access control models, it is concluded that the attribute-based cloud access control model, while offering good fine granularity and flexibility, adapts better to extended functionality in the cloud environment; this provides the theoretical framework for the new access control schemes for cloud computing environments proposed subsequently.

2. An access control scheme based on ciphertext-policy attribute-based encryption (CP-ABE) is designed that lets lightweight devices securely use computing resources provided by the cloud service provider to outsource encryption/decryption operations without exposing the terminal's sensitive data; performance evaluation verifies the scheme's advantages in security strength, computation and storage, protecting users' legitimate interests in the cloud environment. The following problems are addressed: 1) when designing a data access control scheme with CP-ABE, running the encryption/decryption algorithms consumes a large share of the client terminal's computing resources, so an efficient and reasonable mechanism for offloading to the cloud server side is proposed; 2) for the multi-tenant nature of the cloud environment, how to effectively avoid exposing customers' sensitive data to the cloud server side is studied; 3) the heavy computation and communication overhead that the upload/download and update processes impose on terminal devices is reduced.

3. A cloud access control solution combining attribute-based encryption and identity-based signatures (IBS) is built, ensuring that data is stored securely even on a cloud server that is not authorized to access it. Under the assumption that the cloud service provider is untrusted, the scheme ensures data security in a public cloud environment and reduces the complexity of data management. It achieves: 1) reduced management complexity; 2) fine-grained access control; 3) adaptability to weak clients; 4) unforgeability of data. Analysis and experimental results show that the access control scheme is efficient, resists collusion attacks, and is semantically secure against adaptive chosen-ciphertext attacks in the random oracle model.

4. An access control scheme on composite-order bilinear groups, based on attribute-based encryption and dual system encryption, is proposed and proved secure in the standard model. On this framework a fully fine-grained revocation scheme based on the direct revocation model is added, efficiently revoking user privileges on the cloud server. Specifically: 1) building on the dual system encryption proposed by Waters et al. and the composite-order bilinear group structure proposed by Lewko et al., an adaptively secure attribute-based encryption model is proposed to realize fine-grained access control in the cloud environment; 2) building on the direct revocation model proposed by Attrapadung et al., a fully fine-grained revocation supplement is designed; 3) the overall construction achieves security in the standard model.

5. A new mobile cloud access control architecture is proposed that introduces an intermediate layer, the access cloudlet layer, between mobile devices and the cloud infrastructure. The main contents are: 1) the original ABE access control scheme is extended on this architecture so that the main access computation is offloaded from the mobile device to the cloudlet layer; 2) an access control decision mechanism is proposed that analyzes the energy consumption and response time incurred when an access task is executed and selects the optimal access path; 3) the system architecture achieves high security and low energy consumption.

Finally, building on the research work of this thesis and considering the development of and challenges facing cloud security technology, an outlook on the future practical application of cloud access control is given.
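The fine-grained policies that items 1 and 2 attribute to CP-ABE are expressed as trees of threshold gates, and the scheme's access structure works by sharing a secret down that tree so that only a satisfying attribute set can recombine it. The Python below is an added illustration, not code from the thesis or its author: it models only that secret-sharing layer over a prime field, with a constructed hospital policy and attribute names. The pairing-based encryption that binds every share to one user's key, which is what gives the collusion resistance claimed in item 3, is deliberately not modelled, so in this toy two users could pool their shares; a real CP-ABE implementation must not allow that.

```python
"""Toy model of the access-structure layer used by ciphertext-policy ABE.

In CP-ABE (Bethencourt-Sahai-Waters style) the policy is a tree of
threshold gates.  The root holds a random secret s; every k-of-n gate
splits the value it receives with a degree-(k-1) Shamir polynomial, and
each leaf attribute ends up holding one share.  A key whose attributes
satisfy the tree can recombine s (and thus decrypt); any other key cannot.
This example (added illustration, not the thesis's scheme) models only that
secret-sharing step over the integers mod a prime.  The pairing layer that
binds every share to one user's key, which is what gives collusion
resistance, is not modelled, so here two users could pool their shares.
"""
import secrets

P = (1 << 127) - 1  # prime modulus for the share field (constructed choice)

# Policy syntax (constructed for this example):
#   "attr"                  leaf: the attribute that holds a share
#   ("AND", [children])     all children needed  (k = n)
#   ("OR",  [children])     any one child needed (k = 1)
#   (k, [children])         explicit k-of-n threshold gate


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (coeffs[0] is the constant term) at x mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def _lagrange_at_zero(points):
    """Recover f(0) from k points (x_i, f(x_i)) of a degree-(k-1) polynomial."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def share_tree(node, secret):
    """Push `secret` down the policy tree; returns the tree with leaf shares."""
    if isinstance(node, str):
        return ("leaf", node, secret)
    op, children = node
    k = {"AND": len(children), "OR": 1}.get(op, op)
    assert 1 <= k <= len(children), "threshold must be between 1 and n"
    # Random polynomial with f(0) = secret; child i receives f(i + 1).
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    shared = [share_tree(child, _eval_poly(coeffs, i + 1))
              for i, child in enumerate(children)]
    return ("gate", k, shared)


def reconstruct(shared, attrs):
    """Return the gate's value if `attrs` satisfies the subtree, else None."""
    if shared[0] == "leaf":
        _, attr, share = shared
        return share if attr in attrs else None
    _, k, children = shared
    points = []
    for i, child in enumerate(children):
        value = reconstruct(child, attrs)
        if value is not None:
            points.append((i + 1, value))
            if len(points) == k:  # k satisfied children suffice for this gate
                break
    return _lagrange_at_zero(points) if len(points) == k else None


def policy_allows(policy, attrs):
    """True iff a key with attribute set `attrs` would recover the root secret."""
    s = secrets.randbelow(P)
    return reconstruct(share_tree(policy, s), frozenset(attrs)) == s


# Constructed policy: staff of hospital A who are doctors, or who meet any
# two of {nurse, ICU ward, night shift}.
POLICY = ("AND", ["hospital:A",
                  ("OR", ["role:doctor",
                          (2, ["role:nurse", "ward:ICU", "shift:night"])])])

if __name__ == "__main__":
    for who in ({"hospital:A", "role:doctor"},
                {"role:doctor"},
                {"hospital:A", "role:nurse", "shift:night"},
                {"hospital:A", "role:nurse"}):
        print(sorted(who), "->", policy_allows(POLICY, who))
```

The point to notice is that the decision is never an explicit comparison against a policy string: a non-satisfying attribute set simply lacks enough shares for some gate, so the root secret is unrecoverable. In a real scheme that secret blinds the message key, which is why the "decision" cannot be bypassed by a dishonest storage server that holds only the ciphertext.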

[Degree-granting institution]: Beijing University of Posts and Telecommunications
[Degree level]: Doctorate
[Year of degree]: 2014
[Classification number]: TP393.09;TP309


Article ID: 1869720


Link to this page: http://sikaile.net/guanlilunwen/ydhl/1869720.html


