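Research on Secure Distributed Storage Architecture and Fault-Tolerance Technology in Cloud Computing Environments
Published: 2018-01-03 04:04
Keywords: Research on Secure Distributed Storage Architecture and Fault-Tolerance Technology in Cloud Computing Environments. Source: PLA Information Engineering University, 2013 doctoral dissertation. Type: degree thesis
More related articles: distributed storage; hierarchical source address validation; data center network; secure regenerating code; coded data recovery mode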
[Abstract]: Cloud computing has attracted wide attention and is developing rapidly. Distributed storage built on data center networks is the physical substrate on which cloud computing is constructed. However, the openness of distributed storage in cloud environments introduces security risks, and data reliability imposes its own constraints, so how to keep data secure while making it fault-tolerant has become a pressing problem. This thesis studies secure distributed storage architecture and fault-tolerance techniques for cloud computing environments. Its main content and contributions are as follows.
1. A data center network security architecture based on hierarchical source address validation
The thesis proposes a data center network security architecture based on hierarchical source address validation and designs a method for generating verifiable source addresses. Servers in the data center network must use such a verifiable address as the source address when sending data. The address is verified during transmission, which ensures that no server can impersonate another server when transmitting data, and that data entering the data center from the Internet through open ports cannot be forwarded inside the data center unless it has been assigned a verifiable address. To keep verification efficient, the ideas of hierarchical verification and flow authentication are introduced: hierarchical verification is used inside a data center, and flow authentication is used between data centers. The architecture helps the system detect abnormal data transmission, filter traffic sent by illegitimate hosts within the network, locate possible attackers inside the data center, and guard against attacks that directly use hosts on the Internet to attack the system and obtain data. Experimental results show that the architecture can verify packet source addresses without affecting data transmission, that it already has practical value, and that it can solve the problem of attacks on data center networks that use forged addresses.
2. A secure regenerating code based on broadcast encryption
The thesis proposes FCBE (Fault-tolerant Code Based on Broadcast Encryption), a secure regenerating code that combines the broadcast encryption model with the regenerating code model. In constructing the FCBE model, the thesis borrows the idea of broadcast encryption and treats coded storage and data recovery as a broadcast process. When data is stored in the system, the system selects a set of secure servers to act as its fault-tolerant servers. When a storage server fails, only the fault-tolerant servers selected by the system can recover the data; other servers cannot recover the original data even if they intercept the data blocks sent to the fault-tolerant servers. Security analysis proves that FCBE achieves adaptive security. Experimental results show that the bandwidth overhead caused by introducing the security elements is acceptable and does not put pressure on data transmission across the data center network.
3. Secure regenerating codes based on a threshold mechanism
The thesis proposes two secure regenerating codes based on a threshold mechanism. The core idea is to introduce a trusted third-party key server into the regenerating code model. When storing data in the data center, the user selects part of the encoding matrix as a secret and shares that secret with the third-party key server. When data on a failed node must be recovered, or when another data user downloads the data, the request must be verified by the third-party key server; only after passing verification can the requester obtain the secret of the encoding matrix and then construct the decoding matrix to recover the failed data or download the original data. Based on this idea, the thesis proposes two secure regenerating codes, SRCF (Secure Regenerating Code for Fault-tolerant) and SRCS (Secure Regenerating code with Semi-adaptive). Security analysis proves that SRCF achieves chosen-plaintext security and that SRCS achieves security against partially adaptive attacks. Experimental results show that the bandwidth overhead caused by the security elements introduced in SRCF and SRCS is small and does not put pressure on data transmission across the data center network.
4. A coded data recovery mode based on pipelining
The thesis proposes a data recovery mode based on the idea of pipelining. The mode borrows the idea of assembly-line production in industry: the server to be recovered is treated as the product on the line, the storage servers are treated as the assembly-line workers, and a server whose data recovery is complete is the finished product. Using this mode further reduces the bandwidth consumed during data recovery, and thereby reduces the additional bandwidth consumption caused by introducing the security elements. Theoretical analysis proves that the mode does not affect the correctness of data recovery and that it can reduce bandwidth consumption.
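[Degree-granting institution]: PLA Information Engineering University
[Degree level]: Doctorate
[Year degree awarded]: 2013
[Classification number]: TP333;TP393.08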
Article ID: 1372281
Article link: http://sikaile.net/kejilunwen/jisuanjikexuelunwen/1372281.html