Research on Secure Distributed Storage Architecture and Fault-Tolerance Techniques in Cloud Computing Environments
Published: 2018-01-03 04:04
Source: PLA Information Engineering University, doctoral dissertation, 2013. Document type: degree thesis
Keywords: distributed storage; hierarchical source address validation; data center network; secure regenerating code; coded data recovery mode
[Abstract]: Cloud computing has attracted wide attention and is developing rapidly. Distributed storage built on data center networks is the physical substrate on which cloud computing is constructed. However, the openness of distributed storage in cloud environments introduces security risks, and data reliability imposes its own constraints, so guaranteeing data security while keeping the data fault-tolerant has become an urgent problem. This thesis studies secure distributed storage architecture and fault-tolerance techniques in cloud computing environments. Its main contents and contributions are as follows.
1. Data center network security architecture based on hierarchical source address validation
This thesis proposes a data center network security architecture based on hierarchical source address validation and designs a method for generating verifiable source addresses. Servers in the data center network must use such a verifiable address as the source address when sending data, and the address is validated during transmission. This ensures that no server can impersonate another server when transmitting data, and that data entering the data center from the Internet through an open port cannot be forwarded inside the data center unless it has been assigned a verifiable address. To keep validation efficient, the validation process introduces the ideas of hierarchical validation and flow authentication: hierarchical validation is used inside a data center, and flow authentication is used between data centers. The architecture helps the system detect abnormal data transmission, filter traffic sent by illegitimate hosts inside the network, locate possible attackers inside the data center, and guard against hosts on the Internet being used directly to attack the system and obtain data. Experimental results show that the source-address-validation-based architecture can validate packet source addresses without affecting data transmission, that it already has practical value, and that it can address attacks on data center networks that rely on forged addresses.
2. Secure regenerating code based on broadcast encryption
This thesis proposes FCBE (Fault-tolerant Code Based on Broadcast Encryption), a secure regenerating code that combines the broadcast encryption model with the regenerating code model. In constructing the FCBE model, the idea of broadcast encryption is borrowed: coded storage and data recovery are treated as a broadcast process. When data is stored in the system, the system selects a set of secure servers to act as its fault-tolerant servers. When a storage server fails, only the fault-tolerant servers selected by the system can recover the data; other servers cannot recover the original data even if they intercept the data blocks sent to the fault-tolerant servers. Security analysis proves that FCBE achieves adaptive security, and experimental results show that the bandwidth overhead caused by introducing the security elements is acceptable and does not put pressure on data transmission across the data center network.
3. Secure regenerating codes based on a threshold mechanism
This thesis proposes two secure regenerating codes based on a threshold mechanism. The core idea is to introduce a reliable third-party key server into the regenerating code model. When a user stores data in the data center, the user selects part of the encoding matrix as a secret and shares that secret with the third-party key server. When data on a failed node has to be recovered, or when another data user downloads the data, the request must be verified by the third-party key server. Only after passing verification can the requester obtain the secret of the encoding matrix and then construct the decoding matrix to recover the failed data or download the original data. Based on this idea, the thesis proposes two secure regenerating codes, SRCF (Secure Regenerating Code for Fault-tolerant) and SRCS (Secure Regenerating code with Semi-adaptive). Security analysis proves that SRCF achieves chosen-plaintext security, while SRCS achieves security against partially adaptive attacks. Experimental results show that the bandwidth overhead caused by the security elements in SRCF and SRCS is small and does not put pressure on data transmission across the data center network.
4. Coded data recovery mode based on pipelining
This thesis proposes a data recovery mode based on the idea of pipelining. The mode borrows from assembly-line production in industry: the server to be recovered is treated as the product on the line, the storage servers are treated as the assembly-line workers, and a server whose data recovery is complete is the finished product. The mode further reduces the bandwidth occupied during data recovery, and thereby reduces the additional bandwidth consumption caused by introducing the security elements. Theoretical analysis proves that the mode does not affect the correctness of data recovery and that it reduces bandwidth consumption.
[Degree-granting institution]: PLA Information Engineering University
[Degree level]: Doctorate
[Year degree granted]: 2013
[Classification number]: TP333; TP393.08
Article ID: 1372281
Article link: http://sikaile.net/kejilunwen/jisuanjikexuelunwen/1372281.html