
Research and Design of an Access Control Mechanism for Cloud Storage Based on the HDFS Architecture

Published: 2018-01-08 07:29

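  Keywords for this article: Research and Design of an Access Control Mechanism for Cloud Storage Based on the HDFS Architecture. Source: Henan University of Technology, 2013 master's thesis. Paper type: degree thesis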


  More related articles: cloud storage, access control, HDFS, CP-ABE, SDMoR, TBCCSAC


[Abstract]: Cloud storage, as an independent application within cloud computing, is steadily becoming a commercial hot spot, but its security has remained a central concern for both users and service providers. An open cloud storage service should have a highly secure access control mechanism that meets five basic requirements: logical isolation of data between users, that is, access control covering both authentication and authorization; flexible management of user resource permissions, that is, granting, revoking and changing read and write permissions on resources; support for authentication management of massive user populations, serving upwards of ten million users efficiently; domain-based security management, providing access control within and between domains; and preventing the cloud service provider from stealing the information users store, that is, protecting data in the cloud through encryption and similar measures when the cloud is not fully trusted. This thesis analyzes cloud storage security requirements, studies the access control mechanism of cloud storage systems built on the HDFS architecture, proposes improved designs for its security defects, and completes a verification deployment.

The thesis analyzes HDFS's own access control mechanism and identifies two security defects: the lack of a robust authentication mechanism, and the risk of cluster nodes being impersonated. To address these defects, it designs an engineering solution that integrates the Kerberos authentication mechanism to strengthen the security of an HDFS cloud storage system, achieving robust authentication based on a symmetric cryptosystem and effectively preventing counterfeit nodes. The solution suits private cloud storage systems with a small user base and is lightweight and agile.

Based on HDFS, the thesis designs a new role-oriented, domain-partitioned management access control scheme (SDMoR), which improves the algorithms and mechanisms for domain management, massive user authentication and permission management. It solves the problems that HDFS with Kerberos authentication is limited in user scale and lacks support for intra-domain and inter-domain access control, and it meets four basic requirements of cloud storage access control. Under the assumption that the cloud storage service is trusted, the scheme suits cloud storage systems with a medium-sized user base.

The thesis studies CP-ABE, the ciphertext access control mechanism used when the cloud storage provider is not fully trusted, and identifies three problems with it: first, the resource owner needs exact knowledge of every accessor's attributes; second, resource owners and users must maintain a large number of access keys; third, there is no verification of write permission when a user overwrites ciphertext data on the cloud storage system. To address these problems, it designs and implements a trusted-third-party-based CP-ABE cloud storage access control scheme (TBCCSAC), which uses a trusted third party to manage user attribute certificates, dynamically generates the resource access key SK, and introduces an access control token mechanism. This effectively solves the three problems of heavy maintenance of user attribute knowledge, heavy key distribution and management burden, and missing write-permission verification in cloud storage. Analysis of the security and performance of TBCCSAC shows that, with an acceptable impact on computing performance, it solves the security problems of cloud storage applications based on the CP-ABE mechanism. Finally, the mechanism is applied to HDFS and verified experimentally; it implements the five basic requirements of cloud storage access control well and suits cloud storage systems with large-scale user bases.
[Degree-granting institution]: Henan University of Technology
[Degree level]: Master's
[Year degree granted]: 2013
[Classification number]: TP393.08; TP333




Article ID: 1396183


Link to this article: http://sikaile.net/kejilunwen/jisuanjikexuelunwen/1396183.html

