Research on Security Control Mechanisms for Peer-to-Peer Cloud Storage Service Systems

Published: 2018-07-03 06:15

  Topics: cloud computing + peer-to-peer computing; Reference: Huazhong University of Science and Technology, doctoral thesis, 2013


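【Abstract】: Cloud computing and peer-to-peer (P2P) computing are two mainstream distributed computing technologies that can effectively support large-scale distributed applications on the Internet. A P2P cloud storage service system is a brand-new Internet application model that combines the advantages of both technologies: it uses a highly scalable P2P network architecture to pool the idle storage resources of the users' computers in the system, providing low-cost storage space of enormous capacity, while relying on cloud-computing management and operation mechanisms to deliver services with high performance, high reliability and high quality of service. Its large scale, distribution, openness, dynamics, heterogeneity and privacy mean that it faces more complex and challenging security problems. Designing effective security control mechanisms that solve the key security problems at three important levels (data, application and user) is therefore of great significance.

In a P2P cloud, neither the cloud servers nor the users are fully trusted. How to guarantee the confidentiality of the data stored in the system while enabling secure and flexible data sharing is a key security problem. A secure, efficient and fine-grained data access control mechanism based on Attribute-Based Encryption (ABE) is proposed: the ABE-based Access control mechanism for P2P storage Cloud (AAPC). In AAPC, a new ciphertext-policy ABE scheme is designed to encrypt data and enforce fine-grained access control. To solve the problem of revoking user access rights, a proxy re-encryption scheme is further designed. Combined with the P2P reputation system, it lets the data owner delegate the laborious revocation work to the cloud servers and trusted nodes, so that the computation overhead of both the data owner and the cloud servers is greatly reduced. Security analysis shows that AAPC is provably secure in the standard security model, effectively resists collusion attacks, and protects users' access-right information. Performance evaluation shows that, compared with other similar ABE schemes and related revocation schemes, all system operations in AAPC take very little time, the keys and ciphertexts produced are small, and the performance advantage becomes more pronounced as the user population grows larger and more dynamic.

In network-coding-based content distribution applications in the P2P cloud, pollution attacks against network coding are very serious. How to resist such attacks and keep content distribution secure is a key security problem. An ECC-based Homomorphic Signature mechanism (EHS), built on Elliptic Curve Cryptography (ECC), is proposed. With EHS, system nodes can check coded blocks efficiently and on the fly to discover polluted blocks quickly. To further improve detection efficiency while maintaining high security, a batch verification method and a cooperative security method are introduced, so that nodes can verify multiple coded blocks together in a batch and, when they find a polluted block, warn other nodes that may have been polluted, cooperating to resist the pollution attack. Compared with other pollution detection mechanisms for network coding, EHS offers high security, and its computation and communication overheads are both relatively small.

EHS is a pollution detection mechanism; compared with this class of mechanisms, attacker identification is a more effective way of resisting pollution attacks. Building on EHS, an Identity-based Malicious peer Identification mechanism (IMI) is proposed. To identify malicious nodes quickly, a lightweight block verification method based on the null-space property of vectors is introduced, together with a lightweight block signature method under which every node must sign the coded blocks it sends and so be accountable for them. EHS combined with IMI forms a complete defense mechanism against network coding pollution in the P2P cloud, with high security, low overhead and no dependence on a particular network topology. Simulation experiments show that, in practical application scenarios, IMI keeps the pollution rate in the network very low and quickly identifies all malicious nodes.

The P2P cloud may contain many malicious users who disrupt system functions and also launch Sybil attacks, that is, join the system under multiple identities to strengthen their attacks on it. How to decide whether a user may join the system so as to resist such attacks is also a key security problem. An IBC-Based Admission control mechanism for P2P storage Cloud (IAPC), built on Identity-Based Cryptography (IBC), is proposed. It comprises four protocols that securely and efficiently assign identifiers to users joining in different practical scenarios. In the basic protocol, the cloud server authenticates the user by callback, then assigns a legitimate user a random identifier based on its IP address and generates the corresponding public/private key pair. Extended protocol 1 lets the cloud server delegate this work to multiple trusted nodes. The other two protocols extend the two protocols above for network users behind NAT (Network Address Translation): they assign identities based on the user's IP address and port number, and add a cryptographic puzzle when distributing private keys, so that a user must pay a certain computational cost to obtain a private key, which prevents malicious users from using many port numbers in succession to obtain large numbers of identities. IAPC needs no complex identity certificate management and effectively solves security problems such as key escrow, user revocation and IP address translation; the protocols maintain reasonable computation times, limit the rate at which malicious users can obtain identities, and the system has good scalability.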
[Abstract]: Cloud computing and Peer-to-Peer (P2P) computing are two mainstream distributed computing technologies, which can effectively support large-scale distributed applications on the Internet. The P2P cloud storage service system is a brand-new model of Internet application. It combines the advantages of the two technologies. It provides services with high performance, high reliability and high quality of service based on cloud computing management and operation mechanisms. It has the characteristics of large scale, distribution, openness, dynamics, heterogeneity, privacy and so on. Therefore, it is very important to design effective security control mechanisms to solve key security problems from the three important aspects of data, application and user.

In the P2P cloud, neither the cloud server nor the users are completely trusted. How to guarantee the confidentiality of data stored in the system and achieve secure, flexible data sharing is a key security problem. A secure, efficient and fine-grained data access control mechanism (ABE-based Access control mechanism for P2P storage Cloud, AAPC) based on Attribute-Based Encryption (ABE) is proposed. In AAPC, a new ciphertext-policy ABE scheme is designed to encrypt the data and provide fine-grained access control. In order to solve the problem of revoking users' access rights, a proxy re-encryption scheme is designed. It is combined with the P2P reputation system so that the computation overhead of both the data owner and the cloud server is greatly reduced. Security analysis shows that AAPC is provably secure in the standard security model, and can effectively resist collusion attacks and protect users' access-right information. The performance evaluation shows that all system operations in AAPC take very little time, the keys and ciphertexts generated are very small, and the larger and more dynamic the user population is, the more remarkable the performance advantage becomes.

In network-coding-based content distribution applications in the P2P cloud, the pollution attack against network coding is very serious. How to resist this attack to ensure the security of content distribution is a key security problem. A homomorphic signature mechanism (ECC-based Homomorphic Signature mechanism, EHS) based on Elliptic Curve Cryptography (ECC) is proposed. In order to further improve detection efficiency while maintaining high security, a batch verification method and a cooperative security method are introduced, so that a node can verify multiple coded blocks together in a batch and, when polluted blocks are found, warn other nodes which may have been polluted, cooperating to resist the pollution attack. Compared with other pollution detection mechanisms for network coding, EHS has high security, and its computation and communication costs are small.

In this paper, an Identity-based Malicious peer Identification mechanism (IMI) is proposed on the basis of EHS. In order to quickly identify malicious nodes, a lightweight block verification method based on the null-space property of vectors is introduced; meanwhile, a lightweight block signature method is introduced, so that each node must sign the coded blocks it sends and is thereby responsible for those blocks.
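As an added illustration (not code from the thesis, and not the IMI construction itself), the following sketch shows the general null-space idea behind such lightweight block checks: every honest linear combination of the source blocks stays orthogonal to a vector chosen from the null space of the source matrix, while a tampered block does not. The field modulus, block sizes, function names and sample data are assumptions made for the example.

```python
import secrets

P = 2**31 - 1  # prime field modulus (assumed; the abstract gives no parameters)

def dot(u, v):
    return sum(a * b for a, b in zip(u, v)) % P

def augment(blocks):
    """Prefix block i with unit vector e_i so coding coefficients travel with the data."""
    m = len(blocks)
    return [[int(i == j) for j in range(m)] + list(b) for i, b in enumerate(blocks)]

def null_key(blocks):
    """Source side: random z with w.z == 0 (mod P) for every augmented source block w.

    For w_i = [e_i | x_i] and z = [z_c | z_d], w_i.z = z_c[i] + x_i.z_d,
    so pick z_d at random and set z_c[i] = -(x_i.z_d) mod P.
    """
    n = len(blocks[0])
    z_d = [secrets.randbelow(P - 1) + 1 for _ in range(n)]  # all entries non-zero
    z_c = [(-dot(x, z_d)) % P for x in blocks]
    return z_c + z_d

def encode(coded, coeffs):
    """Peer side: linear combination (mod P) of the coded blocks it already holds."""
    return [dot(coeffs, column) for column in zip(*coded)]

def is_clean(block, z):
    """One inner product per received block: honest blocks lie in the source span."""
    return dot(block, z) == 0

def demo():
    source = [[11, 22, 33, 44], [5, 6, 7, 8], [9, 10, 11, 12]]  # constructed sample data
    aug = augment(source)
    z = null_key(source)
    # Two hops of honest random recoding keep the block inside the source span.
    hop1 = [encode(aug, [secrets.randbelow(P) for _ in aug]) for _ in range(3)]
    hop2 = encode(hop1, [secrets.randbelow(P) for _ in hop1])
    # A polluted block: one payload symbol altered in transit.
    polluted = list(hop2)
    polluted[-1] = (polluted[-1] + 1) % P
    return is_clean(hop2, z), is_clean(polluted, z)

if __name__ == "__main__":
    print(demo())
```

The check costs one inner product per block, but it only holds up while z stays unknown to whoever is injecting blocks, so the vector has to be distributed over an authenticated, confidential channel.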

There may be many malicious users in the P2P cloud; they disrupt system functions and also launch Sybil attacks, that is, join the system with multiple identities to strengthen their attacks on the system. How to decide whether a user can join the system so as to resist this attack is also a key security problem. An admission control mechanism based on identity-based cryptography (IAPC) is proposed. In the basic protocol, the cloud server uses a callback method to authenticate the user, assigns a random identifier to a legitimate user based on its IP address, and generates the corresponding public and private key pair.
The protocol maintains reasonable computation time and limits the rate at which malicious users obtain identities, and the system has good scalability.
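【Degree-granting institution】: Huazhong University of Science and Technology
【Degree level】: Doctoral
【Year degree granted】: 2013
【Classification number】: TP333; TP309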

