Data Privacy Protection and Sharing in Object Storage Systems
Published: 2018-07-28 11:10
[Abstract]: As the value of data keeps rising, encrypted storage in distributed storage systems becomes more important. End-to-end encrypted storage emerged to reduce the trust that must be placed in the storage system and to meet users' privacy-protection needs. Object storage devices, because they manage data intelligently, are widely used for mass information storage. On the security side of object storage systems, most research targets authentication and authorization; how to keep data secure in transit and at rest, and how to share data securely with users, remain open problems.

In the identity-based secure object storage system described here, files are encrypted and then stored and transmitted as ciphertext, which gives end-to-end data confidentiality. Identity-based encryption (IBE) uses identity information as the public key, which reduces the complexity of PKI public-key management. IBE encrypts and protects the data key SK; only the corresponding private key can decrypt it to recover the data key and correctly access the file contents. Combined with a role-based access control mechanism, the shared key FK is managed effectively. With role certificates, members of the same role have the same access rights and the same shared key; FK is treated, together with the access-control entry, as a security attribute of the data, which reduces redundant information in the security metadata list and allows efficient lookup and update of shared keys. An HMAC-SHA1 message authentication protocol keyed with the data key SK provides data integrity protection. A caching mechanism keeps frequently accessed content, saving the time needed to fetch metadata and avoiding repeated encryption and decryption, which improves system performance.

Tests show that the system provides an effective key protection and sharing mechanism with security overhead kept in a reasonable range: integrity protection overhead is no more than 15%, and encryption overhead is within 25%.
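The per-object envelope the abstract describes, as an added example that is not the thesis's code: a per-object data key SK encrypts the file and keys an HMAC-SHA1 tag over the ciphertext, SK is wrapped once per authorized role under that role's shared key FK and stored as a security attribute next to the object, and the store itself never sees SK or FK. Everything not stated in the abstract is an assumption here: the file cipher is a counter-mode keystream built from HMAC-SHA256 (the thesis does not name its cipher), FK reaches a client by direct injection instead of the thesis's IBE delivery, the encryption key is a subkey derived from SK rather than SK itself (a hardening choice; the tag is still keyed directly with SK as the abstract says), and the role names, user names, object id and file contents are constructed.

```python
import hashlib
import hmac
import secrets


def _ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from HMAC-SHA256, XORed into data.
    Stand-in for the thesis's unspecified file cipher (assumption);
    the same call encrypts and decrypts."""
    out = bytearray()
    for i, off in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def _seal(key: bytes, data: bytes) -> tuple:
    """Encrypt `data` and tag the ciphertext with HMAC-SHA1 keyed by `key`
    (the abstract keys the tag with SK). Returns (nonce, ct, tag)."""
    nonce = secrets.token_bytes(16)
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()  # subkey: assumption
    ct = _ctr_xor(enc_key, nonce, data)
    tag = hmac.new(key, nonce + ct, hashlib.sha1).digest()
    return nonce, ct, tag


def _open(key: bytes, nonce: bytes, ct: bytes, tag: bytes) -> bytes:
    """Verify the HMAC-SHA1 tag in constant time before decrypting."""
    expected = hmac.new(key, nonce + ct, hashlib.sha1).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed")
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    return _ctr_xor(enc_key, nonce, ct)


class ObjectStore:
    """Holds only ciphertext plus security metadata; never sees SK or FK."""

    def __init__(self):
        self.objects = {}

    def put(self, obj_id, nonce, ct, tag, attrs):
        self.objects[obj_id] = {"nonce": nonce, "ct": ct, "tag": tag, "attrs": attrs}

    def get(self, obj_id):
        return self.objects[obj_id]


class Client:
    """A user holding the shared key FK of each role on its role certificate
    (delivered via IBE in the thesis; injected directly here: assumption)."""

    def __init__(self, user, role_keys):
        self.user = user
        self.role_keys = dict(role_keys)  # role -> FK

    def write(self, store, obj_id, plaintext, roles):
        sk = secrets.token_bytes(20)  # per-object data key SK
        nonce, ct, tag = _seal(sk, plaintext)
        # One security attribute per role: SK wrapped under that role's FK.
        attrs = {role: _seal(self.role_keys[role], sk) for role in roles}
        store.put(obj_id, nonce, ct, tag, attrs)

    def read(self, store, obj_id):
        obj = store.get(obj_id)
        for role, fk in self.role_keys.items():
            if role in obj["attrs"]:
                sk = _open(fk, *obj["attrs"][role])  # unwrap SK with FK
                return _open(sk, obj["nonce"], obj["ct"], obj["tag"])
        raise PermissionError(f"{self.user} holds no role granted on {obj_id}")


def demo():
    """Constructed scenario: two roles, one object shared with 'analyst' only."""
    fk = {"analyst": secrets.token_bytes(32), "intern": secrets.token_bytes(32)}
    store = ObjectStore()
    alice = Client("alice", {"analyst": fk["analyst"]})
    bob = Client("bob", {"intern": fk["intern"]})
    alice.write(store, "report.txt", b"quarterly numbers", roles=["analyst"])

    results = {"alice": alice.read(store, "report.txt")}
    try:
        bob.read(store, "report.txt")
        results["bob"] = "read"
    except PermissionError:
        results["bob"] = "denied"
    # Flip one ciphertext byte: the HMAC-SHA1 check must reject it before decryption.
    obj = store.get("report.txt")
    obj["ct"] = bytes([obj["ct"][0] ^ 1]) + obj["ct"][1:]
    try:
        alice.read(store, "report.txt")
        results["tampered"] = "accepted"
    except ValueError:
        results["tampered"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

Two points a practitioner should take from this: the tag is checked before any decryption (encrypt-then-MAC), and the store is denied the keys entirely, so a compromised storage node yields ciphertext and wrapped keys only. HMAC-SHA1 remains a sound MAC because HMAC's security does not rest on SHA-1's collision resistance, but keying both the cipher and the MAC with the raw SK, as the abstract does, is key reuse across two primitives; deriving a separate encryption subkey, as done here, costs nothing and removes the question.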
[Degree-granting institution]: Huazhong University of Science and Technology
[Degree level]: Master's
[Year granted]: 2012
[Classification]: TP333; TP309.2
Article ID: 2149934
Article link: http://sikaile.net/kejilunwen/jisuanjikexuelunwen/2149934.html