【摘要】：隨著數(shù)字校園現(xiàn)代化建設(shè)的不斷發(fā)展,文件的數(shù)量和訪問(wèn)量不斷上漲,傳統(tǒng)的文件存儲(chǔ)系統(tǒng)正逐漸被分布式云存儲(chǔ)系統(tǒng)所取代。分布式云存儲(chǔ)系統(tǒng)可以有效地解決數(shù)字校園環(huán)境下大容量、大目錄和大量的小文件存儲(chǔ)需求,但是數(shù)據(jù)中心網(wǎng)絡(luò)化的存儲(chǔ)模式在迎合海量數(shù)據(jù)處理的需求同時(shí),卻也引發(fā)了許多亟待解決的安全問(wèn)題。數(shù)據(jù)存儲(chǔ)的可靠性、機(jī)密性、完整性等安全性問(wèn)題成為數(shù)字校園環(huán)境下分布式云存儲(chǔ)系統(tǒng)面臨的新的挑戰(zhàn)。針對(duì)數(shù)字校園文件存儲(chǔ)現(xiàn)狀和新的挑戰(zhàn),通過(guò)研究已有分布式云存儲(chǔ)系統(tǒng)的技術(shù)和實(shí)現(xiàn),本文設(shè)計(jì)了元數(shù)據(jù)和數(shù)據(jù)分離的Me Se安全存儲(chǔ)體系結(jié)構(gòu),解決了文件的存儲(chǔ)安全問(wèn)題,針對(duì)大量小文件的存儲(chǔ)設(shè)計(jì)實(shí)現(xiàn)了能夠保證數(shù)據(jù)存儲(chǔ)可靠性、機(jī)密性和完整性的安全機(jī)制。本文所做的主要工作包括以下幾個(gè)方面:1.為數(shù)字校園環(huán)境設(shè)計(jì)并實(shí)現(xiàn)了元數(shù)據(jù)和數(shù)據(jù)分離的安全存儲(chǔ)體系結(jié)構(gòu)—Me Se安全存儲(chǔ)體系結(jié)構(gòu)。在Me Se中將元數(shù)據(jù)服務(wù)器單獨(dú)置于海量存儲(chǔ)系統(tǒng)前端有利于元數(shù)據(jù)的安全獨(dú)立受控,提高了Me Se安全存儲(chǔ)體系結(jié)構(gòu)的安全性。同時(shí),基于威脅建模方法學(xué)的研究針對(duì)分布式云存儲(chǔ)系統(tǒng)提出了形式化的威脅建模方法。在此基礎(chǔ)上,在Me Se設(shè)計(jì)初期使用此方法對(duì)其進(jìn)行了詳細(xì)的威脅建模分析。2.為Me Se安全存儲(chǔ)體系結(jié)構(gòu)設(shè)計(jì)并實(shí)現(xiàn)了基于密級(jí)的敏感數(shù)據(jù)分片編碼機(jī)制,將數(shù)據(jù)編碼分片后分布存儲(chǔ)到后端存儲(chǔ)系統(tǒng)中,保障了數(shù)據(jù)的機(jī)密性、可靠性和安全性。在此基礎(chǔ)上,課題設(shè)計(jì)了一種基于敏感數(shù)據(jù)編碼的低網(wǎng)絡(luò)傳輸開(kāi)銷(xiāo)的文件增量更新策略,在文件的隨機(jī)更新過(guò)程中只傳輸修改過(guò)的片段,從而降低網(wǎng)絡(luò)傳輸開(kāi)銷(xiāo)。3.為了在數(shù)字校園環(huán)境下應(yīng)用系統(tǒng)間實(shí)現(xiàn)數(shù)據(jù)的安全共享,在Me Se元數(shù)據(jù)和數(shù)據(jù)分離的存儲(chǔ)體系結(jié)構(gòu)的基礎(chǔ)上,數(shù)據(jù)的共享必須基于元數(shù)據(jù)的共享,所以課題設(shè)計(jì)實(shí)現(xiàn)了基于認(rèn)證授權(quán)的元數(shù)據(jù)安全共享機(jī)制。通過(guò)安全授權(quán)技術(shù)實(shí)現(xiàn)元數(shù)據(jù)共享,保證數(shù)據(jù)在應(yīng)用系統(tǒng)間共享不會(huì)發(fā)生信息泄露、用戶(hù)認(rèn)證證書(shū)泄露等威脅。
[Abstract]:With the development of digital campus modernization, the number of files and the number of visits are increasing. The traditional file storage system is gradually replaced by the distributed cloud storage system. Distributed cloud storage system can effectively solve the large capacity, large directory and a large number of small file storage requirements in the digital campus environment, but the data center network storage mode meets the demand of massive data processing at the same time. But also caused many urgent security problems. The security problems of data storage, such as reliability, confidentiality and integrity, have become a new challenge for distributed cloud storage system in digital campus environment. In view of the present situation and new challenges of file storage in digital campus, this paper designs a Me Se secure storage architecture which separates metadata from data by studying the technology and implementation of distributed cloud storage system, which solves the problem of file storage security. A security mechanism which can guarantee the reliability, confidentiality and integrity of data storage is designed and implemented for the storage of a large number of small files. The main work of this paper includes the following aspects: 1. A secure storage architecture, Me Se secure storage architecture, which separates metadata from data, is designed and implemented for the digital campus environment. Putting the metadata server in the front end of the mass storage system alone in Me Se is beneficial to the security and control of the metadata and improves the security of the Me Se secure storage architecture. At the same time, based on threat modeling methodology, a formal threat modeling method is proposed for distributed cloud storage systems. On this basis, this method is used in the initial stage of Me Se design to analyze the threat modeling in detail. 2. 2. The security storage architecture of Me Se is designed and implemented, and the sensitive data slicing mechanism based on the secret level is designed and implemented. The data encoding is distributed and stored in the back-end storage system, which ensures the confidentiality, reliability and security of the data. On this basis, a file incremental updating strategy based on sensitive data encoding with low network transmission overhead is designed. Only modified fragments are transmitted during the random file updating process, thus reducing the network transmission overhead. In order to realize the secure sharing of data among application systems in the digital campus environment, the data sharing must be based on the metadata sharing on the basis of the storage architecture of Me Se metadata and data separation. So the thesis designs and implements the metadata security sharing mechanism based on authentication authorization. Metadata sharing is realized through security authorization technology, which ensures that data sharing between application systems will not result in information leakage, user authentication certificate leakage and other threats.
【學(xué)位授予單位】：國(guó)防科學(xué)技術(shù)大學(xué)
【學(xué)位級(jí)別】：碩士
【學(xué)位授予年份】：2013
【分類(lèi)號(hào)】：TP333;TP309
，

本文編號(hào)：2276914