
Research on Secure Distributed Storage Architecture and Fault-Tolerance Techniques in Cloud Computing Environments

Published: 2018-01-03 04:04

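Keywords for this article: Research on Secure Distributed Storage Architecture and Fault-Tolerance Techniques in Cloud Computing Environments. Source: PLA Information Engineering University, doctoral dissertation, 2013. Paper type: degree thesis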


Related topics: distributed storage; hierarchical source address validation; data center network; secure regenerating code; coded data recovery mode


[Abstract]: Cloud computing has attracted wide attention and is developing rapidly. Distributed storage built on data center networks is the physical entity on which cloud computing is constructed. However, the openness of distributed storage in cloud environments brings security risks, and data reliability imposes its own constraints, so ensuring data security while keeping the data fault-tolerant has become an urgent problem. This thesis studies secure distributed storage architecture and fault-tolerance techniques in cloud computing environments. Its main contents and contributions are as follows.
1. Data center network security architecture based on hierarchical source address validation
This thesis proposes a data center network security architecture based on hierarchical source address validation and designs a method for generating verifiable source addresses. Every server in the data center network must use such a verifiable address as its source address when sending data. The address is verified during transmission, which ensures that no server can impersonate another server when transmitting data, and that data entering the data center from the Internet through an open port cannot be forwarded inside the data center unless it has been assigned a verifiable address. To keep verification efficient, the architecture introduces hierarchical verification and flow authentication: hierarchical verification is used inside a data center, and flow authentication is used between data centers. The architecture helps the system detect abnormal data transmission, filter traffic from illegitimate hosts inside the network, locate possible attackers inside the data center, and guard against attacks that use Internet hosts directly to attack the system and obtain data. Experimental results show that the architecture can verify packet source addresses without affecting data transmission, that it is already of practical value, and that it addresses attacks on data center networks that use forged addresses.
2. Secure regenerating code based on broadcast encryption
This thesis proposes FCBE (Fault-tolerant Code Based on Broadcast Encryption), a secure regenerating code that combines the broadcast encryption model with the regenerating code model. The FCBE model borrows the idea of broadcast encryption and treats coded storage and data recovery as a broadcast process. When data is stored in the system, the system selects a set of secure servers to act as its fault-tolerance servers. When a storage server fails, only the fault-tolerance servers selected by the system can recover the data; other servers cannot recover the original data even if they intercept the data blocks sent to the fault-tolerance servers. The security analysis proves that FCBE achieves adaptive security. Experimental results show that the bandwidth overhead introduced by the security elements is acceptable and does not put pressure on data transmission across the data center network.
3. Secure regenerating codes based on a threshold mechanism
This thesis proposes two secure regenerating codes based on a threshold mechanism. The core idea is to introduce a trusted third-party key server into the regenerating code model. When a user stores data in the data center, the user selects part of the encoding matrix as a secret and shares that secret with the third-party key server. When data on a failed node must be recovered, or when another data user downloads the data, the requester must first be verified by the third-party key server. Only after passing verification can the requester obtain the secret of the encoding matrix, construct the decoding matrix, and then recover the failed data or download the original data. Based on this idea, the thesis proposes two secure regenerating codes: SRCF (Secure Regenerating Code for Fault-tolerant) and SRCS (Secure Regenerating code with Semi-adaptive). The security analysis proves that SRCF achieves chosen-plaintext security and that SRCS achieves security against partially adaptive attacks. Experimental results show that the bandwidth overhead introduced by the security elements in SRCF and SRCS is small and does not put pressure on data transmission across the data center network.
4. Coded data recovery mode based on pipelining
This thesis proposes a data recovery mode based on the idea of pipelining. The mode borrows from assembly-line production in industry: the server to be recovered is treated as the product on the line, the storage servers are treated as the assembly-line workers, and a server whose data recovery is complete is the finished product. The mode further reduces the bandwidth used during data recovery and thereby offsets the additional bandwidth consumed by the security elements. Theoretical analysis proves that the mode does not affect the correctness of data recovery and that it reduces bandwidth consumption.

[Degree-granting institution]: PLA Information Engineering University
[Degree level]: Doctorate
[Year degree granted]: 2013
[Classification number]: TP333;TP393.08

