Research and Design of an Access Control Mechanism for HDFS-Based Cloud Storage
Keywords for this article: Research and Design of an Access Control Mechanism for HDFS-Based Cloud Storage. Source: Henan University of Technology, 2013 master's thesis. Thesis type: degree thesis
More related articles: cloud storage, access control, HDFS, CP-ABE, SDMoR, TBCCSAC
[Abstract]: Cloud storage, as an independent application within cloud computing, is steadily becoming a commercial hotspot, but its security has remained the chief concern of both users and service providers. An open cloud storage service should have a highly secure access control mechanism that meets five basic requirements: logical isolation of data between users, i.e. access control covering both authentication and authorization; flexible management of users' resource permissions, i.e. granting, revoking and changing read and write permissions on resources; support for authenticating massive numbers of users, working efficiently at the scale of tens of millions of users and beyond; domain-based security management, with access control both within and between domains; and protection against the cloud provider reading users' stored information, i.e. protecting data in the cloud by encryption and similar measures when the cloud side is not fully trusted. This thesis analyzes the security requirements of cloud storage, studies the access control mechanism of HDFS-based cloud storage systems, proposes improved designs for the security weaknesses found, and completes a verification deployment.

The thesis first analyzes HDFS's own access control mechanism and identifies two security weaknesses: the lack of a robust authentication mechanism, and the risk of impersonated cluster nodes. To address them, an engineering solution that integrates Kerberos authentication into HDFS cloud storage is designed; it achieves robust authentication based on symmetric cryptography and effectively prevents node impersonation. The solution suits private cloud storage systems with a small user base and is lightweight and agile.

On the basis of HDFS, the thesis then designs a new role-oriented sub-domain management access control scheme (SDMoR), with improved algorithms for domain management, massive user authentication and permission management. It resolves the limited user scale of Kerberos-enabled HDFS and its lack of intra-domain and inter-domain access control, satisfying four of the basic requirements of cloud storage access control. Under the assumption that the cloud storage service is trusted, the scheme suits cloud storage systems with a medium-sized user base.

Finally, the thesis analyzes CP-ABE as a ciphertext access control mechanism for environments in which the cloud storage provider is not fully trusted, and identifies three problems: the resource owner must know exactly the attributes of every accessor; resource owners and users must maintain a large number of access keys; and there is no verification of write permission when a user overwrites ciphertext data on the cloud storage system. To address these, a trusted-third-party-based CP-ABE cloud storage access control scheme (TBCCSAC) is designed and implemented: a trusted third party manages user attribute certificates, resource access keys SK are generated dynamically, and an access control token mechanism is introduced, which effectively solves the three problems of heavy attribute-knowledge maintenance, heavy key distribution and management burden, and missing write permission verification. Security and performance analysis of TBCCSAC shows that, at an acceptable computational cost, it solves the security problems of CP-ABE-based cloud storage applications. The mechanism is applied to HDFS and validated experimentally; it meets all five basic requirements of cloud storage access control and suits cloud storage systems with a large user base.
[Degree-granting institution]: Henan University of Technology
[Degree level]: Master
[Year degree granted]: 2013
[Classification number]: TP393.08;TP333
Article ID: 1396183
Link: http://www.sikaile.net/kejilunwen/jisuanjikexuelunwen/1396183.html