云计算环境中访问控制的机制和关键技术研究

发布时间：2018-05-10 14:42

本文选题：云计算 + 云访问控制　；参考：《北京邮电大学》2014年博士论文

【摘要】：云计算服务如今出现在网络生活中的每个角落,其发展势头迅猛,几乎所有相关技术公司都在积极地开发云计算领域。随着云技术的高速发展,其安全问题也逐渐受到人们的关注。美国国家安全局(NSA)被窃取文件的曝光,使存储在云上的数据安全问题成为了全球关注的焦点,如何建立起安全可靠且高效的防御体系成为当前云技术的研究热点。其中云访问控制机制可以有效地解决云环境下相关的信息安全问题,从而确保用户数据的完整性和机密性,保证授权主体能访问客体和拒绝非授权访问。云访问控制机制作为云安全技术中的核心服务内容,有着举足轻重的作用。其一,云计算平台将信息储存于一个或者若干个数据中心,实现数据共享,在这样开放的网络环境下,传统的访问控制手段已远远不能满足对数据内容进行保护的需求,因此,在云环境下建立可行融合的数据访问控制机制是亟待解决的首要问题。其二,考虑到资源受限的终端设备计算和存储能力,迫切需要高效的云访问控制机制与算法来解决弱客户端设备负载的问题。其三,在云环境下认证和控制不再由客户端掌控,而是交由云端实现对数字内容认证和访问控制来阻止非法访问与下载,在这种情况下,如何确保访问控制机制整体的安全性、互交性也是研究的重点。为了有效解决上述问题,论文紧紧围绕云访问控制的关键技术开展研究,在系统分析现有云访问控制技术的基础上,从管理机制、高效机制和可信机制三个层面对云环境下的访问控制提出改进方案。本文的主要研究成功及创新如下： 1.研究现有云计算环境下的访问控制模型机制,提出可行的理论框架。首先,分析了目前主流访问控制模型,明确了云计算环境下的访问控制模型适合采用自主的、分布式模型,其主体与权限的关系属于直接和间接的混合访问控制机制。接下来,通过对比现行三种云访问控制模型,得出基于属性的云访问控制模型在具备良好的细粒度和灵活性同时,能更好地适应于云环境下的拓展功能,为随后提出云计算环境下的新型访问控制方案提供了理论框架。 2.设计了一种基于属性加密(CP-ABE)的访问控制方案,实现了轻量级设备可以安全地利用云服务商提供的计算资源来外包加／解密运算操作,而不暴露终端的敏感数据,并通过性能评估验证了该方案在安全强度以及计算、存储等方面的优势,确保用户在云环境下的合法利益。重点解决了以下问题：1)在利用CP-ABE设计数据访问控制方案时,由于运行加／解密算法会占用客户终端大量的计算资源,提出了高效合理的云服务端卸载机制；2)针对云环境的多租户属性,研究了如何有效避免客户敏感数据暴露于云服务端的问题；3)降低了上传／下载和更新过程给设备终端造成巨大计算以及通信开销。 3.构建了一种基于属性加密和基于身份签名(IBS)相结合的云访问控制解决方案,确保了数据安全地存放在未授权的云服务端。在云服务提供商是不可信的假设前提下,该方案能够确保在公开的云环境下的数据安全性,并且降低数据管理的复杂度。重点实现了：1)降低管理复杂度；2)细粒度的访问控制；3)针对弱客户端的适应性；4)数据的不可伪造性。分析和实验结果表明该访问控制方案具备高效性,同时能实现抗合谋攻击,并在语义上抵抗在随机预言模式下自适应选择密文攻击。 4.提出了一个建立在合数阶双线性群上基于属性加密和双重加密系统的访问控制方案,并证明了在标准模型下该方案的安全性。随后在此构架上,补充了基于直接撤销模型的完全细粒度撤销方案,实现了高效地从云服务器上撤销用户权限功能。具体实现以下成果：1)在Waters等人提出的双重系统加密和Lewko等人提出的合数阶双线性群结构的基础上,提出了一个自适应的基于属性的安全加密模型,以实现云环境细粒度访问控制；2)在Attrapadung等人提出的直接撤销模型的基础上,设计了一个完全细粒度撤销补充方案；3)整体结构实现了在标准模型下的安全性。 5.提出了一个新的移动云访问控制架构,在移动设备和云基础设施之间引入了中间层——访问cloudlet层。主要研究内容为：1)在该架构上拓展原有ABE访问控制方案,实现将移动设备上主要访问计算量卸载到cloudlet层；2)提出了访问控制决策机制,针对访问任务执行时产生的能源损耗和响应时间进行分析,选择最优化访问路径；3)该系统架构实现了高安全性以及低能耗等功能。最后,在本文的研究工作基础上,结合云安全技术的发展情况和面临的挑战,对云访问控制未来在实际应用方面的进行了研究展望。
[Abstract]:With the rapid development of cloud computing, cloud computing services are developing rapidly in every corner of the network life. With the rapid development of the cloud technology, the security problem has gradually been paid attention to. The NSA has been stolen and stored on the cloud. The problem of data security has become the focus of global attention. How to establish a secure and efficient defense system has become a hot research topic in the current cloud technology. The cloud access control mechanism can effectively solve the related information security problems in the cloud environment, so as to ensure the integrity and confidentiality of the user data, and ensure that the authorized subject can visit. Asking the object and refusing unauthorized access.
As the core service content of cloud security technology, cloud access control mechanism plays an important role. First, the cloud computing platform stores information in one or several data centers to realize data sharing. Under such open network environment, traditional access control means can not meet the protection of data content. Therefore, establishing a feasible and integrated data access control mechanism in the cloud environment is the most important problem to be solved. Secondly, the problem of efficient cloud access control mechanism and algorithm is urgently needed to solve the problem of the weak client device load. Control is no longer controlled by the client, but is implemented by the cloud to implement digital content authentication and access control to prevent illegal access and downloading. In this case, how to ensure the overall security of the access control mechanism is also the focus of the research.
In order to effectively solve the above problems, the thesis focuses on the key technology of cloud access control. On the basis of the system analysis of existing cloud access control technology, this paper proposes an improved case from three layers of management mechanism, efficient mechanism and trusted mechanism in the cloud environment. The main research and innovation of this paper are as follows:
1. study the existing access control model mechanism under the existing cloud computing environment and put forward a feasible theoretical framework. Firstly, the current mainstream access control model is analyzed, and the access control model under the cloud computing environment is clear that the access control model is suitable for the use of autonomous, distributed model, and its subject and authority is a direct and indirect hybrid access control mechanism. Then, by comparing the current three kinds of cloud access control models, it is concluded that the attribute based cloud access control model has good fine-grained flexibility and flexibility, and can better adapt to the expansion function under the cloud environment. It provides a theoretical framework for the subsequent new access control scheme under the cloud computing environment.
2. an access control scheme based on attribute encryption (CP-ABE) is designed. The lightweight device can safely use the computing resources provided by the cloud service provider to outsource / decrypt operation, without exposing the sensitive data of the terminal, and verify the advantages of the scheme in security intensity, calculation and storage through performance evaluation. In order to ensure the legitimate interests of the users in the cloud environment, the following problems are solved: 1) in the use of CP-ABE to design a data access control scheme, the operation plus / decryption algorithm will occupy a large number of customer terminal computing resources, and put forward a efficient and reasonable cloud server unloader system; 2) research on the multi tenant property of the cloud environment. How to effectively avoid the problem of customer sensitive data exposed to the cloud server; 3) reduce the upload / download and update process to cause huge computing and communication overhead to the device terminal.
3. a cloud access control solution based on the combination of attribute encryption and identity based signature (IBS) is constructed to ensure that data is stored safely in unauthorized cloud server. Under the assumption that the cloud service provider is untrusted, the scheme can ensure data security in an open cloud environment and reduce data management. Complexity. 1) reduce management complexity; 2) fine-grained access control; 3) the adaptability to weak client; 4) the data is not forgery. Analysis and experimental results show that the access control scheme is efficient, and can achieve anti conspiracy attack, and is semantically resistant to self-adaptive in random oracle mode. Select the ciphertext attack.
4. an access control scheme based on the attribute encryption and double encryption system on the hierarchical bilinear group is proposed, and the security of the scheme is proved under the standard model. Then, the complete fine-grained revocation scheme based on the direct revocation model is supplemented on this framework, and the user is revoked efficiently from the cloud server. The following results are achieved: 1) on the basis of the double system encryption and Lewko and others proposed by Waters et al., a self-adaptive property based security encryption model is proposed to realize the cloud environment fine-grained access control; 2) the direct revocation model proposed by Attrapadung et al. On the basis of this, a complete fine-grained revocation supplement scheme is designed. 3) the overall structure achieves the security under the standard model.
5. a new mobile cloud access control architecture is proposed to access the cloudlet layer between mobile devices and cloud infrastructure. The main research contents are as follows: 1) expanding the original ABE access control scheme on the architecture to unload the main access computation on the mobile device to the cloudlet layer; 2) proposed access control. The decision mechanism is used to analyze the energy loss and response time produced when the access task is executed, and select the optimal access path. 3) the system architecture realizes high security and low energy consumption.
Finally, on the basis of the research work of this paper, combined with the development of cloud security technology and the challenges faced, the future of cloud access control in practical applications is prospected.

【学位授予单位】：北京邮电大学
【学位级别】：博士
【学位授予年份】：2014
【分类号】：TP393.09;TP309

【参考文献】