基于HDFS架构的云存储访问控制机制的研究与设计

发布时间：2018-01-08 07:29

本文关键词：基于HDFS架构的云存储访问控制机制的研究与设计　出处：《河南工业大学》2013年硕士论文　论文类型：学位论文

【摘要】：云存储作为云计算领域独立的应用，逐步成为商业应用热点，但同时其安全性一直是用户和服务提供商担心和关注的重点。一个开放的云存储服务系统应具备高安全的访问控制机制，需要满足以下五个方面基本需求：用户间数据逻辑隔离，即实现认证和授权两方面访问控制；灵活的用户资源权限管理，即实现资源读写权限的授权、回收和变更等管理；海量用户认证管理支持，需要支持千万级以上用户高效应用；基于域的安全管理，能实现域内、域间的访问控制；防止云服务商窃取用户存储的信息，即在云端不完全可信的情况下，通过加密等措施保护云端数据安全。本文分析了云存储安全需求，围绕HDFS架构的云存储系统访问控制机制开展研究，针对其存在的安全缺陷提出改进设计，，并完成验证部署。分析了HDFS自身的访问控制机制，指出其安全性中存在两个缺陷，一是缺乏健壮认证机制，二是存在冒充集群节点隐患。针对上述缺陷，设计了融合Kerberos认证机制强化HDFS云存储系统安全性的工程解决方案，基于对称密码体制实现健壮的认证，并有效防止假冒节点。该方案适合小用户规模的私有云存储系统建设，具有轻量敏捷等特点。本文基于HDFS设计了一种新的面向角色的分域管理访问控制（SDMoR），改进了域管理、海量用户认证和权限管理等算法机制，解决了引入Kerberos认证机制的HDFS用户规模受限，及缺少域内、域间访问控制支持的问题，满足云存储访问控制的四个基本需求，在云存储服务可信的前提假设下，该方案适合中等规模用户的云存储系统建设。研究分析了云存储服务商不完全可信环境下密文访问控制机制用CP-ABE，指出该机制存在的三个问题：一是资源所有者需要确切地了解每一个访问者属性知识；二是资源所有者及用户的访问密钥维护量大；三是对用户覆盖云存储系统上密文数据时缺少写权限合法性认证。针对上述问题，设计和实现一种基于可信第三方的CP-ABE云存储访问控制（TBCCSAC），使用可信第三方管理用户属性证书，动态生成资源访问密钥SK，引入访问控制令牌机制，有效的解决了云存储中用户属性知识管理维护量大、密钥分发与管理负担重，以及写权限鉴别缺失的三个问题。对TBCCSAC安全性和性能进行分析，结果表明在可接受的计算性能影响下，解决了基于CP-AER机制云存储应用中安全问题。最后将此机制应用于HDFS，并进行实验验证，该机制很好地实现了云存储访问控制的五个基本需求，适合大规模用户应用云存储系统。
[Abstract]:Cloud storage as an independent application in the field of cloud computing has gradually become a hot commercial application. But at the same time, its security has always been the focus of concern for users and service providers. An open cloud storage service system should have a high security access control mechanism. It needs to meet the following five basic needs: logical isolation of data between users, namely, implementation of authentication and authorization access control; Flexible user resource rights management, that is, to achieve resource read and write authority authorization, recycling and change management; Massive user authentication management support, need to support more than 10 million levels of user efficient application; The security management based on domain can realize the access control within and between domains. In order to prevent cloud service providers from stealing the information stored by users, that is, to protect cloud data security through encryption and other measures, this paper analyzes the security requirements of cloud storage. This paper studies the access control mechanism of cloud storage system based on HDFS architecture, proposes an improved design for its security defects, and completes the verification and deployment. This paper analyzes the access control mechanism of HDFS itself, and points out that there are two defects in its security, one is the lack of robust authentication mechanism, the other is the hidden danger of impersonating cluster nodes. An engineering solution to enhance the security of HDFS cloud storage system based on Kerberos authentication mechanism is designed, and robust authentication is realized based on symmetric cryptosystem. The scheme is suitable for the construction of private cloud storage system with small user scale and has the characteristics of lightweight agility and so on. This paper designs a new role-oriented domain management access control (SDMoR) based on HDFS, which improves the algorithms of domain management, massive user authentication and privilege management. The problem of limited scale of HDFS users with Kerberos authentication mechanism and the lack of support for intra-domain and inter-domain access control is solved to meet the four basic needs of cloud storage access control. Under the assumption that cloud storage service is credible, this scheme is suitable for medium scale users' cloud storage system construction. This paper studies and analyzes the CP-ABE used in the ciphertext access control mechanism under the incomplete trusted environment of cloud storage service provider. Three problems of this mechanism are pointed out: first, the resource owner needs to know exactly the attribute knowledge of each visitor; Second, the resource owner and user maintain a large amount of access key; The third is the lack of authentication of write authority legitimacy when users overlay ciphertext data on cloud storage system. This paper designs and implements a CP-ABE cloud storage access control system based on trusted third party (TBC), which uses trusted third party to manage user attribute certificate and dynamically generate resource access key SK. The mechanism of access control token is introduced, which effectively solves the heavy burden of user attribute knowledge management and key distribution and management in cloud storage. The security and performance of TBCCSAC are analyzed, and the results show that under the influence of acceptable computing performance. The security problem in cloud storage application based on CP-AER mechanism is solved. Finally, the mechanism is applied to HDFS, and the experimental results show that the mechanism can meet the five basic requirements of cloud storage access control. Suitable for large-scale user application cloud storage system.
【学位授予单位】：河南工业大学
【学位级别】：硕士
【学位授予年份】：2013
【分类号】：TP393.08;TP333

【参考文献】