Data Privacy Protection and Sharing in Object Storage Systems
Published: 2018-07-28 11:10
[Abstract]: As the value of data keeps rising, encrypted storage in distributed storage systems becomes increasingly important. End-to-end encrypted storage emerged to reduce the trust placed in the storage system and to meet users' privacy protection needs. Object storage devices, with their ability to manage data intelligently, are widely used in mass information storage. On the security side of object storage systems, most research targets authentication and authorization, but how to keep data secure in transit and at rest, and how to share data securely with users, remain open problems. In the identity-based secure object storage system, files are encrypted and then stored and transmitted as ciphertext, which provides end-to-end data confidentiality. Identity-based encryption (IBE) uses identity information as the public key, reducing the complexity of PKI public key management. IBE encrypts and protects the data key SK; only the corresponding private key can decrypt it to recover the data key and correctly access the file contents. The shared key FK is managed effectively by combining this with a role-based access control mechanism. Role certificates are introduced so that members of the same role have the same access rights and shared key; FK is treated, together with the access control entries, as a security attribute of the data, which reduces redundant information in the security metadata list and makes lookup and update of the shared key efficient. The HMAC-SHA1 message authentication protocol uses the data key SK as its random key to provide data integrity protection. A cache mechanism is introduced to cache frequently accessed content, which saves the time needed to fetch metadata, avoids repeated encryption and decryption, and improves system performance.
Tests show that the system provides an effective key protection and sharing mechanism and that the security overhead stays within a reasonable range: the integrity protection overhead does not exceed 15%, and the encryption overhead is kept within 25%.
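[Degree-granting institution]: Huazhong University of Science and Technology
[Degree level]: Master's
[Year degree awarded]: 2012
[Classification number]: TP333; TP309.2
Article ID: 2149934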
Article link: https://www.wllwen.com/kejilunwen/jisuanjikexuelunwen/2149934.html