云存储数据安全去重和完整性审计协议的设计与实现

发布时间：2018-03-16 20:00

本文选题：云存储　切入点：客户端数据去重　出处：《南京理工大学》2017年硕士论文　论文类型：学位论文

【摘要】：随着云计算和云存储服务广泛使用,越来越多的企业和个人用户将他们的数据信息外包给云服务提供商,这样他们就可以随时随地享受云服务提供商所提供的数据存储和计算服务,并能减少数据存储和维护成本。但是,当存储在云端的数据越来越多的时候,将会产生大量的冗余数据,如何减少云服务提供商对相同文件的存储,已成为节约云存储空间的一个迫切需求。同时,云服务器是半可信的,它可能试图窃取用户的数据信息。因此,用户在将数据上传至云服务器之前,通常需要对数据进行加密来实现数据的隐私保护。此外,用户将数据外包给云服务器,也导致用户丧失了对数据的绝对控制权,云服务器可能有意或无意地破坏用户的数据,所以如何确保云端数据的完整性也成为了不可忽略的问题。本文重点对云存储数据安全去重和完整性审计问题进行了研究。具体工作如下:(1)针对客户端数据去重场景中收敛加密存在的安全缺陷,我们利用盲签名的方法构造了一个更加安全的密钥生成协议,通过引入一个密钥服务器,实现了对收敛密钥的二次加密,使得数据加密更加安全,能够有效地预防暴力字典攻击。并在此基础上,提出了一个基于块密钥签名的拥有权证明方法,用户和云服务器之间必须执行一个挑战/响应协议,才能确定用户是否拥有和云端相同的文件,从而有效地预防了攻击者通过单一的hash值来获取文件,并且该方案能够同时实现对密文数据的文件级和块级去重。此外,理论分析和仿真结果表明,该方案能够满足更多安全属性,同时具有较好的性能。(2)针对现有公开审计方案只考虑群组用户中仅有单个群管理者的情形,通过改进可撤销的群签名和(t,s)门限方案,我们设计了一个适用于多管理者群组共享数据的公开审计方案EPAM。该方案能够实现用户的身份隐私、可追踪性和不可陷害性,并且安全分析表明方案EPAM在随机预言模型下是可证明安全的。此外,相比现有方案,实验结果表明方案EPAM拥有较小的计算开销。(3)借助阿里云的弹性计算服务(Elastic Compute Service,ECS)、对象存储服务(Object Storage Service,OSS)以及关系型数据库服务(Relational Database Service,RDS),并利用JPBC密码学库和JavaWeb开发工具,设计与实现了一个云存储数据安全去重和完整性审计原型系统。该系统能够对我们设计的方案和现有方案进行仿真实验,从而验证每个方案在不同环节的计算开销,以对比分析不同方案的性能。
[Abstract]:With the widespread use of cloud computing and cloud storage services, more and more enterprises and individual users outsource their data information to cloud service providers. This allows them to enjoy data storage and computing services provided by cloud service providers at any time and anywhere, and to reduce the cost of data storage and maintenance. However, as more and more data is stored in the cloud, Will produce a lot of redundant data, how to reduce the cloud service provider to the same file storage, has become an urgent need to save cloud storage space. At the same time, the cloud server is semi-trusted, It may attempt to steal the user's data. Therefore, users usually need to encrypt the data to protect their privacy before uploading it to the cloud server. In addition, the user outsources the data to the cloud server. It also causes the user to lose absolute control over the data, and the cloud server may intentionally or unintentionally destroy the user's data, So how to ensure the integrity of cloud data has also become a problem that can not be ignored. This paper focuses on the cloud storage data security and integrity audit. Security flaws in convergent encryption in the scenario, We use blind signature method to construct a more secure key generation protocol. By introducing a key server, we realize the secondary encryption of the convergence key and make the data encryption more secure. On the basis of this, a proof method of ownership based on block key signature is proposed. A challenge / response protocol must be executed between the user and the cloud server. In order to determine whether the user has the same file as the cloud, it effectively prevents the attacker from obtaining the file through a single hash value, and the scheme can achieve both file level and block level heaviness of ciphertext data. Theoretical analysis and simulation results show that the scheme can satisfy more security attributes and has better performance. By improving the revocable group signature and tidbits) threshold scheme, we design an open audit scheme EPAM, which is suitable for multi-manager groups to share data. This scheme can realize user's identity privacy, traceability and non-framing. And the security analysis shows that the scheme EPAM can be proved to be safe under the stochastic prophecy model. In addition, compared with the existing scheme, The experimental results show that the scheme EPAM has a relatively small computational overhead. It makes use of Elastic Compute Service (EPAM), object Storage Service (OSS) and Relational Database Service (RDSs), and uses the JPBC cryptography library and JavaWeb development tools. A prototype system of cloud storage data security and integrity audit is designed and implemented. The system can simulate the scheme and the existing scheme, and verify the computing cost of each scheme in different links. Compare and analyze the performance of different schemes.
【学位授予单位】：南京理工大学
【学位级别】：硕士
【学位授予年份】：2017
【分类号】：TP333;TP309

【参考文献】