云计算密钥管理研究

发布时间：2018-05-11 00:31

本文选题：云计算安全体系结构 + 密钥更新　；参考：《北京科技大学》2016年博士论文

【摘要】：近年来,随着计算机行业的迅猛发展,作为网络计算功能新标志的云计算越来越受到广泛关注。这种付费使用的分布式计算给IT产业带来诸多优势,比如为了满足用户的不同需求实时扩展资源、提供更快的计算服务、大幅度降低运营成本等。尽管现阶段云计算受欢迎的程度与日俱增,然而云计算同时也带来了严峻的安全问题,这在很大程度上影响了云计算的应用,因此,和传统模型相比,在云计算中保证终端用户的机密性和完整性更具挑战性。此外,云服务通常是多租户服务,这意味着一个单独的基础设施、平台或软件同时为多个相互不可信的用户提供服务,因此,加强这些数据的机密性保护是亟待解决的难题。密钥管理是数据保护的基础措施之一,进一步研究解决这个问题,对于整体提升云计算的安全性和实用性具有重大意义。本论文以椭圆曲线、随机预言机模型和哈希函数等数学工具,从云计算安全体系结构、密钥更新、重加密、数字签名和组密钥协商协议等方面进行研究,主要工作如下：1)提出了新的云计算安全体系结构。在体系结构中添加支持身份管理认证的,基于时限的密钥管理方案和改进后的基于访问密钥层次结构的密钥管理方案,实现细粒度的访问控制以及支持云计算安全网络的可扩展性。在成员加入或离开时能够高效地进行密钥更新,减少了密钥推导和签名检查阶段的计算时间。方案增强了云计算安全体系结构的安全性、实用性和完整性。2)提出了新的密钥更新方案、基于数据重加密的方案以及无证书数字签名方案。密钥更新方案基于密钥策略的属性加密方案(KP-ABE),支持可扩展性和层次结构访问而不需要复杂的数据结构。采用新密钥更新方案提出一个以用户为中心的隐私保护密码访问控制协议,在不依赖于任何特定的云供应商的情况下,实现安全性、高效灵活性以及隐私保护。在BBS加密和E1Gamal密码系统的基础上提出基于代理的重加密方案,但是在发生数据访问时,必须使用非对称密钥进行重加密且保证代理必须是完全可信的。针对这些缺陷,提出云供应商负责重加密任务的方案,所有数据重加密操作都由云供应商负责,增强了可扩展性。任何授权用户都可以直接在云中写和读加密的数据,实现了更快速的访问。组成员关系发生变化时,这个方案会保证数据的机密性以及前向保密性和后向保密性。针对一些早期CL-DS方案大多数都使用了双线性对和MTP函数导致计算开销大,且不能抵抗不同攻击等缺陷,使用ECC设计一个高效安全的低计算开销的方案。通过CL-PKC中两种敌手做两个挑战-应答游戏,定义方案的攻击模型,可证明方案在自适应选择消息和身份攻击下存在性不可伪造。3)提出了一个新的认证组密钥协商协议。针对低功率移动设备采用传统的基于PKI的认证组密钥协商协议,导致计算效率较低、开销较大等问题,设计一个基于ECC的认证组密钥协商协议。新协议有以下主要特点：1.无需使用双线性对和MTP运算；2.能抵抗已知攻击；3.成员的加入和离开更加灵活：4.协议弃用公钥认证的CA并且通过IBC和ECC减少了计算开销,提高了计算效率;5.在移动云网络中容易实现。
[Abstract]:In recent years, with the rapid development of the computer industry, the cloud computing, as a new symbol of network computing, has attracted more and more attention. This paid use of distributed computing brings many advantages to the IT industry, such as expanding resources to meet the different needs of the users, providing faster computing services, and greatly reducing the cost of operation. In spite of the increasing popularity of cloud computing at the present stage, cloud computing has also brought serious security problems, which greatly affects the application of cloud computing. Therefore, it is more challenging to ensure the confidentiality and integrity of end users in cloud computing compared with traditional models. In addition, cloud services are usually multi tenants. Service, which means that a single infrastructure, platform or software provides services for multiple untrusted users at the same time. Therefore, it is an urgent problem to strengthen the protection of these data confidentiality. Key management is one of the basic measures for data protection. It is of great significance. In this paper, some mathematical tools such as elliptic curve, random oracle model and hash function are used to study the cloud computing security architecture, key update, reencryption, digital signature and group key agreement protocol. The main work is as follows: 1) a new cloud computing security architecture is proposed. In the system, a time based key management scheme and an improved key management scheme based on the access key hierarchy are added to achieve fine-grained access control and support for the scalability of the cloud computing security network. The computing time of the key derivation and signature checking phase. The scheme enhances the security of the security architecture of the cloud computing security architecture, practicality and integrity.2) to propose a new key update scheme, the scheme based on the data re encryption and the certificate free digital signature scheme. The key update scheme is based on the key policy based attribute encryption scheme (KP-ABE). Extensibility and hierarchical access without complex data structures. A user centric privacy protection cryptographic access control protocol is proposed with a new key update scheme, which is secure, efficient, and privacy protected without relying on any particular cloud provider. In BBS encryption and E1Gamal cryptography, A proxy based reencryption scheme is proposed, but when data access is accessed, the asymmetric key must be reencrypted and the agent must be fully trusted. For these defects, the cloud vendor is responsible for reencrypting the task. All data re encryption operations are responsible for the cloud provider and enhanced Extensibility. Any authorized user can write and read encrypted data directly in the cloud to achieve faster access. When the group membership changes, this scheme ensures data confidentiality, forward secrecy and backward secrecy. For some early CL-DS schemes, most of the numbers use bilinear pairing and MTP function results. A high efficient and safe low computational cost scheme is designed with ECC, which can not resist different attacks such as different attacks. Two challenge response games are done by two enemies in the CL-PKC, and the attack model of the scheme is defined. It is proved that the scheme is new in the adaptive selection message and the identity attack under the existence of the non forgery.3. The authentication group key agreement protocol. For low power mobile devices using the traditional PKI based authentication group key agreement protocol, resulting in low computational efficiency and high overhead, a authentication group key negotiation protocol based on ECC is designed. The new protocol has the following main features: 1. no need to use bilinear pairing and MTP operation; 2. can resist the already Knowledge attack; the 3. members are more flexible to join and leave: the 4. protocol discarded the public key authentication CA and reduced the computing overhead through IBC and ECC, and improved the computing efficiency; 5. is easy to implement in the mobile cloud network.

【学位授予单位】：北京科技大学
【学位级别】：博士
【学位授予年份】：2016
【分类号】：TN918.4

【相似文献】