Scheme of Cloud Database Oriented Multi-tenant Attribute-based Security Isolation and Data Protection
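  • English title: Scheme of Cloud Database Oriented Multi-tenant Attribute-based Security Isolation and Data Protection
  • Authors: 董庆贺; 何倩; 江炳城; 刘鹏
  • Authors (English): DONG Qinghe; HE Qian; JIANG Bingcheng; LIU Peng; Guangxi Key Laboratory of Cryptography and Information Security, Guilin University of Electronic Technology; Guangxi Collaborative Innovation Center of Cloud Computing and Big Data, Guilin University of Electronic Technology
  • Keywords: multi-tenant; cloud database; attribute-based encryption; QoS; SDN
  • Chinese journal name: XXAQ
  • English journal name: Netinfo Security
  • Institution: Guangxi Key Laboratory of Cryptography and Information Security, Guilin University of Electronic Technology; Guangxi Collaborative Innovation Center of Cloud Computing and Big Data, Guilin University of Electronic Technology
  • Publication date: 2018-07-10
  • Publisher: Netinfo Security (信息网络安全)
  • Year: 2018
  • Issue: No.211
  • Funding: National Natural Science Foundation of China [61661015]; Fund of the Key Laboratory of Cognitive Radio and Information Processing, Ministry of Education [CRKL160101]; Guangxi Collaborative Innovation Fund of Cloud Computing and Big Data [YD16801,C77KYS02SX18]; Fund of the Guangxi Key Laboratory of Cryptography and Information Security [GCIS201701]
  • Language: Chinese
  • Page: XXAQ201807009
  • Number of pages: 9
  • CN: 07
  • ISSN: 31-1859/TN
  • Classification number: 66-74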
Abstract
As an emerging cloud computing application, the cloud database has attracted wide attention, and data security has become an obstacle to its further development. To address data protection and service QoS for multi-tenant cloud databases in large data centers, this article proposes a multi-tenant cloud database security isolation and data protection scheme based on attribute-based encryption. First, a multi-tenant cloud database management system is designed and implemented to guarantee data isolation between tenants. Second, a middleware based on attribute-based encryption is proposed to encrypt tenant data and enforce fine-grained permission control, ensuring data security. Finally, a QoS system based on an SDN network architecture is designed and implemented to guarantee the service bandwidth of the cloud database service. Experimental results show that the cloud database designed in the article meets the security requirements of multiple tenants and that, when the network is congested, the SDN-based QoS system guarantees the service bandwidth of the encrypted database system and ensures the tenants' service experience.