Research on Security and Trust Models Based on Cloud Computing Platforms
Abstract
Since its introduction, cloud computing has attracted the attention of many enterprises with its customizable services, powerful processing capability and relatively low prices. Yet just as some enterprises prepare to move into the cloud, problems with cloud computing services surface from time to time and make many of them hesitate. The price-performance ratio of cloud computing is high, but the service must first of all be secure and reliable. Research on cloud computing security is therefore significant for the development and adoption of cloud computing.
     This thesis introduces the basic concepts, characteristics and application prospects of cloud computing, gives a general comparison of three typical cloud computing services, and focuses on the current state of cloud computing services, their security status and the problems still to be solved.
     To address user trustworthiness, this thesis proposes the Behavior-based Trust Level and Role Control Model in Cloud (BTRMC) and gives a specific method for calculating a trust value: the trust value is derived from the user's behavior and is used to determine the user's trust level. In the dynamic role and permission control sub-model, roles are assigned and permissions are configured according to the user's trust level, so a change in trust level brings a dynamic change in roles and permissions. This is used to manage and guide user behavior and to protect the security of the cloud computing system.
     To address the security of data transmission, this thesis studies data transmission in the cloud in two parts: transmission inside the cloud and transmission outside the cloud system. For transmission inside the cloud, it proposes a simple secure communication model for communication inside the cloud (SSCMIC). For transmission outside the cloud system, it proposes a combined hardware and software method using a USB Key for user authentication and encrypted message transmission, in order to improve user trustworthiness and data security.
