详细信息    本馆镜像全文|  推荐本文 |  |   获取CNKI官网全文
With the evolution of high performance computing from the traditional host to thenetworked cluster, the traditional host-based storage systems can not meet therequirements of the aggregate access and data storage of the cluster which with hundredsof servers, and becomes the I/O bottleneck. Following the networked clustering directionof the host, the traditional host-based storage architecture has gradually developed tonetworked storage. As the result of the developing of network storage technology, storingis no longer a purely local behavior. It is combined with the network closely, and becomesa part of network. Because the network is an open system, and there are security flawsexisting in the network protocols and software systems, so inevitably there are somesecurity risks in network systems. As a member of the network system, the networkstorage system is exposed to the intruder as well. Once the attacker successfully invades adata storage device, he can get confidential data, or even can hinder access of thelegitimate users, and lead to incalculable losses. Comparing to the mature study on thenetwork security, the research on the network storage security is still in the initial stage. Incurrent, the research results of the network storage security are mainly come from researchinstitutions and large enterprises of USA and the other developed countries. It is still at thebeginning of the study in China, and there is no key technology in this field. Therefore, toresearch and develop the technologies and products of network storage security withindependent intellectual property rights, makes strategic significance to China’sinformation security infrastructure.
     This paper focus on the security issues of the object-based storage, such as the activeprotection of the object-based storage, the access security of the object-based storage, thedata encryption mechanism with high efficiency and so on, proposes some valid schemesand achieves some research results. The main researches and achievements in the paperare as follows:
     (1) Research on the initiative protection mechanisms of the object-based storage. Inorder to avoid the stored object being stolen or damaged results from the compromisedhost system, this paper presents a scheme of initiative protection of the object-basedstorage. Because many intrusions would lead to read/write access to the storage, theintrusions can be found if there is IDS in the storage system. In the object-based storageenvironment, the IDS even can capture data and attributes for analysis according to theneeds with the support of intelligent storage devices. The scheme takes full advantage ofcharacteristics of the object-based storage and the existing IDS technology, embeddingIDS into object-based storage device-OSD to monitor the behavior of the applicationprograms accessing the storage devices,therefore protects the OSD from the intrusions,and raises the security of the object-based storage. By using the improved unsupervisedclustering and support vector machine algorithm for intrusion detection, the IDS candetect intrusions more accurately and efficiently, and can detect the unknown intrusionseffectively. At the same time, it adopts the double-layer structure and the alert fusion technology based on multiplicative increase linearly decreasing algorithm, and reduces thefalse alarm rate. As it is simple to realize and has very small performance impact onsystem, this scheme is very practical.
     (2) Research on the security access mechanism of object-based storage. According tothe characteristic of the object-based storage system, this paper proposes a new securityaccess mechanism based on ECC-based two-way authentication and key exchangeprotocol. It has different protocols algorithm for different relationships between thedevices of object-based storage system. The protocols run with no need of secure channel,but can guarantee the security of key exchange and achieve the certification status of themutual communication parties. According to the safety analysis, each sub-protocol canresistant against intermediaries' attacks and other kinds of network attacks. Meanwhile, themain keys are randomly generated and temporarily effective, so they have no need ofspecific conservation and management. Therefore, compared to the existing accesssecurity mechanisms of the object-based storage, this new mechanism not only enhancethe security of the access of the object-based storage, but also reduce the difficulty of keymanagement and the requirements of secure channels, the complexity of the protocols arenot high as well.
     (3) Research on the encryption mechanism of the object-based dada. As the accesscontrol and the intrusion detection mechanism are used to prevent attacks coming from thenetwork, but they are unable to prevent the internal data theft or data leakage caused bystorage device theft. To protect the data security better, the data encryption in storagedevices has become an essential security measures. The traditional encrypting file systemshas big encryption overhead and user-revoke overhead, because they encrypt all data andexpose the sharing keys to every user. The problems not only cause loss on the systemperformance, but also cause great inconvenience to the legitimate users. This paperproposes a scheme of non-continuous efficient sharing encryption file system. In thescheme, only the tender contents would be encrypted to reduce the encryption overhead.At the same time, a user is revoked by setting the user’s certification invalid, and whichcan avoid the big overhead on re-encryption of data and the overhead on the distributionand re-distribution of sharing keys because of revoking user. And so that it allows largescale users’ efficient sharing the encryption file system. Because the keys and the user’scertifications are managed by the non-centralized owner of the file group, the security riskof the system is dispersed, and the creditability requirement for the server is reduced.
     The proposed initiative protection mechanisms of the object-based storage, the securityaccess mechanism of object-based storage based on ECC-based two-way authenticationand key exchange protocol, and the encryption mechanism of the object-based dada, havecertain reference for constructing high-security object-based storage system.
    [2] Molero X, Silla F, Santonja V, et al. On the Interconnection Topology for StorageArea Networks. in: Proceedings of15th Parallel and Distributed ProcessingSymposium.2001.1648-1656
    [3] Harry Hulen, Otis Graf, Keith Fitzgerald, Richard W. Watson. Storage AreaNetworks and the High Performance Storage System. in: Proceedings of the19thIEEE/10th NASA Goddard Conference on Mass Storage Systems andTechnologies, April15-18,2002.225-240
    [4] Wang P, Gilligan R. E, Green, et al. IP SAN-from iSCSI to IP-AddressableEthernet Disks. in: Proceedings of the20th IEEE/11th NASA Goddard Conferenceon Mass Storage Systems and Technologies. April7-10,2003.189-193
    [5] Gibson G A, Nagle D F, Amiri K, et al. A Cost-effective, high-bandwidth storagearchitecture. in: Proceedings of the8thInternational Conference on ArchitecturalSupport for Program Languages and Operating Systems (ASPLOS), October,1998.92-103
    [6] Gibson G A, Nagle D F, Amiri K, et al. File server scaling with network-attachedsecure disks. in: Proceedings of the ACM International Conference onMeasurement and Modelling of Computer System, June,1997.272-284.
    [7] Alain Azagury, Vladimir Dreizin, Michael Factor, et al. Towards an Object Store. in:Proceedings of the20th IEEE/11th NASA Goddard Conference on Mass StorageSystems and Technologies(MSS’03),2003.165-176
    [8] Gibson G A, Nagle D F, Courtright W, et al. NASD scalable storage systems. in:Proceedings of1999USENIX Annual Technical Conference, June,1999.
    [9] SCSI Object-Based Storage Device Commands-2(OSD-2). Project T10/1721-D,Revision0. T10Technical Committee NCITS, October,2004.
    [10] Menon J, Pease D A, Rees R, et al. IBM Storage Tank-A heterogeneous scalableSAN file system. IBM SYSTEMS JOURNAL,2003,42(2):250-267
    [11] Peter J Braam. The Lustre Storage Architecture. Cluster File Systems, Inc,http://www.clusterfs.com, March,2004.
    [12] David Nagle, Denis Serenyi, Abbie Matthews. The Panasas ActiveScale StorageCluster-Delivering Scalable High Bandwidth Storage. in: Proceedings of the2004ACM/IEEE conference on Supercomputing,November,2004.53
    [13] Mesnier M, Ganger G R, Riedel E. Object-Based Storage. CommunicationsMagazine, IEEE, August,2003,41(8):84-90
    [14] Rodeh O, Schonfeld U, Teperman, A. zFS-a scalable distributed file system usingobject disks.in: Proceedings20th IEEE/11th NASA Goddard Conference on MassStorage Systems and Technologies, April,2003.207-218
    [15] Andy Hospodor, Ethan L Miller. Interconnection Architectures for Petabyte-scaleHigh-performance Storage Systems. in: Proceedings of the21st IEEE/12th NASAGoddard Conference on Mass Storage Systems and Technologies, April,2004.101-109
    [16] Peter J. Braam. The Lustre Storage Architecture. March2004. http://www. lustre.org.
    [17] Panasas Inc. Object-based Storage: Enabling Peta-scale Computing. November2003. Http://www. panasas. com/docs.
    [18] Kubiatowicz J, Bindel David, Yan Chen, et al. OceanStore: An Architecture forGlobal-Scale Persistent Storage. in: Proceedings of the ACM InternationalConference on Architectural Support for Programming Languages and OperatingSystems,November,2000.190-201
    [19] For Wei-Khing, Xi Wei-Ya. Adaptive Extents-based File System for Object-basedStorage Devices. in: Proceedings of the23th IEEE/14th NASA GoddardConference on Mass Storage Systems and Technologies, May,2006.
    [20] Xi Weiya, For Wei-Khing, Wang Donghong, et al. OSDsim-a Simulation andDesign Platform of an Object-based Storage Device. in: Proceedings of the23thIEEE/14th NASA Goddard Conference on Mass Storage Systems andTechnologies, May,2006.
    [21] Renuga Kanagavelu, Yong Khai Leong. A Bit-Window based Algorithm forBalanced and Efficient Object Placement and Lookup in Large-Scale Object basedStorage Cluster. in: Proceedings of the23th IEEE/14th NASA Goddard Conferenceon Mass Storage Systems and Technologies, May,2006.
    [27] Wang F, Zhang S, Feng D, et al. A Hybrid Scheme for Object Allocation in aDistributed Object-storage System. in: Proceedings of the6thInternationalConference on Computational Science, UK, May,2006.
    [28] Goodson.G R, Wylie.J J, Ganger.G R, et al. Efficient Byzantine-tolerant Erasure-coded Storage. in: International Conference on Dependable Systems and Networks,July,2004.135-144
    [29] Strunk. J D, Goodson. G R, Scheinholtz. M L. Self-Securing Storage: ProtectingData in Compromised Systems. in: Proceedings of the4th Symposium onOperating Systems Design and Implementation, San Diego, CA, October,2000.165-180
    [30] Craig A.N. Soules, Garth R. Goodson, John D. Strunk, et al. Metadata Efficiency inVersioning File Systems. in: Proceedings of FAST’03:2nd USENIX Conferenceon File and Storage Technologies, San Francisco, CA, Mar,2003.43-58
    [31] Eu-Jin Goh, Hovav Shacham, Nagendra Modadugu, et al. SiRiUS: SecuringRemote Untrusted Storage. in: Proceedings of Network and Distributed SystemsSecurity (NDSS) Symposium2003,2003.131-145
    [32] Kevin Fu, M. Frans Kaashoek, David Mazières. Fast and Secure Distributed Read-only File System. ACM Transactions on Computer Systems,2002,20(1):1-24
    [33] Ethan L. Miller, William E. Freeman, Darrell D. E. Long, et al. Strong Security forNetwork-Attached Storage (2002). in: Proceedings of the2002Conference on Fileand Storage Technologies (FAST),2002,1-13
    [34] Mahesh K, Erik R, Ram S, et al. Plutus: Scalable secure file sharing on untrustedstorage. in: Proceedings of the2nd Conference on File and Storage Technologies(FAST’03), USENIX, Berkeley, CA, Mar,2003.29–42
    [38] John D. Strunk, Garth R. Goodson, Adam G. Pennington, et al. IntrusionDetection, Diagnosis, and Recovery with Self-Securing Storage (2002).CMU-CS-02-140, May,2002.
    [39] Adam G. Pennington, John D. Strunk, John Linwood Griffin, et al. Storage-basedIntrusion Detection: Watching storage activity for suspicious behavior. in:Proceedings of the12th USENIX Security Symposium Washington, DC, August,2003.182-196
    [40] Mohammad Banikazemi, Dan Poff, Bulent Abali, et al. Storage-Based IntrusionDetection for Storage Area Networks (SANs). in: Proceedings of22nd IEEE/13thNASA Goddard Conference on Mass Storage Systems and Technologies,2005.11-14
    [44] SCSI Obbject-Based Storage Device Commands-2(OSD-2). Project T10/1721-D,Revision0, T10Technical Committee NCITS, October2004.
    [45] Yao Di, Feng Dan. Intrusion Detection for Object-Based Storage System. in: The9th International Conference for Young Computer Scientists, ICYCS2008,November,2008.218-222
    [46] Nell C, John S. An Introduction to Support Vector Machines and OtherKernel-based Learning Methods. Cambridge University Press,2000.
    [47] Daniel Boley, Vivian Borst, Maria Gini. An Unsupervised Clustering Tool forUnstructured Data. in: Papers of the Workshop on Machine Learning forInformation Filtering at IJCAI-99,1999.20-24
    [48] Downs T, Gates K E, Masters A. Exact Simplification of Support Vector Solutions.Journal of Machine Learning Research,2001,12(2):293-297
    [49] Lee Yuh-jye, Mangasarian Olvi L. RSVM: Reduced support vector machines. DataMining Institute, Computer Sciences Department, University of Wisconsin,2001.00-07
    [50] Kuan-ming Lin, Chih-jen Lin. A Study on Reduced Support Vector Machines.IEEE TRANSACTIONS ON NEURAL NETWORKS,2003,14(6):1449—1459
    [51] Gene H.Kim, Eugene H. Spaffod. The design and implementation of Tripwire: Afile system integrity checker. Proceedings of the2ndACM Conference on Computerand Communications Security,1994
    [52] Chen ZW, Wang KY, Jiang JG. Design of Alert Merging Algorithm of Network-based Intrusion Detection System. Information and Electronic Engineering,2005,3(3):182185
    [53] Mohammad Banikazemi, Dan Poff, Bulent Abali. Storage-based IntrusionDetection for Storage Area Networks. in: Proceedings of the22ndIEEE/13thNASAGoddard Conference on Mass Storage Systems and Technologies (MSST2005),2005.11-14
    [54] Ann Chervenak, Vivekanand Vellanki, Zachary Kurmas. Protect File System: ASurvey of Backup Techniques. in: Proceedings of the Joint NASA and IEEE MassStorage Conference,1998. URL citeseer.ist.psu.edu/chervenak98protecting.html.
    [55] Burrows M, Abadi M, Needham R. A Logic of Authentication. ACMTRANSACTIONS ON COMPUTER SYSTEMS,1990,8(1):18-36
    [56] Diffie W, Oorschot P.C, Wiener M.J. Authentication and authenticated keyexchange. Designs, Codes, and Cryptography,1992,2:107-125
    [57] Bind R, Gopal I, Herzberg A, et al. Systematic design of two-party authenticationprotocols. Proceedings of CRYPTO’91, Lecture Notes in Computer Science,Springer,1992,576:44-61
    [58] Shannon C. E. A Mathematical Theory of Communication. Bell System TechnicalJournal, July-October,1948,27:379-423
    [59] Diffie W., Hellman M. E. New Directions in Cryptography. IEEE Transactions onInformation Theory, November,1976, IT-22(6):644-654
    [60] Laurie Law, Alfred Menezes, Minghua Qu, et al. An Efficient Protocol forAuthenticated Key Agreement. Designs, Codes and Cryptography,1998,28(2):119-134
    [61] Antoine Joux. A one-round protocol for tripartite Diffie-Hellman. in: Proceedingsof4thInternational Symposium on Algorithmic Number Theory. Lecture Notes inComputer Science,2000,1838:385-393
    [62] Burmester M, Desmedt Yvo G. Efficient and secure conference-key distribution.Lecture Notes in Computer Science,1997,1189:119-129
    [63] Menezes A, Qu M, and Vanstone S. Some new key agreement protocols providingimplicit authentication. in: Proceedings of the Second Workshop on Selected Areasin Cryptography (SAC '95), Ottawa, May18-19,1995.22-32
    [64] Bellare M, Rogaway P. Entity authentication and key distribution. in: Proceedingsof CRYPTO’93, Lecture Notes in Computer Science, Springer,1994,773:232-249
    [65] Blake-Wilson S, Menezes A. Authenticated Diffie-Hellman key agreementprotocols. Proceedings of5thAnnual International Workshop, SAC’98. LectureNotes in Computer Science, Springer,1998,1556:339-361
    [66] Needham R M, Schroeder M D. Using encryption for authentication in largenetworks of computers. Communications of the ACM,1978,21(12):993-999
    [67] Carlsen Ulf. Optimal privacy and authentication on a portable communicationsystem. ACM SIGOPS Operating Systems Review,1994,28(3):16-23
    [68] Aziz A, Diffie W. Privacy And Authentication For Wireless Local Area Networks(1994). IEEE Personal Communications,1994,1(1):25-31
    [69] Boyd C, Mathuria A. Protocols for Authentication and Key Establishment. Springer,2003
    [70] Katz J, Ostrovsky R, Yung M. Efficient password-authenticated key exchangeusing human-memorable passwords. in: Proceedings of the InternationalConference on the Theory and Application of Cryptographic Techniques: Advancesin Cryptology, Lecture Notes in Computer Science, Springer Berlin,2001,2045:475-494
    [71] Bellar M, Yacobi Y. Fully-fledged two-way public key authentication and keyagreement for low-cost terminals. Electronics Letters.1993,29(11):999-1001
    [72] Al-Riyami SS, Patersor KG. Tripartite Authenticated Key Agreement Protocol fromPairing. in: Proceedings of IMA Conference on Cryptography and Coding. UKCirencester,2002.192-201
    [73] Popescu C. A Secure Authenticated Key Agreement Protocol. in: Proceedings ofthe12thIEEE Mediterranean Electrotechnical Conference. MELECON,2004,2:783-786
    [74] Arthur Evans.Jr, Kantrowitz W, Weiss E. A User Authentication Scheme notRequiring Secrecy in the Comuuter. Communications of the ACM.1974,17(8):437-442
    [75] Lamport L. Password Authenticated with Inscure Communication.Communications of the ACM.1981,24(11):770-772
    [76] Bellovin S.M, Merritt M. Encrypted key exchange: password-based protocolssecure against dictionary attacks. in: Proceedings of1992IEEE Computer SocietySymposium on Research in Security and Privacy, May,1992.72-84
    [77] Feng Hao, Peter Ryan. Password Authenticated Key Exchange by Juggling. in:Proceedings of the16th International Workshop on Security Protocols,2008.
    [78] Erik De Win, Bart Preneel. Elliptic Curve Public Key Cryptosystems-anintroduction. Course of LNCS,1997,1528:(131-141)
    [79] Hankerson D, Menezes A, Vanstone S. Guide to Elliptic Curve Cryptography.Springer-Verlag New York, USA,1993
    [80] Laurie Law, Alfred Menezes, Minghua Qu, et al. An Efficient Protocol forAuthenticated Key Agreement. Designs, Codes and Cryptography,1998.
    [81] Aydos M, Sunar B. An elliptic curve cryptography based authentication and keyagreement protocol for wireless communication. in:2ndinternational workshop onDiscrete Algorithms and Methods for Mobile Computing and Communications,Dallas, TX,1998
    [82] Sun Hung-Min, Hsieh Bin-Tsan, Tseng Shin-Mu. Cryptanalysis of Aydos et al’sECC-Based Wireless Authentication Protocol. in: Proceedings of the2004IEEEInternational Conference on E-Technology, E-Commere and E-Service. LosAlamitos: IEEE Computer Society Press,2004.563-566
    [83] Mangipudi K, Malneedi N, Katti R. Attack and solutions on Aydos-Savas-Koc’swireless authentication protocol. Global Telecommunications Conference,2004.2229-2234
    [84] Liu zhimeng,Zhao yanli, Fanhui. A Secure MAKAP for wireless communication.Wuhan University Journal of Natural Sciences,2006,11(6):1749-1752
    [85] Seo D, Sweeney E. Simple authenticated key agreement algorithm. ElectronicsLetters,1999,35(13):1073-1074
    [88] Fahiem Bacchus. Representing and Reasoning with Probabilistic Knowledge: ALogical Approach. MIT Press,1990.
    [89] Ethan Miller, Darrell Long, William Freeman, et al. Strong Security for DistributedFile Systems. In Proceedings of the20th IEEE International Performance,Computing, and Communications Conference,2002.34-40
    [90] Modi D, Agrawalla R.K, Moona R. TransCryptDFS: A secure distributedEncrypting File System.2010International Congress on Ultra ModernTelecommunications and Control Systems and Workshops (ICUMT), Oct,2010.187-194
    [91] Matt Blaze. Key Management in an Encrypting File System. In Proceedings of theSummer1994USENIX Conference,1994.27-35
    [92] Shamir A. How to share a secret. Communications of the ACM,1979,22(11):612-613.
    [93] Stefan Miltchev, Vassilis Prevelakis, Sotiris Ioannidis, et al. Secure and FlexibleGlobal File Sharing. in Proceedings of the USENIX2003Annual TechnicalConference, Freenix Track,2003.165-178
    [94] Backes M, Cachin C, Oprea. A Lazy Revocation in Cryptographic File Systems. in:Proceedings of the Third IEEE International Security in StorageWorkshop(SISW’05), San Francisco, December,2005.1-11
    [96] Thomas E. Anderson, Michael D. Dahlin, Jeanna M. Neefe, et al. ServerlessNetwork File Systems. ACM Transactions on Computer Systems,1995.109-126
    [97] Mazires D, Kaminsky M, Kaashoek M. Separating key management from filesystem security. in: SOSP, December,1999.124-139
    [98] Mazires D, Shasha D. Don't trust your file server. in: Proceedings of the EighthWorkshop on Hot Topics in Operating Systems, May,2001.113-118
    [99] E Zadok, L Badulesscu, A Shender. Cryptfs: A stackable vnode level encryption filesystem. Technical Report CUCS-021-98, Computer Science Department, ColumbiaUniversity,1998.
    [100] Blaze M. A Cryptographic File System for Unix. in: Proceeding of the1st ACMConference on Communications and Computing Security, Fairfax, VA, November,1993.
    [101] Emelindo Maurello. TCFS: Transparent Cryptogarphic File System, LinnuxJournal,1997.
    [102] G.Cattaneo, L.Catuogno, A.Del.Sorbo,etc. The Design and Implementation of aTransparent Cryptogarphic File System for Unix. in: Proceedings of the AnnualUSENIX Technical Conference, FREENIX Track, June,2001.199-212
    [103] Microsoft Corporation. Encrypting File System for Windows2000. White Paper,July,1999.
    [104] Fu K. Group sharing and random access in cryptographic storage file system.
    [Master Thesis]. Massachusetts Institute of Technology,1999.
    [105] Scott A. Banachowski, Zachary N. J. Peterson, Ethan L. Miller, et al. Intra-fileSecurity for a Distributed File System. in: Proceedings of the10thGoddardConference on Mass Storage systems and technologies, in cooperation with the19TH IEEE SYMPOSIUM on Mass Storage systems, College Park, MD, April,2002.153-163

© 2004-2018 中国地质图书馆版权所有 京ICP备05064691号 京公网安备11010802017129号

地址:北京市海淀区学院路29号 邮编:100083

电话:办公室:(+86 10)66554848;文献借阅、咨询服务、科技查新:66554700