
Research On The Efficient Methods In Protecting Data Of Networked Storage System

Posted on: 2010-08-29
Degree: Doctor
Type: Dissertation
Country: China
Candidate: L X Chen
Full Text: PDF
GTID: 1118360302971128
Subject: Computer system architecture

Abstract/Summary:
With the development of network technology, storage systems have become networked, and the threats facing the network are now threats to storage systems as well. The importance of storage security goes without saying. However, security and efficiency are in tension: strong security reduces the efficiency of data access, and efficient data access requires sacrificing some security. How to protect the security of network storage systems while at the same time improving the efficiency of data access is therefore a very meaningful topic.

Cryptographic techniques play an important role in protecting network storage systems. In network storage systems, cryptographic techniques can provide secure access control, data confidentiality and integrity protection, and digital signatures can provide non-repudiation. However, cryptographic operations are computationally expensive, and public key cryptography is far more expensive than symmetric cryptography. To reduce the impact of the security mechanism on efficiency, the use of public key cryptography should be avoided wherever possible. Existing storage systems are usually based on a hybrid scheme. To improve efficiency, a set of schemes based on non-public-key cryptography is proposed, and a network storage system based on non-public-key cryptography is then designed and implemented. Its security and performance are analyzed; the results indicate that the schemes provide security while improving the efficiency of data access.

When users are revoked from an encrypted storage system, file keys must be regenerated, files re-encrypted, and the new keys re-issued to the users who remain. This introduces a large number of computationally expensive cryptographic operations. Re-encryption is needed because the file keys have been exposed to the revoked users; if the file keys had never been exposed to them, the files would not need to be re-encrypted. A black-box model is therefore proposed to avoid re-encryption when revoking users. It requires that the file keys are never exposed to any user, while users can still use the file keys to decrypt files. In the implementation, an FPGA/ASIC hardware module acts as the black-box: it stores all secret keys and performs all cryptographic operations involving the file keys, so the file keys are never exposed to users. Using a hardware module to perform these operations can also improve performance and simplify key management. The method can be implemented as a module, which can then be inserted into any available file system.

The ultimate goal of network storage is to provide file services. Traditional file service systems express their security and management mechanisms in program code, so whenever those mechanisms change, the system has to be re-programmed. Such systems also often ignore external factors such as user behavior, which leaves them lacking adaptability in a complex and ever-changing environment. Policies enable the system to adapt to environmental change: if the system needs to adjust some feature, only the policy needs to be updated. This also makes the system more flexible and allows policies to be re-used in different environments. Therefore, a set of security policies for file services is proposed, including a credential-based access control policy and a privilege-customizing policy. The application occasions of these policies are discussed, which helps in selecting the appropriate security policy. Finally, all of these policies are applied to the WAN file service system U-Stor.

A secure and efficient WAN file service system, namely U-Stor, is designed and implemented. U-Stor uses credential-based access control. A session-based access control model (SACM) is proposed based on the characteristics of U-Stor; it is simple, intuitive, timely and secure. The U-Stor file service security protocol is established and its security is analyzed formally. The result indicates that it can resist various attacks. Finally, the performance is analyzed and evaluated: SACM, the public key based scheme and the non-public-key based scheme are compared. The results indicate that the public key based scheme is the most computationally expensive and that SACM improves performance efficiently.
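The black-box revocation argument in the abstract is easiest to see side by side: a store that hands each authorized user a copy of the file key must rotate the key and re-encrypt on every revocation, while a store whose key-holding module never releases the key only has to drop an authorization entry. The simulation below is an added example written for this page, not code from the dissertation or from U-Stor. The key-holding module is an ordinary Python object standing in for the FPGA/ASIC module the abstract describes, the cipher is a constructed HMAC-SHA256 keystream used only for illustration, and the user names and file contents are constructed sample data.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Constructed illustration cipher: XOR data with an HMAC-SHA256 counter keystream.
    Symmetric, so one call both encrypts and decrypts. It stands in for the cipher the
    dissertation's hardware module would run and is not meant for production use."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class EncryptedFile:
    nonce: bytes
    ciphertext: bytes


class KeyExposingStore:
    """Conventional cryptographic storage: every authorized user receives a copy of the
    file key. Once a user is revoked that key is burned, so revocation must rotate the
    key, re-encrypt the file and re-issue the new key to the remaining users."""

    def __init__(self) -> None:
        self.files: dict[str, EncryptedFile] = {}
        self.user_keys: dict[str, dict[str, bytes]] = {}  # user -> {file: key}; key has left the server
        self.reencryptions = 0

    def create(self, name: str, plaintext: bytes, users: list[str]) -> None:
        key, nonce = os.urandom(32), os.urandom(16)
        self.files[name] = EncryptedFile(nonce, keystream_xor(key, nonce, plaintext))
        for user in users:
            self.user_keys.setdefault(user, {})[name] = key

    def read(self, user: str, name: str) -> bytes:
        key = self.user_keys[user][name]  # KeyError when the user holds no key for this file
        f = self.files[name]
        return keystream_xor(key, f.nonce, f.ciphertext)

    def revoke(self, user: str, name: str) -> None:
        old_key = self.user_keys[user].pop(name)
        f = self.files[name]
        plaintext = keystream_xor(old_key, f.nonce, f.ciphertext)
        new_key, nonce = os.urandom(32), os.urandom(16)
        self.files[name] = EncryptedFile(nonce, keystream_xor(new_key, nonce, plaintext))
        self.reencryptions += 1  # the expensive step the black-box model avoids
        for keys in self.user_keys.values():  # re-issue the new key to unrevoked users
            if name in keys:
                keys[name] = new_key


class BlackBoxStore:
    """Black-box model: the key-holding module (an FPGA/ASIC in the dissertation, a plain
    object here) keeps every file key and performs decryption itself. Users hold only an
    authorization entry, so revoking one is a table update with no re-encryption."""

    def __init__(self) -> None:
        self.files: dict[str, EncryptedFile] = {}
        self._keys: dict[str, bytes] = {}  # file -> key; no method ever returns these
        self.authorized: dict[str, set[str]] = {}
        self.reencryptions = 0

    def create(self, name: str, plaintext: bytes, users: list[str]) -> None:
        key, nonce = os.urandom(32), os.urandom(16)
        self._keys[name] = key
        self.authorized[name] = set(users)
        self.files[name] = EncryptedFile(nonce, keystream_xor(key, nonce, plaintext))

    def read(self, user: str, name: str) -> bytes:
        if user not in self.authorized[name]:
            raise PermissionError(f"{user} is not authorized for {name}")
        f = self.files[name]
        return keystream_xor(self._keys[name], f.nonce, f.ciphertext)  # decrypts inside the box

    def revoke(self, user: str, name: str) -> None:
        self.authorized[name].discard(user)  # nothing to re-encrypt, nothing to re-issue


def compare_revocation() -> dict[str, dict[str, object]]:
    """Run the same create / read / revoke / read sequence against both stores and report
    what each one needed. Users and file contents are constructed sample data."""
    plaintext = b"quarterly report (constructed sample)"
    results: dict[str, dict[str, object]] = {}
    for label, store in (("key_exposing", KeyExposingStore()), ("black_box", BlackBoxStore())):
        store.create("report.txt", plaintext, ["alice", "bob"])
        assert store.read("bob", "report.txt") == plaintext
        store.revoke("bob", "report.txt")
        try:
            store.read("bob", "report.txt")
            bob_blocked = False
        except (KeyError, PermissionError):
            bob_blocked = True
        results[label] = {
            "alice_still_reads": store.read("alice", "report.txt") == plaintext,
            "bob_blocked": bob_blocked,
            "reencryptions": store.reencryptions,
        }
    return results


if __name__ == "__main__":
    for label, outcome in compare_revocation().items():
        print(label, outcome)
```

Both stores end in the same access state (alice reads, bob is blocked), but the key-exposing store paid for one full re-encryption plus a key re-issue to every remaining user, while the black-box store changed one authorization set. The cost difference grows with file size and user count, which is the efficiency argument the abstract makes; the security argument is that `BlackBoxStore` has no code path that returns `_keys` to a caller, so a revoked user holds nothing that could decrypt the unchanged ciphertext.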
Keywords/Search Tags: Networked Storage, Cryptographic Storage, Storage Security, Access Efficiency, File Service, Security Policy