
Research On Several Security Mechanisms For Cloud Storage Service

Posted on: 2017-03-05
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Z H Wang
Full Text: PDF
GTID: 1108330485460305
Subject: Information security

Abstract/Summary:
Cloud storage service is one of the important services provided by cloud service providers. Its security has become a hot research topic as user requirements have broadened. With a cloud storage service, users can host personal data in the cloud; nevertheless, as a result of the transparency of the cloud service, they lose management and control of that data. Meanwhile, it is difficult for users to assess a cloud service provider's credibility. Therefore, given how widely the cloud storage service is used, the question of how to design security mechanisms for it needs to be tackled urgently.

Firstly, identity (ID) authentication lays a solid foundation for the security of all cloud services. Nevertheless, several problems remain unsolved in the proposed schemes, such as the security of the terminal platform and access to the cloud service from multiple terminal devices. Secondly, a user may share files with multiple users through the cloud storage service, but the proposed schemes do not support fine-grained file sharing among multiple users. Thirdly, the shared data must not be tampered with during storage and use; however, the problem of collusion between a revoked user and the cloud is not solved in the presented schemes. Consequently, based on the cloud storage service and an analysis of the typical security mechanisms for cloud storage services offered by several enterprises, this dissertation concentrates on improving the flexibility of file sharing among multiple users, the security of ID authentication, and the integrity verification of the shared data. Several schemes for establishing security mechanisms for the cloud storage service are proposed. Specifically, the contributions of this dissertation are as follows:

(1) When a user wants to share data through the cloud storage service, his/her ID needs to be authenticated by the cloud. Besides, the identity of the cloud should also be authenticated, in order to prevent malicious attackers from obtaining a valid user's ID by impersonating the cloud. Therefore, bidirectional ID authentication between user and cloud lays a solid foundation for the security of the cloud storage service and of data sharing. This dissertation applies trusted computing technology, combines a portable Trusted Platform Module (TPM) with certificateless public key cryptography, and presents a scheme for bidirectional ID authentication between users and the cloud. Firstly, both the TPM and the portable TPM provide a secure and trusted terminal platform, which ensures that the authentication result between every user and the cloud is correct and valid. Secondly, the portable TPM supports account login and access to the cloud storage service from multiple trusted terminal devices. Thirdly, certificateless public key cryptography solves both the certificate management problem of traditional public key cryptography and the key escrow problem of ID-based cryptography. Furthermore, federated identity management for the cloud environment guarantees the unique identity of every entity. Lastly, the proposed scheme is Existentially Unforgeable under adaptive Chosen Message Attacks (EUF-CMA) in the random oracle model. Compared with existing schemes, it is more efficient in the ID authentication process.

(2) The important objective of using a cloud storage service is to improve working efficiency by sharing data among multiple users. Because the users sharing the same file in the cloud storage service have different access privileges, an efficient multi-user file sharing scheme is presented on the basis of ElGamal encryption and proxy re-encryption. In this scheme, multiple users can access different contents of the same file, which the data owner encrypts only once. Compared with previous proposals, this scheme has the advantages that the ciphertext storage space does not grow and that the computational efficiency of encrypting and decrypting the shared file improves for the group users (including the data owner and ordinary group users). Finally, a security proof of the scheme is given.

(3) During data sharing, the data owner and ordinary group users are able to append, delete and modify the shared data; ordinary group users are also added and revoked. Therefore, to prevent the shared data from being tampered with in these scenarios, it is important and significant that integrity verification is performed. Based on the Merkle Hash Tree (MHT) and proxy re-signature, a public integrity verification scheme for dynamic shared data with a defense against collusion attacks is proposed. This scheme not only supports any group user updating the content of the shared data, but also solves the problems of the shared data being tampered with and the verification result being forged, which are caused by collusion between a revoked user and the cloud during group user revocation. Furthermore, the experimental results, on the basis of the security proof, show that the scheme is correct and feasible.

In summary, this dissertation takes the establishment of security mechanisms for the cloud storage service as its target and researches the related security issues. To improve the performance, flexibility and security of these mechanisms, several schemes with better flexibility and higher security are proposed for ID authentication, fine-grained data sharing and integrity verification of shared data, respectively. The work is useful for promoting secure applications and provides new ideas for the implementation of cloud storage services.
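Contribution (2) builds on ElGamal encryption and proxy re-encryption. The following added example (written for this page, not code from the dissertation) shows the classic building block: the data owner encrypts once under their own key, the cloud acting as proxy transforms the ciphertext for a group member using a re-encryption key, and the proxy never sees the plaintext or g^k. It follows the bidirectional Blaze-Bleumer-Strauss construction over a safe-prime group; the group size, the use of the plaintext as a 15-byte symmetric file key, and the function names are assumptions of this example, and the dissertation's own fine-grained multi-user scheme is not reproduced.

```python
import secrets
from dataclasses import dataclass
from typing import Tuple

Ciphertext = Tuple[int, int]   # (m * g^k, pk^k) mod p


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_safe_prime(bits: int) -> Tuple[int, int]:
    """Return (p, q) with p = 2q + 1 both prime (toy sizes; real deployments use >= 2048 bits)."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q


@dataclass
class Group:
    p: int  # safe prime
    q: int  # order of the subgroup generated by g
    g: int  # generator of the order-q subgroup


def setup(bits: int = 128) -> Group:
    p, q = gen_safe_prime(bits)
    while True:
        h = 2 + secrets.randbelow(p - 3)
        g = pow(h, 2, p)          # squaring lands in the order-q subgroup
        if g != 1:
            return Group(p, q, g)


def keygen(G: Group) -> Tuple[int, int]:
    sk = 1 + secrets.randbelow(G.q - 1)       # secret exponent in [1, q-1]
    return sk, pow(G.g, sk, G.p)


def encrypt(G: Group, pk: int, m: int) -> Ciphertext:
    if not 1 <= m < G.p:
        raise ValueError("message must be an element of Z_p^*")
    k = 1 + secrets.randbelow(G.q - 1)
    return (m * pow(G.g, k, G.p)) % G.p, pow(pk, k, G.p)


def decrypt(G: Group, sk: int, ct: Ciphertext) -> int:
    c1, c2 = ct
    gk = pow(c2, pow(sk, -1, G.q), G.p)      # (g^{sk*k})^{1/sk} = g^k
    return (c1 * pow(gk, -1, G.p)) % G.p


def rekey(G: Group, sk_owner: int, sk_delegatee: int) -> int:
    """Re-encryption key rk = b/a mod q; it reveals neither a nor b to the proxy alone."""
    return (sk_delegatee * pow(sk_owner, -1, G.q)) % G.q


def reencrypt(G: Group, rk: int, ct: Ciphertext) -> Ciphertext:
    """Proxy step: only the second component is exponentiated; size stays two elements."""
    c1, c2 = ct
    return c1, pow(c2, rk, G.p)


def run_demo() -> dict:
    G = setup(128)
    a, pk_a = keygen(G)       # data owner
    b, pk_b = keygen(G)       # ordinary group user
    file_key = int.from_bytes(b"constructed-key", "big")   # constructed 15-byte sample
    ct = encrypt(G, pk_a, file_key)
    ct_b = reencrypt(G, rekey(G, a, b), ct)
    return {
        "owner_decrypts": decrypt(G, a, ct) == file_key,
        "delegatee_decrypts": decrypt(G, b, ct_b) == file_key,
        "owner_key_fails_on_reencrypted": decrypt(G, a, ct_b) != file_key,
        "reencrypted_same_size": len(ct_b) == len(ct),
    }
```

The re-encryption key is derived from both secret exponents, so in this building block the delegatee must take part in producing it, and the same key also converts ciphertexts in the reverse direction; the proxy holding rk alone learns nothing about the file key. Those are the properties a reviewer should check against any multi-user sharing scheme built on this primitive.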
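Contribution (3) uses a Merkle Hash Tree so that a verifier holding only the root can check any block the cloud returns, even after group users append, delete or modify blocks. The added example below (not code from the dissertation) implements that part of the mechanism: a verifier keeps the root, the cloud answers a challenge with a block and its auxiliary path, and a tampered block or a stale path fails verification; after an update the root changes and fresh paths verify. SHA-256 with leaf/node domain separation and carrying an unpaired node up unchanged are choices of this example; the proxy re-signature layer and the collusion defense of the dissertation are not reproduced.

```python
import hashlib
import hmac
from typing import List, Tuple

AuthPath = List[Tuple[bytes, bool]]   # (sibling hash, sibling is on the left)


def leaf_hash(block: bytes) -> bytes:
    # Domain-separate leaves from inner nodes so a leaf cannot be passed off as a node.
    return hashlib.sha256(b"\x00" + block).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


class MerkleHashTree:
    """MHT over an ordered list of file blocks with append/modify/delete support."""

    def __init__(self, blocks: List[bytes]) -> None:
        self.blocks = list(blocks)

    def _levels(self) -> List[List[bytes]]:
        level = [leaf_hash(b) for b in self.blocks]
        levels = [level]
        while len(level) > 1:
            nxt = [node_hash(level[i], level[i + 1]) for i in range(0, len(level) - 1, 2)]
            if len(level) % 2:            # odd count: carry the last node up unchanged
                nxt.append(level[-1])
            level = nxt
            levels.append(level)
        return levels

    def root(self) -> bytes:
        if not self.blocks:
            return hashlib.sha256(b"").digest()
        return self._levels()[-1][0]

    def auth_path(self, index: int) -> AuthPath:
        """Sibling hashes from leaf `index` up to the root (what the cloud returns)."""
        levels = self._levels()
        path: AuthPath = []
        i = index
        for level in levels[:-1]:
            sib = i ^ 1
            if sib < len(level):          # an unpaired node has no sibling at this level
                path.append((level[sib], sib < i))
            i //= 2
        return path

    # Dynamic operations performed by the data owner or a group user.
    def modify(self, index: int, new_block: bytes) -> None:
        self.blocks[index] = new_block

    def append(self, block: bytes) -> None:
        self.blocks.append(block)

    def delete(self, index: int) -> None:
        del self.blocks[index]


def verify(root: bytes, block: bytes, path: AuthPath) -> bool:
    """Verifier side: recompute the root from the block and its auxiliary path."""
    cur = leaf_hash(block)
    for sib, sib_is_left in path:
        cur = node_hash(sib, cur) if sib_is_left else node_hash(cur, sib)
    return hmac.compare_digest(cur, root)


def run_demo() -> dict:
    blocks = [b"block-%d" % i for i in range(5)]      # constructed sample file
    tree = MerkleHashTree(blocks)
    root0 = tree.root()                                # value the verifier holds
    path3 = tree.auth_path(3)                          # cloud's answer to a challenge on block 3
    results = {
        "genuine_block_verifies": verify(root0, blocks[3], path3),
        "tampered_block_rejected": not verify(root0, b"block-3-tampered", path3),
    }
    tree.modify(1, b"block-1-v2")                      # a group user updates block 1
    root1 = tree.root()
    results["updated_block_verifies"] = verify(root1, b"block-1-v2", tree.auth_path(1))
    results["stale_path_rejected"] = not verify(root1, blocks[3], path3)
    tree.delete(0)
    tree.append(b"block-5")
    root2 = tree.root()
    last = len(tree.blocks) - 1
    results["after_delete_append_verifies"] = verify(root2, b"block-5", tree.auth_path(last))
    results["roots_all_distinct"] = len({root0, root1, root2}) == 3
    return results
```

The root is the only state the verifier must trust; in a public verification scheme it is the value that gets signed by the group, and revocation has to ensure a revoked member cannot keep producing acceptable signatures over new roots, which is exactly the collusion case the dissertation addresses.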
Keywords/Search Tags: Cloud storage, Trusted computing, ID authentication, Data sharing, Integrity verification