
Research On Key Technology In Security Of Object-based Storage

Posted on: 2012-09-25
Degree: Doctor
Type: Dissertation
Country: China
Candidate: D Yao
Full Text: PDF
GTID: 1228330392957267
Subject: Computer system architecture

Abstract/Summary:
With the evolution of high performance computing from the traditional host to the networked cluster, traditional host-based storage systems cannot meet the aggregate access and data storage requirements of a cluster with hundreds of servers, and become the I/O bottleneck. Following the host's move to networked clustering, the traditional host-based storage architecture has gradually developed into networked storage. As a result of the development of network storage technology, storing data is no longer a purely local activity: it is closely combined with the network and becomes part of it. Because the network is an open system, and there are security flaws in network protocols and software systems, network systems inevitably carry security risks. As a member of the network system, the network storage system is exposed to intruders as well. Once an attacker successfully compromises a data storage device, he can obtain confidential data, or even hinder access by legitimate users, leading to incalculable losses. Compared with the mature study of network security, research on network storage security is still at an initial stage. At present, research results on network storage security come mainly from research institutions and large enterprises in the USA and other developed countries. In China the study is still at its beginning, and there is no key technology in this field. Therefore, researching and developing network storage security technologies and products with independent intellectual property rights is of strategic significance to China's information security infrastructure.

This paper focuses on the security issues of object-based storage, such as active protection of object-based storage, access security of object-based storage, and a highly efficient data encryption mechanism; it proposes some valid schemes and achieves some research results.
The main research and achievements of the paper are as follows:

(1) Research on an initiative (active) protection mechanism for object-based storage. To prevent stored objects from being stolen or damaged as a result of a compromised host system, this paper presents a scheme for initiative protection of object-based storage. Because many intrusions lead to read/write accesses to the storage, those intrusions can be found if there is an IDS in the storage system. In the object-based storage environment, the IDS can even capture data and attributes for analysis as needed, with the support of intelligent storage devices. The scheme takes full advantage of the characteristics of object-based storage and existing IDS technology, embedding the IDS into the object-based storage device (OSD) to monitor the behaviour of the application programs accessing the storage devices; it therefore protects the OSD from intrusions and raises the security of object-based storage. By using an improved unsupervised clustering and support vector machine algorithm for intrusion detection, the IDS detects intrusions more accurately and efficiently, and can detect unknown intrusions effectively. At the same time, it adopts a double-layer structure and an alert fusion technique based on a multiplicative-increase, linear-decrease algorithm, which reduces the false alarm rate. As it is simple to implement and has a very small performance impact on the system, the scheme is very practical.

(2) Research on a secure access mechanism for object-based storage. According to the characteristics of the object-based storage system, this paper proposes a new secure access mechanism based on an ECC-based two-way authentication and key exchange protocol. It provides different protocols and algorithms for the different relationships between the devices of the object-based storage system. The protocols run without the need for a secure channel, yet guarantee the security of the key exchange and achieve mutual authentication of the communicating parties. According to the security analysis, each sub-protocol can resist man-in-the-middle attacks and other kinds of network attacks. Meanwhile, the main keys are randomly generated and only temporarily valid, so they need no dedicated storage or management. Therefore, compared with existing access security mechanisms for object-based storage, the new mechanism not only enhances the security of access to object-based storage, but also reduces the difficulty of key management and the requirement for secure channels, while the complexity of the protocols is not high either.

(3) Research on an encryption mechanism for object-based data. Access control and intrusion detection mechanisms are used to prevent attacks coming from the network, but they are unable to prevent internal data theft or data leakage caused by theft of the storage device. To protect data security better, data encryption in storage devices has become an essential security measure. Traditional encrypting file systems have a large encryption overhead and a large user-revocation overhead, because they encrypt all data and expose the shared keys to every user. These problems not only degrade system performance but also cause great inconvenience to legitimate users. This paper proposes a scheme for a non-continuous, efficiently shared encrypting file system. In the scheme, only the sensitive contents are encrypted, which reduces the encryption overhead. At the same time, a user is revoked by marking the user's certificate invalid, which avoids the large overhead of re-encrypting data and of distributing and re-distributing shared keys when a user is revoked. In this way it allows a large population of users to share the encrypting file system efficiently. Because the keys and the users' certificates are managed by the non-centralized owner of the file group, the security risk of the system is dispersed and the trust required of the server is reduced.

The proposed initiative protection mechanism for object-based storage, the secure access mechanism for object-based storage based on the ECC-based two-way authentication and key exchange protocol, and the encryption mechanism for object-based data provide a useful reference for constructing high-security object-based storage systems.
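As an added illustration of the authenticated key exchange described in (2), and not the dissertation's own protocol, here is a signed Diffie-Hellman style handshake written against Go's standard library (crypto/ecdh and crypto/ecdsa on P-256). Each party holds a long-term ECDSA identity key and generates a fresh ECDH key for every session; each side signs a transcript containing both identities and both ephemeral public keys, so an intermediary who substitutes an ephemeral key cannot produce a signature that verifies, and the session key is derived only from the ephemeral secrets, so it needs no long-term storage or management. The party names, the three-message layout, the transcript encoding and the SHA-256 key derivation are assumptions of this example; the thesis's separate sub-protocols for each device relationship are not reproduced.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party is one node of the storage system (client, metadata server or OSD). Its
// long-term ECDSA P-256 key is its identity; peers are assumed to know each other's
// public identity keys already, so the handshake itself needs no secure channel.
type Party struct {
	ID       string
	identity *ecdsa.PrivateKey
	eph      *ecdh.PrivateKey // fresh per handshake, dropped after Finish
}

func NewParty(id string) *Party {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // a failing rand.Reader is not recoverable
	}
	return &Party{ID: id, identity: k}
}

// Hello generates this run's ephemeral ECDH key and returns its public encoding.
func (p *Party) Hello() []byte {
	k, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	p.eph = k
	return k.PublicKey().Bytes()
}

// transcript binds role, both identities and both ephemeral keys, so a signature
// over it cannot be reused in another session, under the other role, or with a
// substituted ephemeral key. IDs are assumed not to contain '|'.
func transcript(role, initID, respID string, ephInit, ephResp []byte) []byte {
	h := sha256.Sum256([]byte(fmt.Sprintf("%s|%s|%s|%x|%x", role, initID, respID, ephInit, ephResp)))
	return h[:]
}

// Sign is this party's authentication message for the given role.
func (p *Party) Sign(role, initID, respID string, ephInit, ephResp []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, p.identity, transcript(role, initID, respID, ephInit, ephResp))
}

// Finish verifies the peer's signature, then derives the session key from the ephemeral
// ECDH secret and the transcript. Long-term keys never enter the derivation, so each
// session key is fresh and needs no long-term storage or management.
func (p *Party) Finish(peerPub *ecdsa.PublicKey, peerRole, initID, respID string, ephInit, ephResp, peerSig []byte) ([]byte, error) {
	if !ecdsa.VerifyASN1(peerPub, transcript(peerRole, initID, respID, ephInit, ephResp), peerSig) {
		return nil, errors.New("peer authentication failed")
	}
	peerEph := ephResp
	if peerRole == "init" {
		peerEph = ephInit
	}
	pub, err := ecdh.P256().NewPublicKey(peerEph)
	if err != nil {
		return nil, err
	}
	secret, err := p.eph.ECDH(pub)
	if err != nil {
		return nil, err
	}
	p.eph = nil
	key := sha256.Sum256(append(secret, transcript("kdf", initID, respID, ephInit, ephResp)...))
	return key[:], nil
}

// Handshake runs the three-message exchange between initiator a and responder b
// over an in-memory "network" and returns the session key each side derived.
func Handshake(a, b *Party) ([]byte, []byte, error) {
	ephA := a.Hello() // msg 1: A -> B: idA, ephA
	ephB := b.Hello() // msg 2: B -> A: idB, ephB, sigB
	sigB, err := b.Sign("resp", a.ID, b.ID, ephA, ephB)
	if err != nil {
		return nil, nil, err
	}
	kA, err := a.Finish(&b.identity.PublicKey, "resp", a.ID, b.ID, ephA, ephB, sigB)
	if err != nil {
		return nil, nil, err
	}
	sigA, err := a.Sign("init", a.ID, b.ID, ephA, ephB) // msg 3: A -> B: sigA
	if err != nil {
		return nil, nil, err
	}
	kB, err := b.Finish(&a.identity.PublicKey, "init", a.ID, b.ID, ephA, ephB, sigA)
	if err != nil {
		return nil, nil, err
	}
	return kA, kB, nil
}
```

Calling `Handshake(NewParty("client-1"), NewParty("osd-7"))` returns two equal 32-byte keys; running it again returns a different key, because only the per-run ECDH secrets enter the derivation. A responder that signs with any identity key other than the one the initiator expects fails at the `VerifyASN1` check before any key is derived.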
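An added example for the scheme in (3), again not code from the dissertation, sketching a non-continuous encrypting file system in Go: only the byte ranges the file-group owner marks as sensitive are encrypted (AES-256-GCM per range, with the rest of the file stored in the clear), the group key and the user certificates are managed by the file-group owner rather than by a central server, and a user is revoked by invalidating that user's certificate, which requires no re-encryption and no redistribution of the group key to the remaining users. The certificate format (an owner-issued serial with an HMAC tag), the stored segment layout, the associated-data binding of each segment to its offset, and the owner API are assumptions of the example. Revocation here gates future key release; the example assumes the owner releases the key per session and that clients do not cache it, since certificate invalidation alone cannot retrieve a key a user already holds.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Range marks one sensitive span [Off, Off+Len) of a file; other bytes stay in the clear.
type Range struct{ Off, Len int }

// Segment is one encrypted span as stored on the OSD: AES-GCM nonce, ciphertext and tag.
type Segment struct {
	Range
	Nonce, Data []byte
}

// Certificate is the file-group owner's credential for one user; Tag is an HMAC
// under a secret only the owner holds, so only the owner can issue or check it.
type Certificate struct {
	Serial uint64
	User   string
	Tag    []byte
}

func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing rand.Reader is not recoverable
	}
	return b
}

// Owner of a file group holds the group data key and manages certificates itself.
type Owner struct {
	data    cipher.AEAD // AES-256-GCM under the group data key
	macKey  []byte
	next    uint64
	revoked map[uint64]bool
}

func NewOwner() *Owner {
	block, _ := aes.NewCipher(random(32)) // cannot fail for a 32-byte key
	g, _ := cipher.NewGCM(block)          // cannot fail for an AES block
	return &Owner{data: g, macKey: random(32), next: 1, revoked: map[uint64]bool{}}
}

func (o *Owner) tag(serial uint64, user string) []byte {
	m := hmac.New(sha256.New, o.macKey)
	fmt.Fprintf(m, "%d|%s", serial, user)
	return m.Sum(nil)
}

func (o *Owner) Issue(user string) Certificate {
	c := Certificate{Serial: o.next, User: user, Tag: o.tag(o.next, user)}
	o.next++
	return c
}

// Revoke invalidates one certificate; nothing is re-encrypted and no key is redistributed.
func (o *Owner) Revoke(serial uint64) { o.revoked[serial] = true }

// KeyFor releases the group data key only against a genuine, unrevoked certificate.
func (o *Owner) KeyFor(c Certificate) (cipher.AEAD, error) {
	if o.revoked[c.Serial] || !hmac.Equal(c.Tag, o.tag(c.Serial, c.User)) {
		return nil, errors.New("certificate invalid or revoked")
	}
	return o.data, nil
}

// EncryptFile encrypts only the listed ranges and returns the body with those spans
// zeroed plus the segments; the associated data binds each segment to its position.
func EncryptFile(g cipher.AEAD, plain []byte, sensitive []Range) ([]byte, []Segment, error) {
	body := append([]byte(nil), plain...)
	var segs []Segment
	for _, r := range sensitive {
		if r.Off < 0 || r.Len <= 0 || r.Off+r.Len > len(plain) {
			return nil, nil, fmt.Errorf("range %+v outside file", r)
		}
		nonce := random(g.NonceSize())
		segs = append(segs, Segment{r, nonce, g.Seal(nil, nonce, plain[r.Off:r.Off+r.Len], []byte(fmt.Sprint(r)))})
		copy(body[r.Off:r.Off+r.Len], make([]byte, r.Len)) // no plaintext of the span stays in body
	}
	return body, segs, nil
}

// DecryptFile splices the decrypted spans back into a copy of the stored body.
func DecryptFile(g cipher.AEAD, body []byte, segs []Segment) ([]byte, error) {
	out := append([]byte(nil), body...)
	for _, s := range segs {
		pt, err := g.Open(nil, s.Nonce, s.Data, []byte(fmt.Sprint(s.Range)))
		if err != nil {
			return nil, fmt.Errorf("segment at offset %d: %w", s.Off, err)
		}
		copy(out[s.Off:], pt)
	}
	return out, nil
}
```

Usage: the owner issues a certificate per user, the user presents it to `KeyFor` to obtain the group key, and files are written with `EncryptFile` and read back with `DecryptFile`. After `Revoke` the revoked certificate is refused, while a newly issued certificate reads the same stored segments unchanged, which is the property the scheme relies on to keep user revocation cheap.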
Keywords/Search Tags: object-based storage, intrusion detection, two-way authentication, non-continuous encryption, efficiently share, encryption file system