
Key Technology Research On Security Protection Mechanism Of Cloud Computing Service

Posted on: 2014-01-20
Degree: Doctor
Type: Dissertation
Country: China
Candidate: S Y Yang
GTID: 1228330431495686
Subject: Computer software and theory
Abstract/Summary:
In recent years, cloud computing, with its flexible service composition, low-carbon energy consumption and integrated service delivery model, has attracted the attention of scholars and businesses both in China and abroad. Cloud service resources have a distributed storage structure and a modular service model. Although they provide users with convenient cloud services, they also carry security risks, and cloud security has become the main obstacle to the development and application of cloud computing technology. Starting from an analysis of these security issues, this thesis focuses on trust verification of cross-domain service resources and on negotiated authorization. The main research contents are as follows.

1. Starting from the efficiency of remote attestation in trusted computing, this thesis studies trust verification between cross-domain resources. Traditional remote attestation in trusted computing includes the Privacy-CA and DAA schemes. Comparing the verification efficiency of these two schemes in a cross-domain environment, a trust attestation method based on attribute negotiation is proposed. Using ring-signature message signing, it verifies identity anonymously without a third-party verification component. The security properties of service resources are described by attributes, which avoids the leakage and tampering of PCR information in the TPM. Meanwhile, by attesting directly to the verifier, the method can establish trust relationships between resources from different heterogeneous domains. A proof in the security model shows that the scheme satisfies the required security properties, and its performance is compared with other attestation schemes in terms of efficiency. Finally, experiments on the Hadoop platform verify its validity and feasibility.

2. Building on trust verification of cross-domain service resources, the thesis further studies authorization at the access control layer of resources in cloud computing. Firstly, an access control architecture for cross-domain resources is established using an automated trust negotiation (ATN) mechanism; in this architecture, the negotiating parties establish mutual trust by negotiating their attributes under the control of ATN policy. Secondly, to improve the efficiency of attribute negotiation, the fine-grained attributes of heterogeneous domains are described in the ontology language XACML(RDF). Thirdly, the XACML access control architecture is extended by adding a rule inference component and a uniform attribute structure.

3. In the extended XACML architecture, a rule inference engine is designed based on dynamic description logic (DDL). Attributes and authorization rules expressed as XACML(RDF)-DL can be readily formalized in DDL. From this formalization, a concept knowledge base, an instance knowledge base and an action knowledge base are built, and the inference problems of attribute consistency and rule satisfiability are handled through these three knowledge bases. On this basis, a fine-grained attribute access control model is established in DDL, consisting of an attribute concept sub-model, an instance sub-model and an action sub-model. Finally, the inference problem in the XACML architecture reduces to the satisfiability of these sub-models.

4. Building on the previous work, the thesis further studies the conflict problem in attribute authorization rules. Role conflicts are analyzed from two aspects: the layered concept structure and transferred authorization. Supported by the DDL inference engine, a conflict checking method is designed for both cases; it reduces conflict checking to verifying the satisfiability of a DDL sub-model. Using the Tableau formula expansion rules of DDL, the method is proved complete.

5. Building on the ATN mechanism for resources, a formal model of attribute negotiation is established by introducing temporal operators. The achievability problem and the cyclic attribute dependency problem of ATN affect negotiation efficiency; in temporal DDL these problems are transformed into the satisfiability of a formula. Firstly, the ATN sequence is described as a trace of authorization actions, where each state in the trace contains a DDL model. The inference engine can then check the satisfiability of each precondition formula against the knowledge base along the action trace. Furthermore, by checking the temporal formula, the existence of an ATN trace can be predicted. With the aid of a state machine, a temporal DDL satisfiability checking method based on Tableau expansion rules is proposed, and this method runs in polynomial time.
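The two ATN failure causes named in item 5 (a negotiation that cannot be achieved, and attributes that wait on each other cyclically) can be made concrete with a small simulator. The following is an added example written for this page; it is not code from the dissertation. It simplifies the thesis's DDL/temporal formulas to conjunctive release policies (an attribute is released once a fixed set of counterpart attributes has been disclosed) and runs the negotiation as a monotone fixpoint, which is one polynomial-time way to predict whether an authorization action trace exists. The parties, attribute names and policies are constructed for illustration.

```python
"""Toy automated trust negotiation (ATN) simulator (constructed example).

Each party holds attribute credentials and a release policy.  A policy maps
an attribute to the set of counterpart attributes that must already have
been disclosed before it may be released; attributes without a policy entry
are freely releasable.  The negotiation runs as a monotone fixpoint over the
attributes that are relevant to the requested resource and yields an
authorization action trace.  On failure the blocked attributes are walked to
tell a plain missing credential apart from a cyclic dependency.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Party:
    name: str
    attributes: set                              # credentials this party can present
    policy: dict = field(default_factory=dict)   # attr -> required counterpart attrs


@dataclass
class NegotiationResult:
    success: bool
    trace: list             # [(party name, attribute)] in disclosure order
    cycle: Optional[list]   # dependency cycle found on failure, else None


def _relevant(parties, other, provider, target):
    """Backward closure from the target: every (owner, attr) node whose
    disclosure could matter for releasing the target."""
    need = {(provider, target)}
    stack = [(provider, target)]
    while stack:
        owner, attr = stack.pop()
        for req in parties[owner].policy.get(attr, set()):
            node = (other[owner], req)
            if node not in need:
                need.add(node)
                stack.append(node)
    return need


def _find_cycle(parties, other, blocked, disclosed):
    """DFS over 'still waiting on' edges between blocked attributes.  A node
    whose owner lacks the credential has no outgoing edges, so a missing
    credential ends the walk without producing a cycle."""
    def waiting_on(node):
        owner, attr = node
        if attr not in parties[owner].attributes:
            return set()
        return {(other[owner], r) for r in parties[owner].policy.get(attr, set())
                if r not in disclosed[other[owner]]}

    def dfs(node, path, seen):
        if node in path:                       # closed a loop: report it
            return path[path.index(node):] + [node]
        if node in seen:
            return None
        seen.add(node)
        path.append(node)
        for nxt in sorted(waiting_on(node)):
            found = dfs(nxt, path, seen)
            if found:
                return found
        path.pop()
        return None

    seen = set()
    for start in sorted(blocked):
        found = dfs(start, [], seen)
        if found:
            return found
    return None


def negotiate(requester, provider, target):
    """Run the fixpoint: each pass discloses every relevant attribute whose
    policy is satisfied, until the target is released or nothing changes."""
    parties = {requester.name: requester, provider.name: provider}
    other = {requester.name: provider.name, provider.name: requester.name}
    need = _relevant(parties, other, provider.name, target)
    disclosed = {requester.name: set(), provider.name: set()}
    trace, progress = [], True
    while progress:
        progress = False
        for owner, attr in sorted(need):
            party = parties[owner]
            if attr in disclosed[owner] or attr not in party.attributes:
                continue
            if party.policy.get(attr, set()) <= disclosed[other[owner]]:
                disclosed[owner].add(attr)
                trace.append((owner, attr))
                progress = True
                if (owner, attr) == (provider.name, target):
                    return NegotiationResult(True, trace, None)
    blocked = {n for n in need if n[1] not in disclosed[n[0]]}
    return NegotiationResult(False, trace, _find_cycle(parties, other, blocked, disclosed))


def build_scenario(cert_requires_license, alice_has_license=True):
    """Constructed scenario: Alice asks Bob for 'medical_record'.  Bob releases
    it only after seeing 'doctor_license'; Alice shows that licence only after
    seeing Bob's 'hospital_cert'.  Whether Bob's certificate in turn demands the
    licence decides between an achievable negotiation and a cyclic dependency."""
    alice = Party("Alice",
                  {"doctor_license", "email"} if alice_has_license else {"email"},
                  {"doctor_license": {"hospital_cert"}})
    bob = Party("Bob", {"hospital_cert", "medical_record"},
                {"medical_record": {"doctor_license"},
                 "hospital_cert": {"doctor_license"} if cert_requires_license else set()})
    return alice, bob


if __name__ == "__main__":
    for label, args in (("achievable", (False,)), ("cyclic", (True,)),
                        ("missing credential", (False, False))):
        alice, bob = build_scenario(*args)
        r = negotiate(alice, bob, "medical_record")
        print(f"{label}: success={r.success} trace={r.trace} cycle={r.cycle}")
```

Because the fixpoint only iterates over the backward closure from the requested resource, unrelated credentials (Alice's "email" here) are never disclosed, which is the minimal-disclosure behaviour an ATN policy engine is expected to have; the cycle walk is what distinguishes "the requester simply lacks the credential" from "both sides are each waiting for the other to go first".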
Keywords/Search Tags: Cloud Computing, Access Control System, Trust Computing, XACML, Ontology