
Research On Key Technologies Of Data Security Towards Cloud Computing

Posted on: 2014-01-26
Degree: Doctor
Type: Dissertation
Country: China
Candidate: T T Liu
GTID: 1268330401976878
Subject: Cryptography

Abstract/Summary:
Cloud computing provides a large number of IT resources, such as hardware and software, as a service to users through the network. In the cloud computing service model, users host data and applications in the cloud and, because of the transparency of cloud services, lose control of the data. Because it is difficult for users to assess a cloud provider's credibility, data security has become the primary concern in cloud computing.

Since cloud computing performs operations based on a user's service request, authentication between users and cloud providers can prevent illegitimate access under an assumed identity. However, given the large number of users, how to achieve safe and efficient authentication is the main concern for users and service providers. Once authenticated, users can use the data storage and computing services. Users upload large amounts of data to the cloud and commission cloud service providers to compute on it without keeping a local copy. Although cloud service providers have strong technical and maintenance capabilities, they cannot completely prevent data damage or leakage. For statically stored data, the volume of data means that the traditional approach of downloading the data and verifying its integrity locally is no longer applicable. If users find that data integrity has been compromised, they can only hope that the cloud service provider's disaster recovery mechanism works. Because the cloud is multi-tenant, users access and compute on dynamic data through service processes, so the process that carries shared access becomes the focal point of authority. But it is difficult to achieve effective isolation and control of different users' data with shared permissions at the OS level, and a data isolation mechanism implemented solely in the application is easily bypassed, so data confidentiality and integrity in a multi-tenant environment remain to be resolved. If data disclosure does happen, holding the service provider responsible is a key issue. Current accountability mechanisms need details of the cloud services, which are related to the providers' trade secrets, and are consequently difficult to achieve. In addition, because a trusted protection mechanism is lacking, the security mechanisms themselves may be attacked, tampered with or bypassed, and so fail.

The essence of the cloud data security problem is trust management between the data owner and the service provider: certain data constraints should be formed between them. The two parties reach a data-use agreement through reputation and technical means of restraint, which contributes to the legitimate use of data and prevents its destruction. Users can choose to rely on the service provider by agreeing on a mutually satisfactory security mechanism that maximizes safety and security, and a service provider cannot survive once it has lost credibility. In this context, cloud service providers are willing to cooperate with users in adopting data security protection technology and will never intentionally destroy user data, but they may hide data safety accidents. From this point of view, the thesis studies authentication, protection of statically stored data, protection of dynamic computation data, trusted cloud computing, and related topics, in order to provide comprehensive data security protection for cloud users.

The main research work is as follows:

1. A cross-cloud authentication scheme based on a 3PAKE (three-party password authenticated key exchange) protocol is proposed, and a provably secure authentication protocol is designed for the scheme. The users, the private cloud to which the users belong, and the public cloud correspond to the three parties of the 3PAKE protocol, which realizes cross-cloud authentication. The authentication scheme based on our protocol is more computationally efficient than other cross-cloud authentication schemes. Traditional password authentication is vulnerable to password-guessing attacks and cannot generate a session key securely. To solve these problems of password authentication, a protocol based on the elliptic curve cryptosystem is put forward. The protocol is proved, in the random oracle model, to be forward secure for session keys and to defeat off-line password-guessing attacks. Compared with PKI or IBC authentication schemes, this scheme is simple and highly secure, and it realizes an efficient, safe and fair bidirectional authentication process with the public cloud.

2. A user-verifiable static data storage scheme is put forward, which enables users to perform cloud data integrity verification, error repair and data leakage accountability. To enable users to recover after finding data breaches, we present a multi-copy storage preprocessing method based on secret sharing, together with a storage method that separates user identity information from the usable data, to prevent external attackers who obtain information about the data's owner from collecting that user's data blocks and reconstructing the original file. An integrity verification method supporting this multi-copy mechanism is proposed to verify data integrity in a timely manner; compared with existing integrity verification methods, it can determine which data block is in error and supports public verification by a third party as well as dynamic data updates. Multi-copy integrity verification cannot guarantee that data is not leaked by the cloud service provider. To solve this problem, a data leakage accountability method using database watermarking is presented, which is based on the good characteristics of the cloud model and chaotic sequences and helps the user to investigate the service provider's dereliction of duty.

3. The dynamic data security protection system CA_DataGuarder is built on the dispersion information flow model CA_DIFC, and provides fine-grained data isolation and control between multiple tenants. In order to eliminate the ambiguity and integrity of the DIFC, we complete formal modeling of the mark system and the information flow rules based on propositional logic, and prove the safety of CA_DIFC. Based on the rules and privilege constraints, we then design, in CA_DataGuarder, a distributed file system protection mechanism and an implementation mechanism for marking sensitive data objects and for tracking and controlling them. At the programming language level, we propose an LPE (least privilege encapsulation) mechanism to guarantee that the implementation of the security strategy is easy to locate and monitor. At the operating system layer, the system supports upper-layer cloud applications based on a unified DIFC security policy model and passes user information to the OS layer as application context semantics, which realizes fine-grained data control and protection.

4. A trusted cloud computing platform is constructed on a virtualization-based architecture, which provides a trusted execution environment in which to run the above data security protection mechanisms. First, we carry out formal modeling and a safety proof for the transfer of the platform trust chain, which provides theoretical support. Given the openness of the OS, and in order not to increase the user's security overhead, we enhance credibility at the VMM (virtual machine monitor) layer and propose an unordered trust chain transfer mode, which provides integrity measurement and isolation protection for executable programs in the upper-layer VMs against malicious code that tampers with or destroys the data security mechanisms. To reduce the security overhead of cloud service providers, it is assumed that only part of the host cloud infrastructure is enhanced, and we then propose a credibility binding scheme for virtual machine images and the cloud computing environment.
Keywords/Search Tags: cloud computing, data security, authentication protocol, data integrity verification, secure accountability, information flow control, trusted cloud computing