Contract RBAC in cloud computing

Cloud computing is a fast growing field, which is arguably a new computing paradigm. In cloud computing, computing resources are provided as services over the Internet and users can access resources based on their payments. The issue of access control is an important security scheme in the cloud computing. In this paper, a Contract RBAC model with continuous services for user to access various source services provided by different providers is proposed. The Contract RBAC model extending from the well-known RBAC model in cloud computing is shown. The extending definitions in the model could increase the ability to meet new challenges. The Contract RBAC model can provide continuous services with more flexible management in security to meet the application requirements including Intra-cross cloud service and Inter-cross cloud service. Finally, the performance analyses between the traditional manner and the scheme are given. Therefore, the proposed Contract RBAC model can achieve more efficient management for cloud computing environments.     

云计算中跨域安全认证的关键技术研究

摘 要: 针对云计算环境中的数据访问,不仅要确保合法用户能快速访问到数据资源,而且要保证非法用户的访问权限受限,合理解决信任域内部的威胁以解决云计算技术带来的数据安全等问题,提出了一种能有效实现数据跨域访问的CDSSM模型,通过设置代理者Agent,首先区分首次跨域安全身份认证和重复跨域安全认证,巧妙优化了数据跨域安全身份认证的流程,然后通过充分利用身份认证中消息加密的密钥,将数据分块加密存储,最后有效的解决了域内的安全威胁,保证了用户数据的安全性。最后,笔者实现了CDSSM模型,实验表明本方案中的密钥不可伪造,可有效避免重放攻击,重复跨域身份认证的效率在50%以上,100MB以下文件的读写性能较好,大大提高了数据存储在云端的可靠性和安全认证的有效性。     

A Cloud-Manager-Based Re-Encryption Scheme for Mobile Users in Cloud Environment: a Hybrid Approach

Cloud computing is an emerging computing paradigm that offers on-demand, flexible, and elastic computational and storage services for the end-users. The small and medium-sized business organization having limited budget can enjoy the scalable services of the cloud. However, the migration of the organizational data on the cloud raises security and privacy issues. To keep the data confidential, the data should be encrypted using such cryptography method that provides fine-grained and efficient access for uploaded data without affecting the scalability of the system. In mobile cloud computing environment, the selected scheme should be computationally secure and must have capability for offloading computational intensive security operations on the cloud in a trusted mode due to the resource constraint mobile devices. The existing manager-based re-encryption and cloud-based re-encryption schemes are computationally secured and capable to offload the computationally intensive data access operations on the trusted entity/cloud. Despite the offloading of the data access operations in manager-based re-encryption and cloud-based re-encryption schemes, the mobile user still performs computationally intensive paring-based encryption and decryption operations using limited capabilities of mobile device. In this paper, we proposed Cloud-Manager-based Re-encryption Scheme (CMReS) that combines the characteristics of manager-based re-encryption and cloud-based re-encryption for providing the better security services with minimum processing burden on the mobile device. The experimental results indicate that the proposed cloud-manager-based re-encryption scheme shows significant improvement in turnaround time, energy consumption, and resources utilization on the mobile device as compared to existing re-encryption schemes.     

基于上下文和角色的云计算访问控制模型

云计算环境的开放性和动态性容易引发安全问题,数据资源的安全和用户的隐私保护面临严峻考验。针对云计算中用户和数据资源动态变化的特性,提出了一种基于上下文和角色的访问控制模型。该模型综合考虑云计算环境中的上下文信息和上下文约束,将用户的访问请求和服务器中的授权策略集进行评估验证,能够动态地授予用户权限。给出用户访问资源的具体实现过程,经分析比较,进一步阐明该模型在访问控制方面具有较为突出的优点。该方案不仅能够降低管理的复杂性,而且能限制云服务提供商的特权,从而有效地保证云资源的安全。     

基于可信计算的云用户安全模型

随着云计算的发展,它的安全问题不容忽视。根据云用户所面临的数据安全及身份的隐私性问题,提出了基于可信计算的云用户安全模型。安全模型以可信计算技术为支撑,除了采用传统的安全策略外,提出了建立私有虚拟机,为用户提供一个私密的运行空间,防止其他恶意用户或管理员访问该虚拟机;给出了用户信息匿名化的方法,当高安全级用户申请服务和变更服务时保证用户身份信息的私密性,防止服务提供商恶意利用和泄露用户信息,为用户提供一个安全的运行环境。     

A policy-oriented secured service for the e-commerce applications in cloud

The communication process is very easy today due to the rapid growth of information technology. In addition, the development of cloud computing technology makes it easier than earlier days by facilitating the large volume of data exchange anytime and from anywhere in the world. E-businesses are successfully running today due to the development of cloud computing technology. Specifically in cloud computing, cloud services are providing enormous support to share the resources and data in an efficient way with less cost expenses for businessmen. However, security is an essential issue for cloud users and services. For this purpose, many security policies have been introduced by various researchers for enhancing the security in e-commerce applications. However, the available security policies are also failing to provide the secured services in the society and e-commerce applications. To overcome this disadvantage, we propose a new policy-oriented secured service model for providing the security of the services in the cloud. The proposed model is the combination of a trust aware policy scheduling algorithm and an effective and intelligent re-encryption scheme. Here, the dynamic trust aware policy-oriented service for allocating the cloud user’s request by the cloud service provider and an effective and re-encryption scheme is used that uses intelligent agent for storing the data in the cloud database securely. The proposed model assures the scalability, reliability, and security for the stored e-commerce data and service access.     

Privacy preserving security using biometrics in cloud computing

Cloud computing and the efficient storage provide new paradigms and approaches designed at efficiently utilization of resources through computation and many alternatives to guarantee the privacy preservation of individual user. It also ensures the integrity of stored cloud data, and processing of stored data in the various data centers. However, to provide better protection and management of sensitive information (data) are big challenge to maintain the confidentiality and integrity of data in the cloud computation. Thus, there is an urgent need for storing and processing the data in the cloud environment without any information leakage. The sensitive data require the storing and processing mechanism and techniques to assurance the privacy preservation of individual user, to maintain the data integrity, and preserve confidentiality. Face recognition has recently achieved advancements in the unobtrusive recognition of individuals to maintain the privacy-preservation in the cloud computing. This paper emphasizes on cloud security and privacy issues and provides the solution using biometric face recognition. We propose a biometrics face recognition approach for security and privacy preservation of cloud users during their access to cloud resources. The proposed approach has three steps: (1) acquisition of face images (2) preprocessing and extraction of facial feature (3) recognition of individual using encrypted biometric feature. The experimental results establish that our proposed recognition approach can ensure the privacy and security of biometrics data.

     

高效且可验证的多授权机构属性基加密方案

移动云计算对于移动应用程序来说是一种革命性的计算模式,其原理是把数据存储及计算能力从移动终端设备转移到资源丰富及计算能力强的云服务器.但是这种转移也引起了一些安全问题,例如,数据的安全存储、细粒度访问控制及用户的匿名性.虽然已有的多授权机构属性基加密云存储数据的访问控制方案,可以实现云存储数据的保密性及细粒度访问控制;但其在加密和解密阶段要花费很大的计算开销,不适合直接应用于电力资源有限的移动设备;另外,虽然可以通过外包解密的方式,减少解密计算的开销,但其通常是把解密外包给不完全可信的第三方,其并不能完全保证解密的正确性.针对以上挑战,本文提出了一种高效的可验证的多授权机构属性基加密方案,该方案不仅可以降低加密解密的计算开销,同时可以验证外包解密的正确性并且保护用户隐私.最后,安全分析和仿真实验表明了方案的安全性和高效性.     

云计算下基于动态用户信任度的属性访问控制

为便于对云中资源的管理,云计算环境通常会被划分成逻辑上相互独立的安全管理域,但资源一旦失去了物理边界的保护会存在安全隐患。访问控制是解决这种安全问题的关键技术之一。针对云计算环境多域的特点,提出了一种基于动态用户信任度的访问控制模型(CT-ABAC),以减少安全域的恶意推荐的影响并降低恶意用户访问的数量。在CT-ABAC模型中,访问请求由主体属性、客体属性、权限属性、环境属性和用户信任度属性组成,模型采用动态细粒度授权机制,根据用户的访问请求属性集合来拒绝或允许本次访问。同时,该模型扩展了用户信任度属性,并考虑时间、安全域间评价相似度、惩罚机制对该属性的影响。仿真实验结果表明,CT-ABAC模型能够有效地降低用户的恶意访问,提高可信用户的成功访问率。     

基于FANP的云用户行为信任评估优化机制

开放的云计算环境面临着安全挑战,传统的用户行为评估机制已经无法保障云端的安全性.为科学量化评估用户的行为信任,确保权重赋值科学合理,提高云平台下用户行为的安全可信度,设计出一种结合模糊网络分析法的信任评估优化机制.将模型中用户行为信任评估一个控制目标扩展为历史访问行为与当前访问环境两个控制目标模块,同时将历史访问行为模...     

Improved Cloud Storage Encryption Using Block Cipher-Based DNA Anti-Codify Model

When it comes to data storage, cloud computing and cloud storage providers play a critical role. The cloud data can be accessed from any location with an internet connection. Additionally, the risk of losing privacy when data is stored in a cloud environment is also increased. A variety of security techniques are employed in the cloud to enhance security. In this paper, we aim at maintaining the privacy of stored data in cloud environment by implementing block-based modelling to boost the privacy level with Anti-Codify Technique (ACoT) and block cipher-based algorithms. Initially, the cipher text is generated using Deoxyribo Nucleic Acid (DNA) model. Block-cipher-based encryption is used by ACoT, but the original encrypted file and its extension are broken up into separate blocks. When the original file is broken up into two separate blocks, it raises the security level and makes it more difficult for outsiders to cloud data access. ACoT improves the security and privacy of cloud storage data. Finally, the fuzzy-based classification is used that stores various access types in servers. The simulation results shows that the ACoT-DNA method achieves higher entropy against various block size with reduced computational cost than existing methods.     

一种基于任务角色的云计算访问控制模型

数据安全问题是云计算推广的一大阻碍,主要来源于数据共享带来的安全问题和云服务提供商的超级特权导致的潜在危险。为此,分析云计算中数据存储和用户群体的特点,提出一种基于任务角色的云计算访问控制模型,对不同访问主体采取不同访问控制策略,以提供分级的安全特性,使云服务提供商不再享有超级特权。分析结果表明,该访问控制模型使得云端数据访问安全无须依赖于服务器的绝对可信,为云计算提供了更为可靠的安全特性。     

SGX应用支持技术研究进展

安全与可信是云计算中极为重要的需求,如何保护用户在云平台上托管的应用程序代码和数据的安全、防止云服务提供商和其他攻击者窃取用户机密数据,一直是个难题.2013年,Intel公司提出了新的处理器安全技术SGX,能够在计算平台上提供一个用户空间的可信执行环境,保证用户关键代码及数据的机密性和完整性.SGX技术自提出以来,已...     

工业互联网中增强安全的云存储数据访问控制方案

在工业互联网应用中,由于异构节点计算和存储能力的差异,通常采用云方案提供数据存储和数据访问服务.云存储中的访问控制如扩展多权限的云存储数据访问控制方案(NEDAC-MACS),是保证云存储中数据的安全和数据隐私的基石.给出了一种攻击方法来证明NEDAC_MACS中,被撤销的用户仍然可以解密NEDAC-MACS中的新密文;并提出了一种增强NEDAC-MACS安全性的方案,该方案可以抵抗云服务器和用户之间的合谋攻击;最后通过形式密码分析和性能分析表明,该方案能够抵抗未授权用户之间以及云服务器与用户之间的合谋攻击,保证前向安全性、后向安全性和数据保密性.     

云计算环境下的网络安全技术

云计算机具有强大的数据处理功能,能够满足安全高效信息服务及高吞吐率信息服务等多种应用需求,且可以根据需要对存储能力与计算能力进行扩展。但在网络环境下云计算机同样面临许多网络安全问题,因此本文对云计算机环境下常见的网络安全问题进行了探讨,包括拒绝服务安全攻击、中间人安全攻击、SQL注入安全攻击、跨站脚本安全攻击及网络嗅探;同时分析了云计算机环境下的网络安全技术,包括用户端安全技术,服务器端安全技术,用户端与云端互动时的安全技术。     

Security policy verification for multi-domains in cloud systems

The cloud is a modern computing paradigm with the ability to support a business model by providing multi-tenancy, scalability, elasticity, pay as you go and self-provisioning of resources by using broad network access. Yet, cloud systems are mostly bounded to single domains, and collaboration among different cloud systems is an active area of research. Over time, such collaboration schemas are becoming of vital importance since they allow companies to diversify their services on multiple cloud systems to increase both uptime and usage of services. The existence of an efficient management process for the enforcement of security policies among the participating cloud systems would facilitate the adoption of multi-domain cloud systems. An important issue in collaborative environments is secure inter-operation. Stemmed from the absence of relevant work in the area of cloud computing, we define a model checking technique that can be used as a management service/tool for the verification of multi-domain cloud policies. Our proposal is based on NIST’s (National Institute of Standards and Technology) generic model checking technique and has been enriched with RBAC reasoning. Current approaches, in Grid systems, are capable of verifying and detect only conflicts and redundancies between two policies. However, the latter cannot overcome the risk of privileged user access in multi-domain cloud systems. In this paper, we provide the formal definition of the proposed technique and security properties that have to be verified in multi-domain cloud systems. Furthermore, an evaluation of the technique through a series of performance tests is provided.     

云储存中利用属性基加密技术的安全数据检索方案

本文提出了一种利用属性基加密(ABE)技术的安全数据检索方案。首先,利用ABE提供丰富的索引词表达能力,从而确保数据安全性;然后,通过平衡云服务提供商运行开销和其它用户参与基于云存储的信息检索服务;最后,使用加密运算替代穷尽搜索,使得搜索过程与现存数据库管理系统机制更加兼容。分析结果表明,相比其他几种较新的方案,本文方案在访问控制和快速搜索中具有更好的性能,且能在数据检索过程中确保数据安全性和用户隐私,适合应用于具有大量数据的云存储系统。     

高效可撤销的雾协同云访问控制方案

密文策略属性加密技术在实现基于云存储的物联网系统中数据细粒度访问控制的同时,也带来了用户与属性的撤销问题。然而,在现有的访问控制方案中,基于时间的方案往往撤销并不即时,基于第三方的方案通常需要大量重加密密文,效率较低且开销较大。为此,基于RSA密钥管理机制提出了一种高效的支持用户与属性即时撤销的访问控制方案,固定了密钥与密文的长度,借助雾节点实现了用户撤销,同时将部分加解密工作从用户端卸载到临近的雾节点,降低了用户端的计算负担。基于aMSE-DDH假设的安全性分析结果表明,方案能够抵抗选择密文攻击。通过理论分析和实验仿真表明,所提方案能够为用户属性变更频繁且资源有限的应用场景提供高效的访问控制。     

云环境中海量数据的并行分组密码体制研究

云计算环境中,飞速增长的海量数据的安全性越来越受到关注,分组密码算法是保证海量数据安全性的一个有效手段,但面对超大规模的数据量其效率是一个备受关注的问题。提出了一种基于MapReduce架构的并行分组密码机制,能够使标准的分组密码算法应用于大规模的集群环境中,通过并行化来提高海量数据加密与解密的执行效率,并设计了常用的几种并行工作模式。实验证明,提出的算法具有良好的可扩展性和高效的执行性能,能够适用于云计算环境中海量数据的安全保密,为进一步的研究工作奠定了基础。     

云计算访问控制技术研究综述

随着云计算规模化和集约化的发展,云安全问题成为云计算领域亟待突破的重要问题.访问控制技术是安全问题的重中之重,其任务是通过限制用户对数据信息的访问能力及范围,保证信息资源不被非法使用和访问.主要对目前云计算环境下的访问控制问题进行研究,首先介绍访问控制理论;然后分析了云计算环境下的访问控制技术体系框架,重点从云计算访问控制模型、基于ABE(attribute-based encryption)密码体制的云计算访问控制、云中多租户及虚拟化访问控制这3个方面对云计算环境下的访问控制问题进行综述,并且调研了工业界云服务提供商和开源云平台的访问控制机制;最后对未来的研究趋势进行了展望.