Similar literature
 Found 10 similar documents; search took 203 ms
1.
Li Xiaoyong, Yang Yuehua. China Communications, 2011, 8(6): 108-116
Nowadays, an increasing number of persons choose to outsource their computing demands and storage demands to the Cloud. In order to ensure the integrity of the data in the untrusted Cloud, especially the dynamic files which can be updated online, we propose an improved dynamic provable data possession model. We use some homomorphic tags to verify the integrity of the file and use some hash values generated by some secret values and tags to prevent replay attacks and forgery attacks. Compared with previous works, our proposal reduces the computational and communication complexity from O(log n) to O(1). We did some experiments to ensure this improvement and extended the model to the file sharing situation.

2.
Security becomes increasingly important in computing systems. Data integrity is of utmost importance. One way to protect data integrity is attaching an identifying tag to individual data. The authenticity of the data can then be checked against its tag. If the data is altered by the adversary, the related tag becomes invalid and the attack will be detected. The work presented in this paper studies an existing tag design (CETD) for authenticating memory data in embedded processor systems, where data that are stored in the memory or transferred over the bus can be tampered. Compared to other designs, this design offers the flexibility of trading-off between the implementation cost and tag size (hence the level of security); the design is cost effective and can counter the data integrity attack with random values (namely the fake values used to replace the valid data in the attack are random). However, we find that the design is vulnerable when the fake data is not randomly selected. For some data, their tags are not distributed over the full tag value space but rather limited to a much reduced set of values. When those values were chosen as the fake value, the data alteration would likely go undetected. In this article, we analytically investigate this problem and propose a low cost enhancement to ensure the full-range distribution of tag values for each data, hence effectively removing the vulnerability of the original design.

3.
To resist the attacks from the malicious Cloud service providers and the organizer, an integrality verification of completeness and zero‐knowledge property (IVCZKP) scheme for multi‐Cloud environment is proposed. First, the bilinear pairing maps are adopted as a basis of theoretical support for IVCZKP scheme. Second, the change of file blocks is recorded, and the hash value of each block is generated through the index‐hash table in the verification process. Finally, the hash value of each block is updated through this index‐hash table to support the dynamic updates to user's data, such as data modification, data insertion, and data deletion. Compared with the original scheme, IVCZKP scheme can resist the forgery attacks and has the completeness and zero‐knowledge property. Theory analysis and the experimental results show that this scheme can reduce the computation time and has more performance on integrity verification in multi‐Cloud environment.

4.
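To address the difficulties of confidential data deduplication in cloud storage systems, such as duplicate detection and proof of ownership over ciphertext and attacks on data confidentiality, the MHT-Dedup scheme based on Merkle hash trees and the hMAC-Dedup scheme based on homomorphic MACs are proposed. Both perform cross-user file-level duplicate detection through proofs of ownership of the ciphertext file, and perform local block-level duplicate detection by checking digests of the data block plaintext, avoiding the security flaws of the hash-as-a-proof method in cross-user file-level client-side duplicate detection. The MHT-Dedup scheme provides a deterministic proof of file ownership through a verification binary tree generated from the tags of the data block ciphertexts, with low computation and transmission overhead, whereas the hMAC-Dedup scheme provides a probabilistic proof of file ownership by performing homomorphic MAC operations on sampled data block ciphertexts and their tags, with low additional storage overhead. Analysis and comparison show that the schemes have clear advantages in simultaneously supporting two-level client-side secure deduplication of confidential data and resisting brute-force search attacks on data blocks.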

5.
Cloud computing enables the provisioning of resources in a reliable and on-demand manner. With the increasing importance of the network bandwidth in the Cloud environment, the networking related resources need to be optimally allocated together with the traditional Cloud computing resources. In addition, the significant growth of the global data center traffic raises the challenge of supporting demands with large bandwidth requirements for the Cloud provider. In our paper, we consider the network-efficient virtualized cloud infrastructure provisioning problem in IP over elastic optical network (IP-over-EON) based on the data center as a service model. The elastic optical network is adopted to provide spectrum and cost-efficient networking resources for large bandwidth requests in our work. We develop mixed integer linear programming formulations to construct the mathematical model for this problem and propose a cost-optimized heuristic to solve this problem. To investigate the cost and blocking rate for the served demands, different modulation formats are compared in the EON layer, and the sliceable bandwidth-variable transponders and optical traffic grooming technology are considered. The experimental results show that different modulation formats that are adopted in the EON layer will have different impacts on the total cost and demand blocking rate for the same data set size. Also the use of SBVT will reduce the total cost no matter which modulation format is adopted, and the reduction is related to the bandwidth requirement of the demands.

6.

Cloud storage is a cloud-based service which delivers scalable, on-demand online storage of data and eliminates the need of maintaining a local data centre. Storage of data in the cloud brings many advantages such as lower cost, metered service, and scalable and ubiquitous access. However, it also raises concerns about its integrity; to save storage space, the cloud service provider may delete some rarely accessed data. Data privacy is another issue which must be addressed to increase the data owner’s trust. To address the above issues, many researchers have proposed public auditing schemes to validate the integrity of data using a third party auditor. These schemes generate metadata using data files on the owner side and store these metadata on the cloud storage along with the file data, which helps in auditing. These schemes address many concerns which arise due to remote data storage. However, the computation cost involved for metadata generation at the data owner side is not properly addressed; another issue which is not properly addressed is that an iniquitous third party auditor may be the source of a denial of service attack by constantly issuing a large number of audit requests. Our scheme solves these issues by lowering the computation cost at the data owner side and controlling the number of times a third party auditor can issue an audit request to the cloud storage. Our scheme also supports secure access of data using a conditional proxy re-encryption scheme and delegation of the auditing task by the authorized third party auditor to another auditor for a specified period of time in the case of unavailability of the authorized third party auditor.


7.
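Chen Kai, Xu Haiming, Xu Zhen, Lin Dongdai, Liu Yong. Acta Electronica Sinica, 2016, 44(8): 1806-1813
Bluetooth Low Energy (BLE) is designed for resource-constrained devices, but existing research has pointed out that its Secure Simple Pairing (SSP) scheme has a man-in-the-middle (MITM) attack vulnerability. The article points out that the root causes of the MITM vulnerability are tampering with the pairing information and a flaw in the JW mode itself. To this end, the article proposes two improved SSP schemes for BLE devices in mobile cloud computing (MCC); the proposed schemes are based on hash functions and use MCC technology to improve the security of SSP. Scheme 1 applies to BLE devices that support the PE or OOB mode and uses a hash function to ensure the authenticity and reliability of the pairing information. Scheme 2 uses a hash sequence to address the MITM attack vulnerability of BLE devices that support only the JW mode. The article analyzes the proposed schemes from both the security and the performance perspective, to show that they can provide protection against MITM attacks by adversaries of different levels.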

8.
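Research on a Kademlia-based data redundancy scheme for cloud storage systems   Total citations: 3, self-citations: 0, citations by others: 3
Cloud storage is the product of combining distributed storage technology with virtualization technology, and is the latest development of distributed storage technology. Cloud storage means that storage can be provided to users as a service over the Internet. In contrast to current cloud storage file systems with various C/S computing models such as GFS, HDFS and Sector, a general model of a cloud storage file system based on the peer-to-peer computing model is proposed, and a prototype system, MingCloud, is built using the Kademlia algorithm. The work focuses on the selection and design of the storage system's redundancy scheme; the experiments use Cauchy Codes as the coding algorithm and evaluate the system in terms of the effect of K-bucket size on system availability, the effect of the number of file blocks on system availability, and a comparison of system availability under the same redundancy. Compared with the full-replica redundancy mode, the erasure-code redundancy mode achieves better system availability and is more suitable for the proposed peer-to-peer cloud storage system.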

9.
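To address the fairness problem of cloud storage integrity auditing, a cloud storage integrity auditing model based on consortium blockchains (CSACB, Cloud Storage Integrity Auditing Model Based on Consortium Blockchains) is proposed. First, the model describes the composition of the audit consortium (AC, Audit Consortium) as a tree structure, and uses a layer certificate chain (LCC, Layer Certificate Chain) for identification and permission control of consortium members. Second, a dual-chain form consisting of an integrity auditing chain and a dynamic operation chain is adopted to support auditing of mutable cloud storage. Finally, smart contracts (SC, Smart Contract) are combined with a data block tag index mechanism to build a fair dynamic operation auditing model. Theoretical analysis and experimental results show that the model has clear advantages in security and performance.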

10.
The Electronic Product Code Generation 2 (EPC Gen2) is an international standard that proposes the use of Radio Frequency Identification (RFID) in the supply chain. It is designed to balance cost and functionality. As a consequence, security on board of EPC Gen2 tags is often minimal. It is, indeed, mainly based on the use of on board pseudorandomness, used to obscure the communication between readers and tags; and to acknowledge the proper execution of password-protected operations. In this paper, we present a practical implementation attack on a weak pseudorandom number generator (PRNG) designed specifically for EPC Gen2 tags. We show that it is feasible to eavesdrop a small amount of pseudorandom values by using standard EPC commands and using them to determine the PRNG configuration that allows to predict the complete output sequence.
