School of Cryptographic Engineering, Information Engineering University, Zhengzhou 450001, Henan, China

CAO Lifeng (born 1981), male, from Yuzhou, Henan; associate professor at Information Engineering University; main research interests: network security and information security.
LU Xin (born 1995), male, from Jinan, Shandong; master's student at Information Engineering University; main research interests: information security and cloud computing security.
GAO Zhensheng (born 1995), male, from Luoyang, Henan; master's student at Information Engineering University; main research interests: information security and blockchain security.
DU Xuehui (born 1968), female, Ph.D., from Huixian, Henan; professor at Information Engineering University; main research interests: information security, aerospace network security, cloud computing and big data security.

Online publication date: 2020-06
Print publication date: 2020-06-25
Lifeng CAO, Xin LU, Zhensheng GAO, et al. Multi-tenant virtual domain isolation construction method based on L-DHT[J]. Journal on Communications, 2020, 41(6): 184-201. DOI: 10.11959/j.issn.1000-436x.2020088.
Aiming at the problem of security isolation of multi-tenant data in a cloud environment, a tenant virtual domain isolation construction method based on L-DHT is proposed. First, a multi-tenant isolation mapping algorithm based on label-hash mapping is designed to build a balanced mapping mechanism for tenant resources, realizing distributed management of those resources. Second, to isolate and securely access tenant data that is mapped to the same storage node, a tenant data isolation storage algorithm based on label predicate encryption is given; it relies on a predicate encryption mechanism and binds security labels to tenant data. Finally, multi-dimensional tenant data isolation control rules are designed and, through the parsing and authentication of security labels, mutually independent, logical and secure virtual domains between tenants are built hierarchically. Security analysis shows that the method constructs tenant virtual domains that are secure and non-interfering with each other. Simulation results show that the mapping algorithm achieves better dynamic load balance, and a comparative analysis of tenant data retrieval efficiency and access security verifies that tenant data access is both secure and efficient.