| Abstract: | 雲端運算(Cloud Computing)提供大量的運算能力與儲存空間讓使用者可依個人需求動態 地增減軟硬體需求。這些優點讓中小型企業不再需要去購買與維護設備、聘僱技術人員操作 與維修,只需要專注於開發系統程式,也減少了各方面的成本支出。其中的雲端儲存服務 (Cloud Storage Service)除了用於一般個人的資料儲存,也是讓企業或資料擁有者(Data Owner, DO)方便分享資料的服務。但是當DO 想分享特定資料,尤其是機密檔案給特定群組或個人 時,資料的存取控制與金鑰管理等資訊安全技術就需要考量進來。 因此,本計畫將研究並實作一個基於雲端儲存服務的高效率存取控制與金鑰管理機制, 以達到雲端儲存服務之檔案安全性及機密性。在金鑰管理機制,我們將使用階層式 (Hierarchical)的金鑰管理、分享金鑰樹(Shared Key Tree, SKT)與更新金鑰訊息(Renewed Key Message)來達成DO 與存取檔案的使用者能個別只存一把密鑰,卻可讓DO 能導出所有的加 密檔案金鑰,也能讓使用者導出具有存取權限的加密檔案金鑰,進而使金鑰更新與存取控制 更具效率。 除了存取控制與金鑰管理之外,當DO 使用雲端儲存服務後,資料正確性與完整性也 需要定期做驗證與確認,但DO 的計算能力在雲端情境中相對弱(即僅有瀏覽器)。因此,降低 DO 與資料接收者的計算複雜度也是一項重要的議題。本計畫依上述問題分為三大主軸: (1) 存取控制與金鑰管理 (2) 保護隱私的公開稽核 (3) 保護機密的雲端代理運算。
Cloud computing provide abundant computing ability and storage that users can accord their demand to add/cancel software/hardware requirement dynamically. These advantages let Small and Medium Business (SMB) didn’t need to purchase and maintain equipments hire technical staffs for operation and repair it, only need to focus on development of system and program, and this way can reduce many kinds of cost. In Cloud, the Cloud Storage Services not only a general storage for user, but also a convenient share data service for enterprise and Data Owner (DO). But when DO want to share a specific data, especially confidential data, for specific group or users, there need to consider and include access control and key management of data. Therefore, this project will design and implement a high efficiency access control and key management mechanism based on Cloud Storage Services to approach security and confidentiality of data stored in Cloud Storage Services. In the key management mechanism, we use hierarchical key management with Shared Key Tree (SKT) and renewed key message to achieve DO and user can only store one secret key respectively, then DO can generate all encrypt file key, and user can derive the encrypt file key which he/she has the access right, and then achieve more efficiency key update and access control. In addition to access control and key management, when DO start to rely on Cloud Storage Service, correctness and integrity of data are also need to check and verify regularly. But DO’s computing ability in Cloud scenario may no longer stronger as usual, i.e. only has browser. Therefore, reducing computing complexity of DO and data receiver is also an important issue. According to above problems, this project has been divided into three main parts: (1) Access control and key management (2) Protect privacy of public auditing data (3) Protect confidentiality of Cloud proxy computing |
