KR20180036093A - Cloud Data Management Method for Cloud Service - Google Patents

Abstract

The present invention relates to a cloud data management method for a cloud service to perform effective key management with a small number of keys, to reduce delay time for cloud computing and to maintain the confidentiality of the cloud service. More particularly, the cloud data management method includes a step (A) of authenticating data requiring the cloud service of a user or an administrator at a web service authentication center; a step (B) of encrypting the authenticated data and storing the encrypted data in a cloud server database (CSDB); a step (C) of allowing a cloud service resource database to provide the data stored in the CSDB when the cloud service is requested.

Description

[0002] Cloud Data Management Method for Cloud Service [

The present invention relates to a cloud data management method for a cloud service capable of reducing delay time for cloud computing and maintaining the confidentiality of the cloud service by enabling efficient key management with a small number of keys.

Cloud Computing is a computing service that borrows computing resources such as hardware and software that exist in an intangible form and borrows them as much as they need, and provides a computing service in which computing resources existing in different physical locations To integrate and provide virtualization technology. According to cloud computing, users receive IT-related services such as data storage, processing, network, and content usage from servers on the Internet, which are expressed in the cloud, using various IT devices such as desktop, tablet computer, laptop, netbook and smartphone . Users can build and destroy virtual hardware in just a few minutes, so it's good enough to be agile, pay only for what they use, and they can buy and install servers, update costs, Software purchasing costs, as well as saving time and manpower, and contributing to energy savings. If data is stored on a PC, the data may be lost due to a hard disk failure. However, since the data is stored in an external server in a cloud computing environment, it is possible to securely store the data, overcome the limitation of the storage space, You can view and modify documents you have worked on.

Despite these advantages, cloud computing services are not particularly active in areas that deal with sensitive data such as finance and healthcare. This is because when the server is hacked or the administrator of the cloud service having access to the information of the data has malicious intent, the user's important data may leak. In addition, cloud computing uses the Internet to use cloud services, and data is stored on cloud servers in the Internet environment, which threatens data confidentiality due to Internet characteristics. That is, in the wired and wireless Internet environment, the storage and transmission and reception of data are performed through a large number of host computers, sub-computers, and networks, and the contents of the data may be seized, altered, or falsified in the process.

Data encryption and access control have been studied to solve these problems. However, techniques for confidentiality protection in various computer systems for access control, identity management, end-to-end data confidentiality, and integrity verification for previous data protection It is difficult to apply to open-managed cloud computing systems. Therefore, in order to increase confidence in the confidentiality of data in the cloud service, it is essential to provide a data confidentiality appropriate to the cloud environment.

Recently, for security in cloud computing, a method of encrypting and storing all the digital data stored by the user has been introduced by the data owner. However, since the encryption key used to encrypt the digital data exists in the management server of the database, it is useless that the digital data of the user is encrypted when the encryption key is leaked. In order to solve this problem, V. EI-khoury et al. And A. Zych et al. In this case, the role of the data owner is to identify the set of keys that the user needs to access the data, and the data owner has the advantage that the user is not directly involved in querying the encrypted database. However, the method proposed by V. EI-khoury et al. Does not distribute the same key to each user belonging to the group because the key update is performed by the user group. Therefore, since the key is copied and stored, The management is not perfect and the key generation can not be solved smoothly due to the revocation of the user's right. A. Zych et al. Do not require the same data to be encrypted many times with other user or group key, so when the user access right changes, the key update is easy, but each user stores a single key and focuses on access control, Is not enough to manage the key of. C. Blundo et al. Used a key derivation principle to minimize the total key sum distributed to users, but a solution is needed to protect resource confidentiality. In addition, when the user right is withdrawn, a problem arises that the database encryption key must be distributed to the user.

In order to provide confidentiality of data in cloud computing, there is a common method of encrypting data, but using too much key to apply it to big data in a cloud environment, key management is not effective. Therefore, there is a need for a cloud data management method that can ensure efficient key management and data confidentiality based on the cloud service.

 V. EI-khoury et al., "Distributed Key Management in Dynamic Outsourced Databases: A Trie-based Approach," DBKDA'09 Proc. of the 2009 First International Conference on Advances in Databases, Knowledge, and Data Applications, IEEE Computer Society, Washington, DC, USA, pp. 56-61, 2009. A. Zych et al., "Efficient Key Management for Cryptographically Enforced Access Control," Computer Standard and Interfaces, Vol. 30, issue 6, pp. 410-417, Aug. 2008. C. Blundo et al., "Efficient Key Management for Enforcing Access Control in Outsourced Scenarios," SEC, pp. 364-375, 2009.

Disclosure of Invention Technical Problem [8] The present invention has been made in order to solve the problems of the related art as described above, and it is an object of the present invention to provide a cloud data management system and a data management method capable of safely managing user contents by maintaining confidentiality of data in cloud computing, And a method thereof.

According to an aspect of the present invention, there is provided a method for providing a cloud service, the method comprising: (A) authenticating data required by a user or a manager in a web service authentication center; (B) encrypting the authenticated data and storing the encrypted data in a cloud server database (CSDB); And (C) when the cloud service is requested, the cloud service resource database provides data stored in the CSDB.

 The data stored in the cloud server database is classified according to the type of service to create a cluster, and the cluster becomes a classification unit of the cloud server database for key management.

In the present invention, a distributed self-proxy server in a cloud environment can be used as a key management server.

As described above, according to the cloud data management method of the present invention, since data authentication is performed before data is stored in the cloud database, user contents can be stably managed.

Also, in the cloud data management method of the present invention, the key can be regenerated even when there is an attack by the cloud server, the number of keys can be reduced by the cluster configuration for the cloud service, and the key calculation can be efficiently performed. The delay time can be greatly shortened.

FIG. 1 is a conceptual diagram illustrating a method for managing cloud data based on a cloud service of the present invention. FIG.
2 is a conceptual diagram illustrating a process of storing data in a cloud database for key management based on the cloud service of the present invention.
3 is a conceptual diagram of a key management method based on the cloud service of the present invention.
4 is a self-proxy server-based key self-generated protocol according to the present invention.
FIG. 5 is a graph showing the processing delay time of the cloud computing according to the present invention and the prior art.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, the present invention will be described in detail with reference to the accompanying drawings and embodiments. However, the drawings and the embodiments are only illustrative of the contents and scope of the technical idea of the present invention, and the technical scope of the present invention is not limited or changed. It will be apparent to those skilled in the art that various changes and modifications can be made within the scope of the technical idea of the present invention based on these examples.

1 is a diagram illustrating a method for managing cloud data in the present invention. In the present invention, a method for managing cloud data is a term encompassing storage and provision of cloud data. A cloud data management method of the present invention comprises the steps of: (A) authenticating data requiring a cloud service of a user or an administrator in a web service certification center (WSCC); (B) encrypting the authenticated data and storing the encrypted data in a cloud server database (CSDB); (C) providing, at the request of a user or an administrator, data stored in the CSDB by a Cloud Service Source DataBase. In the prior art, when a user or an administrator needs data, the CSSDB merely fetches necessary data from the CSDB. In contrast, in the present invention, only data that has been authenticated first is stored in the CSDB. If previously unused data is needed, the cloud service provider (CSP) generates data by the user's request and authenticates at the WSCC, stores it in the CSDB, and supports it in the cloud service through the CSSDB do. At this time CSSDB communicates with self-proxy server SPSn for key management by cloud service type based on cloud service in order to provide safe user query result.

In the present invention, it is assumed that the user, the cloud service provider and the key manager (KM) are trusted, the data is moved to the encrypted state, and the key movement is performed through the distributed self-proxy server in the cloud environment.

FIG. 2 is a diagram illustrating a process of storing data in a cloud database for key management based on the cloud service described in steps (A) and (B). In the present invention, when service data is requested from a user or an administrator, the data owner receives the encrypted data required for the cloud service from the WSCC. In FIG. 2, an example of an authentication method is exemplified by SAML (Security Assertion Markup Language) based on XML, but the present invention is not limited thereto. The authenticated data is stored in the CSDB, and the stored data can be classified according to the type of service.

FIG. 3 relates to key management in the Claus service, and the cluster in FIG. 3 is data classified according to the type of cloud service stored in the cloud server. The cluster is used as a data classification unit of the CSDB for key management. For authenticated data, the key manager generates a group key CS _k based on the cloud service, and sends it to the cloud server (CS, Cloud Server) and the data owner (DO, Data Owner) for sharing.

Then, when the cloud service is requested, the timer is operated so that the connection time and the end time are checked, and before the timer expires, the cloud server creates the cluster according to the type of the cloud service. The key manager generates and assigns two keys (Pub _c , Pri _c ), a public key and a secret key, to the cluster using a clustering mechanism, and then transmits the key to the cloud server. The cluster notifies the neighboring cluster group of the two keys assigned to it, and the key manager XORs the secret key Pri _c of the clusters to generate a cloud service secret key (Pub _cs , Pri _cs ). Then, the cloud server and the cloud service To two keys (Pub _cs , Pri _cs ). The cloud service is reconfigured through a clustering mechanism for a cluster added to the cloud service, and then the group key (Pub _cs , Pri _cs ) is broadcasted to the clusters so that the clusters can share the group key.

The cloud service encrypts the cloud service resources with the public key Pub _cs and sends them to the cloud server. The cloud server decrypts the cloud service resource with the secret key Pri _cs of the cloud service received from the key manager, and confirms that it is true. The cloud service resource is decrypted with the group key CS _k based on the cloud service to confirm whether or not it is true. If both are true, proceed with the cloud service and stop either if not true.

The key server manager detects the compromised cloud service to stop the cloud service, and then removes the service list if compromised with the cluster in the cloud service. The key server manager sends a revocation request message to the cloud server when the cloud service withdrawal occurs. The cloud server updates the group key belonging to the cloud service to be withdrawn, and forwards the group key to the cluster in the cloud service. The cluster in the cloud service receives the received group key from the cloud server, and then performs a new clustering. After the clustering process, the cloud service sends a new group key (Pub ' _cs , Pri' _cs ) to the cloud server when a new group key is created. The cloud server that receives the new group key informs the key manager.

In the present invention, the role of the key management server may be implemented by a Self Proxy Server (SPS). The SPS is an autonomous key management server for a cloud service. The SPS is a server that supports active key management in a cloud environment and can replace a cloud key server when a problem occurs, Service-based key management is supported.

In the present invention, the SPS can be selected for active re-encryption when the user requests data dependent on the physical location. In this case, the other cloud sharing the same data is managed by the same SPS, so the calculation value for data management can be reduced. Distributed server SPS _n for cloud services can also provide real-time key management for distributed data management.

On the other hand, the database responds to user queries by interacting with the distributed server SPS _n whenever necessary.

In the present invention, a key self-generated algorithm using SPS is as follows. Key manager sends a proxy (proxy) a key _n to generate, without checking whether the respective SPS _n distributed proxy server who distributed to each server SPS key _n a _n for each of the distributed servers SPS _n. In addition, the key manager scans all n servers to encrypt the data, encrypts the user-generated query q, and stores it in the cloud server together with each SPS _i . At this time, the encrypted data is decrypted with a proxy key a _n after all n servers are scanned.

A self-generated key generation protocol based on the SPS of the present invention will be described with reference to FIG. First, the user u generates a query q , encrypts it with the local β _u , and then broadcasts the message E _βu [q] to each SPS _i server. Every SPS _i in the key server constructs a ring to encrypt the message E _βu [q] with a proxy key a _i ( E _ai [ E _βu (q), SPS _i ). _N last SPS server is a proxy key to decrypt a _n, send to the user u _βu E [q], the user sends a query q decoded in the region β _u key database (DBMS).

, SPS_i]를 복호화한다. 이때,

는 SPS의 처음 i-1에 의한 부분적 복호화 γ_q를 나타낸다. 마지막 SPS_n 는 사용자 u에게 E _βu [γ_q]를 보낸 후, 사용자는 지역 키 β _u 로 E _βu [γ_q]를 복호화하여 질의 결과 γ_q를 얻는다. 상기 과정을 다시 정리하면 다음과 같다.When the query result of the encrypted database is γ _q , the database encrypts it with the proxy key a _i ( E _αi [γ _q ]) and sends it to the user u . The user encrypts it with the local key β _u and sends it to the SPS _i server. The SPS _i- server uses E _ßu [

, SPS _i ]. At this time,

Represents the partial decryption gamma _q by the first i-1 of the SPS. _N is the last SPS after a user u E _βu [γ _q], the user can decode the E _βu [γ _q] as local key β _u query result to obtain the γ _q. The process is summarized as follows.

_{(1) u i → SPS i} : E βu [q]

(2) For i = 1, n, SPS _i : E _ai [ E _{硫 u} (q), SPS _i ]

(3) SPS _n → u _i : E _βu [q]

(4) u _i ? DBMS: q

_{(5) DBMS → u i:} E αi [γ q]

(6) u _i → SPS _i : E _βu [ E _αi (γ _q )]

, SPS_i](7) for i = 1, n, SPS _i : D E _βu [

, SPS _i ]

(8) SPS _n → u _i : E _βu [γ _q ]

(9) u _i : D E _βu [ E _βu (γ _q )]

In the cloud data management method of the present invention, the distributed SPS is used as a key management server for data protection of the cloud service, and the key for protecting the data related to the cloud service necessarily passes through the distributed SPS. The keys used here are copied and stored in the cloud key server and managed by real-time maintenance and revocation.

The SPS of the present invention has a mechanism for regenerating a key even if there is an attack by the cloud server, and thus the encrypted data of the cloud database can be used for the cloud service by the user query. In addition, since the data authentication is performed in the WSCC before the data storage of the cloud database, the user contents can be managed safely.

FIG. 5 compares the processing latency per unit time with the prior art cloud computing system in the same size data. The environment for cloud simulation was determined by the number of tasks, the average processing of tasks, processing deviations, task load, and so on, using Amazon CloudFront. The prior art to be compared is as follows. As can be seen from FIG. 5, the method of processing cloud data according to the present invention shows that the delay time is significantly shortened as compared with the prior art.

A. Verma et al., "Bi-Criteria Priority based Particle Swarm Optimization Workflow Scheduling Algorithm for Cloud," Proc. of 2014 Recent Advances in Engineering and Computational Sciences (RAECS), pp. 1-6, Mar. 2014.

Lizheng Guo, etc., "Multi-Objective Task Assignment in Cloud Computing by Particle Swarm Optimization," 2012 8 th International Conference on Wireless Communications, Networking and Mobile Computing (WiCOM), IEEE, pp. 1-4, 2012.

S. Pandey et al., &Quot; A Particle Swarm Optimization-based Heuristic for Scheduling Workflow Applications in Cloud Computing Environments, "24th IEEE International Conference on Advanced Information Networking and Applications, pp. 400-407, 2010.

S. Selvarani et al., "Improved Cost-based Algorithm for Task Scheduling in

Cloud Computing, "Computational Intelligence and Computing Research (IEEE), pp. 1-5, 28-29 Dec. 2010.

Claims (6)

(A) authenticating, at a web service authentication center, data requiring a cloud service of a user or an administrator;
(B) encrypting the authenticated data and storing the encrypted data in a cloud server database;
(C) upon request of a cloud service, providing a cloud service resource database with data stored in said cloud server database;
And managing the cloud data.
The method according to claim 1,
Wherein the data stored in the cloud server database is classified according to a type of the cloud service to generate a cluster, and the cluster is a classification unit of a cloud server database for key management.
3. The method of claim 2,
(a) the key manager generates a group key CS _k for the data authenticated in the step (B) and distributes the group key CS _k to the cloud server and the data owner,
(b) when requesting the cloud service in the step (C), the cloud server creates a cluster according to the type of the cloud service,
(c) The key manager creates and attaches two keys (Pub _c , Pri _c ) to the cluster, transmits the key to the cloud server,
(Pub _cs , Pri _cs ) generated by the XOR operation of the secret key Pri _c of the clusters, and transmits the generated cloud service secret keys (Pub _cs , Pri _cs ) to the cloud server and the cloud service, respectively.
(d) The cloud service encrypts the cloud service resources with the public key Pub _cs and sends them to the cloud server,
(e) The cloud server provides the cloud service only when the result of decoding and decrypting the cloud service resource with the secret key Pri _cs and CS _k is both true.
The method of claim 3,
If at least one of the decoded values of (d) is false,
The key manager requests that the cloud server be withdrawn from the cloud service,
The cloud server updates the group key belonging to the cloud service to the cluster in the cloud service,
After receiving the renewed group key, the cluster in the cloud service generates a new group key (Pub ' _cs , Pri' _cs ) by new clustering and transmits it to the cloud server,
Wherein the cloud server notifies the key manager of the delivery of (Pub ' _cs , Pri' _cs ).
5. The method according to any one of claims 2 to 4,
And the key management is performed by the distributed self-proxy server.
6. The method of claim 5,
A self-generating key of a key using a self-proxy server is characterized by the following.
_{(1) u i → SPS i} : E βu [q]
(2) For i = 1, n, SPS _i : E _ai [ E _{硫 u} (q), SPS _i ]
(3) SPS _n → u _i : E _βu [q]
(4) u _i ? DBMS: q
_{(5) DBMS → u i:} E αi [γ q]
(6) u _i → SPS _i : E _βu [ E _αi (γ _q )]
(7) for i = 1, n, SPS _i : D E _βu [

, SPS _i ]
(8) SPS _n → u _i : E _βu [γ _q ]
(9) u _i : D E _βu [ E _βu (γ _q )]
In this case, u is the user, SPS is the self-proxy server, q is the query, DBMS is the database, γ _q is the query result,

Represents the partial decryption gamma _q by the first i-1 of the SPS.

Images