面向分布式存储的高性能可重构加密方案

doi:10.11959/j.issn.2096-109x.2023072

摘要/Abstract

摘要：

全球进入以数字经济为主导的信息社会，数据成为关键生产要素，当今越来越多的数据被收集、处理和存储，分布式存储系统作为一种高效的存储架构在各数据领域得到广泛应用。然而，随着数据存储规模的不断扩大，分布式存储面临着信息泄露、数据破坏等更深层次的安全风险挑战。这些挑战将推动大数据分布式存储安全技术的创新变革，促进了国产密码技术和计算存储技术的融合。针对分布式存储节点数据信息泄露等安全问题，考虑到分布式存储加密性能与灵活性等需求，提出一种动态可重构加密存储解决方案。该方案设计了基于bio映射框架的高性能可重构密码模块，在此基础上构建多个配用不同密码算法的存储池，实现高性能硬盘数据加解密操作和存储池密码算法动态切换，并开发了具有密码算法和密钥远程在线加载功能的密码协议，满足各存储节点可重构密码模块统一管理与便捷安全更新需求，实现基于密码重构技术的数据细粒度加密保护和逻辑安全隔离功能。实验结果表明，该方案对存储数据进行加密保护与安全隔离的性能损耗约10%，可为分布式存储系统达到GB/T 39786-202《1 信息安全技术信息系统密码应用基本要求》第三级及以上在设备和计算安全、应用和数据安全等方面提出的密码应用技术要求提供技术途径。

关键词: 分布式存储加密, 可重构加密技术, 块设备加密, 算法在线加载, 逻辑安全隔离

Abstract:

As the world embraces the digital economy and enters an information society, data has emerged as a critical production factor.The collection, processing, and storage of data have become increasingly prevalent.Distributed storage systems, known for their efficiency, are widely used in various data fields.However, as the scale of data storage continues to expand, distributed storage faces more significant security risks, such as information leakage and data destruction.These challenges drive the need for innovative advancements in big data distributed storage security technology and foster the integration of domestic cryptographic technology with computing storage technology.This work focused on addressing security issues, particularly information leakage, in distributed storage nodes.A dynamic and reconfigurable encryption storage solution was proposed, which considered the requirements for encryption performance and flexibility.A high-performance reconfigurable cryptographic module was designed based on the bio mapping framework.Based on this module, multiple storage pools equipped with different cryptographic algorithms were constructed to facilitate high-performance encryption and decryption operations on hard disk data.The scheme also enabled dynamic switching of cryptographic algorithms within the storage pools.A cryptographic protocol with remote online loading functions for cryptographic algorithms and keys was developed to meet the unified management and convenient security update requirements of reconfigurable cryptographic modules in various storage nodes.Furthermore, the scheme implemented fine-grained data encryption protection and logical security isolation functions based on cryptographic reconstruction technology.Experimental results demonstrate that the performance loss of this scheme for encryption protection and security isolation of stored data is approximately 10%.It provides a technical approach for distributed storage systems to meet the cryptographic application technology requirements outlined in GB/T 39786-2021 “Information Security Technology-Basic Requirements for Cryptography Applications” Level 3 and above in terms of device and computing security, application and data security.

Key words: distributed storage encryption, reconfigurable encryption technology, block device encryption, algorithm online loading, logical safety isolation

中图分类号:

TP309

冯志华, 张宇轩, 罗重, 王佳宁. 面向分布式存储的高性能可重构加密方案[J]. 网络与信息安全学报, 2023, 9(5): 59-70.

Zhihua FENG, Yuxuan ZHANG, Chong LUO, Jianing WANG. High-performance reconfigurable encryption scheme for distributed storage[J]. Chinese Journal of Network and Information Security, 2023, 9(5): 59-70.

图/表 11

表1

图1

图2

图3

图4

图5

图6

图7

图8

图9

图10

参考文献 22

[1]	LI Y . Intelligent cryptography approach for secure distributed big data storage in cloud computing[J]. Information Ences, 2016: 103-115.
[2]	KAPUSTA K , MEMMI G . Enhancing data protection in a distributed storage environment using structure-wise fragmentation and dispersal of encrypted data[C]// IEEE International Conference on Big Data Science and Engineering; IEEE International Conference on Trust,Security and Privacy In Computing and Communications. 2017.
[3]	桑杰, 许雪姣, 刘硕 ,等. 基于国密算法的分布式加密存储研究[J]. 数据通信, 2020,(1): 4.
	SANG J , XU X J , LIU S ,et al. Research on distributed encrypted storage based on national security algorithm[J]. Data Communication, 2020,(1): 4.
[4]	杨锦江 . 基于可重构计算的密码处理器关键技术研究[D]. 南京:东南大学, 2018.
	YANG J J . Research on key technologies of reconfigurable cryptographic processors[D]. Nanjing:Southeast University, 2018.
[5]	FT A , ASA B , AA C ,et al. A new lightweight cryptographic algorithm for enhancing data security in cloud computing-sciencedirect[J]. Global Transitions Proceedings, 2021.
[6]	SMITH A , RILEY J , SYED M ,et al. Exploring untrusted distributed storage for high performance computing[C]// The Practice and Experience in Advanced Research Computing. 2019.
[7]	ABDEL-KADER R F , EL-SHERIF S H , RIZK R Y . Efficient two-stage cryptography scheme for secure distributed data storage in cloud computing[J]. International Journal of Electrical and Computer Engineering, 2020(3).
[8]	MARYAM K , SHAHZAD A , FARIA F ,et al. Privacy-aware genetic algorithm based data security framework for distributed cloud storage[J]. Microprocessors and Microsystems, 2022(94).
[9]	杜瑞忠, 王少泫, 田俊峰 . 基于封闭环境加密的云存储方案[J]. 通信学报, 2017,38(7): 10.
	DU R Z , WANG S X , TIAN J F . Cloud storage scheme based on closed-box encryption[J]. Journal on Communications, 2017,38(7): 10.
[10]	袁航 . 动态可重构密码芯片关键技术研究[D]. 北京:清华大学, 2019.
	YUAN H . Research on key technologies of dynamic reconfigurable cryptographic chip[D]. Beijing:Tsinghua University, 2019.
[11]	SAYILAR G , CHIOU D . Cryptoraptor:high throughput reconfigurable cryptographic processor[C]// IEEE/ACM International Conference on Computer-aided Design. 2014.
[12]	BULENS P , STANDAERT F X , QUISQUATER J J ,et al. Implementation of the AES-128 on Virtex-5 FPGAs[C]// DBLP. 2008.
[13]	LI X , CAO C , LI P ,et al. Energy-efficient hardware implementation of LUKS PBKDF2 with AES on FPGA[C]// Trustcom/Bigdatase/Ispa. 2017.
[14]	SMEKAL D , HAJNY J , MARTINASEK Z . Comparative analysis of different implementations of encryption algorithms on FPGA network cards[C]// IFAC Conference on Programmable Devices and Embedded Systems. 2018.
[15]	NISHIKAWA N , IWAI K , KUROKAWA T . High-performance symmetric block ciphers on multicore CPU and GPU[J]. International Journal of Networking ＆ Computing, 2012,2(2): 251-268.
[16]	RAHIMUNNISA K , KARTHIGAIKUMAR P , CHRISTY N ,et al. PSP:parallel sub-pipelined architecture for high throughput AES on FPGA and ASIC[J]. Central European Journal of Computer Science, 2013,3(4): 173-186.
[17]	BOS J W , OSVIK D A , STEFAN D . Fast implementations of AES on various platforms[J]. IACR Cryptology Eprint Archive, 2009:501.
[18]	王博 . 高能效可重构密码芯片架构及其抗物理攻击技术研究[D]. 北京:清华大学, 2018.
	WANG B . Energy efficient architecture and physical attack countermeasures for reconfigurable cryptographic processors[D]. Beijing:Tsinghua University, 2018.
[19]	张包铨 . 内核态时序数据存储系统设计与实现[D]. 成都:电子科技大学, 2022.
	ZHANG B S . Design and implementation of time series data storage system in kernel space[D]. Chengdu:University of Electronic Science and Technology of China, 2022.
[20]	赵南雨, 陈莉君 . 一种面向Hadoop中间数据存储的混合存储系统[J]. 信息技术, 2017(11): 161-166.
	ZHAO N Y , CHEN L J . Hybrid storage system focus on Hadoop intermediate storing[J]. Information Technology, 2017(11): 161-166.
[21]	周山东, 宋新芳, 金波 ,等. 基于TCM的全盘加密系统的研究与实现[J]. 计算机工程与设计, 2012,33(9): 6.
	ZHOU S D , SONG X F , JIN B ,et al. Research and implementation of trusted full disk encryption system based on TCM[J]. Computer Engineering and Design, 2012,33(9): 6.
[22]	BERRYMAN A , CALYAM P , HONIGFORD M ,et al. VDBench:a benchmarking toolkit for thin-client based virtual desktop environments[C]// IEEE Second International Conference on Cloud Computing Technology ＆ Science. 2010.

类型	架构型号	工艺/nm	峰值性能/Gbit.s^-1	实测性能/Gbit.s^-1	功耗/W	能量效率/Gbit/(s.W)^-1
CGRA	本文	28	25	9.37	3.50	7.14
	Cryptoratpor^[11]	45	128	—	6.18	20.72
	Virtex-5^[12]	65	58.75	—	1.40	42.02
FPGA	zedboard^[13]	—	—	0.564	2.18	—
	Virtex-7^[14]	—	49.66	—	—	—
ASIC	定制设计^[15]	45	53	—	0.16	341.94
	定制设计^[16]	130	25.60	—	0.04	627.14
GPU	Gtx295^[17]	55	59.6	—	288.96	0.21
注：文献中未说明的密码芯片的相关数据在表格中用“—”标明。