Mengqi Zeng,Dawu Gu,Fangyong Hou,Yuanyuan Zhang,Tao Cheng

DOI: https://doi.org/10.1109/NAS.2009.70

2009-01-01

Abstract:Self-securing storage devices prevents intruders from undetectably tampering with or permanently deleting stored data. To accomplish this, we design an efficient self-securing disk architecture, which is based on traditional self-securing storage prototype S4: 1) On the confidentiality protection side, authenticated encryption mode GCM is adapted to process disk block in parallel ,and authentication latency is overlapped with disk access latency so that our scheme is more efficient and secure than Windows BitLocker. 2) On the integrity protection side, GHASH proposed in GCM is used to generate MAC which is more efficient than SHA-1, MD5. Moreover, ldquoMinimum Integrity Verification Treerdquo is put forward to decrease performance loss at a maximum. 3) On the access control protection side, we propose a cryptographically featured capability based access control model, which is based on existing OSD access control model. We use hybrid hard drive as an instance to build a self-securing disk prototype which is implemented by simulation. The encryption/authentication overheads are significantly reduced due to buffer techniques and combined GCM/Flash scheme. According to the simulation results, the performance overhead is less than 18%, which is efficient and practical.

黄益民,平玲娣,潘雪增

DOI: https://doi.org/10.3785/j.issn.1008-973x.2001.06.005

2001-01-01

Abstract:After study of existing security models; analysis of information flow model, Bell-LaPadula(BLP) access control model and Biba access control model; and collation and comparison of their advantages and disadvantages, an improved model is put forward that satisfies the actual demands of information security. An implementation strategy is put forward that ensures information security, reliability, practicality and compatibility in the designed security system. An implementation scheme of this security system and its components and functions is provided. This system combines the following functions: mandatory access contro1, privilege separation, security audit, identity authentication and self-protection. It achieves the level 3 of national information security standard and level B1 of TCSEC standard. It was implemented in the Windows NT and Linux operating system and has yielded good resultsin application.

MAO Weifeng,PING Lingdi,JIANG Li,CHEN Xiaoping

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.12.068

2006-01-01

Abstract:SECOS is a secure operating system with independent intellectual property right,which accords with the requirements of level 4 secure operation system technology.This paper illustrates some key issues of the system,including design method for enchancement of security,improved model from the Bell-La Padula MAC(mandatory access control) implementation,the realization of the model,formal method during the system development,conversiion channel analysis and its prevention,and secure deletion.The performance evaluation shows the design and implementation of SECOS is effective.

Fangyong Hou,Dawu Gu,Nong Xiao,Yuhua Tang

DOI: https://doi.org/10.1109/cit.2008.4594711

2008-01-01

Abstract:To protect data privacy and integrity, it encrypts each protected disk sector and creates hash tree upon all the protected sectors to resist against any possible attacks. To make it an appropriate way for disk protection, it designs the required solutions of disk layout, performance optimizing and consistency maintaining. Disk layout uses a fixed disk region to preserve hash tree nodes; performance optimizing utilizes system memory to buffer those frequently used hash tree nodes to offload the big working cost; and consistency maintaining logs disk modifications to recovery the valid result after unexpected failures. The implementation cost is low and running performance is satisfiable. Analysis and experimental simulations show that it is a practical and available way to build secure disk.

Jie Lin,Yunliang Zhang,Zhiyong Tan,Yiqi Dai

2009-01-01

Abstract:The paper proposes a novel secure distributed disk system. By dynamically exploiting file-system semantics of on-disk data blocks and sensing activities of the local file system, the disk system can be integrated with the current file systems seamlessly without changing the standard block interface between them and can efficiently manage accesses to the files from multiple hosts. And the disk system adopts a new data distribution scheme to ensure confidentiality, reliability and availability of data, and a credibility evaluation strategy to prevent some attacks from malicious clients and data servers.

Fangyong Hou,Dawu Gu,Nong Xiao,Zhiping Cai

DOI: https://doi.org/10.1109/iscc.2008.4625600

2008-01-01

Abstract:Approach that integrates encryption and verification is proposed to protect hard disk data. For each data sector, MAC is calculated and the (data sector, MAC) pair is encrypted through the encryption key deduced from the secret root key and a unique nonce. By assuring the nonce to be trusted or untampered through hash tree, data can then be properly decrypted and authenticated. To achieve satisfiable performance, it applies stream cipher to offload the encryption cost, and adopts special structure hash tree with hot-access-windows to fulfill nonce checking efficiently. Ultimately, it can provide data protection with characteristics like solid resistance against any attacks, online working mode, low-level protecting, and high performance. Related model, approaches and system realization are elaborated, as well as testing results. Theoretical analysis and experimental simulations show that it is a practical and available way to build secure disk.

YANG Bo,ZHANG Ji-zheng,JIA Hui-bo

DOI: https://doi.org/10.3969/j.issn.1001-3695.2006.04.028

2006-01-01

Abstract:Self-securing mechanism means the shift of storage security functionality into the storage device's firmware,which guarantees the availability and integrity of data storage in the case of host systems or client systems are compromised.With the popularization of the embedded processor,erecting security perimeter on storage device will direct the development of storage system.

Mais Nijim,Xiao Qin,Tao Xie

DOI: https://doi.org/10.1145/1210596.1210598

2006-01-01

ACM Transactions on Storage

Abstract:Since security is of critical importance for modern storage systems, it is imperative to protect stored data from being tampered with or disclosed. Although an increasing number of secure storage systems have been developed, there is no way to dynamically choose security services to meet disk requests' flexible security requirements. Furthermore, existing security techniques for disk systems are not suitable to guarantee desired response times of disk requests. We remedy this situation by proposing an adaptive strategy (referred to as AWARDS) that can judiciously select the most appropriate security service for each write request, while endeavoring to guarantee the desired response times of all disk requests. To prove the efficiency of the proposed approach, we build an analytical model to measure the probability that a disk request is completed before its desired response time. The model also can be used to derive the expected value of disk requests' security levels. Empirical results based on synthetic workloads as well as real I/O-intensive applications show that AWARDS significantly improves overall performance over an existing scheme by up to 358.9% (with an average of 213.4%).

Wu Dianshuang,Liu Hang,He Dequan

DOI: https://doi.org/10.16526/j.cnki.11-4762/tp.2009.05.031

2009-01-01

Abstract:To transparently encrypt the data stored in solid state disk (SSD) and enhance the integration of the whole secure storage system, a method to integrate hardware encryption function into SSD was proposed after analyzing the architecture of SSD. The scheme of encrypted SSD was also given. Then, the hardware encryption module (HEM) to be embedded into the SSD was designed and implemented based on FPGA. Finally, the encrypted SSD was implemented with the HEM, common ATA flash disk controller and NAND flash chips. The testing and experimental results show that the encrypted SSD can encrypt all the data stored in it and the integration of the encryption function doesn't lead to decrease of performance due to hardware implementation, high speed and no use of system resources of HEM.

LI Dong,GUO Jin,ZHANG JIZHENG,JIA Huibo

DOI: https://doi.org/10.3969/j.issn.1000-3428.2005.11.066

2005-01-01

Abstract:Security mechanisms for survivability used in current storage systems are divided into two classes, including distributed data copies on wide scale and self-security storage devices. The data center now this paper deploys employs the method resembling the latter, which sets up access patterns database to identify possible attacks. The paper predicts as storage device becomes more intelligent self-security storage device and combination of different security mechanisms will direct the development of survivable storage system.

Minal Moharir,A. V. Suresh

DOI: https://doi.org/10.48550/arXiv.1109.4565

2011-08-26

Abstract:The main objective of the paper is to study and develop an efficient method for Hard Disk Drive(HDD) Security using Full Disk Encryption (FDE) with Advanced Encryption Standards(AES) for data security specifically for Personal Computers(PCS) and Laptops . The focus of this work is to authenticate and protect the content of HDD from illegal use. The paper proposes an adaptive methods for protecting a HDD based on FDE. The proposed method is labeled as DiskTrust. FDE encrypts entire content or a single volume on your disk. DiskTrust implements Symmetric key cryptography with, Advanced Encryption Standards. Finally, the applicability of these methodologies for HDD security will be evaluated on a set of data files with different key sizes.

Cryptography and Security

LIN Hao-xiang,DONG Yuan,ZHANG Wei,ZHANG Su-qin,HU Chang-jun

DOI: https://doi.org/10.3969/j.issn.1000-1220.2007.01.026

2007-01-01

Abstract:Recently it has been a focus to protect personal sensitive information. Using cryptographic technique is a promising way. This paper describes the design and implementation of Waycryptic, a versatile cryptographic file system for Linux. By integrating cryptographic technique into file system level, users obtain transparent, dynamic, efficient and secure encryption function without modifying their applications. Encrypted files could be saved on any physical file system which supports extended attributes (XATTR). Waycryptic also permits encrypted files to be shared among multi users and to be easily recovered by designating an account in advance. The results of Iozone and Bonnie benchmarks show that Waycryptic is comparatively efficient and is suitable for personal or multi-user systems which require enhanced security.

Luo Hui,Guan Haibing,Bai Yingcai

DOI: https://doi.org/10.3969/j.issn.1000-386X.2007.08.062

2007-01-01

Abstract:Secure network file system can secure the stored data and provide confidence and integrity in opening environment.It should consider such factors as security,performance and convenience when designing a secure file system.The design and implementation of a secure network file system:SecNFS,including its design idea,system architecture,key management,security analysis,share schema and implementation techniques is described.

张辉,王春露,张悠慧

DOI: https://doi.org/10.16208/j.issn1000-7024.2008.16.019

2008-01-01

Abstract:It is illustrated the technology of how to use a single file system to backup the crucial data which is saved on it and how to restore the important data when it is ruined.As the same time,the hard disk or mobile storage device which serves a single file system as storage system makes sure that when the disk of device is lost the confidential data is safe by the technology of encryption.

Zijian Deng,Xuejia Lai

DOI: https://doi.org/10.1109/sitis.2007.38

2008-01-01

Abstract:How to protect the sensitive information from unauthorized disclosure is one of the problems in computer security. In this paper we present a new method for preventing the sensitive file from unauthorized disclosure, Security File Management (SFM). SFM relies on Dual-Core technology, Extensible Firmware Interface and Trusted computing to provide a much high level of security than current solutions. All operations of sensitive files are run in Trusted Boundary. In this paper, we present the architecture of SFM, the initial designer and the security analysis.

DAI Wei,ZHANG Shen-sheng

DOI: https://doi.org/10.3969/j.issn.1006-9348.2005.04.050

2005-01-01

Abstract:There is a file protection mechanism called Disk Partitions Encrypti on on FreeBsd system. When one disk partition is set to encrypted state, all fil es p laced on the partition will be automatically encrypted and people are never cons cious of the fact that the files had been encrypted. When one file placed on the partition is opened and the operator has enough privilege to open the file, the file will be automatically decrypted and people are not conscious of it. If th e hard disk are lost or stolen ,the data saved on the encrypted disk partition w ill not let out. The paper mainly describes on Windows System how to realize a p rotected partition or protected file directory through an encrypt agent and a de crypt agent, like the Disk Partitions Encryption on FreeBsd system. The files ca n be easily dragged to the partition or file directory that have been set to enc rypted state and be automatically encrypted .The files on the partition or file directory can be freely opened , read or modified . Once the files are saved to disk ,they will be automatically decrypted .

Jiwu Shu,Zhirong Shen,Wei Xue,Yingxun Fu

DOI: https://doi.org/10.1109/ASPDAC.2013.6509625

2013-01-01

Abstract:With the rapid development of cloud storage, data security in storage receives great attention and becomes the top concern to block the spread development of cloud service. In this paper, we systematically study the security researches in the storage systems. We first present the design criteria that are used to evaluate a secure storage system and summarize the widely adopted key technologies. Then, we further investigate the security research in cloud storage and conclude the new challenges in the cloud environment. Finally, we give a detailed comparison among the selected secure storage systems and draw the relationship between the key technologies and the design criteria.

Fangyong Hou,Dawu Gu,Nong Xiao,Yuhua Tang

DOI: https://doi.org/10.1109/NAS.2008.48

2008-01-01

Abstract:Storage systems are more distributed and more subject to attacks. Cryptographic file system gives a promising way to mitigate the danger of exposing data by using encryption and integrity protection methods and guarantee end-to-end security to clients. This paper describes SRSAE, a generic approach to cryptographic file system, as well as its realization in a distributed data storage environment. SRSAE applies authenticated encryption to each data block transferred between clients and the remote block devices. It provides strong data confidentiality and integrity protections through trusted IV (Initialization Vector) and MAC (Message Authentication Code) comparison. Performance is optimized by buffering IV and MAC locally. Integration into original file system is presented with specific implementation. Related model, approach and system realization are elaborated, as well as testing results. Theoretical analysis and experimental simulations show that it is a practical and available way to build secure network storage system.

纪丰伟,陈恳,刘敏,于晓强

DOI: https://doi.org/10.3321/j.issn:1004-132x.2002.02.019

2002-01-01

Abstract:On the basis of function framework of PDM, this paper proposes a method to build PDM security system, and discusses stressly how to keep security of data and process in PDM system. In the end of the paper, some tools or methods about data encryption, digital signature, etc, are described.

周敬利,杨光,余胜生,曾东

DOI: https://doi.org/10.3969/j.issn.1000-3428.2005.02.060

2005-01-01

Abstract:This article focuses on the security problems in iSCSI application. By detailed researching and analyzing the two security mechanisms presented by iSCSI protocol, it brings forward a security project for a system application which is and implemented as an iSCSI storage sysetm model. Then the contrast performance data of iSCSI system with/without security, is got.