A secure cloud data deduplication method based on SGX under cloud-edge collaboration


Authors: Shilei BU; Yulai XIE [1,2,3]; Zhou CAO; Jie WANG; Jun ZHENG [1,2]; Dan FENG [3,4]

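Affiliations: [1] School of Cyber Science and Engineering, Huazhong University of Science and Technology, Wuhan 430074, China; [2] Hubei Key Laboratory of Distributed System Security, Huazhong University of Science and Technology, Wuhan 430074, China; [3] Key Laboratory of Information Storage System, Ministry of Education of China, Huazhong University of Science and Technology, Wuhan 430074, China; [4] Wuhan National Laboratory for Optoelectronics, Wuhan 430074, China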

Source: Scientia Sinica (Informationis), 2025, No. 3, pp. 528-541 (14 pages)

Funding: Supported by the National Key R&D Program of China, Young Scientists project (Grant No. 2022YFB4501300).

Abstract: The continuous growth of data places increasing demands on cloud storage space, security, and performance. Secure deduplication can effectively reduce cloud storage requirements while preserving the security of the deduplicated data. However, current mainstream secure cloud deduplication schemes rely on a trusted third party to protect keys, which introduces additional trust assumptions and key management overhead, while two-party deduplication schemes face significant challenges in security and transmission overhead. To address this problem, this paper proposes a secure cloud data deduplication method based on Intel Software Guard Extensions (Intel SGX). Its main contributions are: (1) a cloud-edge collaborative security architecture based on edge-side deduplication, which reduces transmission overhead between the cloud and the edge and uses the SGX trusted execution environment to protect data and keys on both the cloud and the edge, without requiring an untrusted third-party key server; (2) a low-overhead secure key generation protocol in which the cloud and the edge cooperate to generate keys, producing a unique encryption key for each edge user rather than a separate key for each piece of data; (3) an efficient tag query mechanism based on tag popularity, which computes tag frequency to separate hot and cold tags, improving tag query efficiency while avoiding tag false detections. Theoretical security proofs and system experiments show that the proposed scheme is more secure than the latest methods and greatly reduces key management and tag query overhead; key storage overhead is reduced by 48.72% to 98.72%.

Keywords: cloud-edge collaboration; cloud storage; secure deduplication; Intel Software Guard Extensions; tag popularity

Classification No.: TP309 [Automation and Computer Technology: Computer System Architecture]

 
