Outline
- Cloud Computing
- Security issues
6.1 Cloud Computing
| Name |
名字 |
| Network Computing |
网络计算 |
| Cluster Computing |
集群计算 |
| Grid Computing |
格网计算 |
| Utility Computing |
效用计算 |
| Cloud Computing |
云计算 |
| Name |
名字 |
| Shared pool of configurable computing resources |
可配置计算资源的共享池 |
| On-demand network access |
按需网络访问 |
| Provisioned by the Service Provider |
由服务提供者提供 |
| hide the complexity |
隐藏底层的复杂性 |
| anywhere, anytime and any place |
|
| Pay for use |
按需支付 |
| hardware and software service |
|
- pros and cons of Cloud Computer
| pros |
中文翻译 |
| Easy to conceptualize |
容易概念化 |
| Easy to deploy |
容易部署(服务器) |
| Easy to backup |
容易备份 |
| any application/service can be run from this type of setup |
兼容性强 |
| cons |
中文翻译 |
| Expensive to acquire and maintain hardware |
获取和维护硬件费用高 |
| Not very scalable |
不是很可伸缩 |
| Difficult to replicate |
难以复制 |
| Vulnerable to hardware outages |
容易出现硬件中断 |
Virtual Server
- Concepts
① Virtual servers seek to encapsulate the server software away from the hardware.
虚拟服务器试图将服务器软件封装在硬件之外.
② A virtual server can be serviced by one or more hosts, and one host may house more than one virtual server.
一个虚拟服务器可以由一个或多个主机提供服务,一个主机可以容纳多个虚拟服务器。
③ If the environment built correctly, virtual servers will not be affected by the loss of a host.
如果环境构建正确,虚拟服务器不会受到主机丢失的影响。
④ Can be scaled out easily.
可以很容易地扩展。
- Advantages
① Run operating systems where the physical hardware is unavailable.
运行物理硬件不可用的操作系统
② Easier to create new machines, backup machines, etc.,
更容易创建新机器,备份机器等,
③ Software testing using “clean” installs of operating systems and software,
使用“干净”安装的操作系统和软件进行软件测试
④ Emulate more machines than are physically available
仿真比实际可用的更多的机器
⑤ Timeshare lightly loaded systems on one host
一个主机上的分时系统负载很轻
⑥ Debug problems (suspend and resume the problem machine)
调试问题(挂起并恢复问题机器),
⑦ Easy migration of virtual machines
轻松迁移虚拟机
⑧ Run legacy systems!
遗留系统运行!
- Pros and cons of virtualization
| pros |
中文翻译 |
| Resource pooling |
资源池 |
| Highly redundant |
高度冗余 |
| Highly available |
高可用性 |
| Rapidly deploy new servers |
快速部署新服务器 |
| Easy to deploy |
易于部署 |
| Reconfigurable while services are running |
服务运行时可重新配置 |
| Optimizes physical resources by doing more with less |
通过用更少的资源做更多的事情来优化物理资源 |
| cons |
中文翻译 |
| harder to conceptualize |
难以概念化 |
| more costly |
贵 |
Layers of Cloud Service 云计算层结构
| layer |
service |
功能 |
| Client |
|
|
| Application |
SaaS |
为客户制作并维护应用程序 |
| Platform |
PaaS |
为客户提供平台,API |
| Infrastructure |
IaaS |
为客户提供硬件资源 |
| Server |
|
|
SaaS
use provider’s applications running on provider's cloud infrastructure.
使用运行在提供商云基础设施上的提供商应用程序。
PaaS
can create custom applications using programming tools supported by the provider and deploy them onto the provider's cloud infrastructure.
可以使用提供商支持的编程工具创建自定义应用程序,并将它们部署到提供商的云基础设施上。
IaaS
provisions computing resources within provider's infrastructure upon which they can deploy and run arbitrary software, including OS and applications.
在提供商的基础设施中提供计算资源,他们可以在这些资源上部署和运行任意软件,包括操作系统和应用程序。
知名云服务商
① Google Cloud
② VMware Cloud
③ IBM-Google Cloud
④ Salesforce Cloud
Hadoop
用户可以在不了解分布式底层细节的情况下,开发分布式程序。充分利用集群的威力进行高速运算和存储。
| framework |
功能 |
| Hadoop Distributed File System (HDFS) |
provide storage |
| MapReduce |
provide processing |
6.2 Security Issue
Computer Security
integrity(完整性), availability(可用性) and confidentiality(保密性) of information system resources
保护信息系统资源的完整性、可用性和保密性
Authenticity and Accountability 真实性和问责制
| Key Objectives |
具体体现 |
翻译 |
| Confidentiality |
Concealment of information or resources |
信息或资源的隐瞒 |
|
Data Confidentiality |
数据保密性 |
|
Privacy |
隐私 |
| Integrity |
Trustworthiness of data or resources |
数据或资源的可靠性 |
|
Data Integrity |
数据完整性 |
|
System Integrity |
系统的完整性 |
| Availability |
Service not denied to authorized users |
未拒绝授权用户的服务 |
|
Ability to use information or resources |
能够使用信息或资源 |
| Authenticity |
being genuine, verified or trust |
真实的,能够被核实或信任的 |
|
verifying the users |
验证用户 |
| Accountability |
can be traced uniquely to that entity |
唯一地追溯到该实体 |
Computer Security Challenges
- not simple
- must consider potential attacks
必须考虑潜在的攻击
- procedures used counter-intuitive
程序使用反直觉的
- involve algorithms and secret info
涉及算法和秘密信息
- must decide where to deploy mechanisms
必须决定在何处部署机制
- battle of wits between attacker/administrator
攻击者/管理员之间的斗智斗勇
- not perceived to be a benefit until fails
直到失败才被认为是有益的
- requires regular monitoring
需要定期监测
- too regarded as impediment to efficient and user friendly use of system
也被认为是高效和用户友好使用系统的障碍
- often an after-thought
往往恍然大悟
OSI Security Architecture OSI安全体系结构
The OSI security architecture focuses on security attacks, mechanisms and services.
OSI的安全架构关注于安全攻击、机制和服务。
| Cryptography Goals |
翻译 |
| confidentiality |
保密 |
| data integrity |
数据完整性 |
| entity authentication |
身份验证 |
| Non-repudiation |
不可抵赖性 |
要背的概念
- Security Attack: Any action (active or passive) that compromises the security of information
安全攻击:危害信息安全的任何行为(主动或被动)
- Security Mechanism: A mechanism that is designed to detect, prevent, or recover from a security attack.
安全机制:用于检测、防止或从安全攻击中恢复的机制。
- Security Service: A service that enhances the security of data processing systems and information transfers. A security service makes use of one or more security mechanisms.
安全服务:提高数据处理系统和信息传输安全性的服务。安全服务使用一个或多个安全机制。
- Threat: a potential for violation of security or a possible danger that might exploit a vulnerability
威胁: 潜在的安全威胁或可能利用漏洞的危险.
- Attack: an intelligent act that is a deliberate attempt to evade security services and violate the security policy of a system.
攻击: 一种故意逃避安全服务和违反系统安全策略的智能行为。
- 填空
A Safeguard is a countermeasure to protect against a threat.
防护措施是防范威胁的对策。
A weakness in a safeguard is called a vulnerability.
安全防护中的弱点称为“漏洞”。
Damage to any IT-based system or activity can result in severe disruption of services and losses.
任何基于it的系统或活动的损坏都可能导致服务的严重中断和损失。
Security Attacks
- Interruption: This is an attack on availability
中断:这是对可用性的攻击
- Interception: This is an attack on confidentiality
拦截:这是对保密性的攻击
- Modification: This is an attack on integrity
修改:这是对完整性的攻击
- Fabrication: This is an attack on authenticity
捏造:这是对真实性的攻击
Security Threats
- Disclosure: unauthorized access to information
披露-未经授权的信息访问
- Deception: acceptance of false data
欺骗-接受虚假资料
- Disruption: interruption or prevention of correct operation
中断-正确操作的中断或预防
- Usurpation: unauthorized control of some part of a system
篡夺-对系统某些部分的未经授权的控制
Passive and Active Attacks 被动攻击和主动攻击
- Passive: attempts to learn or make use of information from the system, but does not affect system resources.
被动:尝试从系统中学习或利用信息,但不影响系统资源。
- Active: attempts to alter system resources or affect their operation.
主动:试图改变系统资源或影响它们的操作。
Security Services
- enhance security of data processing systems and information transfers of an organization
提高数据处理系统和组织信息传输的安全性
- intended to counter security attacks
为了对抗安全攻击
- use one or more security mechanisms
使用一个或多个安全机制
- often replicate functions normally associated with physical documents
经常复制通常与物理文档相关的功能
- have signatures, dates; need protection from disclosure, tampering, or destruction; are notarized or witnessed;
有签名,日期;需要保护以免泄露、篡改或销毁;
Security Services Examples
| Examples |
解释 |
翻译 |
| uthentication |
(who created or sent the data) |
身份验证 (谁创建或发送数据) |
| Access control |
(prevent misuse of resources) |
访问控制 (防止资源滥用) |
| Confidentiality |
(privacy) |
机密性 (隐私) |
| Integrity |
(has not been altered) |
完整性 (未更改) |
| Non-repudiation |
(the order is final) |
不可抵赖性 (订单为最终) |
| Availability |
(permanence, non-erasure) |
可用性 (永久性、非擦除) |
Security Machanism
- feature designed to detect, prevent, or recover from a security attack
用于检测、防止或从安全攻击中恢复的特性
- no single mechanism that will support all services required
没有一种机制可以支持所有需要的服务
- however one particular element underlies many of the security mechanisms in use: cryptographic techniques
然而,在使用的许多安全机制的基础上有一个特殊的元素:密码技术
Security Machanism Examples
- Specific mechanisms existing to provide certain security services
提供某些保安服务的特定机制
| Examples |
翻译 |
| encryption used for authentication |
用于身份验证的加密 |
| digital signatures |
数字签名 |
| access controls |
访问控制 |
| data integrity |
数据完整性 |
| authentication exchange |
身份验证交换 |
| traffic padding |
流量填充 |
| routing control |
路由控制 |
| notarization |
公证 |
- Pervasive mechanisms which are general mechanisms incorporated into the system and not specific to a service
无处不在的机制,是纳入系统的一般机制,而不是特定于服务
| Examples |
翻译 |
| security audit trail |
安全审计跟踪 |
| trusted functionality |
信任的功能?? |
| security labels |
安全标签 |
| event detection |
事件检测 |
| security recovery |
安全恢复 |
Two Types of Program Threats
- Information access threats:
信息访问的威胁
Intercept or modify data on behalf of users who should not have access to that data.
代表不应该访问该数据的用户拦截或修改数据。
E.g. corruption of data by injecting malicious code
例如,注入恶意程式码破坏资料
- Service threats:
服务的威胁
Exploit service flaws in computers to inhibit use by legitimate uses.
利用电脑上的服务漏洞,禁止合法使用。
Viruses and worms are examples of software attacks
病毒和蠕虫是软件攻击的例子
Public-Key Cryptosystems 公钥密码体制
| categories |
翻译 |
| Encryption/decryption |
加密/解密 |
| Digital signature |
数字签名 |
| Key exchange |
密钥交换 |
Advantage of Symmetric key 对称密钥的优点
- It can be designed for high rates of data throughput, may be using hardware implementations
-它可以设计为高数据吞吐率,可以使用硬件实现
- Key lengths are relatively short
-密钥长度相对较短
- Can be used to produce stronger ciphers
-可用于产生更强的密码
Disadvantage of Symmetric key 对称密钥的缺点
- Key must remain secret at both ends
钥匙两端必须保密
- In a large network, there are many key pairs to be managed. Effective key management requires use of an unconditionally trusted third party.
在大型网络中,有许多密钥对需要管理。有效的密钥管理需要使用一个无条件信任的第三方。
- Digital signature schemes using private key cryptography requires large key.
使用私钥加密的数字签名方案需要大密钥。
Advantage of Public key cryptography 公钥密码学的优点
- Only the private key to be kept secret
只有私钥要保密
- The administration of key requires only a functionally trusted TTP.
密钥的管理只需要一个功能可靠的TTP。
- A private/public key pair may remain unchanged for a long time.
私钥/公钥对可能长时间保持不变。
- Gives relatively efficient digital signature schemes
提供相对有效的数字签名方案
Disadvantages of public key cryptography 公钥密码学的缺点
- Several orders of magnitudes slower
慢了几个数量级
- Key sizes are larger.
钥匙尺寸更大。
- No public-key cryptosystem is proven to
secure.
没有公钥密码系统被证明是安全的。
