Cloud Computing and Big Data Chapter 5 Cloud Computing Security Question Bank and Answers

Chapter 5 Cloud Computing Security Exercises

5.1 Multiple choice questions

1. Cloud computing security issues mainly come from (D).

A. Wrongdoing by legitimate cloud computing users B. Negligence in provider management  

C. Provider abuse of authority D. All of the above

2. Which of the following is not a typical security problem of cloud computing (C).

A. Security attack problem B. Credibility problem C. System vulnerability D. Multi-tenancy hidden danger

3. Which of the following is a cloud computing security goal (D).

A. Safeguard legal access behavior B. Avoid unauthorized access C. Prohibition of illegal access D. All of the above

4. The first hurdle for users to legally obtain cloud services is (A).

A. Identity authentication B. Isolation mechanism C. Data encryption D. Data integrity guarantee

5. The security technology that avoids mutual influence between different users and reduces the security risk of being attacked is (B).

A. Identity authentication mechanism B. Isolation mechanism C. Data encryption technology D. Data integrity protection technology

6. Which of the following does not belong to the type of identity authentication scheme (D).

A. Identity authentication based on secret information B. Authentication based on trusted objects

C. Biometric-based authentication D. Authentication based on user management

7. The following access control mechanism that does not require a trusted server is (C).

A. XACML B. SAML C. CP-ABE D. KP-ABE

8. The key difference between KP-ABE and CP-ABE is (B).

A. Secure administrative access B. Reliance on trusted servers

C. Client-side encryption controls D. Hybrid encryption key management


9. The isolation security of multi-tenants when sharing resources mainly includes (D).

A. Isolation security of the data plane B. Isolation security of the program plane 

C. Isolation security of the network plane D. All of the above


10. Blockchain-based data integrity verification uses a (B) to calculate the hash value and checks whether it is consistent with the root hash value.

A. TEA B. Merkle Hash Tree C. Elliptic Curve Cryptography D. CSP

11. The main operation of TEA is (C).

A. Multiplication B. Negation C. Shift and XOR D. All of the above

12. The compliance mechanism to demonstrate that activities in cloud computing systems meet internal or external requirements is (C).

A. Data encryption technology B. Data integrity verification C. Cloud computing audit D. Elliptic curve encryption


5.2 Fill in the Blank

1. (Access control mechanism) is used to allow or limit the user's ability and scope of access to information resources through some means after identifying the user's legal identity.

2. The feature of CP-ABE that it (does not require a trusted server) is a great advantage in the cloud storage environment: it allows different users, with different permissions, to access and process specific data stored on the untrusted servers provided by cloud service providers.

3. The isolation security of multi-tenants when sharing resources can be divided into (isolation security of data plane), (isolation security of program plane), (isolation security of network plane).

4. (Basic cloud security services) provide common information security services for various cloud applications and are an important means of supporting cloud applications in meeting users' security goals.

5.3 Short answer questions

1. Please briefly describe the main cloud computing security technologies.

answer:

  1. Identity authentication mechanism. Cloud computing identity authentication is the process by which cloud service providers verify the identity of service users. On the Internet, the digital identity owned by a user is represented by a set of specific data, and cloud service providers authenticate and authorize this digital identity. Unlike each person's unique physical identity, a digital identity may be subject to attacks such as duplication and substitution, so cloud service providers need to identify real authorized users and provide services for them.
  2. Access control mechanism. Cloud computing access control is used, after the user's legal identity has been identified, to allow or limit the user's ability and scope of access to information resources, especially key resources, so as to prevent unauthorized users from intruding and legitimate users from performing illegal operations that cause damage.
  3. Isolation mechanism. The cloud computing isolation mechanism lets user services run in a closed and secure environment, which makes it convenient for cloud service providers to manage users; from the user's point of view, it avoids mutual influence between different users and reduces the security risk of being attacked by illegal users.
  4. Data encryption technology. Cloud computing data encryption technology encrypts data during transmission, storage, and use, through encryption algorithms suitable for cloud computing, to ensure data privacy.
  5. Data integrity assurance technology. Cloud computing data integrity assurance technology ensures that data is not damaged or lost during transmission, storage, and processing; if it is damaged or lost, this can be detected and the data recovered in time.
  6. Audit and security traceability technology. Cloud computing audit and security traceability technology records the activities of each user and administrator in the cloud computing system for later query. When an anomaly is found, security traceability and repair can be performed by querying the system log.

2. The cloud computing system uses the digital security identity management and control module to achieve the purpose of centralized identity management and unified identity authentication. What requirements should it mainly meet?

answer:

  1. Single sign-on is supported.
  2. Integrate multiple authentication and password services.
  3. Provide authentication methods with different strengths.
  4. Support distributed and scalable architecture.
  5. Support for identity lifecycle management.

3. Please briefly describe typical cloud security basic services.

answer:

  1. Cloud identity authentication and management services. Cloud identity authentication and management services mainly cover identity creation, deregistration, and the identity authentication process.
  2. Cloud access control and isolation service. The realization of cloud access control and isolation services depends on how traditional access control models (such as role-based, attribute-based, and mandatory/discretionary access control models) and the various authorization policy language standards (such as SAML) are properly extended and transplanted into the cloud computing system.
  3. Cloud audit and security traceability services. Because users lack security management and proof capabilities, cloud service providers are required to provide the necessary support to clarify responsibility for security incidents. Therefore, audits performed by third parties are particularly important.
  4. Cloud encryption and data integrity verification service. Various applications and data in cloud computing systems generally have encryption/decryption requirements. In addition to the most basic encryption/decryption algorithm services, key management and distribution and certificate management and distribution for cryptographic operations can all be offered in the form of cloud security basic services.

5.4 Answer questions

1. OpenID is an open and decentralized network identity authentication system. What are the main components of OpenID? When a user logs in with OpenID, what steps are included in the system's authentication process?

answer:

OpenID is mainly composed of an identifier (Identifier), a relying party (Relying Party, RP) and an OpenID provider (OpenID Provider, OP). The identifier is a URI in the form of "http/https" or an extensible resource identifier (eXtensible Resource Identifier, XRI); XRI is an abstract identifier system compatible with URI. The RP is a web system or protected online resource that needs to verify the identity of the visitor and relies on the identity authentication service provided by the OP. As the OpenID authentication server, the OP not only provides and manages identifiers for users but also provides online identity authentication services for them, and is the core of the entire OpenID system.

The OpenID authentication process is as follows:

(1) The user requests the RP of OpenID and chooses to log in with OpenID.

(2) The RP agrees with the user to log in with OpenID.

(3) The user logs in with OpenID again and provides their identifier to the RP.

(4) The RP standardizes the identifier, and normalizes the user's identifier into the format determined by the OP.

(5) Establish the association between RP and OP, and establish a secure key exchange channel in the network.

(6) The OP processes the association request of the RP.

(7) The RP sends the identity authentication request to the OP, and at the same time redirects the user to the identity authentication entrance of the OP.

(8) If the user is authenticating for the first time, the OP requires the user to submit the necessary authentication information in order to verify their identity.

(9) The user logs in and submits the necessary authentication information to the OP.

(10) After passing the user's identity authentication, the OP notifies the RP of the result, and caches the user's login information to achieve single sign-on.

(11) The RP judges the OP's feedback and decides whether to allow the user to access its resources.

(12) After passing the identity authentication, the user can use the services provided by the RP.

Within a reasonable time frame (set by the OP according to the interaction requirements between the user and the system), when the user logs in to another RP protected by the OP in the same security logical domain, the OP finds that the user's login information is already in the cache and associated with it, so the user is not required to submit authentication information again; the OP directly informs the RP of the result, thereby realizing single sign-on.
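The exchange described above, reduced to the security-relevant checks, as an added example that is not part of the original answer: an association gives the RP and OP a shared MAC key (steps 5 and 6), the OP signs its authentication result and caches the login for single sign-on (steps 8 to 10), and the RP accepts the result only if the signature, association handle, return URL and nonce check out (step 11). The field names, the signed form and the in-memory "users" table are simplifications of the real OpenID 2.0 messages, not the protocol's exact layout.

```python
import hashlib, hmac, secrets, time

def sign(mac_key, fields):
    # Sign a canonical key:value form with the association MAC key (layout simplified).
    msg = "".join(f"{k}:{fields[k]}\n" for k in sorted(fields))
    return hmac.new(mac_key, msg.encode(), hashlib.sha256).hexdigest()

class OpenIDProvider:
    def __init__(self):
        self.assocs = {}        # assoc_handle -> MAC key (steps 5 and 6)
        self.logged_in = set()  # identifiers with a cached login (single sign-on)

    def associate(self):
        handle, key = secrets.token_hex(8), secrets.token_bytes(32)
        self.assocs[handle] = key
        return handle, key

    def authenticate(self, handle, identifier, credential, users, return_to):
        # Steps 8-10: ask for credentials unless the login is already cached.
        if identifier not in self.logged_in:
            if users.get(identifier) != credential:
                return None
            self.logged_in.add(identifier)
        fields = {"assoc_handle": handle, "claimed_id": identifier, "return_to": return_to,
                  "response_nonce": f"{int(time.time())}-{secrets.token_hex(4)}"}
        fields["sig"] = sign(self.assocs[handle], fields)
        return fields

class RelyingParty:
    def __init__(self, op, return_to):
        self.op, self.return_to = op, return_to
        self.handle, self.key = op.associate()
        self.seen_nonces = set()  # replay protection for step 11

    def verify(self, resp):
        # Step 11: accept only a result signed under this RP's own association,
        # addressed to its own return URL, and carrying a fresh nonce.
        if resp is None or resp["assoc_handle"] != self.handle:
            return False
        if resp["return_to"] != self.return_to or resp["response_nonce"] in self.seen_nonces:
            return False
        unsigned = {k: v for k, v in resp.items() if k != "sig"}
        if not hmac.compare_digest(sign(self.key, unsigned), resp["sig"]):
            return False
        self.seen_nonces.add(resp["response_nonce"])
        return True

def login(rp, identifier, credential, users):
    resp = rp.op.authenticate(rp.handle, identifier, credential, users, rp.return_to)
    return rp.verify(resp)
```

A second RP registered with the same OP logs the cached user in without credentials, which is the single sign-on behaviour of the last paragraph; a replayed or tampered result is rejected by the RP.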

2. Which parties are involved in the ABE-based cloud access control model? Please further describe the workflow of the ABE-based cloud access control model.

answer:

The cloud access control model based on ABE algorithm includes four participants: data provider, trusted authorization center, cloud storage server, and user.

Workflow of cloud access control model based on ABE algorithm:

(1) The trusted authorization center generates the master key and public parameters, and transmits the system public key to the data provider.

(2) After receiving the system public key, the data provider uses the policy tree and system public key to encrypt the file, and uploads the ciphertext and policy tree to the cloud server.

(3) After the user joins the system, they upload their attribute set to the trusted authorization center and submit a private key application; the private key is then issued to the user.

(4) The user downloads the data of interest. If its attribute set satisfies the policy tree structure of the ciphertext data, the ciphertext can be decrypted; otherwise, accessing the data fails.
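The access structure behind step (4), as an added example that is not part of the original answer: the data provider's policy tree is a tree of threshold gates over attributes (AND is "all children", OR is "any child", and "k of (...)" is a general threshold), and decryption is possible only when the user's attribute set satisfies it. The policy syntax parsed here is my own toy notation, and the pairing-based cryptography that binds the policy to the ciphertext in real CP-ABE is out of scope; the code shows only the policy decision.

```python
import re

# Tokens: "k of", AND, OR, parentheses, commas, and attribute names (toy syntax).
TOKEN = re.compile(r"\s*(\d+\s*of\b|AND\b|OR\b|\(|\)|,|[A-Za-z_][\w:.@-]*)")

class Node:
    """Threshold gate: satisfied when at least k children are satisfied.
    AND is k == len(children), OR is k == 1; a leaf names one attribute."""
    def __init__(self, k=0, children=(), attr=None):
        self.k, self.children, self.attr = k, list(children), attr

def satisfies(node, attrs):
    """Step (4): recursively evaluate the policy tree against a user's attribute set."""
    if node.attr is not None:
        return node.attr in attrs
    return sum(satisfies(c, attrs) for c in node.children) >= node.k

def parse_policy(text):
    """Parse e.g. 'doctor AND (cardiology OR 2 of (icu, senior, oncall))' into a tree."""
    toks, pos = TOKEN.findall(text), 0
    def peek(): return toks[pos] if pos < len(toks) else None
    def take(expected=None):
        nonlocal pos
        tok = peek()
        if tok is None or (expected and tok != expected):
            raise ValueError(f"expected {expected!r}, got {tok!r}")
        pos += 1
        return tok
    def expr():                        # expr := term (OR term)*
        parts = [term()]
        while peek() == "OR":
            take(); parts.append(term())
        return parts[0] if len(parts) == 1 else Node(1, parts)
    def term():                        # term := factor (AND factor)*
        parts = [factor()]
        while peek() == "AND":
            take(); parts.append(factor())
        return parts[0] if len(parts) == 1 else Node(len(parts), parts)
    def factor():                      # factor := '(' expr ')' | k of '(' expr, ... ')' | attr
        tok = take()
        if tok == "(":
            node = expr(); take(")"); return node
        if tok.endswith("of"):
            k, kids = int(tok[:-2]), []
            take("("); kids.append(expr())
            while peek() == ",":
                take(); kids.append(expr())
            take(")")
            if not 1 <= k <= len(kids): raise ValueError("bad threshold")
            return Node(k, kids)
        if tok in ("AND", "OR", ")", ","): raise ValueError(f"unexpected {tok!r}")
        return Node(attr=tok)
    tree = expr()
    if peek() is not None: raise ValueError("trailing tokens")
    return tree
```

A user holding {doctor, icu, senior} satisfies the example policy while {doctor, icu} does not, which is exactly the distinction the trusted authorization center's attribute-bound private key enforces at decryption time.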


Origin blog.csdn.net/m0_63394128/article/details/126567972