中文摘要：

可信云架构为云计算用户提供了安全可信的云服务执行环境,保护了用户私有数据的计算与存储安全.然而在移动云计算高速发展的今天,仍然没有移动终端接入可信云服务的安全解决方案.针对上述问题,提出了一种可信移动终端云服务安全接入方案.方案充分考虑了移动云计算应用背景,利用ARM Trust Zone硬件隔离技术构建可信移动终端,保护云服务客户端及安全敏感操作在移动终端的安全执行.结合物理不可克隆函数技术,给出了移动终端密钥与敏感数据管理机制.在此基础上,借鉴可信计算技术思想设计了云服务安全接入协议.协议兼容可信云架构,提供云服务端与移动客户端间的端到端认证.分析了方案具备的6种安全属性,给出了基于方案的移动云存储应用实例,实现了方案的原型系统.实验结果表明：可信移动终端TCB较小,方案具有良好的可扩展性和安全可控性,整体运行效率较高.

英文摘要：

Trusted cloud architecture provides isolated execution environment for trusted and secure cloud services, which protects the security of cloud users＇ data computation and storage. However, with the rapid development of mobile cloud computing, there is currently no secure solution for mobile terminals accessing trusted cloud architecture. To address this issue, this research proposes a secure access scheme of cloud services for trusted mobile terminals. By fully considering the background of mobile cloud computing, an architecture of trusted mobile terminal is constructed using ARM Trust Zone hardware-based isolation technology that can prevent the cloud service client and security-sensitive operations on the terminal from malicious attacks. Leveraging physical unclonable function（PUF）, the key and sensitive data management mechanism is presented. Based on the trusted mobile terminal and by employing trusted computing technology, the secure access protocol is designed. The protocol is compatible with trusted cloud architecture and establishes an end-to-end authenticated channel between mobile cloud client and cloud server. Six security properties of the scheme are analyzed and an instance of mobile cloud storage is provided. Finally a prototype system is implement. The experimental results indicate that the proposed scheme has good expandability and secure controllability. Moreover, the scheme achieves small TCB for mobile terminal and high operating efficiency for cloud users.