Metadata Issues in a Cryptographic File System

  1. Metadata Issues in a Cryptographic File System David Bindel IRAM/ISTORE/OceanStore Retreat

  2. Overview • Untrusted infrastructure assumption • Cryptography review • Cryptography in storage systems • Securing metadata • ECFS • Conclusions

  3. Untrusted Infrastructure “Trust No One”

  4. Review: Encryption • Protect privacy of data on insecure channel • Shared key • Same key used to encrypt and decrypt • Public key • Mathematically related public and private keys • Public key used to encrypt • Private key used to decrypt

  5. Signatures and MACs • Specify responsibility for document • Depends on document: prevent transfer • Depends on private key: prevent forgery • Signatures verified using public key • MACs verified using private key [diagram: Document → secure hash → message digest → sign algorithm (with private key) → signature]

  6. Encrypting Storage • Where to encrypt stored data? • In file system • In device driver • Why not in user tools? • Users make mistakes • It’s inconvenient • Encryption should be transparent!

  7. Cryptography and Permissions • What policy are we enforcing? • Conventional file systems support • Read and write permissions • Separate permissions for user, group, world • More complicated permissions (eg AFS) • Existing cryptographic file systems support • All-or-nothing access

  8. Protecting Metadata [diagram: directory tree with /private (journal, KFC-recipe, carrying an encrypted-flag in its metadata) and /usr/bin (rsh, ssh) pointing at “rsh data” and “ssh data” blocks; the flag and the name-to-data mapping live in unprotected metadata] • Any new journal entries are public! • Now running “ssh” is insecure!

  9. Hierarchical Signatures [diagram: metadata for / (uid, gid, ctime, …) lists “usr” with the /usr address and sign(/usr), and “etc” with the /etc address and sign(/etc); /usr lists “bin” with the /usr/bin address and sign(/usr/bin data); /usr/bin lists “vi” with the /usr/bin/vi address and sign(/usr/bin/vi data); /usr/bin/vi metadata holds the index of block 0 and block 1 with sign(data block 0) and sign(data block 1). Question posed: replace a data block of /usr/bin/vi with a virus loader?]

  10. Globally Unique IDs [diagram: metadata for / (uid, gid, ctime, …) lists “usr” and “etc” with their unique IDs, plus Sign(/ data); /usr metadata carries the unique ID for /usr, lists “bin” with its unique ID, plus Sign(/usr data); /usr/bin metadata carries the unique ID for /usr/bin, lists “vi” with its unique ID, plus Sign(/usr/bin data); /usr/bin/vi (v 5.0) metadata carries the unique ID for /usr/bin/vi, the index of block 0 and block 1, and Sign(/usr/bin/vi data above); each data block carries Sign(/usr/bin/vi ID, block number, data in block). Questions posed: replace /usr/bin/vi with data for /usr/bin/emacs? replace it with a virus loader? replace data block 1 with the block from v 4.0?]
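The unique-ID scheme of slides 9 and 10, as an added example that is not code from the talk or from ECFS: each block's MAC covers the file's unique ID and the block index, and a tagged per-file index of block hashes catches a single-block rollback. The key, the ID strings and the block contents are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo key; as on slide 5, a MAC is verified with the private key.
KEY = b"constructed-demo-key"


def mac(key, *parts):
    """Length-prefix every field so (a, b) and (a||b) cannot collide."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()


def tag_block(key, file_id, index, data):
    # The tag binds the block to its file's unique ID and its position.
    return mac(key, b"block", file_id, index.to_bytes(4, "big"), data)


def store_file(key, file_id, blocks):
    """Return (index, index_tag, stored_blocks). The index lists each block's
    hash and is tagged under the file ID, so swapping one block for an older
    version of itself is visible even though the old block's own tag is valid."""
    stored = [(d, tag_block(key, file_id, i, d)) for i, d in enumerate(blocks)]
    index = [hashlib.sha256(d).digest() for d in blocks]
    return index, mac(key, b"index", file_id, *index), stored


def verify_file(key, file_id, index, index_tag, stored):
    """True only if the index tag, every block tag and every block hash check out."""
    if not hmac.compare_digest(mac(key, b"index", file_id, *index), index_tag):
        return False
    if len(stored) != len(index):
        return False
    for i, (d, t) in enumerate(stored):
        if not hmac.compare_digest(tag_block(key, file_id, i, d), t):
            return False  # block from another file, or moved to another index
        if hashlib.sha256(d).digest() != index[i]:
            return False  # correctly tagged block, but from an older version
    return True


VI_ID, EMACS_ID = b"id:/usr/bin/vi", b"id:/usr/bin/emacs"  # constructed unique IDs


def demo():
    """Outcome of four checks: intact, cross-file swap, reorder, per-block rollback."""
    vi_old = store_file(KEY, VI_ID, [b"vi v4 block0", b"vi v4 block1"])
    idx, itag, blocks = store_file(KEY, VI_ID, [b"vi v5 block0", b"vi v5 block1"])
    emacs = store_file(KEY, EMACS_ID, [b"emacs block0", b"emacs block1"])
    intact = verify_file(KEY, VI_ID, idx, itag, blocks)
    swapped = verify_file(KEY, VI_ID, idx, itag, [emacs[2][0], blocks[1]])
    reordered = verify_file(KEY, VI_ID, idx, itag, [blocks[1], blocks[0]])
    rolled = verify_file(KEY, VI_ID, idx, itag, [blocks[0], vi_old[2][1]])
    return intact, swapped, reordered, rolled
```

Replacing the index and both blocks together with the v4 set still verifies, so a whole-file rollback needs the version bound into the parent directory's signed entry as well.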

  11. ECFS • Extended version of CFS • Class project for architecture and systems • David Bindel, Monica Chew, Chris Wells • Goal: Support more flexible permissions • Allow public data (eg .forward files) • Protect integrity using MACs

  12. ECFS Architecture [diagram, top to bottom: User Application (plaintext, no MACs) → Kernel NFS client → ECFS daemon → Kernel file system client (ciphertext, MACs) → Underlying filesystem, with a separate Metadata database alongside]

  13. ECFS Lessons • Signatures can be integrated into the FS • Handling metadata right is tricky! • A cryptographic “layer” is awkward • Support should be built in from outset

  14. Back to OceanStore • OceanStore supports more general lookup structures than directory tree • Conflict resolution interacts with security in potentially subtle ways • Lots of other subtle issues come up • Handling denial of service attacks • Key management and distribution
