1 / 24

Decentralized Access Control in Distributed File Systems

Decentralized Access Control in Distributed File Systems. Andrew Lewis. Introduction. Problem: Two corporate users on two different domains want to share access to files However, Each user is restricted to there own domain, and there is no secure way to share files. Existing Methods.

lassie
Download Presentation

Decentralized Access Control in Distributed File Systems

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Decentralized Access Control in Distributed File Systems Andrew Lewis

  2. Introduction • Problem: Two corporate users on two different domains want to share access to files • However, Each user is restricted to there own domain, and there is no secure way to share files

  3. Existing Methods • 1) One of the user’s could be given an account on the other domain. • 2) Share an account password • 3) Use an online method such as FTP • 4) Exchange the File over email similar protocol

  4. Distributed File Systems • A DFS could be used to solve the data sharing problem • To evaluate different DFS’s, a set of parameters are define which would make the DFS ideal for solving the problem • Authentication • Authorization • Granularity • Autonomous Delegation • Revocation

  5. Authentication • Typically maintain a centralized database of users for authentication purposes • Seek a DFS with a decentralized authentication mechanism, or rely on indirect means of authentication.

  6. Authorization • Defines which users can access which files • access control lists (ACL) typical method of storing rights

  7. Granularity • Defines how the directory structure is maintained • Typically a “tree” structure with a root and all others branching from one place

  8. Autonomous delegation • Ability to pass rights from one user the next

  9. Revocation • Once all is said and one, the ablity to remove all the given rights • Restore original access to the status before any delegation took place

  10. Current Distributed File Systems • Breakdown of current distributed file systems and there evaluation based on the defined parameters • Including • NFS • Andrews File System • Common Internet File System

  11. NFS • One of the most common DFS • Authentication: UNIX-style authentication (user ID and group ID) • Authorization: standard UNIX mode bits associated with the file. • Granularity: See Figure • No autonomous delegation • Revocation is easy

  12. Andrews File System • Authentication: Cell based Systems users only have access to there cell • Authorization: ACLs associated with directories • Users can transfer rights to one another but not across cells • Revocation is easy

  13. Common Internet File System • Authentication: Allows for Different Methods • Share Level and User Level • Authorization: Based on underlying file system • FAT(older system) • NTFS (Full ACL Support) • Revocation: Possible

  14. Experimental DFS • Experimental DFS’s are prototypes that are not currently used in any wide scale application

  15. Bayou • First DFS to try and implement autonomous delegation • Authentication: • User has a public/private key • Server uses a challenge/Response protocol to authenticate • Authorization: 3 types of certificates • access granting certificates grant different types of access • delegation certificates pass access granting certificates to other users • revocation certificates allow for removing delegated certificates

  16. WebFS • Authentication: Done by certificates • Authentication: each file had an associated list of users authorized to read, write or execute • Autonomous delegation: done though passing certificates, but can only be passed to users with auth. Certificate for that domain • Transfers could be chained, passed from one user to the next • Revocation: relies on a timeout protocol

  17. CapaFS • Authentication: none, only knowledge of the name of the file is required • Autonomous delegation: Full support, only have to pass the name of the file along • Very susceptible to man-in-the-middle attacks • Revocation: rename the file

  18. Fileteller • Authentication: Public Keys • Pay/Get Paid scheme • Delegation: See figure • Network Users (NUs) • Network Storage Providers (NSPs) • Check Guarantors (CGs) • Revocation: Time Based “Run out of Money”

  19. Overview

  20. Autonomous delegation • Breakdown of the individual features of DFS’s with Autonomy

  21. Observations • Public-Key -necessary for having third-party users -key can be distributed • Pure and complete autonomous delegation is not secure • CapaFS • ACL’s don’t scale outside of organizational boundaries

  22. Observations Cnt. • Authorization certificates closes to providing both secure and full autonomous delegation • Revocation is harder in without have ACL to modify

  23. Conclusion • No real support for cross-organization support of file transfer in in-use distributed file system • Several prototype file systems have some abilities of autonomous delegation, giving them cross-organization support • Always trade offs between security, autonomous and revocation

  24. Reference • “Decentralized Access Control in Distributed File Systems” • STEFAN MILTCHEV. JONATHAN M. SMITH et. All.

More Related