Metadata Issues in a Cryptographic File System
David Bindel
IRAM/ISTORE/OceanStore Retreat
Overview
• Untrusted infrastructure assumption
• Cryptography review
• Cryptography in storage systems
• Securing metadata
• ECFS
• Conclusions
Untrusted Infrastructure
“Trust No One”
Review: Encryption
• Protect privacy of data on insecure channel
• Shared key
  – Same key used to encrypt and decrypt
• Public key
  – Mathematically related public and private keys
  – Public key used to encrypt
  – Private key used to decrypt
Signatures and MACs
• Specify responsibility for document
  – Depends on document: prevent transfer
  – Depends on private key: prevent forgery
• Signatures verified using public key
• MACs verified using the shared secret key (the same key that produced them)
[Diagram: Document → Secure hash → Message Digest → Sign Algorithm (with Private Key) → Signature]
Encrypting Storage
• Where to encrypt stored data?
  – In file system
  – In device driver
• Why not in user tools?
  – Users make mistakes
  – It’s inconvenient
• Encryption should be transparent!
Cryptography and Permissions
• What policy are we enforcing?
• Conventional file systems support
  – Read and write permissions
  – Separate permissions for user, group, world
  – More complicated permissions (e.g. AFS)
• Existing cryptographic file systems support
  – All-or-nothing access
Protecting Metadata
[Diagram: directory tree. / contains private and usr; private contains journal (carrying an encrypted-flag) and KFC-recipe; usr/bin contains rsh and ssh, whose entries point at “rsh data” and “ssh data”. The encrypted-flag and the name-to-data links are metadata; if they are left unprotected they can be altered without detection.]
• Any new journal entries are public!
• Now running “ssh” is insecure!
Hierarchical Signatures
[Diagram: each directory’s metadata lists its entries by name and address, and each node carries signatures over its children, down to the individual data blocks]
/            Metadata (uid, gid, ctime, …); “usr” → /usr address; “etc” → /etc address; ...; sign(/usr), sign(/etc)
/usr         Metadata; “bin” → /usr/bin address; ...; sign(/usr/bin data)
/usr/bin     Metadata; “vi” → /usr/bin/vi address; ...; sign(/usr/bin/vi data)
/usr/bin/vi  Metadata; index of block 0; index of block 1; ...; sign(data block 0), sign(data block 1)
Data block 0 of /usr/bin/vi; Data block 1 of /usr/bin/vi
/etc ...
Question posed on the diagram: Replace with virus loader?
Globally Unique IDs
[Diagram: as on the previous slide, but directory entries refer to children by globally unique ID rather than by address, each node’s metadata carries its own unique ID, and each block signature covers the file’s ID and the block index together with the block contents]
/            Metadata (uid, gid, ctime, …); “usr” → /usr unique ID; “etc” → /etc unique ID; ...; Sign(/ data)
/usr         Metadata; unique ID for /usr; “bin” → /usr/bin unique ID; ...; Sign(/usr data)
/usr/bin     Metadata; unique ID for /usr/bin; “vi” → /usr/bin/vi unique ID; ...; Sign(/usr/bin data)
/usr/bin/vi  Metadata; unique ID for /usr/bin/vi; index of block 0; index of block 1; ...; Sign(/usr/bin/vi data above)
Data block 0 of /usr/bin/vi   Sign(/usr/bin/vi ID, 0, data in block)
Data block 1 of /usr/bin/vi   Sign(/usr/bin/vi ID, 1, data in block)
/etc ...
Questions posed on the diagram:
  Replace with virus loader?
  Replace with data for /usr/bin/emacs?
  Replace with data block 1 (v 4.0)? (current version: v 5.0)
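The three substitution questions on the last two slides, and the unprotected encrypted-flag and name-to-data links of the "Protecting Metadata" slide, can be played through in a few lines of Python. This is an added example, not code from the slides, from CFS or from ECFS. The slides' sign() is a public-key signature; HMAC-SHA256 under a single constructed shared key stands in for it here (a MAC, which is what ECFS itself uses), because the binding argument is the same either way: whatever is left outside the authenticated bytes can be swapped by untrusted storage without the client noticing. File IDs, version numbers, directory contents and block contents are all constructed.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed demo key; a real system would use a per-user or per-file key.
KEY = b"constructed-demo-key"


def mac(*parts: bytes) -> bytes:
    """MAC over length-prefixed fields, so (b'ab', b'c') and (b'a', b'bc') differ."""
    h = hmac.new(KEY, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))
        h.update(p)
    return h.digest()


def verify(tag: bytes, *parts: bytes) -> bool:
    return hmac.compare_digest(tag, mac(*parts))


@dataclass
class Block:
    data: bytes
    tag: bytes


# "Hierarchical Signatures" style: the tag covers only the contents, so a
# genuinely signed block of another file, another position or an older
# version still verifies when storage hands it back in the wrong place.
def naive_block_tag(data: bytes) -> bytes:
    return mac(b"block", data)


def check_naive_block(blk: Block) -> bool:
    return verify(blk.tag, b"block", blk.data)


# "Globally Unique IDs" style: the file's unique ID, the block index and the
# version are inside the MAC. The client takes the expected values from the
# file's own authenticated metadata, which the parent directory's tag covers,
# and so on up to "/".
def bound_block_tag(file_id: str, index: int, version: int, data: bytes) -> bytes:
    return mac(b"block", file_id.encode(), str(index).encode(),
               str(version).encode(), data)


def check_bound_block(file_id: str, index: int, version: int, blk: Block) -> bool:
    return verify(blk.tag, b"block", file_id.encode(), str(index).encode(),
                  str(version).encode(), blk.data)


# Directory entries (name, child ID, encrypted-flag) are metadata and need the
# same treatment; canonical JSON gives a stable byte encoding of the listing.
def _canon(entries: dict) -> bytes:
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def dir_tag(dir_id: str, version: int, entries: dict) -> bytes:
    return mac(b"dir", dir_id.encode(), str(version).encode(), _canon(entries))


def check_dir(dir_id: str, version: int, entries: dict, tag: bytes) -> bool:
    return verify(tag, b"dir", dir_id.encode(), str(version).encode(), _canon(entries))


def scenario_cross_file_swap() -> tuple:
    """'Replace with data for /usr/bin/emacs?': storage returns emacs's block 0
    where vi's block 0 was requested. Returns (naive accepts, bound accepts)."""
    emacs0 = b"emacs block 0 (constructed)"
    naive = Block(emacs0, naive_block_tag(emacs0))
    bound = Block(emacs0, bound_block_tag("id-emacs", 0, 5, emacs0))
    return check_naive_block(naive), check_bound_block("id-vi", 0, 5, bound)


def scenario_reorder() -> bool:
    """Storage presents vi's block 1 where block 0 was requested."""
    vi1 = b"vi block 1 (constructed)"
    blk = Block(vi1, bound_block_tag("id-vi", 1, 5, vi1))
    return check_bound_block("id-vi", 0, 5, blk)


def scenario_rollback() -> bool:
    """'Replace with data block 1 (v 4.0)?': the v4 block and its still-valid
    tag are replayed while the file's authenticated metadata says v5."""
    old = b"vi block 1 at v4 (constructed)"
    blk = Block(old, bound_block_tag("id-vi", 1, 4, old))
    return check_bound_block("id-vi", 1, 5, blk)


def scenario_metadata_tamper() -> tuple:
    """'Protecting Metadata' slide: clear journal's encrypted-flag; point "ssh"
    at rsh's data. Returns (flag flip accepted, link swap accepted, untouched ok)."""
    private = {"journal": {"child": "id-journal", "encrypted": True},
               "KFC-recipe": {"child": "id-kfc", "encrypted": True}}
    t_private = dir_tag("id-private", 1, private)
    flipped = json.loads(json.dumps(private))
    flipped["journal"]["encrypted"] = False

    bin_dir = {"rsh": {"child": "id-rsh-data", "encrypted": False},
               "ssh": {"child": "id-ssh-data", "encrypted": False}}
    t_bin = dir_tag("id-bin", 1, bin_dir)
    relinked = json.loads(json.dumps(bin_dir))
    relinked["ssh"]["child"] = "id-rsh-data"

    return (check_dir("id-private", 1, flipped, t_private),
            check_dir("id-bin", 1, relinked, t_bin),
            check_dir("id-bin", 1, bin_dir, t_bin))


if __name__ == "__main__":
    print("cross-file swap (naive, bound):", scenario_cross_file_swap())
    print("reorder accepted:", scenario_reorder())
    print("rollback accepted:", scenario_rollback())
    print("metadata tamper (flag, link, untouched):", scenario_metadata_tamper())
```

The naive check accepts the emacs block because its tag is genuine; only the scheme that binds the file ID, index and version rejects all three substitutions, and only because the client obtains the expected ID and version from metadata that is itself authenticated up the tree. Version-binding alone does not tell the client which version is current; that still has to come from the signed parent.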
ECFS
• Extended version of CFS
  – Class project for architecture and systems
  – David Bindel, Monica Chew, Chris Wells
• Goal: Support more flexible permissions
  – Allow public data (e.g. .forward files)
  – Protect integrity using MACs
ECFS Architecture
[Diagram: User Application → Kernel file system client → Kernel NFS client → ECFS daemon → Underlying filesystem and Metadata database. Between the application and the ECFS daemon the data is plaintext with no MACs; between the daemon and the underlying filesystem it is ciphertext with MACs.]
ECFS Lessons
• Signatures can be integrated into the FS
• Handling metadata right is tricky!
• A cryptographic “layer” is awkward
  – Support should be built in from the outset
Back to OceanStore
• OceanStore supports more general lookup structures than directory tree
• Conflict resolution interacts with security in potentially subtle ways
• Lots of other subtle issues come up
  – Handling denial of service attacks
  – Key management and distribution