security for network-attached storage
DESCRIPTION
Security for Network-Attached Storage. Vishal Kher 14 March 2003. Malicious Clients. How Things Were. Fileserver protects critical information resources Requests go through the fileserver Every request is inspected Malicious requests never read the disk. Authentication Server. - PowerPoint PPT PresentationTRANSCRIPT
Security for Network-Attached Security for Network-Attached StorageStorageVishal KherVishal Kher
14 March 200314 March 2003
2
How Things Were..How Things Were..• Fileserver protects critical information resourcesFileserver protects critical information resources• Requests go Requests go through through the fileserverthe fileserver• Every Every request is inspectedrequest is inspected• Malicious requests never read the diskMalicious requests never read the disk
Client NetworkClient Network
File ServerFile Server
Authentication Authentication ServerServer
ClientsClients
Malicious ClientsMalicious Clients
Disks
3
How NASD Changed Things...How NASD Changed Things...• Performance bottleneck at the file serverPerformance bottleneck at the file server• File manager is File manager is not not on the datapathon the datapath
Client NetworkClient Network
NASDFile Manager
NASD
NASDArray
ClientsClients
Malicious ClientsMalicious ClientsAuthentication Authentication
ServerServer
4
Security IssuesSecurity Issues• AuthorizationAuthorization
– How to authenticate the usersHow to authenticate the users– How to control access on the deviceHow to control access on the device
• How to secure data on link and on the deviceHow to secure data on link and on the device– End to end encryptionEnd to end encryption
• RevocationRevocation
5
OutlineOutline• MotivationMotivation• Authorization SchemesAuthorization Schemes
– Network-Attached Secure Disks (NASD)Network-Attached Secure Disks (NASD)– Secure Authentication for Remotely Encrypted Devices Secure Authentication for Remotely Encrypted Devices
(SCARED)(SCARED)• Data Encryption SchemeData Encryption Scheme
– Secure Network-Attached Disks (SNAD)Secure Network-Attached Disks (SNAD)• ConclusionConclusion
6
• Key TypesKey Types– Capability keysCapability keys
• Client receives KClient receives KCC = H(capArgs, K) = H(capArgs, K)
– Identity KeysIdentity Keys• Client receives KClient receives Ki i == H(Client ID, K)H(Client ID, K)
General PictureGeneral Picture
Client NetworkClient Network
File Manager
D e v i c eClientsClients
Authentication Authentication ServerServer
Request
Key
Key, RequestResponse
7
Security in NASDSecurity in NASD• Developed at PDL, CMUDeveloped at PDL, CMU• File manager makes the policy decisionsFile manager makes the policy decisions• Passes access rights to the drive through Passes access rights to the drive through
cryptographic capabilitiescryptographic capabilities• Device doesn’t need to know the identity of the Device doesn’t need to know the identity of the
clientclient• User proves his identity and access rights using User proves his identity and access rights using
capability key capability key and and capability arguments capability arguments – These are passed by the File manager to the clientThese are passed by the File manager to the client
• Scheme for revocationScheme for revocation
10Reply, NonceIN,
Reply, NonceIN,
MACMAC
capkey
capkey (Reply, NonceIN)
(Reply, NonceIN)
Protocol DetailsProtocol Details
DeviceDeviceSecret Key KSecret Key K(working key)(working key)
Secret Key KSecret Key K(working key)(working key)
M=CapArgs, Req, NonceIN,
M=CapArgs, Req, NonceIN,
MACMAC
capkey
capkey (M, NonceIN)
(M, NonceIN)
Request For AccessRequest For AccessPrivate CommunicationPrivate Communication
Access Control Version (AV)Access Control Version (AV)Stored on the device and FM,Stored on the device and FM,
Used for revocationUsed for revocation
ClientClient FMFM
CapKey = MACCapKey = MACKK(CapArgs, AV)(CapArgs, AV)
CapArgs= ObjID, Version, Rights, Expiry,..CapArgs= ObjID, Version, Rights, Expiry,..
11
NASD ConclusionNASD Conclusion• Capability is acquired per open requestCapability is acquired per open request
– Still overhead on the file managerStill overhead on the file manager– File manager needs to be online File manager needs to be online – File manager (FM) is a central point of failureFile manager (FM) is a central point of failure– Potential for DoSPotential for DoS
• Object migration, replication or stripingObject migration, replication or striping– Multiple capabilities are requiredMultiple capabilities are required
• Very fast revocation Very fast revocation • URL : URL : http://www.pdl.cmu.edu/NASD/http://www.pdl.cmu.edu/NASD/
12
SCAREDSCARED• Extension of NASDExtension of NASD• Developed at IBM AlmadenDeveloped at IBM Almaden• Allows clients to share keysAllows clients to share keys
– Bob receives Bob receives KK11 = H(data = H(data11, K), K)– Bob gives Alice Bob gives Alice KK22 = H(data = H(data11 + data + data22, K, K11))– K is the key shared between the storage and FMK is the key shared between the storage and FM– Public part (dataPublic part (data11) depends on the type of the key used) depends on the type of the key used
• FM does not need to be onlineFM does not need to be online
13
Protocol DetailsProtocol Details• SettingSetting
– Client has two keys KClient has two keys Kaa, K, Krr, and corresponding, and corresponding DDaa, D, Drr
– KKaa is the access key and K is the access key and Kr r is the response keyis the response key
• Step 1: Freshness GuaranteeStep 1: Freshness Guarantee– C S: C S: M = {Frequest, FM = {Frequest, Fcc, D, Drr}, MAC}, MACKKrr(M)(M)
– S C: S C: M = {Fresponse, FM = {Fresponse, Fcc, F, Fss}, MAC}, MACKKrr(M)(M)
– FFs s is the initial session counteris the initial session counter
• Counter based or Timer basedCounter based or Timer based
14
Protocol DetailsProtocol Details• Request C S:Request C S:
– M = {Oper, data, DM = {Oper, data, Daa, D, Drr, F, Fcc, F, Fss}, MAC}, MACKKa+Kra+Kr(M)(M)
• Response S CResponse S C: : – M = {Response, FM = {Response, Fcc, F, Fss}, MAC}, MACKrKr(M)(M)
• Capability KeysCapability Keys– FM has ACLFM has ACL– Device verifies that the client has the ability to perform a Device verifies that the client has the ability to perform a
transactiontransaction• Identity KeysIdentity Keys
– ACL with object on the DeviceACL with object on the Device– Device has to verify the identityDevice has to verify the identity
15
SCARED VS NASDSCARED VS NASD
SCAREDSCARED NASDNASDKeys could be long livedKeys could be long lived Keys per open requestKeys per open request
Revocation difficultRevocation difficult Fast revocationFast revocation
Mutual authenticationMutual authentication NegativeNegative
FM does not need to be FM does not need to be onlineonline
FM has to be onlineFM has to be online
Freshness timestamp Freshness timestamp based or counter basedbased or counter based
Time stamp basedTime stamp based
16
SNAD Design GoalsSNAD Design Goals• Encrypt data on the diskEncrypt data on the disk
– Drives lack information to decrypt dataDrives lack information to decrypt data• End to end encryptionEnd to end encryption
– Restrict access to authorized usersRestrict access to authorized users– Super user should not be able to access the dataSuper user should not be able to access the data– Reduces load on the disk CPUReduces load on the disk CPU
• Data integrityData integrity• Avoid other attacksAvoid other attacks
– Replay attack based on time stamp (time drifting?)Replay attack based on time stamp (time drifting?)
17
SNAD Data StructuresSNAD Data Structures
Secureblock
Secureblock
Secureblock
File object
Certificate object
File object
File object
Secureblock
Secureblock
Secureblock
Key object
Key object
18
SNAD Data StructuresSNAD Data Structures• Secure BlocksSecure Blocks
– Basic unit of data read or writtenBasic unit of data read or written• Block ID - Unique id for the blockBlock ID - Unique id for the block• User ID - Creator of the secure blockUser ID - Creator of the secure block• Timestamp - Timestamp - Used to prevent reply attack Used to prevent reply attack • Data encrypted using the RC5 keyData encrypted using the RC5 key• Key stored in Key objectKey stored in Key object
Block Block Security Security
InformationInformationBlock_IDBlock_ID USER_IDUSER_ID TimestampTimestamp Encrypted DataEncrypted Data
19
SNAD Data StructuresSNAD Data Structures• File ObjectsFile Objects
– Contains normal metadata Contains normal metadata • Example: Block pointers, file sizeExample: Block pointers, file size
– In addition contains a pointer to key objectIn addition contains a pointer to key object– One or more secure blocksOne or more secure blocks– No encryption… Do we need to?No encryption… Do we need to?
• At least whole directory structure will be known to insiderAt least whole directory structure will be known to insider• A directory and/or file name itself can mean somethingA directory and/or file name itself can mean something• MS bookmark informationMS bookmark information
20
SNAD Data StructuresSNAD Data Structures• Key Object Key Object
– Reference count to know when to delete the key objectReference count to know when to delete the key object– Signature – Signature –
• User hashes the entire object and signs with his private keyUser hashes the entire object and signs with his private key
– Rows store information per user or groupRows store information per user or group• Created by the user upon creation of a file or a file groupCreated by the user upon creation of a file or a file group• K is RC5 key encrypted with users public keyK is RC5 key encrypted with users public key
Key file IDKey file ID User IDUser ID SignatureSignature Ref CountRef Count
User ID EPKi(K) PermissionsPermissions
User ID EPKi(K) PermissionsPermissions
…………..Group ID EPKi(K) PermissionsPermissions
21
SNAD Data StructuresSNAD Data Structures• Certificate ObjectCertificate Object
– One per diskOne per disk– Public Key Stored forPublic Key Stored for
• ConvenienceConvenience• Scheme 1Scheme 1
– HMAC key HMAC key • Used in Scheme 2 and Scheme 3Used in Scheme 2 and Scheme 3• Stored encrypted with decryption key held in non-volatile memory Stored encrypted with decryption key held in non-volatile memory
on disk! on disk! • HMAC keys decrypted during disk startup HMAC keys decrypted during disk startup • Timestamp is updated for each writeTimestamp is updated for each write
User IDUser ID Public KeyPublic Key HMAC KeyHMAC Key TimestampTimestamp
User IDUser ID Public KeyPublic Key HMAC KeyHMAC Key TimestampTimestamp
22
SNAD Scheme1SNAD Scheme1
EK(M
)
H
S
EK(M
)
EK(M
)
H
Client WriteClient Write
V
Reject
N
CompareCompare
Y
Disk CPU/ Client readDisk CPU/ Client read
23
SNAD Scheme1SNAD Scheme1• Expensive operations on client and disk sideExpensive operations on client and disk side• Vulnerable to DOS attacksVulnerable to DOS attacks
OperationsOperationsReadRead WriteWrite
ClientClient NASNAS ClientClient NASNAS
En/DecryptEn/Decrypt XX XX
HashHash XX XX XX
SignSign
VerifyVerify XX XX XX
24
SNAD Scheme 2 SNAD Scheme 2
EK(M
)
H
S
EK(M
)
ClientClient Disk CPUDisk CPU
Disk CPU:Compare
H
HMACK’
EK(M
)
Write
H
HMACK’
H
25
SNAD Scheme 2SNAD Scheme 2ClientDisk CPU
EK(M
)
EK(M
)
H
V
Reject
N
CompareCompare
Y
Read
26
SNAD Scheme 2SNAD Scheme 2• Expensive operations on client specially on a writeExpensive operations on client specially on a write• Vulnerable to DOS attacksVulnerable to DOS attacks
OperationsOperationsReadRead WriteWrite
ClientClient NASNAS ClientClient NASNAS
En/DecryptEn/Decrypt XX XX
HashHash XX XX XX
SignSign
VerifyVerify XX XX
27
SNAD Scheme 3SNAD Scheme 3
EK(M
)
EK(M
)
EK(M
)H
HMACK’
H
Compare
HMACK’
Client
Write
Disk CPU
28
SNAD Scheme 3SNAD Scheme 3
EK(M
)
EK(M
)
EK(M
)H
HMACK’
H
Compare
HMACK’
ClientDisk CPU
Read
29
ConclusionConclusion• AuthorizationAuthorization
– NASDNASD– SCAREDSCARED– ImprovementsImprovements
• RevocationRevocation• Reduce number of keysReduce number of keys• Reduce frequency of access to the FMReduce frequency of access to the FM• Support compound objects and object mobilitySupport compound objects and object mobility
• EncryptionEncryption– SNADSNAD– Improvements?Improvements?
• RevocationRevocation• Group key managementGroup key management