Metadata Issuesin a
Cryptographic File System
David BindelIRAM/ISTORE/OceanStore Retreat
Overview
• Untrusted infrastructure assumption• Cryptography review• Cryptography in storage systems• Securing metadata• ECFS• Conclusions
Untrusted Infrastructure
“Trust No One”
Review: Encryption
• Protect privacy of data on insecure channel• Shared key
– Same key used to encrypt and decrypt• Public key
– Mathematically related public and private keys– Public key used to encrypt– Private key used to decrypt
Signatures and MACs
• Specify responsibility for document– Depends on document: prevent transfer– Depends on private key: prevent forgery
• Signatures verified using public key• MACs verified using private key
Message DigestSecure hash
SignatureDocument
Private Key
Sign Algorithm
Encrypting Storage
• Where to encrypt stored data?– In file system– In device driver
• Why not in user tools?– Users make mistakes– It’s inconvenient
• Encryption should be transparent!
Cryptography and Permissions
• What policy are we enforcing?• Conventional file systems support
– Read and write permissions– Separate permissions for user, group, world– More complicated permissions (eg AFS)
• Existing cryptographic file systems support– All-or-nothing access
Protecting Metadata/
private usr
bin
rsh ssh
rsh data
ssh data
encrypted-flag
journal KFC-recipe
•Any new journal entries are public!•Now running “ssh” is insecure!
Heirarchical SignaturesMetadata (uid, gid, ctime, …)“usr”, /usr address“etc”, /etc address...
Metadata“bin”, /usr/bin address...
Metadata“vi”, /usr/bin/vi address...
MetadataIndex of block 0Index of block 1...
/
/usr
/usr/bin
/usr/bin/vi
Data block 0 of /usr/bin/vi
Data block 1 of /usr/bin/vi
, sign(data block 0), sign(data block 1)
, sign(/usr/bin/vi data)
Replace with virus loader?
, sign(/usr/bin data)
, sign(/usr), sign(/etc)
/etc ...
Globally Unique IDsMetadata (uid, gid, ctime, …)“usr”, /usr unique ID“etc”, /etc unique ID...
MetadataUnique ID for /usr“bin”, /usr/bin unique ID...
MetadataUnique ID for /usr/bin“vi”, /usr/bin/vi unique ID...
MetadataUnique ID for /usr/bin/viIndex of block 0Index of block 1...
//usr
/usr/bin
/usr/bin/viData block 0 of /usr/bin/vi
Data block 1 of /usr/bin/vi
/etc ...
Replace with virus loader?
Sign(/usr/bin/vi ID, 0, data in block)
Sign(/usr/bin/vi ID, 0, data in block)
Replace with data for /usr/bin/emacs?
(v 5.0)
Replace with data block 1 (v 4.0)?Sign(/usr/bin/vi data above)
Sign(/usr/bin data)
Sign(/usr data)Sign(/ data)
ECFS
• Extended version of CFS– Class project for architecture and systems– David Bindel, Monica Chew, Chris Wells
• Goal: Support more flexible permissions– Allow public data (eg .forward files)– Protect integrity using MACs
ECFS Architecture
User Application
ECFS daemon
Underlying filesystemMetadata database
Kernel NFS client
Kernel file system client
PlaintextNo MACs
CiphertextMACs
ECFS Lessons
• Signatures can be integrated into the FS• Handling metadata right is tricky!• A cryptographic “layer” is awkward
– Support should be built in from outset
Back to OceanStore
• OceanStore supports more general lookup structures than directory tree
• Conflict resolution interacts with security in potentially subtle ways
• Lots of other subtle issues come up– Handling denial of service attacks– Key management and distribution