CryptosFS: Fast Cryptographic Secure NFS
Abstract:
The issue of security in file systems is as relevant today as when the first file system was
developed. Current file system implementations rely heavily on centralised security
mechanisms such as access control lists. The problem of security in file systems was made
more complicated by the introduction of remote access to files. Storing information on a
remote server has the potential to introduce additional security weaknesses into the file
system model. The client, the communication links and the server make up the file system
model.
The Network File System (NFS) is a widely used and oft-maligned file system. Developed
by Sun Microsystems in the 1980s, it introduced a means to access files remotely. It is by no
means the only distributed file system, but it is one of the most widely used. Serious
security limitations were identified in the NFS protocol, as the original design did not
include a security aspect. Security was added to the NFS protocol by the introduction of
secure RPC. The security added was in the form of authentication of users. The distributed
file system model that NFS uses is susceptible to attack in the following ways.
1. An attacker who can gain control of the NFS client has the ability to read data and can
compromise the confidentiality of the data. If the NFS client has write access, an
attacker can also compromise the integrity of the data stored on the server.
2. An attacker who can gain access to the NFS server can compromise the confidentiality
of the data stored on the server. The attacker can also compromise the integrity of the
data by modifying the data stored on the server.
3. An attacker who can gain access to the network can compromise the confidentiality of
data passing over the network. If a client is performing a write operation, the attacker
can modify the data associated with the write operation and affect the integrity of the
operation. The authenticity of information passing between a client and a server is not
guaranteed as an attacker who can compromise the integrity of the information can also
compromise the authenticity of the information by modifying the data on the fly.
CryptosFS is a distributed file system prototype that uses a combination of cryptographic
techniques to provide confidentiality, integrity and authenticity of information. Blowfish
symmetric-key cryptography is used to encrypt file system data and metadata. The
symmetric-key cryptography provides information confidentiality. Asymmetric-key
cryptography and MD5 message digests are used to create digital signatures. Validation of
the digital signatures provides authentication and integrity.
Authenticity and integrity are ensured by the validation of digital signatures by the NFS
server. The NFS server possesses the public key for each file, allowing it to verify read and
write requests received from clients. Integrity of the information on the remote server is
preserved by not storing the symmetric keys used to encrypt the file data on the server.
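
The server-side check described in the last paragraph, sketched in Go as an added example (not code from the thesis): the server verifies a signed write using only the file's public key and never receives the symmetric key. AES-CTR and SHA-256 with RSA stand in for the Blowfish and MD5 named in the abstract; the function names and the choice to sign the IV plus ciphertext are assumptions.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// ServerVerify (hypothetical name) is the server's check: it needs only the file's public key.
func ServerVerify(pub *rsa.PublicKey, ct, sig []byte) error {
	h := sha256.Sum256(ct)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig)
}

// ClientSeal (hypothetical name) encrypts pt under a fresh IV and signs IV||ciphertext.
func ClientSeal(key []byte, priv *rsa.PrivateKey, pt []byte) (ct, sig []byte, err error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	ct = make([]byte, aes.BlockSize+len(pt))
	if _, err = rand.Read(ct[:aes.BlockSize]); err != nil {
		return nil, nil, err
	}
	cipher.NewCTR(blk, ct[:aes.BlockSize]).XORKeyStream(ct[aes.BlockSize:], pt)
	h := sha256.Sum256(ct)
	sig, err = rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	return ct, sig, err
}

// Demo seals one constructed block, then presents it again with one bit changed in transit.
func Demo() (honest, tampered error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err, err
	}
	key := []byte("0123456789abcdef") // constructed per-file key; stays on the client
	ct, sig, err := ClientSeal(key, priv, []byte("constructed file block"))
	if err != nil {
		return err, err
	}
	honest = ServerVerify(&priv.PublicKey, ct, sig)
	ct[len(ct)-1] ^= 1 // modification on the network path
	return honest, ServerVerify(&priv.PublicKey, ct, sig)
}
func main() { fmt.Println(Demo()) }
```

The server in this sketch can reject a modified write without being able to decrypt it, which is the separation of duties the abstract describes.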
Author: O'Shanahan, Declan
Advisor: Jensen, Christian
Qualification name: Master of Science (M.Sc.)
Availability: Full text available
Keywords: Computer Science