Metadata Issues in a Cryptographic File System David Bindel IRAM/ISTORE/OceanStore Retreat

Post on 22-Dec-2015


Page 1: Metadata Issues in a Cryptographic File System David Bindel IRAM/ISTORE/OceanStore Retreat

Metadata Issues in a Cryptographic File System

David Bindel

IRAM/ISTORE/OceanStore Retreat

Page 2

Overview

• Untrusted infrastructure assumption

• Cryptography review

• Cryptography in storage systems

• Securing metadata

• ECFS

• Conclusions

Page 3

Untrusted Infrastructure

“Trust No One”

Page 4

Review: Encryption

• Protect privacy of data on insecure channel

• Shared key
  – Same key used to encrypt and decrypt

• Public key
  – Mathematically related public and private keys
  – Public key used to encrypt
  – Private key used to decrypt

Page 5

Signatures and MACs

• Specify responsibility for document
  – Depends on document: prevent transfer
  – Depends on private key: prevent forgery

• Signatures verified using public key

• MACs verified using the same secret key that created them

[Figure: signing pipeline. Document → Secure hash → Message digest → Sign algorithm (with private key) → Signature]

Page 6

Encrypting Storage

• Where to encrypt stored data?
  – In file system
  – In device driver

• Why not in user tools?
  – Users make mistakes
  – It’s inconvenient

• Encryption should be transparent!

Page 7

Cryptography and Permissions

• What policy are we enforcing?

• Conventional file systems support
  – Read and write permissions
  – Separate permissions for user, group, world
  – More complicated permissions (eg AFS)

• Existing cryptographic file systems support
  – All-or-nothing access

Page 8

Protecting Metadata

[Figure: example directory tree with unprotected metadata]
/
  private/
    encrypted-flag
    journal
    KFC-recipe
  usr/
    bin/
      rsh  → rsh data
      ssh  → ssh data

• Any new journal entries are public!

• Now running “ssh” is insecure!

Page 9

Hierarchical Signatures

[Figure: each level’s metadata carries signatures over the level below it]
/            Metadata (uid, gid, ctime, …); “usr”, /usr address; “etc”, /etc address; ...; sign(/usr), sign(/etc)
/usr         Metadata; “bin”, /usr/bin address; ...; sign(/usr/bin data)
/usr/bin     Metadata; “vi”, /usr/bin/vi address; ...; sign(/usr/bin/vi data)
/usr/bin/vi  Metadata; Index of block 0; Index of block 1; ...; sign(data block 0), sign(data block 1)
             Data block 0 of /usr/bin/vi
             Data block 1 of /usr/bin/vi   ← Replace with virus loader?
/etc ...

Page 10

Globally Unique IDs

[Figure: the same tree, with every signature bound to the unique ID of the object it covers]
/            Metadata (uid, gid, ctime, …); “usr”, /usr unique ID; “etc”, /etc unique ID; ...; Sign(/ data)
/usr         Metadata; Unique ID for /usr; “bin”, /usr/bin unique ID; ...; Sign(/usr data)
/usr/bin     Metadata; Unique ID for /usr/bin; “vi”, /usr/bin/vi unique ID; ...; Sign(/usr/bin data)
/usr/bin/vi  Metadata; Unique ID for /usr/bin/vi; Index of block 0; Index of block 1; ...; Sign(/usr/bin/vi data above)
             Data block 0 of /usr/bin/vi            Sign(/usr/bin/vi ID, 0, data in block)
               ← Replace with virus loader?  ← Replace with data for /usr/bin/emacs?
             Data block 1 of /usr/bin/vi (v 5.0)    Sign(/usr/bin/vi ID, 0, data in block)
               ← Replace with data block 1 (v 4.0)?
/etc ...
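The three "Replace with …?" annotations on slides 8 through 10 are all the same failure: a tag computed over block contents alone cannot tell the verifier where a block belongs, or which version it is. The following is an added example, not code from the slides or from ECFS, that makes the difference concrete in Python. It uses HMAC-SHA256 as the MAC (the slides leave the primitive unspecified), a constructed shared key, constructed file IDs and block contents, and a dictionary standing in for the untrusted store. One tag is computed the naive way (contents only); the other binds the contents to the file's unique ID, the block index and a version number, and the file's own metadata, including the "encrypted" flag from slide 8, is tagged the same way.

```python
import hashlib
import hmac

# Constructed shared key for the demo; a real system would derive one per user or per file.
KEY = b"constructed-demo-key-not-for-real-use"


def tag(key: bytes, *fields: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed fields, so field boundaries are unambiguous."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for f in fields:
        h.update(len(f).to_bytes(4, "big"))
        h.update(f)
    return h.digest()


def naive_tag(key: bytes, data: bytes) -> bytes:
    """Tag over the block contents only: what 'sign(data block 0)' on slide 9 amounts to."""
    return tag(key, data)


def bound_tag(key: bytes, file_id: bytes, index: int, version: int, data: bytes) -> bytes:
    """Tag over (unique file ID, block index, version, contents), as on slide 10."""
    return tag(key, file_id, index.to_bytes(8, "big"), version.to_bytes(8, "big"), data)


def meta_tag(key: bytes, file_id: bytes, version: int, encrypted: bool, nblocks: int) -> bytes:
    """Tag over a file's own metadata, so the 'encrypted' flag from slide 8 is covered too."""
    return tag(key, file_id, version.to_bytes(8, "big"), bytes([encrypted]), nblocks.to_bytes(8, "big"))


class UntrustedStore:
    """Stand-in for storage we do not trust: it returns whatever bytes it was last handed."""

    def __init__(self):
        self.blocks = {}  # (file_id, index) -> (data, naive_tag, bound_tag)
        self.meta = {}    # file_id -> (encrypted, nblocks, meta_tag)

    def put_block(self, key, file_id, index, version, data):
        self.blocks[(file_id, index)] = (
            data, naive_tag(key, data), bound_tag(key, file_id, index, version, data))

    def put_meta(self, key, file_id, version, encrypted, nblocks):
        self.meta[file_id] = (encrypted, nblocks, meta_tag(key, file_id, version, encrypted, nblocks))


def verify_naive(key, file_id, index, store) -> bool:
    data, ntag, _ = store.blocks[(file_id, index)]
    return hmac.compare_digest(ntag, naive_tag(key, data))


def verify_bound(key, file_id, index, expected_version, store) -> bool:
    # expected_version comes from the file's authenticated metadata (its parent in the tree),
    # never from the store, so a stale-but-genuine block fails the check.
    data, _, btag = store.blocks[(file_id, index)]
    return hmac.compare_digest(btag, bound_tag(key, file_id, index, expected_version, data))


def verify_meta(key, file_id, expected_version, store) -> bool:
    encrypted, nblocks, mtag = store.meta[file_id]
    return hmac.compare_digest(mtag, meta_tag(key, file_id, expected_version, encrypted, nblocks))


def block_scenarios() -> dict:
    """Returns {scenario: (naive check passes, bound check passes)} for the slide-10 substitutions."""
    vi, emacs = b"uid:/usr/bin/vi", b"uid:/usr/bin/emacs"   # constructed unique IDs

    def fresh():
        s = UntrustedStore()
        s.put_block(KEY, vi, 0, 5, b"vi block 0 (v5.0)")
        s.put_block(KEY, vi, 1, 4, b"vi block 1 (v4.0)")
        old = s.blocks[(vi, 1)]                 # stale entry with a genuine tag for v4.0
        s.put_block(KEY, vi, 1, 5, b"vi block 1 (v5.0)")
        s.put_block(KEY, emacs, 0, 5, b"emacs block 0 (v5.0)")
        return s, old

    def check(s, index):
        return (verify_naive(KEY, vi, index, s), verify_bound(KEY, vi, index, 5, s))

    results = {}
    s, _ = fresh()
    results["untampered"] = check(s, 0)
    s, _ = fresh()
    s.blocks[(vi, 0)] = s.blocks[(emacs, 0)]    # "Replace with data for /usr/bin/emacs?"
    results["substitute_other_file"] = check(s, 0)
    s, _ = fresh()
    s.blocks[(vi, 0)], s.blocks[(vi, 1)] = s.blocks[(vi, 1)], s.blocks[(vi, 0)]
    results["reorder_blocks"] = check(s, 0)
    s, old = fresh()
    s.blocks[(vi, 1)] = old                     # "Replace with data block 1 (v 4.0)?"
    results["rollback_to_v4"] = check(s, 1)
    return results


def metadata_scenarios() -> dict:
    """Returns {scenario: bound metadata check passes} for the slide-8 flag problem."""
    journal = b"uid:/private/journal"           # constructed unique ID
    s = UntrustedStore()
    s.put_meta(KEY, journal, 3, True, 2)
    results = {"untampered": verify_meta(KEY, journal, 3, s)}
    encrypted, nblocks, mtag = s.meta[journal]
    s.meta[journal] = (False, nblocks, mtag)    # flag cleared, tag left in place
    results["clear_encrypted_flag"] = verify_meta(KEY, journal, 3, s)
    return results


if __name__ == "__main__":
    print(block_scenarios())
    print(metadata_scenarios())
```

The naive tag passes in every tampered scenario because the bytes it covers are still the bytes it was computed over; only the bound tag notices that they now sit under a different file ID, a different index, or a different version. The version the verifier expects has to come from somewhere the store cannot rewrite, which is exactly the role of the signed parent metadata in the slide's hierarchy.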

Page 11

ECFS

• Extended version of CFS
  – Class project for architecture and systems
  – David Bindel, Monica Chew, Chris Wells

• Goal: Support more flexible permissions
  – Allow public data (eg .forward files)
  – Protect integrity using MACs

Page 12

ECFS Architecture

[Figure: User Application ↔ Kernel NFS client ↔ ECFS daemon (plaintext, no MACs); ECFS daemon ↔ Kernel file system client ↔ Underlying filesystem and Metadata database (ciphertext, MACs)]

Page 13

ECFS Lessons

• Signatures can be integrated into the FS

• Handling metadata right is tricky!

• A cryptographic “layer” is awkward
  – Support should be built in from outset

Page 14

Back to OceanStore

• OceanStore supports more general lookup structures than directory tree

• Conflict resolution interacts with security in potentially subtle ways

• Lots of other subtle issues come up
  – Handling denial of service attacks
  – Key management and distribution