Overview of Cryptographic File System for Unix (CFS)

Vishal Kher, Department of Computer Science, University of Minnesota
Friday, October 11, 2002


Page 1: Overview of Cryptographic File System for Unix (CFS)

Overview of Cryptographic File System for Unix (CFS)

Vishal Kher

Friday, October 11, 2002

Department of Computer Science

University of Minnesota

Page 2: Overview of Cryptographic File System for Unix (CFS)

Introduction

• Title of the paper
  – "A Cryptographic File System for Unix"
• Author
  – Matt Blaze (Bell Labs)
• Abstract
  – Add encryption services to the file system
  – Users associate a key with the directories they wish to encrypt
  – Files and their pathnames in this directory are encrypted using the user-specified key
  – Clear text is never stored on the disk
  – Encrypted files are not special

Page 3: Overview of Cryptographic File System for Unix (CFS)

Outline

• Security issues
• Cryptographic building blocks
• Why file system level security?
• CFS design goals
• CFS functionality
• CFS file encryption scheme
• CFS architecture

Page 4: Overview of Cryptographic File System for Unix (CFS)

Security Issues

• Authentication
  – Specific to the security objective one is trying to achieve
  – Identification
  – Data origin authentication or message authentication
  – Access control
  – Data integrity
• Data Secrecy
  – Keep data encrypted
  – Keep metadata encrypted
  – Secure data transfer and backups
• Should we trust the super user?

Page 5: Overview of Cryptographic File System for Unix (CFS)

Cryptographic Building Blocks

• Block Cipher
  – Breaks plaintext into blocks of fixed length
  – Encrypts one block at a time
• Data Encryption Standard (DES)
  – Symmetric key block cipher
  – 56-bit key, 64-bit plaintext and ciphertext
  – Four modes
  – Not very secure
• Advanced Encryption Standard (AES)
  – New standard
  – Better security and faster than DES
  – Variable key length

Page 6: Overview of Cryptographic File System for Unix (CFS)

Electronic Codebook Mode (ECB)

• Plaintext is handled 64 bits at a time
• Each block is encrypted/decrypted independently
• Identical plaintext blocks (under the same key) result in identical ciphertext
• Bit errors in a single ciphertext block affect decryption of that particular block

[Figure: ECB mode. Blocks P1 and P2 are each DES-encrypted under key K to C1 and C2, and each is DES-decrypted under K back to P1 and P2.]

Page 7: Overview of Cryptographic File System for Unix (CFS)

Cipher Block Chaining Mode (CBC)

• $C_i = E_K[C_{i-1} \oplus P_i]$, $C_0 = IV$
• $P_i = C_{i-1} \oplus D_K[C_i]$, $C_0 = IV$
• A single bit error in $C_i$ affects decryption of $C_i$, $C_{i+1}$
• Self-synchronizing: if an error occurs in $C_i$ (but not in $C_{i+1}$, $C_{i+2}$), $C_{i+2}$ is correctly decrypted to $P_{i+2}$

[Figure: CBC mode. DES encryption and decryption of blocks P1 and P2 under key K, chained through IV, C1 and C2.]

Page 8: Overview of Cryptographic File System for Unix (CFS)

Cipher Feedback Mode (CFB)

• Re-ordering $C_i$ blocks affects decryption
• Bit errors in any single r-bit block $C_j$ affect decryption of the next n/r blocks
• Self-synchronizing, needs n/r blocks to recover

[Figure: CFB mode, encrypt and decrypt sides. A shift register feeds E under key K; the r-bit output Oj is combined with Pj to give Cj (encrypt) and with Cj to give Pj (decrypt).]

Page 9: Overview of Cryptographic File System for Unix (CFS)

Output Feedback Mode (OFB)

• Keystream is plaintext-independent
• Bit errors affect the decipherment of only that character

[Figure: OFB mode, encrypt and decrypt sides. A shift register feeds E under key K; the r-bit output Oj is combined with Pj to give Cj (encrypt) and with Cj to give Pj (decrypt).]

Page 10: Overview of Cryptographic File System for Unix (CFS)

Why File System Level Security?

• User-Level Cryptography
  – User tools or programs (Unix crypt program)
    • User could fail to encrypt the file
    • Need to supply keys several times
    • File is in clear form until the user encrypts it
    • If the disk is on a remote server, data needs to be sent in clear over the network
  – Encryption in application software (text editors)
    • Each program needs to support the functionality
    • Need to supply key to each application
    • Encryption is spread among multiple applications, need to trust each application
    • Same file could be opened in different applications
    • Applications could be remote
  – Cumbersome

Page 11: Overview of Cryptographic File System for Unix (CFS)

Why File System Level Security?

• Hardware-Level Cryptography
  – Specialized hardware to encrypt and decrypt files
  – Specialized hardware to perform end-to-end encryption
  – Problems
    • Each client and server need the specialized hardware
    • How to share files?
    • Files cannot be decrypted if the hardware is not available
    • Each file access requires two cryptographic operations by the server, once for the network and once for the disk
• Solution is file system level security

Page 12: Overview of Cryptographic File System for Unix (CFS)

CFS Design Goals

• Protection of file contents and meta-data
• Protection of network connections
• Keys should not have to be supplied more than once
• Encrypted files should not behave differently from other non-encrypted files
• Low performance penalty due to encryption scheme
• Good key management techniques
• Concurrent access to encrypted files
• Provide secure file services in a seamless manner

Page 13: Overview of Cryptographic File System for Unix (CFS)

CFS Functionality

• Provides a virtual file system on the client's machine
• Typically mounted in /crypt; users access encrypted files through this directory
• Users give an attach command to create an entry in /crypt
• Each entry in /crypt associates a cryptographic key with a directory located elsewhere (in encrypted format)
• The underlying encrypted directories can reside on any file system including remote file systems

Page 14: Overview of Cryptographic File System for Unix (CFS)

CFS Functionality

• Keys are supplied by the user in the form of ASCII passphrases (at least 16 characters long)
• Contents in /crypt appear in clear text to the owner of the file
• To create an encrypted directory /usr/mab/hide

    $ cmkdir /usr/mab/hide
    $ Key: (enter passphrase, which does not echo)
    $ Again: (same phrase entered again)

Page 15: Overview of Cryptographic File System for Unix (CFS)

CFS Functionality

• To "use" an encrypted directory, attach the encrypted directory to a local virtual directory
• For example, to attach the directory created above to the name /crypt/matt, perform the following:

    $ cattach /usr/mab/hide matt
    $ Key: (same key used in the cmkdir command)

• If the key is supplied correctly, the user "sees" /crypt/matt as a normal directory; all standard operations work as expected
• The actual files are stored encrypted under /usr/mab/hide, which is not used directly

Page 16: Overview of Cryptographic File System for Unix (CFS)

CFS Functionality

• To create a single encrypted file

    $ ls -l /crypt
    total 1
    drwx------ 2 mab 512 Apr 1 15:56 matt
    $ echo "murder" > /crypt/matt/crimes
    $ ls -l /crypt/matt
    total 1
    -rw-rw-r-- 1 mab 7 Apr 1 15:57 crimes
    $ cat /crypt/matt/crimes
    murder

Page 17: Overview of Cryptographic File System for Unix (CFS)

CFS Functionality

• List contents of /usr/mab/hide

    $ ls -l /usr/mab/hide
    total 1
    -rw-rw-r-- 1 mab 15 Apr 1 15:57 8b06e85b87091124
    $ cat -v /usr/mab/hide/8b06e85b87091124
    M-Z,k^]^B^VM-VM-6A~uM-LM-_M-DM-^[

• Once done, remove the entry under /crypt using cdetach matt
• Only the user who issued the cattach command can see the clear text file
• After cattach the user does not need to provide the key; access is based on the uid

Page 18: Overview of Cryptographic File System for Unix (CFS)

CFS Functionality

• Problem
  – If the user's account is compromised, the attacker can see all the encrypted files
• Solution
  – Mark the file as obscure; files marked obscure do not appear in a listing of /crypt
• The ccat program
  – Decrypts files if CFS is unavailable
  – User should provide the keys

Page 19: Overview of Cryptographic File System for Unix (CFS)

CFS File Encryption Scheme

• CFS uses DES in ECB+OFB mode
• Why ECB+OFB?
  – Only ECB mode
    • A given block of plaintext encrypts to the same ciphertext
  – Chaining modes
    • A write to the middle of a file could require reading and re-encrypting the preceding cleartext
    • And then rewriting the following data
    • Difficult for random read or write
  – DES with 56-bit key encryption is vulnerable to exhaustive search of the key space

Page 20: Overview of Cryptographic File System for Unix (CFS)

CFS File Encryption Scheme

• Let's solve the problems in the ECB mode
  – Identical plaintext blocks in a file will encrypt to the same ciphertext
    • Use file block numbers to identify each block uniquely
  – But there is one more problem: identical blocks in different files present at the same place, if encrypted with the same keys, will give the same ciphertext
    • Use inode and the block number together to identify a unique file and a unique block in the file
• OFB is used to generate a pseudo-random bit mask and provides an additional round of encryption

Page 21: Overview of Cryptographic File System for Unix (CFS)

CFS File Encryption Scheme

• Encryption Scheme
  – The passphrase entered by the user is used to create two 56-bit keys, $K_1$ and $K_2$
  – Pre-compute a 0.5 MB long pseudo-random bit mask using $K_1$ and DES with OFB mode

[Figure: OFB mask generation. A shift register feeds E under key K1; the r-bit outputs Oj form the sequence O1, O2, …, On.]

Page 22: Overview of Cryptographic File System for Unix (CFS)

CFS File Encryption Scheme

• $E_p = \mathrm{DES}(K_2, D_p \oplus O_{p \% m})$
  – Where,
    • p is the byte offset
    • m is the length of the pre-computed bit mask
    • $E_p$ is the ciphertext block of a file at offset p
    • % is modulo
    • $O_i$ is the i-th OFB output block
• To prevent identical blocks at the same offset but from different files from encrypting to the same ciphertext
  – $E_p = \mathrm{DES}(K_2, D_p \oplus O_{p \% m} \oplus i)$
  – Where,
    • i is the IV generated from the inode number at creation time

Page 23: Overview of Cryptographic File System for Unix (CFS)

23

CFS File Encryption SchemeCFS File Encryption Scheme

• ProblemsProblems– While calculating p%m more than one p can map the the While calculating p%m more than one p can map the the

same valuesame value

– For example, pFor example, p11 = 10, p = 10, p22 = 30, m = 20 = 30, m = 20

• PP11%m = p%m = p22%m = 10%m = 10

– The i node number can change after backup or restore The i node number can change after backup or restore operations operations

• Need to store IV along with the fileNeed to store IV along with the file
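The scheme on Pages 20 to 23, as an added Python example that is not from the slides or from CFS itself: a hash-based 8-round Feistel cipher stands in for DES (the standard library has none), and the key derivation, OFB seed, inode-to-IV mapping and 32-byte mask are assumptions made for illustration.

```python
import hashlib

BLOCK = 8  # bytes per block (DES block size)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    # Round function of the stand-in cipher; this is NOT DES.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def E(key, block):
    """Stand-in 64-bit block cipher (8-round Feistel) used where the slides use DES."""
    l, r = block[:4], block[4:]
    for rnd in range(8):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def D(key, block):
    """Inverse of E: undo the Feistel rounds in reverse order."""
    l, r = block[:4], block[4:]
    for rnd in reversed(range(8)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def derive_keys(passphrase):
    # Assumption: the slides do not say how K1 and K2 come from the passphrase.
    h = hashlib.sha256(passphrase.encode()).digest()
    return h[:7], h[7:14]  # two 56-bit keys

def ofb_mask(k1, nblocks, seed=bytes(BLOCK)):
    """Precompute O_1..O_n by feeding E's output back in (OFB); the seed is assumed."""
    out, state = [], seed
    for _ in range(nblocks):
        state = E(k1, state)
        out.append(state)
    return out

def _mask_block(mask, p):
    m = len(mask) * BLOCK            # mask length in bytes
    return mask[(p % m) // BLOCK]    # O_{p % m}; p is a block-aligned byte offset

def encrypt_block(k2, mask, p, data, iv=bytes(BLOCK)):
    """E_p = E(K2, D_p xor O_{p % m} xor i); the all-zero iv is the 'without IV' mode."""
    return E(k2, _xor(_xor(data, _mask_block(mask, p)), iv))

def decrypt_block(k2, mask, p, ct, iv=bytes(BLOCK)):
    """Recover D_p from one ciphertext block, with no need to read its neighbours."""
    return _xor(_xor(D(k2, ct), _mask_block(mask, p)), iv)

def demo():
    k1, k2 = derive_keys("constructed sample passphrase")
    mask = ofb_mask(k1, 4)           # m = 32 bytes here; the slides use 0.5 MB
    m = len(mask) * BLOCK
    blk = b"SAMEDATA"                # constructed plaintext block
    iv_a = (1001).to_bytes(BLOCK, "big")   # hypothetical inode numbers used as IVs
    iv_b = (1002).to_bytes(BLOCK, "big")
    enc = lambda p, iv=bytes(BLOCK): encrypt_block(k2, mask, p, blk, iv)
    return {
        "offsets_differ": enc(0) != enc(8),          # mask hides repeats in a file
        "mask_wraps_at_m": enc(8) == enc(8 + m),     # the p % m collision
        "iv_separates_files": enc(8, iv_a) != enc(8, iv_b),
        "random_access_ok": decrypt_block(k2, mask, 16, enc(16, iv_a), iv_a) == blk,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

`mask_wraps_at_m` is the p % m problem listed above: identical plaintext blocks whose offsets differ by a multiple of the mask length still encrypt to the same ciphertext within one file.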

Page 24: Overview of Cryptographic File System for Unix (CFS)

CFS File Encryption Scheme

• IV could be stored
  – At the beginning of the file; this will shift the contents from block boundaries
  – As a block in the file; this will waste space
  – In the inode itself, but CFS sits above NFS and cannot add new file attributes
  – Use existing fields in the inode
• CFS offers two modes
  – Without IV, less secure
  – With IV
    • IV is stored in the gid field of the inode
    • CFS reports the group ownership of the root directory as the group of files in this directory
    • Small risk, group could be changed outside CFS
      – Data cannot be recovered

Page 25: Overview of Cryptographic File System for Unix (CFS)

Vnode File System Architecture

[Figure: Vnode file system architecture. A user-level application (any program) issues system calls to the sys call interface in the local Unix kernel, which passes them through the FS interface (local or remote) and FS client to the file system (local or remote) and the disk.]

Page 26: Overview of Cryptographic File System for Unix (CFS)

CFS Architecture

[Figure: CFS architecture. A program on localhost goes through the sys. call interface and FS client to cfsd (encrypt/decrypt), which in turn goes through the sys. call interface and FS client to the FS server and disk.]

Page 27: Overview of Cryptographic File System for Unix (CFS)

CFS Architecture

• CFS prototype is implemented at user level
• Communication with the Unix kernel via NFS interface
• Each client machine runs an NFS server (cfsd) that interprets CFS requests
• NFS client initiates the requests
• NFS client – cfsd communication using RPC
• CFS uses Unix system calls for read and write (after decrypting or encrypting them)
• For each file accessed through the attach point, a file handle is generated

Page 28: Overview of Cryptographic File System for Unix (CFS)

CFS Architecture

• cfsd maintains a table of handles and their corresponding encrypted names
• To avoid repeated open and close, cfsd maintains a cache
• cfsd accepts RPCs that originate from a privileged port to avoid spoofing
• Provides E2E encryption
• Problems
  – No message authentication
  – No data integrity
  – Does not support file sharing

Page 29: Overview of Cryptographic File System for Unix (CFS)

Questions?

Wake up, this is the last slide!

Thank You