Overview of Cryptographic File System for Unix (CFS)
Vishal Kher, Friday, October 11, 2002, Department of Computer Science, University of Minnesota. A presentation of the paper "A Cryptographic File System for Unix" by Matt Blaze (Bell Labs).
Overview of Cryptographic File System for Unix (CFS)
Vishal Kher
Friday, October 11, 2002
Department of Computer Science
University of Minnesota
2
Introduction
• Title of the paper
  – "A Cryptographic File System for Unix"
• Author
  – Matt Blaze (Bell Labs)
• Abstract
  – Add encryption services to the file system
  – Users associate a key with the directories they wish to encrypt
  – Files and their pathnames in this directory are encrypted using the user-specified key
  – Clear text is never stored on the disk
  – Encrypted files are not special
3
Outline
• Security issues
• Cryptographic building blocks
• Why file system level security?
• CFS design goals
• CFS functionality
• CFS file encryption scheme
• CFS architecture
4
Security Issues
• Authentication
  – Specific to the security objective one is trying to achieve
  – Identification
  – Data origin authentication or message authentication
  – Access control
  – Data integrity
• Data Secrecy
  – Keep data encrypted
  – Keep metadata encrypted
  – Secure data transfer and backups
• Should we trust the super user?
5
Cryptographic Building Blocks
• Block Cipher
  – Breaks plaintext into blocks of fixed length
  – Encrypts one block at a time
• Data Encryption Standard (DES)
  – Symmetric key block cipher
  – 56-bit key, 64-bit plaintext and ciphertext
  – Four modes
  – Not very secure
• Advanced Encryption Standard (AES)
  – New standard
  – Better security and faster than DES
  – Variable key length
6
Electronic Codebook Mode (ECB)
• Plaintext is handled 64 bits at a time
• Each block is encrypted/decrypted independently
• Identical plaintext blocks (under the same key) result in identical ciphertext
• Bit errors in a single ciphertext block affect decryption of that particular block
[Figure: ECB mode. P1 and P2 are each DES-encrypted under key K to C1 and C2, and each DES-decrypted under K back to P1 and P2.]
7
Cipher Block Chaining Mode (CBC)
• $C_i = E_K[C_{i-1} \oplus P_i]$, $C_0 = IV$
• $P_i = C_{i-1} \oplus D_K[C_i]$, $C_0 = IV$
• A single bit error in $C_i$ affects decryption of $C_i$ and $C_{i+1}$
• Self-synchronizing: with an error in $C_i$ (but not in $C_{i+1}$, $C_{i+2}$), $C_{i+2}$ is correctly decrypted to $P_{i+2}$
[Figure: CBC mode. DES encryption and decryption of P1 and P2 under key K, chained through IV, C1 and C2.]
8
Cipher Feedback Mode (CFB)
• Re-ordering $C_i$ blocks affects decryption
• Bit errors in any single r-bit $C_j$ affect decryption of the next n/r blocks
• Self-synchronizing, needs n/r blocks to recover
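[Figure: CFB mode, encrypt and decrypt. An r-bit shift register is encrypted with E under key K to give Oj, which is combined with Pj to give Cj (encrypt) or with Cj to give Pj (decrypt).]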
9
Output Feedback Mode (OFB)
• Keystream is plaintext-independent
• Bit errors affect the decipherment of only that character
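[Figure: OFB mode, encrypt and decrypt. An r-bit shift register is encrypted with E under key K to give Oj, which is combined with Pj to give Cj (encrypt) or with Cj to give Pj (decrypt).]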
10
Why File System Level Security?
• User-Level Cryptography
  – User tools or programs (Unix crypt program)
    • User could fail to encrypt the file
    • Need to supply keys several times
    • File is in clear form till the user encrypts it
    • If the disk is on a remote server, data needs to be sent in clear over the network
  – Encryption in application software (text editors)
    • Each program needs to support the functionality
    • Need to supply key to each application
    • Encryption is spread among multiple applications, need to trust each application
    • Same file could be opened in different applications
    • Applications could be remote
  – Cumbersome
11
Why File System Level Security?
• Hardware-Level Cryptography
  – Specialized hardware to encrypt and decrypt files
  – Specialized hardware to perform end-to-end encryption
  – Problems
    • Each client and server need the specialized hardware
    • How to share files?
    • Files cannot be decrypted if the hardware is not available
    • Each file access requires two cryptographic operations by the server, once for the network and once for the disk
• Solution is file system level security
12
CFS Design Goals
• Protection of file contents and meta-data
• Protection of network connections
• Keys should not have to be supplied more than once
• Encrypted files should not behave differently from other non-encrypted files
• Low performance penalty due to encryption scheme
• Good key management techniques
• Concurrent access to encrypted files
• Provide secure file services in a seamless manner
13
CFS Functionality
• Provides a virtual file system on the "client's machine"
• Typically mounted in /crypt; users access encrypted files through this directory
• Users give an "attach" command to create an entry in /crypt
• Each entry in /crypt associates a cryptographic key with a directory located elsewhere (in encrypted format)
• The underlying encrypted directories can reside on any file system, including remote file systems
14
CFS Functionality
• Keys are supplied by the user in the form of ASCII passphrases (at least 16 characters long)
• Contents in /crypt appear in clear text to the owner of the file
• To create an encrypted directory /usr/mab/hide
    $ cmkdir /usr/mab/hide
    $ Key: (enter passphrase, which does not echo)
    $ Again: (same phrase entered again)
15
CFS Functionality
• To "use" an encrypted directory, attach the encrypted directory to a local virtual directory
• For example, to attach the directory created above to the name /crypt/matt, perform the following:
    $ cattach /usr/mab/hide matt
    $ Key: (same key used in the cmkdir command)
• If the key is supplied correctly, the user "sees" /crypt/matt as a normal directory; all standard operations work as expected
• The actual files are stored encrypted under /usr/mab/hide, which is not used directly
16
CFS Functionality
• To create a single encrypted file
    $ ls -l /crypt
    total 1
    drwx------ 2 mab 512 Apr 1 15:56 matt
    $ echo "murder" > /crypt/matt/crimes
    $ ls -l /crypt/matt
    total 1
    -rw-rw-r-- 1 mab 7 Apr 1 15:57 crimes
    $ cat /crypt/matt/crimes
    murder
17
CFS Functionality
• List contents of /usr/mab/hide
    $ ls -l /usr/mab/hide
    total 1
    -rw-rw-r-- 1 mab 15 Apr 1 15:57 8b06e85b87091124
    $ cat -v /usr/mab/hide/8b06e85b87091124
    M-Z,kˆ]ˆBˆVM-VM-6A˜uM-LM-_M-DM-ˆ[
• Once done, remove the entry under /crypt using cdetach matt
• Only the user who issued the cattach command can see the clear text file
• After cattach the user does not need to provide the key; access is based on the uid
18
CFS Functionality
• Problem
  – If the user's account is compromised, the attacker can see all the encrypted files
• Solution
  – Mark the file as obscure; files marked obscure do not appear in a listing of /crypt
• The ccat program
  – Decrypts files if CFS is unavailable
  – User should provide the keys
19
CFS File Encryption Scheme
• CFS uses DES in ECB+OFB mode
• Why ECB+OFB?
  – Only ECB mode
    • A given block of plaintext encrypts to the same ciphertext
  – Chaining modes
    • A write to the middle of a file could require reading and re-encrypting the preceding cleartext
    • And then rewriting the following data
    • Difficult for random read or write
  – DES with 56-bit key encryption is vulnerable to exhaustive search of the key space
20
CFS File Encryption Scheme
• Let's solve the problems in the ECB mode
  – Identical plaintext blocks in a file will encrypt to the same ciphertext
    • Use file block numbers to identify each block uniquely
  – But there is one more problem: identical blocks at the same place in different files, if encrypted with the same keys, will give the same ciphertext
    • Use the inode and the block number together to identify a unique file and a unique block in the file
• OFB is used to generate a pseudo-random bit mask and provides an additional round of encryption
21
CFS File Encryption Scheme
• Encryption Scheme
  – The passphrase entered by the user is used to create two 56-bit keys, $K_1$ and $K_2$
  – Pre-compute a 0.5MB long pseudo-random bit mask using $K_1$ and DES with OFB mode
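[Figure: OFB mask generation. An r-bit shift register is encrypted with E under key K1 to give Oj, producing the output blocks O1, O2, ..., On.]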
22
CFS File Encryption Scheme
• $E_p = DES(K_2, D_p \oplus O_{p \% m})$
  – Where,
    • p is the byte offset
    • m is the length of the pre-computed bit mask
    • $E_p$ is the ciphertext block of a file at offset p
    • % is modulo
    • $O_i$ is the i-th OFB output block
• To prevent identical blocks at the same offset but from different files from encrypting to the same ciphertext
  – $E_p = DES(K_2, D_p \oplus O_{p \% m} \oplus i)$
  – Where,
    • i is the IV generated from the inode number at creation time
23
CFS File Encryption Scheme
• Problems
  – While calculating p%m, more than one p can map to the same value
  – For example, $p_1 = 10$, $p_2 = 30$, $m = 20$
    • $p_1 \% m = p_2 \% m = 10$
  – The inode number can change after backup or restore operations
    • Need to store IV along with the file
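Added example (not from the slides or from CFS itself): the per-block scheme of the preceding slides, E_p = E(K2, D_p xor O_{p%m} xor i), written in Python. DES is replaced by a toy Feistel cipher so the code is self-contained; the key derivation, the 32-byte mask length, the all-zero OFB start value and the inode-to-IV encoding are assumptions.

```python
import hashlib

BLOCK = 8  # 64-bit block, the DES block size given in the slides

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Feistel round function built from SHA-256 (assumption, not DES's own).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def ecb_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Toy 4-round Feistel cipher standing in for DES. Not secure."""
    l, r = block[:4], block[4:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def ecb_decrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def derive_keys(passphrase: bytes):
    # Hypothetical derivation: the slides only say two 56-bit keys are created.
    d = hashlib.sha256(passphrase).digest()
    return d[:7], d[7:14]

def ofb_mask(k1: bytes, length: int) -> bytes:
    # OFB keystream: O_j = E(K1, O_{j-1}), starting from an all-zero register.
    out, reg = b"", bytes(BLOCK)
    while len(out) < length:
        reg = ecb_encrypt_block(k1, reg)
        out += reg
    return out[:length]

def _mask_at(mask: bytes, p: int) -> bytes:
    # The 8 mask bytes for byte offset p, wrapping at the mask length m.
    return bytes(mask[(p + j) % len(mask)] for j in range(BLOCK))

def cfs_encrypt_block(k2, mask, iv, p, data):
    # E_p = E(K2, D_p xor O_{p % m} xor i)
    return ecb_encrypt_block(k2, _xor(_xor(data, _mask_at(mask, p)), iv))

def cfs_decrypt_block(k2, mask, iv, p, ct):
    return _xor(_xor(ecb_decrypt_block(k2, ct), _mask_at(mask, p)), iv)

def demo() -> dict:
    k1, k2 = derive_keys(b"constructed sample passphrase")
    mask = ofb_mask(k1, 32)  # slides use 0.5 MB; 32 bytes makes the wrap visible
    blk = b"SAMEDATA"        # constructed plaintext block
    # Constructed inode numbers 1001 and 1002, encoded as 8-byte IVs.
    iv_a, iv_b = (1001).to_bytes(8, "big"), (1002).to_bytes(8, "big")
    enc = lambda iv, p: cfs_encrypt_block(k2, mask, iv, p, blk)
    return {
        "ecb_repeats": ecb_encrypt_block(k2, blk) == ecb_encrypt_block(k2, blk),
        "offsets_differ": enc(iv_a, 0) != enc(iv_a, 8),
        "files_differ": enc(iv_a, 0) != enc(iv_b, 0),
        "wrap_collides": enc(iv_a, 0) == enc(iv_a, 32),
        "random_access": cfs_decrypt_block(k2, mask, iv_a, 16, enc(iv_a, 16)) == blk,
    }

if __name__ == "__main__":
    print(demo())
```

Every check in demo() is True. wrap_collides is the p%m problem from the slide above: offsets 0 and 32 reuse the same mask bytes, so equal plaintext blocks there encrypt identically.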
24
CFS File Encryption Scheme
• IV could be stored
  – At the beginning of the file; this will shift the contents from block boundaries
  – As a block in the file; this will waste space
  – In the inode itself, but CFS sits above NFS and cannot add new file attributes
  – Use existing fields in the inode
• CFS offers two modes
  – Without IV, less secure
  – With IV
    • IV is stored in the gid field of inode
    • CFS reports the group ownership of the root directory as the group of files in this directory
    • Small risk, group could be changed outside CFS
      – Data cannot be recovered
25
Vnode File System Architecture
[Figure: Vnode architecture diagram. Labels: Any Program (User-Level Application), System Calls, Sys Call interface (Unix Kernel, local), FS interface (local or remote), FS Client, File System (local or remote), Disk.]
26
CFS Architecture
[Figure: CFS architecture diagram. Labels: Program, Sys. Call interface, FS Client, localhost, cfsd (Encrypt-Decrypt), FS Server, Disk.]
27
CFS Architecture
• CFS prototype is implemented at user level
• Communication with the Unix kernel via NFS interface
• Each client machine runs an NFS server (cfsd) that interprets CFS requests
• NFS client initiates the requests
• NFS client – cfsd communication using RPC
• CFS uses Unix system calls for read and write (after decrypting or encrypting them)
• For each file accessed through an attach point, a file handle is generated
28
CFS Architecture
• cfsd maintains a table of handles and their corresponding encrypted names
• To avoid repeated open and close, cfsd maintains a cache
• cfsd accepts RPCs that originate from a privileged port to avoid spoofing
• Provides E2E encryption
• Problems
  – No message authentication
  – No data integrity
  – Does not support file sharing
29
Questions?
Wake up, this is the last slide!
Thank You