Metadata Issues in a Cryptographic File System
David Bindel
IRAM/ISTORE/OceanStore Retreat
Overview
• Untrusted infrastructure assumption
• Cryptography review
• Cryptography in storage systems
• Securing metadata
• ECFS
• Conclusions
Untrusted Infrastructure
“Trust No One”
Review: Encryption
• Protect privacy of data on insecure channel
• Shared key
– Same key used to encrypt and decrypt
• Public key
– Mathematically related public and private keys
– Public key used to encrypt
– Private key used to decrypt
Signatures and MACs
[Diagram: Document → Secure hash → Message Digest → Sign Algorithm (with Private Key) → Signature]
• Specify responsibility for document
– Depends on document: prevent transfer
– Depends on private key: prevent forgery
• Signatures verified using public key
• MACs verified using private key
Encrypting Storage
• Where to encrypt stored data?
– In file system
– In device driver
• Why not in user tools?
– Users make mistakes
– It’s inconvenient
• Encryption should be transparent!
Cryptography and Permissions
• What policy are we enforcing?
• Conventional file systems support
– Read and write permissions
– Separate permissions for user, group, world
– More complicated permissions (e.g. AFS)
• Existing cryptographic file systems support
– All-or-nothing access
Protecting Metadata
[Diagram: directory tree rooted at / with nodes private (encrypted-flag), journal, KFC-recipe, usr, bin, rsh and ssh; rsh and ssh are each linked to a data block]
• Any new journal entries are public!
• Now running “ssh” is insecure!
Hierarchical Signatures
[Diagram: each node holds metadata plus, for each child, a name, an address and a signature]
• / : Metadata (uid, gid, ctime, …)
– “usr”, /usr address, sign(/usr)
– “etc”, /etc address, sign(/etc)
– ...
• /usr : Metadata
– “bin”, /usr/bin address, sign(/usr/bin data)
– ...
• /etc : ...
• /usr/bin : Metadata
– “vi”, /usr/bin/vi address, sign(/usr/bin/vi data)
– ...
• /usr/bin/vi : Metadata
– Index of block 0, sign(data block 0)
– Index of block 1, sign(data block 1)
– ...
• Data block 0 of /usr/bin/vi
• Data block 1 of /usr/bin/vi
• Diagram annotation: Replace with virus loader?
Globally Unique IDs
[Diagram: each node holds metadata, its own unique ID, the names and unique IDs of its children, and a signature over its own data]
• / : Metadata (uid, gid, ctime, …)
– “usr”, /usr unique ID
– “etc”, /etc unique ID
– ...
– Sign(/ data)
• /usr : Metadata
– Unique ID for /usr
– “bin”, /usr/bin unique ID
– ...
– Sign(/usr data)
• /etc : ...
• /usr/bin : Metadata
– Unique ID for /usr/bin
– “vi”, /usr/bin/vi unique ID
– ...
– Sign(/usr/bin data)
• /usr/bin/vi : Metadata
– Unique ID for /usr/bin/vi
– Index of block 0
– Index of block 1
– ...
– Sign(/usr/bin/vi data above)
• Data block 0 of /usr/bin/vi
– Sign(/usr/bin/vi ID, 0, data in block)
• Data block 1 of /usr/bin/vi (v 5.0)
– Sign(/usr/bin/vi ID, 0, data in block)
• Diagram annotations:
– Replace with data for /usr/bin/emacs?
– Replace with virus loader?
– Replace with data block 1 (v 4.0)?
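The per-block binding on this slide, as an added example that is not from the original slides or from ECFS: HMAC-SHA256 stands in for Sign(), and the key, unique IDs and block contents are constructed. The version field is an assumption, shown as one way to address the stale-block question the slide raises.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed sample key (assumption, not from the slides)

def tag_data_only(block):
    """Tag over block contents alone, like sign(data block N) on the earlier slide."""
    return hmac.new(KEY, block, hashlib.sha256).digest()

def verify_data_only(block, tag):
    """The reader has no way to say which file or position it expected."""
    return hmac.compare_digest(tag_data_only(block), tag)

def tag_bound(file_id, index, block, version=None):
    """Tag over (file unique ID, block index, data); version is an optional extra."""
    header = struct.pack(">H", len(file_id)) + file_id + struct.pack(">Q", index)
    # Flag byte keeps the versioned and unversioned encodings distinct.
    header += b"\x00" if version is None else b"\x01" + struct.pack(">Q", version)
    return hmac.new(KEY, header + block, hashlib.sha256).digest()

def verify_bound(expect_id, expect_index, block, tag, expect_version=None):
    """Recompute the tag from what the reader expects at this position."""
    good = tag_bound(expect_id, expect_index, block, expect_version)
    return hmac.compare_digest(good, tag)

def demo():
    vi, emacs = b"uid-vi", b"uid-emacs"  # constructed unique IDs
    emacs_b0 = b"emacs block 0"
    vi_b1_old, vi_b1_new = b"vi block 1 (v 4.0)", b"vi block 1 (v 5.0)"
    r = {}
    # Validly tagged block from another file, served in place of vi block 0.
    r["data_only_foreign"] = verify_data_only(emacs_b0, tag_data_only(emacs_b0))
    r["bound_foreign"] = verify_bound(vi, 0, emacs_b0, tag_bound(emacs, 0, emacs_b0))
    # vi's own block 1 served at index 0.
    r["bound_moved"] = verify_bound(vi, 0, vi_b1_new, tag_bound(vi, 1, vi_b1_new))
    # Old block 1 with its old, still valid tag: ID and index both match.
    r["bound_stale"] = verify_bound(vi, 1, vi_b1_old, tag_bound(vi, 1, vi_b1_old))
    # Reader learns the expected version (5) from trusted metadata (assumption).
    r["versioned_stale"] = verify_bound(vi, 1, vi_b1_old, tag_bound(vi, 1, vi_b1_old, 4), 5)
    r["versioned_current"] = verify_bound(vi, 1, vi_b1_new, tag_bound(vi, 1, vi_b1_new, 5), 5)
    return r

if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

Binding the ID and index rejects blocks from other files or positions, but the stale block is still accepted until something that changes per version is covered by the tag.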
ECFS
• Extended version of CFS
– Class project for architecture and systems
– David Bindel, Monica Chew, Chris Wells
• Goal: Support more flexible permissions
– Allow public data (e.g. .forward files)
– Protect integrity using MACs
ECFS Architecture
[Diagram: layered stack, top to bottom]
• User Application
• Kernel NFS client
– Plaintext, no MACs
• ECFS daemon
– Ciphertext, MACs
• Kernel file system client
• Underlying filesystem
• Metadata database
ECFS Lessons
• Signatures can be integrated into the FS
• Handling metadata right is tricky!
• A cryptographic “layer” is awkward
– Support should be built in from outset
Back to OceanStore
• OceanStore supports more general lookup structures than directory tree
• Conflict resolution interacts with security in potentially subtle ways
• Lots of other subtle issues come up
– Handling denial of service attacks
– Key management and distribution