Strong Security for Distributed File Systems Group A3 Ka Hou Wong Jahanzeb Faizan Jonathan Sippel.

Slides:



Advertisements
Similar presentations
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Advertisements

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
PIS: Unit III Digital Signature & Authentication Sanjay Rawat PIS Unit 3 Digital Sign Auth Sanjay Rawat1 Based on the slides of Lawrie.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
MAC Raushan. DES simple fiestel network 3131 PlainText Blocks 2*4=8bits 31 f f =0011 xor 0011=0000 = 0 f(r,k)=(2*r+k^2)%8 f(1,5)=(2*1+5^2)%8=3 xor 3 3.
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.
1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Digital Signatures and Hash Functions. Digital Signatures.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Lesson Title: Introduction to Cryptography Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas
SMUCSE 5349/73491 Authentication Protocols. SMUCSE 5349/73492 The Premise How do we use perfect cryptographic mechanisms (signatures, public-key and symmetric.
Online Security Tuesday April 8, 2003 Maxence Crossley.
BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.
Wired Equivalent Privacy (WEP)
Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.
Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.
TrustPort Public Key Infrastructure. Keep It Secure Table of contents  Security of electronic communications  Using asymmetric cryptography.
CSE 597E Fall 2001 PennState University1 Digital Signature Schemes Presented By: Munaiza Matin.
E- Business Digital Signature Varna Free University Prof. Teodora Bakardjieva.
CRYPTOGRAPHIC DATA INTEGRITY ALGORITHMS
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.
Digital Signature Xiaoyan Guo/ Xiaohang Luo/
Chapter 31 Network Security
31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
1 Cryptography Cryptography is a collection of mathematical techniques to ensure confidentiality of information Cryptography is a collection of mathematical.
.Net Security and Performance -has security slowed down the application By Krishnan Ganesh Madras.
IT 221: Introduction to Information Security Principles Lecture 6:Digital Signatures and Authentication Protocols For Educational Purposes Only Revised:
SSL / TLS in ITDS Arun Vishwanathan 23 rd Dec 2003.
WS-Security: SOAP Message Security Web-enhanced Information Management (WHIM) Justin R. Wang Professor Kaiser.
Cryptography, Authentication and Digital Signatures
Cryptography and Network Security (CS435) Part Fourteen (Web Security)
10. Key Management. Contents Key Management  Public-key distribution  Secret-key distribution via public-key cryptography.
4 th lecture.  Message to be encrypted: HELLO  Key: XMCKL H E L L O message 7 (H) 4 (E) 11 (L) 11 (L) 14 (O) message + 23 (X) 12 (M) 2 (C) 10 (K) 11.
Module 3 – Cryptography Cryptography basics Ciphers Symmetric Key Algorithms Public Key Algorithms Message Digests Digital Signatures.
Network Security Lecture 23 Presented by: Dr. Munam Ali Shah.
IT:Network:Apps.  RRAS does nice job of routing ◦ NAT is nice ◦ BASIC firewall ok but somewhat weak  Communication on network (WS to SRV) is in clear.
Key Mangement Marjan Causevski Sanja Zakovska. Contents Introduction Key Management Improving Key Management End-To-End Scheme Vspace Scheme Conclusion.
Internet-security.ppt-1 ( ) 2000 © Maximilian Riegel Maximilian Riegel Kommunikationsnetz Franken e.V. Internet Security Putting together the.
Encryption Questions answered in this lecture: How does encryption provide privacy? How does encryption provide authentication? What is public key encryption?
Advanced Database Course (ESED5204) Eng. Hanan Alyazji University of Palestine Software Engineering Department.
Based on Bruce Schneier Chapter 8: Key Management Dulal C Kar.
31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Cryptography and Network Security Chapter 14 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
Data Integrity Proofs in Cloud Storage Author: Sravan Kumar R and Ashutosh Saxena. Source: The Third International Conference on Communication Systems.
Electronic Commerce School of Library and Information Science PGP and cryptography I. What is encryption? Cryptographic systems II. What is PGP? How does.
1 Session 4 Module 6: Digital signatures. Digital Signatures / Session4 / 2 of 18 Module 4, 5 - Review (1)  Java 2 security model provides a consistent.
Electronic Mail Security Prepared by Dr. Lamiaa Elshenawy
SECURITY IN DISTRIBUTED FILE SYSTEMS Tejaswini Kalluri, Venkata Prudhvi Raj Konda, Kanna Karri.
Network Security Celia Li Computer Science and Engineering York University.
IT 221: Introduction to Information Security Principles Lecture 5: Message Authentications, Hash Functions and Hash/Mac Algorithms For Educational Purposes.
Cryptography CSS 329 Lecture 13:SSL.
CRYPTOGRAPHY Cryptography is art or science of transforming intelligible message to unintelligible and again transforming that message back to the original.
Fundamentals of Network Security Ravi Mukkamala SCI 101 October 6, 2003.
Cryptographic Hash Function. A hash function H accepts a variable-length block of data as input and produces a fixed-size hash value h = H(M). The principal.
Fourth Edition by William Stallings Lecture slides by Lawrie Brown
 Introduction  History  What is Digital Signature  Why Digital Signature  Basic Requirements  How the Technology Works  Approaches.
Computer Communication & Networks
Secure Sockets Layer (SSL)
NET 311 Information Security
Presentation transcript:

Strong Security for Distributed File Systems Group A3 Ka Hou Wong Jahanzeb Faizan Jonathan Sippel

Introduction Presenter: Ka Hou Wong

Introduction Security is important because a violation could cost billions of dollars As network-attached disks are getting popular, we need to improve existing file systems to support security This paper presents Secure Network- Attached Disks (SNAD)

Features Store and transfer all data encrypted Decrypt data only in a client workstation If the disk is physically stolen, the thief cannot access the information Ability to detect forged data Little overhead because the disk performs secure hashes only

Shortcomings of Existing File Systems Store information in clear text Rely upon trusted file servers not to alter the original information Do not deal with issues such as sharing files between users

Design Goals End-to-end encryption of all file system data and metadata Only authorized people can access the data Data integrity Ability to detect modified data Flexibility Easy to share files Performance and scalability No one wants to use a file system as slow as a turtle

Basic Mechanisms Encrypt all data at client Server has sufficient info to authenticate the writer Reader has sufficient information to verify the end-to-end integrity of the data Uses standard cryptographic tools Public-key cryptography Extensive use of cryptographic hashes and keyed hashes such as Hashed Message Authentication Codes (HMAC)

SNAD Data Structures Presenter: Jahanzeb Faizan

SNAD Data Structures Four basic structures Data Objects File Objects Key Objects Certificate Objects Storage Contiguous blocks of data, or Data (actual) in file system and remainder in some special structures (I-nodes in UNIX)

Secure Data Object (SDO) Minimum unit of data that can be read or written Corresponds to a file block Block Security Info Block ID User IDs Timestamp Initialization Vector Data 32 Bytes Uniquely identifies each block (File ID and Block offset) Creator of SDO and security RC5 encrypted data Prevent replay attacks Prevent data blocks encrypted with the same key from encrypting to the same cipher text

File Object Composed of one or more data objects along with per file metadata Metadata consists of Block pointers File size Time stamping Pointer to a key object

Key Object Uses encryption key to encrypt files Used for more than one file Corresponds to a UNIX group

Key Object (cont.) Key File IDUser IDSignature User IDEncrypted KeyPermission User IDEncrypted KeyPermission User IDEncrypted KeyPermission Unique Identifier for block on system Private key of user or group Last user to modify key object RC5 key encrypted with user’s public key (cannot be decrypted without private key which is never sent to disk) On write, user hashes object and signs it with his private key On read, used to verify data integrity To determine if user is allowed to write the key object

Certificate Object Each server contains a single Certificate Object Contains administrative and cryptographic information about each SNAD user Used to authenticate users and do basic storage management

Certificate Object (cont.) User IDPublic KeyHMAC KeyTimestamp User IDPublic KeyHMAC KeyTimestamp User IDPublic KeyHMAC KeyTimestamp User or group the tuple belongs to Stored on disk for two reasons: 1.No need to consult key server 2.Writer authentication To prevent replay attacksTo verify identity of user writing data (encrypted)

Overall Organization Certificate object File object Data object Key object File object Data object Key object File object Data object File objects sharing a single key object (the two files have the same access controls)

Overhead Data bytes,depending on scheme used Header Data Object Data objects and Metadata Header Pointer to Key object File Object Data 72 bytes Header Key Object 72 bytes * no. of users Certificate object <100 bytes per user

SNAD Security Schemes Presenter: Jonathan Sippel

SNAD Security Schemes Goal To provide authenticated, encrypted storage Problem Encryption/decryption times are not easily reduced Solution Symmetric algorithms are relatively fast Different methods of authentication are available which vary in security and speed

SNAD Security Schemes (cont.) Reading and writing of authenticated data User is required to give a private key to the client User opens the file and reads the key object Appropriate field of key object is decrypted to obtain symmetric encryption key for the file Symmetric encryption key is used to encrypt data before sending it to the server and after receiving it from the server

Scheme 1 Most secure Requires the user to sign the checksum of every block written using public-key encryption Requires the server to authenticate every block before writing it Allows the system to track the writer for each block Signature generation and checking are slow

Scheme 1 (cont.) Read Server operations are not required Client verification of hash and signature Write Client encrypts each data block Client computes a hash over entire data object Client signs hash using the user’s private key Server compares recomputed hash against signed hash

Scheme 1 (cont.) OperationReadWrite ClientNASClientNAS En/DecryptXX HashXXX SignatureX VerificationXX

Scheme 2 Signature check on server is replaced with a Message Authentication Code (MAC) check Client still generates a signature and checks it upon reading a block Server is freed from time consuming verification Overall performance is improved

Scheme 2 (cont.) Read Server operations are not required Client verification of hash and signature Write Client performs a cryptographic hash on the block and signs it Client calculates a HMAC on the SDO using the shared secret HMAC key Server computes HMAC using shared secret key from the certificate object and compares it to the one received from the client

Scheme 2 (cont.) OperationReadWrite ClientNASClientNAS En/DecryptXX HashXXX SignatureX VerificationX

Scheme 3 Signatures are eliminated Cryptographic hashes are used to insure data integrity Considerably faster because no signature generation/checking is involved Not possible to verify who wrote the block last

Scheme 3 (cont.) Read Server calculates the HMAC using the key provided by the user requesting the data Client verifies the hash and performs a checksum on the decrypted data Write Client encrypts the SDO and calculates a HMAC over the encrypted data Server authenticates the write by computing the HMAC using the shared secret key from the certificate object

Scheme 3 (cont.) OperationReadWrite ClientNASClientNAS En/DecryptXX HashXXXX Signature Verification

Performance Results

Conclusions SNAD Solves many performance and security problems found today Provides user confidentiality and integrity Performs better and is more reliable than centralized file servers Improves performance and scalability with decentralized security functionality Eliminates a single point of failure

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.