Cryptree A Folder Tree Structure for Cryptographic File Systems

advertisement
Cryptree
A Folder Tree Structure for
Cryptographic File Systems
Dominik Grolimund, Luzius Meisser, Stefan Schmid, Roger Wattenhofer
Computer Engineering and Networks Laboratory (TIK), ETH Zurich
SRDS 06
October 3, Leeds, UK
Distributed
Computing
Group
Cryptree
- A key management scheme developed for Kangoo,
our distributed file system
- Manages encryption keys of files and folders
- Leverages the file systems folder hierarchy to achieve
intuitive semantics and efficiency
2 / 25
Outline





Motivation
Basics
Cryptree
Performance
Discussion
3 / 25
Motivation
Kangoo: a large-scale distributed file system
(comparable to OceanStore, Celeste, CFS…)
Problem: Enforcement & management of access rights
on untrusted (but reliable) storage
 We cannot trust the storage device to keep our data
secret
 Everything needs to be encrypted
 We need a clever key management scheme
4 / 25
Motivation
Existing ideas:
- Server enforces access rights  not feasible here
- Classic Access Control List (CACL) Approach,
found in systems like Plutus, SiRiUs, OceanStore (?)
- Many papers about hierarchical key management in
general,
focus on crypographic aspects
5 / 25
Talk Outline





Motivation
Basics
Cryptree
Performance
Discussion
6 / 25
Basics: Access Control with Keys
- Read Access Control: Items are encrypted such that
only legitimate accessors can decrypt them
- Write Access Control: A sign/verify key pair is used to
prove the legitimacy of write operations
7 / 25
Basics: Lazy Revocation
When someone loses access to an item, that item
needs to be encrypted with a new key in order to
prevent the former accessor to access the item in
future.
Lazy revocation allows to postpone this (expensive)
reencryption until the next update of the item.
 Better performance at the price of slightly lower
security. An adversary and former accessor of an
item could continue to access it if he has kept a copy
of the encryption key. Without lazy revocation, he
would have had to keep a copy of the item itself to do
8 / 25
so.
Basics: CACL-Approach
The classic, access-control-list based approach:
Bob
projects
alice
audio
sunset.jpg
jeep.jpg
cancun
trip
images
egypt
maya.jpg
Access control is managed for each item individually.
To grant Bob access to an item, the access key is encrypted with Bobs public key
and attached to that item.
9 / 25
Basics: CACL-Approach
Problems with CACL:
- When granting u users access to f files, n*f access
control list entries need to be created
- On structural changes, access rights need to be
adjusted or they will get scattered
- No confidentiality of access rights
10 / 25
Outline





Motivation
Basics
Cryptree
Performance
Discussion
11 / 25
Cryptree: Semantics
Dynamic Inheritance of Access Rights
Bob
projects
alice
audio
sunset.jpg
trip
images
Inheritance
jeep.jpg
cancun
egypt
maya.jpg
Downwards: full, recursive
Upwards: limited, ancestor names
12 / 25
Cryptree: Cryptographic Links
Knowing K1 and the link allows to derive K2
K1
K2
Symmetric Link: symmetric cryptography, requires knowledge of K1 to update
K1
K2
Asymmetric Link: asymmetric cryptography, K2 can be replaced without knowing K1
 More flexible than symmetric link, but expensive
13 / 25
Cryptree: Read Access
Bob
CK
CK
CK
Clearance Key, revealed to grant access
SK
SK
SK
Subfolder Key  Subfolders
FK
FK
FK
Files Key  Files in folder
BK
BK
BK
Backlink Key
DK
DK
DK
Data Key  Folder name
Folder
/images
Folder
/cancun
Folder
/trip
14 / 25
Cryptree: Read Access
Bob
CK
CK
CK
SK
SK
SK
•Grant recursive access by only revealing
one key
FK
FK
FK
•Anonymous access, even writers do not
need to know other accessors
BK
BK
BK
DK
DK
DK
Folder
/images
Folder
/cancun
Folder
/trip
Benefits:
•Access rights are implicitely updated
when structure changes
15 / 25
Cryptree: Read Access
Whole read access structure
CK
CK
SK
SK
SK
SK
GK
GK
GK
FK
FK
FK
CK
RK
BK
BK
BK
BK
PK
DK
DK
DK
DK
Root
User
Folder
Folder
File
/kangoo
/alice
/images
/taipei
/metro.jpg
16 / 25
Write Access Cryptree
Similar to read access tree
WCK
WCK
WCK
WSK
WSK
WSK
Ksign
Ksign
Ksign
Kverify
Kverify
Kverify
Folder
Folder
Folder
/images
/holiday
/lima
17 / 25
Cryptree: Operations
Bob
Bob
Alice
Alice
d
b
a
b
c
a
e
Claire
d
c
e
Claire
When someone loses read access as a result of an
operation, the involved items need to be reencrypted. We do
this lazily on their next change (lazy revocation).
18 / 25
Outline





Motivation
Basics
Cryptree
Evaluation
Discussion
19 / 25
Performance
Besides its semantical advantages, the Cryptree should
also perform better than the CACL-Approach.
We wrote sandbox implementations of different
approaches and let them perform a given set of
operations.
Test set: 30‘000 files (avg. size 2.5 MB), 2‘500 folders,
1‘000‘000 operations (ordered by likelihood: read,
create, delete, move, modify, grant access, revoke
access, grant write access, revoke write access)
20 / 25
Performance
Time spent for key management per operation
ms / operation
30
20
10
0
CACL
Lazy CACL
Cryptree
21 / 25
Performance
Total processing time spent for cryptography per
operation
ms / operation
200
Overhead
Inevitable
100
0
CACL
Lazy CACL
Cryptree
22 / 25
Outline





Motivation
Basics
Cryptree
Performance
Discussion
23 / 25
Discussion: Conclusions
We have leveraged the file systems folder hierarchy
for key management and achieved
- Intuitive Access Control Semantics
- Efficiency
- Simplicity, no elaborate cryptographic knowledge
required
24 / 25
Discussion: Questions
?
25 / 25
Download