Cryptree
25
A Folder Tree Structure for Cryptographic File Systems Dominik Grolimund, Luzius Meisser, Stefan Schmid, Roger Wattenhofer Computer Engineering and Networks Laboratory (TIK), ETH Zurich SRDS 06 October 3, Leeds, UK Cryptree Distributed Computing Group
description
Cryptree. A Folder Tree Structure for Cryptographic File Systems. Dominik Grolimund, Luzius Meisser , Stefan Schmid, Roger Wattenhofer Computer Engineering and Networks Laboratory (TIK), ETH Zurich SRDS 06 October 3, Leeds, UK. D istributed C omputing G roup. Cryptree. - PowerPoint PPT Presentation
Transcript of Cryptree
A Folder Tree Structure forCryptographic File Systems
Dominik Grolimund, Luzius Meisser, Stefan Schmid, Roger Wattenhofer
Computer Engineering and Networks Laboratory (TIK), ETH Zurich
SRDS 06
October 3, Leeds, UK
Cryptree
DistributedComputing
Group
2 / 25
Cryptree
- A key management scheme developed for Kangoo, our distributed file system
- Manages encryption keys of files and folders- Leverages the file systems folder hierarchy to
achieve intuitive semantics and efficiency
3 / 25
Outline
Motivation Basics Cryptree Performance Discussion
4 / 25
Motivation
Kangoo: a large-scale distributed file system(comparable to OceanStore, Celeste, CFS…)
Problem: Enforcement & management of access rights on untrusted (but reliable) storage
We cannot trust the storage device to keep our data secret
Everything needs to be encryptedWe need a clever key management scheme
5 / 25
Motivation
Existing ideas:- Server enforces access rights not feasible
here- Classic Access Control List (CACL) Approach,
found in systems like Plutus, SiRiUs, OceanStore (?)
- Many papers about hierarchical key management in general,focus on crypographic aspects
6 / 25
Talk Outline
Motivation Basics Cryptree Performance Discussion
7 / 25
Basics: Access Control with Keys
- Read Access Control: Items are encrypted such that only legitimate accessors can decrypt them
- Write Access Control: A sign/verify key pair is used to prove the legitimacy of write operations
8 / 25
Basics: Lazy Revocation
When someone loses access to an item, that item needs to be encrypted with a new key in order to prevent the former accessor to access the item in future.
Lazy revocation allows to postpone this (expensive) reencryption until the next update of the item.
Better performance at the price of slightly lower security. An adversary and former accessor of an item could continue to access it if he has kept a copy of the encryption key. Without lazy revocation, he would have had to keep a copy of the item itself to do so.
9 / 25
Basics: CACL-Approach
The classic, access-control-list based approach:
Access control is managed for each item individually.To grant Bob access to an item, the access key is encrypted with Bobs public key and attached to that item.
egypt
images
cancun
projectsalice
sunset.jpg
trip
jeep.jpg
maya.jpg
audio
Bob
10 / 25
Basics: CACL-Approach
Problems with CACL:- When granting u users access to f files, n*f
access control list entries need to be created- On structural changes, access rights need to
be adjusted or they will get scattered- No confidentiality of access rights
11 / 25
Outline
Motivation Basics Cryptree Performance Discussion
12 / 25
Cryptree: Semantics
Dynamic Inheritance of Access Rights
Bob
egypt
images
cancun
projects
alicesunset.jpg
trip
jeep.jpg
maya.jpg
audio
Inheritance
Downwards: full, recursive
Upwards: limited, ancestor names
13 / 25
Cryptree: Cryptographic Links
Knowing K1 and the link allows to derive K2
K2K1
Symmetric Link: symmetric cryptography, requires knowledge of K1 to update
K2K1
Asymmetric Link: asymmetric cryptography, K2 can be replaced without knowing K1 More flexible than symmetric link, but expensive
14 / 25
Cryptree: Read Access
BK
FK
SK
DK
Folder/cancun
CK
BK
FK
SK
DK
Folder
CK
BK
FK
SK
DK
Folder
CK
/trip/images
Bob
Clearance Key, revealed to grant access
Subfolder Key Subfolders
Files Key Files in folder
Backlink Key
Data Key Folder name
15 / 25
Cryptree: Read Access
BK
FK
SK
DK
Folder/cancun
CK
BK
FK
SK
DK
Folder
CK
BK
FK
SK
DK
Folder
CK
/trip/images
Bob
Benefits:
•Grant recursive access by only revealing one key
•Anonymous access, even writers do not need to know other accessors
•Access rights are implicitely updated when structure changes
16 / 25
Cryptree: Read Access
Whole read access structure
BK
FK
SK
DK
Folder
CK
BK
FK
SK
DK
Folder
CK
BK
FK
SK
DK
User
BK
DK
File
/metro.jpg
CK
/alice /images /taipei/kangoo
PK
SK
Root
RK
GKGKGK
17 / 25
Write Access Cryptree
WSK WSK
Ksign
WSK
Kverify
Ksign
Kverify
Ksign
Kverify
Folder Folder Folder
/images /holiday /lima
WCK WCKWCK
Similar to read access tree
18 / 25
Cryptree: Operations
b
ec
da
Bob
Alice
Claire
b
e
c
d
a
Bob
Alice
Claire
When someone loses read access as a result of an operation, the involved items need to be reencrypted. We do this lazily on their next change (lazy revocation).
19 / 25
Outline
Motivation Basics Cryptree Evaluation Discussion
20 / 25
Performance
Besides its semantical advantages, the Cryptree should also perform better than the CACL-Approach.
We wrote sandbox implementations of different approaches and let them perform a given set of operations.
Test set: 30‘000 files (avg. size 2.5 MB), 2‘500 folders, 1‘000‘000 operations (ordered by likelihood: read, create, delete, move, modify, grant access, revoke access, grant write access, revoke write access)
21 / 25
Performance
Time spent for key management per operation
0
10
20
30
CACL Lazy CACL Cryptree
ms
/ o
pe
rati
on
22 / 25
Performance
Total processing time spent for cryptography per operation
0
100
200
CACL Lazy CACL Cryptree
ms
/ op
era
tio
n
Overhead
Inevitable
23 / 25
Outline
Motivation Basics Cryptree Performance Discussion
24 / 25
Discussion: Conclusions
We have leveraged the file systems folder hierarchy for key management and achieved
- Intuitive Access Control Semantics
- Efficiency
- Simplicity, no elaborate cryptographic knowledge required
25 / 25
Discussion: Questions
?
