Cryptree: A Folder Tree Structure for Cryptographic File Systems. Dominik Grolimund, Luzius Meisser, Stefan Schmid, Roger Wattenhofer. Computer Engineering and Networks Laboratory (TIK), ETH Zurich. SRDS 06, October 3, Leeds, UK. Distributed Computing Group. (Transcript of the slides.)

Page 1: Cryptree

A Folder Tree Structure for Cryptographic File Systems

Dominik Grolimund, Luzius Meisser, Stefan Schmid, Roger Wattenhofer

Computer Engineering and Networks Laboratory (TIK), ETH Zurich

SRDS 06

October 3, Leeds, UK

Cryptree

Distributed Computing Group

Page 2: Cryptree

2 / 25

Cryptree

- A key management scheme developed for Kangoo, our distributed file system

- Manages encryption keys of files and folders

- Leverages the file system's folder hierarchy to achieve intuitive semantics and efficiency

Page 3: Cryptree


Outline

Motivation Basics Cryptree Performance Discussion

Page 4: Cryptree

Motivation

Kangoo: a large-scale distributed file system (comparable to OceanStore, Celeste, CFS…)

Problem: Enforcement & management of access rights on untrusted (but reliable) storage

We cannot trust the storage device to keep our data secret

Everything needs to be encrypted

We need a clever key management scheme

Page 5: Cryptree

Motivation

Existing ideas:

- Server enforces access rights: not feasible here

- Classic Access Control List (CACL) approach, found in systems like Plutus, SiRiUs, OceanStore (?)

- Many papers about hierarchical key management in general, focus on cryptographic aspects

Page 6: Cryptree


Talk Outline

Motivation Basics Cryptree Performance Discussion

Page 7: Cryptree


Basics: Access Control with Keys

- Read Access Control: Items are encrypted such that only legitimate accessors can decrypt them

- Write Access Control: A sign/verify key pair is used to prove the legitimacy of write operations

Page 8: Cryptree

Basics: Lazy Revocation

When someone loses access to an item, that item needs to be encrypted with a new key in order to prevent the former accessor from accessing the item in future.

Lazy revocation allows postponing this (expensive) re-encryption until the next update of the item.

Better performance at the price of slightly lower security: an adversary who is a former accessor of an item could continue to access it if he has kept a copy of the encryption key. Without lazy revocation, he would have had to keep a copy of the item itself to do so.
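The trade-off described on this slide, as an added example (not code from the slides or from Kangoo): a Python simulation of one encrypted item on untrusted storage. The cipher is a toy XOR/SHA-256 construction made for the example so that it runs offline; the `Item` class, `run` and the "report" contents are constructed. `run(lazy=True)` defers the re-encryption to the next update, `run(lazy=False)` re-encrypts at revocation time; both return whether a former accessor who kept the old key can still read the item right after revocation and after the next update, plus the extra writes the choice costs.

```python
import hashlib
import os

# Toy cipher constructed for this example (not a real cipher, not Cryptree's):
# a 32-byte payload XORed with SHA-256(key || nonce).
def encrypt(key: bytes, payload: bytes) -> bytes:
    nonce = os.urandom(16)
    pad = hashlib.sha256(key + nonce).digest()
    return nonce + bytes(a ^ b for a, b in zip(payload, pad))

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    pad = hashlib.sha256(key + nonce).digest()
    return bytes(a ^ b for a, b in zip(body, pad))

def pad32(s: bytes) -> bytes:
    return s.ljust(32, b'\0')          # payloads are fixed at 32 bytes

class Item:
    """One encrypted item on untrusted storage and the key protecting it."""

    def __init__(self, content: bytes, lazy: bool):
        self.lazy = lazy
        self.key = os.urandom(32)
        self.blob = encrypt(self.key, pad32(content))
        self.stale = False          # True: a former accessor may still hold self.key
        self.extra_writes = 0       # writes caused by revocation alone

    def _rekey(self):
        plaintext = decrypt(self.key, self.blob)
        self.key = os.urandom(32)
        self.blob = encrypt(self.key, plaintext)
        self.stale = False

    def revoke(self):
        """An accessor lost access. Lazy: only remember; eager: re-encrypt now."""
        if self.lazy:
            self.stale = True
        else:
            self._rekey()
            self.extra_writes += 1

    def update(self, content: bytes):
        """The next update is where lazy revocation pays for the key change."""
        if self.stale:
            self.key = os.urandom(32)   # fresh key; old copies of it are useless now
            self.stale = False
        self.blob = encrypt(self.key, pad32(content))

def former_accessor_can_read(item: Item, old_key: bytes, content: bytes) -> bool:
    """Adversary who kept the old key (but not a copy of the item itself)."""
    return decrypt(old_key, item.blob) == pad32(content)

def run(lazy: bool):
    item = Item(b'report v1', lazy)
    old_key = item.key                    # copy kept by the soon-to-be-revoked user
    item.revoke()
    right_after = former_accessor_can_read(item, old_key, b'report v1')
    item.update(b'report v2')
    after_update = former_accessor_can_read(item, old_key, b'report v2')
    return right_after, after_update, item.extra_writes

if __name__ == '__main__':
    print('lazy :', run(True))     # (True, False, 0)
    print('eager:', run(False))    # (False, False, 1)
```

The lazy variant does no cryptographic work at revocation time and the stored ciphertext stays readable to anyone holding the old key until the item is next written; the eager variant closes that window immediately at the cost of one additional re-encryption per revocation.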

Page 9: Cryptree

Basics: CACL-Approach

The classic, access-control-list based approach:

Access control is managed for each item individually. To grant Bob access to an item, the access key is encrypted with Bob's public key and attached to that item.

[Figure: example folder tree (alice, images, projects, audio, trip, egypt, cancun; files sunset.jpg, jeep.jpg, maya.jpg) with Bob as the accessor]

Page 10: Cryptree

Basics: CACL-Approach

Problems with CACL:

- When granting u users access to f files, n*f access control list entries need to be created

- On structural changes, access rights need to be adjusted or they will get scattered

- No confidentiality of access rights

Page 11: Cryptree


Outline

Motivation Basics Cryptree Performance Discussion

Page 12: Cryptree

Cryptree: Semantics

Dynamic Inheritance of Access Rights

[Figure: the example folder tree (alice, images, projects, audio, trip, egypt, cancun; files sunset.jpg, jeep.jpg, maya.jpg) with Bob's access inherited along the hierarchy]

Inheritance

Downwards: full, recursive

Upwards: limited, ancestor names

Page 13: Cryptree

Cryptree: Cryptographic Links

Knowing K1 and the link allows one to derive K2 (K1 → K2)

Symmetric Link: symmetric cryptography, requires knowledge of K1 to update

Asymmetric Link: asymmetric cryptography, K2 can be replaced without knowing K1. More flexible than a symmetric link, but expensive

Page 14: Cryptree

Cryptree: Read Access

[Figure: folders along the path /trip/images and /cancun; each folder carries a clearance key CK and the keys BK, FK, SK and DK; Bob is granted the CK of one folder]

Clearance Key (CK): revealed to grant access

Subfolder Key (SK): Subfolders

Files Key (FK): Files in folder

Backlink Key (BK)

Data Key (DK): Folder name

Page 15: Cryptree

Cryptree: Read Access

[Figure: same key structure as on the previous slide, with Bob holding the clearance key of /trip/images]

Benefits:

• Grant recursive access by only revealing one key

• Anonymous access, even writers do not need to know other accessors

• Access rights are implicitly updated when structure changes

Page 16: Cryptree

Cryptree: Read Access

Whole read access structure

[Figure: full read-access graph: Root (RK, PK, SK), group keys (GK), a User, folders /alice /images /taipei/kangoo (each with CK, BK, FK, SK, DK) and file /metro.jpg (BK, DK)]
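The read-access structure of the last five slides (inheritance, cryptographic links, the per-folder keys CK/SK/FK/BK/DK and the single revealed clearance key), as an added example that is not code from the slides or from Kangoo. The Python below reconstructs a simplified version: keys are nodes, symmetric links stored on the untrusted server are edges, and what a user can read is the fixpoint of following links from the keys he holds. The link cipher is a toy XOR/SHA-256 construction made for the example; the exact set of links per folder and per file is my reading of the figures, not the paper's definition; and the sample tree under /alice with Bob as accessor is constructed.

```python
import hashlib
import os

# Toy symmetric link constructed for this example (not Cryptree's cipher):
# a 32-byte payload XORed with SHA-256(K1 || nonce). Knowing K1 and the link
# yields the payload; the link alone reveals nothing.
def seal(k1: bytes, payload: bytes) -> bytes:
    nonce = os.urandom(16)
    pad = hashlib.sha256(k1 + nonce).digest()
    return nonce + bytes(a ^ b for a, b in zip(payload, pad))

def follow(k1: bytes, link: bytes) -> bytes:
    nonce, body = link[:16], link[16:]
    pad = hashlib.sha256(k1 + nonce).digest()
    return bytes(a ^ b for a, b in zip(body, pad))

class Cryptree:
    """Simplified read-access graph. Folder keys: CK (clearance), SK (subfolder),
    FK (files), BK (backlink), DK (data; here it encrypts the name). File keys: BK, DK."""

    def __init__(self):
        self.keys = {}    # owner-side secrets: (path, label) -> key
        self.links = {}   # on the untrusted server: (src, dst) -> sealed key
        self.names = {}   # on the untrusted server: path -> name sealed under DK

    def _new_item(self, path, labels):
        for lbl in labels:
            self.keys[(path, lbl)] = os.urandom(32)
        name = path.rsplit('/', 1)[-1].encode().ljust(32, b'\0')   # names <= 32 bytes
        self.names[path] = seal(self.keys[(path, 'DK')], name)

    def _link(self, src, dst):
        self.links[(src, dst)] = seal(self.keys[src], self.keys[dst])

    def add_folder(self, path, parent=None):
        self._new_item(path, ('CK', 'SK', 'FK', 'BK', 'DK'))
        for lbl in ('SK', 'FK', 'BK', 'DK'):        # CK unlocks the whole folder
            self._link((path, 'CK'), (path, lbl))
        if parent is not None:
            for lbl in ('SK', 'FK', 'BK', 'DK'):    # downwards: full, recursive
                self._link((parent, 'SK'), (path, lbl))
            for lbl in ('BK', 'DK'):                # upwards: ancestor names only
                self._link((path, 'BK'), (parent, lbl))

    def add_file(self, path, folder):
        self._new_item(path, ('BK', 'DK'))
        for lbl in ('BK', 'DK'):                    # the folder's FK reaches its files
            self._link((folder, 'FK'), (path, lbl))
        for lbl in ('BK', 'DK'):                    # file backlink to its folder
            self._link((path, 'BK'), (folder, lbl))

    def grant(self, path):
        """Granting read access means revealing one clearance key."""
        return {(path, 'CK'): self.keys[(path, 'CK')]}

    def derivable(self, known):
        """Every key reachable from `known` by following links (fixpoint)."""
        known = dict(known)
        changed = True
        while changed:
            changed = False
            for (src, dst), link in self.links.items():
                if src in known and dst not in known:
                    known[dst] = follow(known[src], link)
                    changed = True
        return known

    def readable_names(self, known):
        """Items whose name the holder of `known` can decrypt."""
        return {path: follow(key, self.names[path]).rstrip(b'\0').decode()
                for (path, lbl), key in self.derivable(known).items() if lbl == 'DK'}

def demo():
    # Constructed sample tree, loosely following the slides' example.
    t = Cryptree()
    t.add_folder('/alice')
    t.add_folder('/alice/trip', '/alice')
    t.add_folder('/alice/trip/images', '/alice/trip')
    t.add_folder('/alice/trip/images/cancun', '/alice/trip/images')
    t.add_folder('/alice/projects', '/alice')
    t.add_file('/alice/trip/images/cancun/maya.jpg', '/alice/trip/images/cancun')
    t.add_file('/alice/projects/kangoo.txt', '/alice/projects')
    bob = t.grant('/alice/trip/images')             # the one key revealed to Bob
    return t, bob

if __name__ == '__main__':
    tree, bob = demo()
    for path, name in sorted(tree.readable_names(bob).items()):
        print(path, '->', name)
```

Bob holds a single key, yet derives the subfolder, file and data keys of everything below /alice/trip/images, plus the names (DK only, via the backlinks) of /alice/trip and /alice; the SK of those ancestors, and hence /alice/projects, stays out of reach. Nothing in the stored links names Bob, which is the anonymity property of slide 15, and moving a folder means re-sealing its links, not touching per-user entries.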

Page 17: Cryptree

Write Access Cryptree

[Figure: folders /images, /holiday and /lima, each with a WCK, a WSK and a Ksign/Kverify pair, linked like the read-access tree]

Similar to read access tree

Page 18: Cryptree

Cryptree: Operations

[Figure: items a to e shared with Bob, Alice and Claire, shown before and after an operation]

When someone loses read access as a result of an operation, the involved items need to be re-encrypted. We do this lazily on their next change (lazy revocation).

Page 19: Cryptree


Outline

Motivation Basics Cryptree Evaluation Discussion

Page 20: Cryptree

Performance

Besides its semantic advantages, the Cryptree should also perform better than the CACL-Approach.

We wrote sandbox implementations of different approaches and let them perform a given set of operations.

Test set: 30‘000 files (avg. size 2.5 MB), 2‘500 folders, 1‘000‘000 operations (ordered by likelihood: read, create, delete, move, modify, grant access, revoke access, grant write access, revoke write access)

Page 21: Cryptree

Performance

[Bar chart: time spent for key management per operation (ms / operation, axis 0 to 30) for CACL, Lazy CACL and Cryptree]

Page 22: Cryptree

Performance

[Bar chart: total processing time spent for cryptography per operation (ms / operation, axis 0 to 200) for CACL, Lazy CACL and Cryptree; each bar split into Overhead and Inevitable]

Page 23: Cryptree


Outline

Motivation Basics Cryptree Performance Discussion

Page 24: Cryptree

Discussion: Conclusions

We have leveraged the file system's folder hierarchy for key management and achieved

- Intuitive Access Control Semantics

- Efficiency

- Simplicity, no elaborate cryptographic knowledge required

Page 25: Cryptree


Discussion: Questions

?