Secure and Flexible Global File Sharing - Distributed Credential File System (DisCFS) By Stefan Miltchev, et al - PowerPoint PPT Presentation

Slides: 15
Provided by: cso7
Learn more at: https://www.cs.odu.edu

Transcript and Presenter's Notes

1
Secure and Flexible Global File Sharing -
Distributed Credential File System (DisCFS)
By Stefan Miltchev,
et al
  • Course: CS895
  • Advisor: Dr. Ravi Mukkamala
  • Speaker: Weiying Zhu
  • Date: 03/26/2004

2
Table of Contents
  • Introduction
  • Motivation
  • Prior and Related Work
  • DisCFS Design
  • Implementation Details
  • Experimental Evaluation
  • Conclusions
  • References

3
Introduction
  • The Internet offers the possibility of global
    information sharing and collaboration.
  • Existing file-sharing systems and their access
    control models work in closed administrative
    domains (e.g., NIS domains or Kerberos realms),
    where an administrator creates a user account and
    assigns access rights to it.
  • Example: Alice wishes to share her files with
    Bob.
  • Limitations: (1) Only a (relatively) small set of
    users has read/write access to files. (2) It may
    create administrative and legal problems, and may
    conflict with local policies.

4
Introduction (Cont.)
  • The Distributed Credential File System (DisCFS)
    uses trust management credentials to identify
    files being stored, users, and conditions under
    which their file access is allowed.
  • This mechanism allows Alice, without the
    intervention of any centralized administrative
    authority, to authorize Bob to access her files.
    This is done by having Alice create a credential
    that contains Bob's key, the DisCFS file handle
    and the permissions. Alice signs the credential,
    and thereby confers on Bob the authority to access
    the file. By combining Alice's credential with one
    signed by himself, Bob may further delegate
    access to the file.
  • We show the mechanism is secure and scalable.

5
Motivation
  • Two typical examples of information sharing:
  • Alice, a salesperson, would like her best clients
    to have access to advance information about a
    product.
  • Alex is given the authority to store his personal
    photographs on a server. Apart from Alex, access
    to this information may be restricted to small
    groups of users.
  • For the above types of activity to be feasible,
    the system must meet the following conditions:
  • It should be able to cope with a large number of
    files/users.
  • Administrator involvement should be eliminated.
  • Delegation is extremely important for the system.
  • Server side policies must be enforced.
  • Should maintain as little additional state as
    possible.
  • The access mechanism should work for both
    centralized servers and in a distributed
    environment.

6
Prior and Related Work
  • File systems
  • NFS/AFS: crossing administrative boundaries
    creates numerous administrative problems (e.g.,
    merging distinct Kerberos realms or NIS domains).
  • WebFS: associated with each file are access
    control lists (ACLs) that enumerate users and RWE
    permissions on individual files.
  • SFS: collaboration is possible only if the client
    and the server have a common root for their
    Certification Authorities.
  • DisCFS is a more general and scalable approach.
  • Operating systems
  • Some operating systems (e.g., Taos, Exokernel)
    are limited by the fact that permissions are
    hardwired into the system.
  • DisCFS is easily portable and more flexible.
  • Other protocols
  • FTP and HTTP: flexibility is greatly reduced in
    the case where file content is sensitive and
    authentication is required.

7
DisCFS Design
  • System architecture
  • DisCFS uses a direct binding between a public key
    and a set of authorizations. This results in a
    decentralized authorization system that is
    flexible enough to cope with a large variety of
    authentication scenarios.
  • Requests are signed with the requester's key and
    must be accompanied by other credentials that form
    a chain of trust linking the requester's key to a
    key that is trusted by the system.
  • Credential caching can reduce the number of
    credentials that have to be exchanged.
  • Credential revocation is fairly straightforward
    to achieve by notifying the server about bad keys
    or credentials.
  • DisCFS uses KeyNote for policy definition.

8
DisCFS Design (Cont.)
  • Example: Alice wishes to share her files with Bob

Figure 1 Delegation of privileges, from the
administrator to Alice, and from Alice to Bob.
The administrator grants Alice full access by
issuing her the first certificate. Alice can
then delegate read access to Bob by issuing him
the second certificate. To be granted access Bob
must present a certificate chain consisting of
both certificates.

9
DisCFS Design (Cont.)
  • Example: Arbitrarily complex graphs of trust

Figure 2 Delegation in KeyNote, starting from a
set of trusted keys. The dotted lines indicate a
delegation path from a trusted public key (the
administrator's) to the user making a request.
If all the credentials along that path authorize
the request, it will be granted. Intermediate
credentials can only refine the authority
granted to them (i.e., they can never allow a
request that was denied by policy).

10
DisCFS Design (Cont.)
  • Example: Access control in DisCFS

    Authorizer: <Administrator's Public Key>
    Licensees: <Alice's Public Key>
    Conditions: (app_domain == "DisCFS") &&
                (HANDLE == "666240") -> "RWX";
    Comment: testdir
    Signature: <Signature by Administrator>

Figure 3 Credential granting user Alice (as
identified by her public key in the Licensees
field) access to directory testdir. The keys
and signatures have been omitted in the interest
of readability.

    Authorizer: <Alice's Public Key>
    Licensees: <Bob's Public Key>
    Conditions: (app_domain == "DisCFS") &&
                (HANDLE == "666240") &&
                (localtime > "20021106000001") &&
                (localtime < "20021106235959") -> "RWX";
    Comment: testdir
    Signature: <Signature by Alice>

Figure 4 Credential by user Alice granting
(delegating) user sotiris access to directory
testdir for one day. Again, the keys and
signatures have been omitted in the interest of
readability.

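Added example, not code from the DisCFS project or the KeyNote library: a minimal KeyNote-style compliance checker in Python that evaluates the delegation chains of Figures 1 through 4 (policy, to administrator, to Alice, to Bob). Key names such as ADMIN_KEY and ALICE_KEY are placeholders for the public keys the slides omit, the signature check is a stand-in for real public-key verification, and the ordering of the compliance values is an assumption of the example; the handle 666240 and the localtime window are the values from Figures 3 and 4.

```python
"""Added example (not DisCFS or KeyNote code): a mini KeyNote-style
compliance checker for the delegation chains in Figures 1-4.
Key names such as ADMIN_KEY stand in for the omitted public keys."""
from dataclasses import dataclass

# Compliance values, weakest to strongest (ordering assumed here;
# KeyNote takes it from the calling application).
COMPLIANCE = ["_MIN_TRUST", "R", "RW", "RWX"]


def rank(value):
    return COMPLIANCE.index(value)


@dataclass(frozen=True)
class Credential:
    authorizer: str    # key granting authority, or "POLICY" for the local root
    licensees: tuple   # keys receiving the authority
    conditions: tuple  # ((clauses, result), ...); clauses = ((attr, op, value), ...)
    signed_by: str     # key whose signature is on the credential
    comment: str = ""


# Attribute values are strings, so the localtime window in Figure 4
# compares lexicographically, exactly like the quoted KeyNote strings.
OPS = {"==": lambda a, b: a == b, "<": lambda a, b: a < b, ">": lambda a, b: a > b}


def evaluate_conditions(conditions, attrs):
    """Result of the first clause set that fully holds, else _MIN_TRUST.
    A missing attribute never satisfies a clause."""
    for clauses, result in conditions:
        if all(name in attrs and OPS[op](attrs[name], value)
               for name, op, value in clauses):
            return result
    return "_MIN_TRUST"


def signature_valid(cred):
    # Stand-in for public-key verification (assumption of this example):
    # a credential counts only if signed by the key named as Authorizer.
    # Local POLICY assertions are unsigned.
    return cred.authorizer == "POLICY" or cred.signed_by == cred.authorizer


def compliance(principal, creds, attrs, _visiting=frozenset()):
    """Strongest value reachable for `principal` over chains of valid
    credentials rooted at POLICY. Each hop is capped by min(authorizer's
    value, this credential's conditions): delegates can only refine."""
    if principal == "POLICY":
        return "RWX"
    if principal in _visiting:  # guard against delegation cycles
        return "_MIN_TRUST"
    best = "_MIN_TRUST"
    for cred in creds:
        if principal not in cred.licensees or not signature_valid(cred):
            continue
        upstream = compliance(cred.authorizer, creds, attrs, _visiting | {principal})
        here = evaluate_conditions(cred.conditions, attrs)
        best = max(best, min(upstream, here, key=rank), key=rank)
    return best


# Constructed credentials mirroring Figures 3 and 4.
POLICY = Credential("POLICY", ("ADMIN_KEY",),
                    (((("app_domain", "==", "DisCFS"),), "RWX"),), "POLICY")
ADMIN_TO_ALICE = Credential(
    "ADMIN_KEY", ("ALICE_KEY",),
    (((("app_domain", "==", "DisCFS"), ("HANDLE", "==", "666240")), "RWX"),),
    "ADMIN_KEY", "testdir")
ALICE_TO_BOB = Credential(
    "ALICE_KEY", ("BOB_KEY",),
    (((("app_domain", "==", "DisCFS"), ("HANDLE", "==", "666240"),
       ("localtime", ">", "20021106000001"),
       ("localtime", "<", "20021106235959")), "RWX"),),
    "ALICE_KEY", "testdir")

# Figure 1 variant: Alice delegates only read access, then Bob issues
# Carol a credential claiming RWX. The chain caps Carol at R.
ALICE_TO_BOB_READ = Credential("ALICE_KEY", ("BOB_KEY",),
                               (((("HANDLE", "==", "666240"),), "R"),), "ALICE_KEY")
BOB_TO_CAROL = Credential("BOB_KEY", ("CAROL_KEY",),
                          (((("HANDLE", "==", "666240"),), "RWX"),), "BOB_KEY")


def request_attrs(localtime, handle="666240"):
    return {"app_domain": "DisCFS", "HANDLE": handle, "localtime": localtime}


def bob_access(localtime, handle="666240"):
    """What Bob gets on `handle` at `localtime` with the Figure 3/4 chain."""
    return compliance("BOB_KEY", (POLICY, ADMIN_TO_ALICE, ALICE_TO_BOB),
                      request_attrs(localtime, handle))


def carol_access():
    chain = (POLICY, ADMIN_TO_ALICE, ALICE_TO_BOB_READ, BOB_TO_CAROL)
    return compliance("CAROL_KEY", chain, request_attrs("20021106120000"))


def mis_signed_access():
    """A credential naming ADMIN_KEY as Authorizer but not signed by it
    is ignored, so no chain to MALLORY_KEY reaches POLICY."""
    bogus = Credential("ADMIN_KEY", ("MALLORY_KEY",),
                       (((("HANDLE", "==", "666240"),), "RWX"),), "MALLORY_KEY")
    return compliance("MALLORY_KEY", (POLICY, bogus), request_attrs("20021106120000"))
```

Calling bob_access("20021106120000") yields "RWX", bob_access("20021107120000") (the next day, outside Alice's window) yields "_MIN_TRUST", carol_access() yields "R" even though Bob's credential to Carol claims RWX, and mis_signed_access() yields "_MIN_TRUST". The server-side check on slide 11 (proceed only if the submitted credentials allow access to the requested file) is this same query with the file's HANDLE and the request's permission as attributes.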
11
Implementation Details
  • DisCFS over NFS
  • DisCFS is implemented over NFS.
  • Like NFS, the DisCFS system consists of a client
    and a server. The client runs on the user
    workstation and establishes a connection to the
    DisCFS server.
  • Mutual authentication is performed on the
    connection:
  • The client can authenticate the server, because
    the file access credential contains the server's
    key.
  • The server only proceeds with the connection if
    the submitted credentials allow access to the
    requested file.
  • When a file is stored in DisCFS, the server
    generates a credential containing information
    that allows the future retrieval of the file
    contents, as well as information about the file
    creator.
  • DisCFS closely follows NFS semantics: it appears
    to the user as another mounted file system.
    Files for which credentials have been supplied
    appear under the mount point of the DisCFS file
    system. The client may then issue file I/O
    requests similar to NFS.
  • The semantics of some of the procedures defined
    by the NFS protocol change in the implementation.

12
Experimental Evaluation
  • Use micro-benchmarks and macro-benchmarks to
    obtain first-order quantification of performance,
    as well as identification of overhead introduced
    by the access control mechanism.
  • Use the Bonnie benchmark to evaluate performance
    when writing and reading a large file.
  • Use the PostMark benchmark to simulate heavy
    small-file system loads (typical of most web
    applications, email, etc.).
  • A more representative test: compiling the OpenBSD
    kernel.
  • Evaluate how different cache sizes affect DisCFS
    performance.
  • Generally speaking, DisCFS performance remains the
    same relative to NFSv2.
  • User and Administrator Experiences
  • Administrators were happy to be relieved of
    dealing with users after the initial setup.
  • Creating and signing credentials by users can be
    streamlined with tools.

13
Conclusions
  • A completely credential-based mechanism for
    authentication and access control of files.
  • The mechanism is flexible and scalable.
  • It is straightforward to implement and deploy
    because it uses components that exist in common
    operating systems and support traditional Unix
    file system semantics.
  • In normal usage, the DisCFS-imposed overhead is
    negligible.

14
References
  • 1. "Secure and Flexible Global File Sharing" by
    Stefan Miltchev, Vassilis Prevelakis, Sotiris
    Ioannidis, John Ioannidis, Angelos D. Keromytis,
    and Jonathan M. Smith. In Proceedings of the
    USENIX Annual Technical Conference, Freenix
    Track, pp. 165 - 178. June 2003, San Antonio, TX.
    http://www1.cs.columbia.edu/angelos/Papers/discfs.pdf
  • 2. DisCFS source code is available for download
    at http://www.seas.upenn.edu/miltchev/discfs/