Title: Secure and Flexible Global File Sharing - Distributed Credential File System (DisCFS)
By Stefan Miltchev, et al
- Course CS895
- Advisor Dr. Ravi Mukkamala
- Speaker Weiying Zhu
- Date 03/26/2004
Table of Contents
- Introduction
- Motivation
- Prior and Related Work
- DisCFS Design
- Implementation Details
- Experimental Evaluation
- Conclusions
- References
Introduction
- The Internet offers the possibility of global information sharing and collaboration.
- Existing file-sharing systems and their access control models work in closed administrative domains (e.g., NIS domains or Kerberos realms), where an administrator creates a user account and assigns access rights to it.
- Example: Alice wishes to share her files with Bob.
- Limitations: (1) A (relatively) small set of users have read/write access to files. (2) May create administrative and legal problems, and may conflict with local policies.
Introduction (Cont.)
- The Distributed Credential File System (DisCFS) uses trust management credentials to identify files being stored, users, and the conditions under which their file access is allowed.
- This mechanism allows Alice, without the intervention of any centralized administrative authority, to authorize Bob to access her files. This is done by having Alice create a credential that contains Bob's key, the DisCFS file handle and the permissions. Alice signs the credential, and thereby confers to Bob the authority to access the file. By combining Alice's credential with one signed by himself, Bob may further delegate access to the file.
- We show the mechanism is secure and scalable.
Motivation
- Two typical examples of information sharing
  - Alice, a salesperson, would like her best clients to have access to advance information about a product.
  - Alex is given the authority to store his personal photographs on a server. Apart from Alex, access to this information may be restricted to small groups of users.
- For the above types of activity to be feasible, the system must meet the following conditions:
  - Should be able to cope with a large number of files/users.
  - Administrator involvement should be eliminated.
  - Delegation is extremely important for the system.
  - Server side policies must be enforced.
  - Should maintain as little additional state as possible.
  - The access mechanism should work both for centralized servers and in a distributed environment.
Prior and Related Work
- File systems
  - NFS/AFS: crossing administrative boundaries creates numerous administrative problems (e.g., merging distinct Kerberos realms or NIS domains).
  - WebFS: associated with each file are access control lists (ACLs) that enumerate users and RWE permissions on individual files.
  - SFS: collaboration is possible only if the client and the server have a common root for their Certification Authorities.
  - DisCFS is a more general and scalable approach.
- Operating systems
  - Some operating systems (e.g., Taos, Exokernel) are limited by the fact that permissions are hardwired into the system.
  - DisCFS is easily portable and more flexible.
- Other protocols
  - FTP and HTTP: flexibility is greatly reduced in the case where file content is sensitive and authentication is required.
DisCFS Design
- System architecture
  - DisCFS uses a direct binding between a public key and a set of authorizations. This results in a decentralized authorization system that is flexible enough to cope with a large variety of authentication scenarios.
  - Requests are signed with the requester's key and must be accompanied by other credentials that form a chain of trust linking the requester's key to a key that is trusted by the system.
  - Credential caching can reduce the number of credentials that have to be exchanged.
  - Credential revocation is fairly straightforward to achieve by notifying the server about bad keys or credentials.
  - DisCFS uses KeyNote for policy definition.
DisCFS Design (Cont.)
- Example: Alice wishes to share her files with Bob
Figure 1: Delegation of privileges, from the administrator to Alice, and from Alice to Bob. The administrator grants Alice full access by issuing her the first certificate. Alice can then delegate read access to Bob by issuing him the second certificate. To be granted access, Bob must present a certificate chain consisting of both certificates.
DisCFS Design (Cont.)
- Example: Arbitrarily complex graphs of trust
Figure 2: Delegation in KeyNote, starting from a set of trusted keys. The dotted lines indicate a delegation path from a trusted public key (the administrator's) to the user making a request. If all the credentials along that path authorize the request, it will be granted. Intermediate credentials can only refine the authority granted to them (i.e., they can never allow a request that was denied by policy).
DisCFS Design (Cont.)
- Example: Access control in DisCFS

    Authorizer: <Administrator's Public Key>
    Licensees: <Alice's Public Key>
    Conditions: (app_domain == "DisCFS") &&
                (HANDLE == "666240") -> "RWX";
    Comment: testdir
    Signature: <Signature by Administrator>

Figure 3: Credential granting user Alice (as identified by her public key, in the Licensees field) access to directory testdir. The keys and signatures have been omitted in the interest of readability.

    Authorizer: <Alice's Public Key>
    Licensees: <Bob's Public Key>
    Conditions: (app_domain == "DisCFS") && (HANDLE == "666240") &&
                (localtime > "20021106000001") &&
                (localtime < "20021106235959") -> "RWX";
    Comment: testdir
    Signature: <Signature by Alice>

Figure 4: Credential by user Alice granting (delegating) user sotiris access to directory testdir for one day. Again, the keys and signatures have been omitted in the interest of readability.
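The chain evaluation behind Figures 1 to 4 (delegation from a trusted administrator key to Alice, from Alice to Bob, and the rule that intermediate credentials can only refine authority), written out as an added Python example. It is not DisCFS or KeyNote code: the key names and the third credential (Bob delegating to a hypothetical Carol) are constructed, signature verification of each credential is assumed to have already succeeded, and permissions are modelled as sets rather than KeyNote's ordered values.

```python
# Added example, not the project's own evaluator: walks a set of credentials
# back to a trusted key and computes the permissions a requester key holds.
# Signature checks over each credential are assumed done beforehand.

def discfs_conditions(handle, window=None):
    """Build a condition check for one DisCFS file handle, optionally limited
    to a localtime window (string compare, as in the Figure 4 credential)."""
    def check(env):
        ok = env.get("app_domain") == "DisCFS" and env.get("HANDLE") == handle
        if ok and window:
            ok = window[0] < env.get("localtime", "") < window[1]
        return ok
    return check

# Constructed credentials (key names are placeholders, not real public keys):
#   admin -> Alice: RWX on handle 666240 (Figure 3)
#   Alice -> Bob:   R only, and only during 2002-11-06 (Figures 1 and 4)
#   Bob   -> Carol: claims RWX, but Bob cannot pass on more than he holds
CREDENTIALS = [
    {"authorizer": "ADMIN_KEY", "licensee": "ALICE_KEY",
     "conditions": discfs_conditions("666240"), "grant": "RWX"},
    {"authorizer": "ALICE_KEY", "licensee": "BOB_KEY",
     "conditions": discfs_conditions("666240", ("20021106000001", "20021106235959")),
     "grant": "R"},
    {"authorizer": "BOB_KEY", "licensee": "CAROL_KEY",
     "conditions": discfs_conditions("666240"), "grant": "RWX"},
]
TRUSTED_KEYS = {"ADMIN_KEY"}  # server policy: the administrator's key holds RWX

def authority(key, env, creds=CREDENTIALS, trusted=TRUSTED_KEYS, seen=frozenset()):
    """Permission set `key` holds under request environment `env`. Each hop
    intersects its own grant with what the authorizer holds, so a credential
    further down the chain can only refine access, never widen it."""
    if key in trusted:
        return frozenset("RWX")
    if key in seen:                      # guard against credential cycles
        return frozenset()
    held = set()
    for c in creds:
        if c["licensee"] == key and c["conditions"](env):
            upstream = authority(c["authorizer"], env, creds, trusted, seen | {key})
            held |= set(c["grant"]) & upstream
    return frozenset(held)

def authorize(key, wanted, env):
    """True if `key` may perform every operation in `wanted` (e.g. "RW")."""
    return set(wanted) <= authority(key, env)
```

Running authority("CAROL_KEY", ...) for a request on handle 666240 during the window yields only "R", because Bob's RWX grant to Carol is cut down to what Alice gave Bob; outside the window both Bob and Carol hold nothing.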
Implementation Details
- DisCFS over NFS
  - DisCFS is implemented over NFS.
  - Like NFS, the DisCFS system consists of a client and a server. The client runs on the user workstation and establishes a connection to the DisCFS server.
  - Mutual authentication is performed for the connection:
    - The client can authenticate the server, because the file access credential contains the server key.
    - The server only proceeds with the connection if the submitted credentials allow access to the requested file.
  - When a file is stored in DisCFS, the server generates a credential containing information that allows the future retrieval of the file contents, as well as information about the file creator.
  - DisCFS closely follows NFS semantics; it appears to the user as another mounted file system. Files for which credentials have been supplied appear under the mount point of the DisCFS file system. The client may then use file I/O requests similar to NFS.
  - The semantics of some of the procedures defined by the NFS protocol change in the implementation.
Experimental Evaluation
- Use micro-benchmarks and macro-benchmarks to obtain a first-order quantification of performance, as well as identification of the overhead introduced by the access control mechanism.
- Use the Bonnie benchmark to evaluate performance when writing and reading a large file.
- Use the PostMark benchmark to simulate heavy small-file system loads (typical of most web applications, email, etc.).
- A more representative test: compiling the OpenBSD kernel.
- Evaluate how different cache sizes affect DisCFS performance.
- Generally speaking, DisCFS performance remains the same in relation to NFSv2.
- User and Administrator Experiences
  - Administrators were happy to be relieved of dealing with users after the initial setup.
  - Users' creation and signing of credentials can be streamlined with tools.
Conclusions
- A completely credential-based mechanism for authentication and access control of files.
- The mechanism is flexible and scalable.
- It is straightforward to implement and deploy because it uses components that exist in common operating systems and supports traditional Unix file system semantics.
- In normal usage, the DisCFS-imposed overhead is negligible.
References
1. "Secure and Flexible Global File Sharing" by Stefan Miltchev, Vassilis Prevelakis, Sotiris Ioannidis, John Ioannidis, Angelos D. Keromytis, and Jonathan M. Smith. In Proceedings of the USENIX Annual Technical Conference, Freenix Track, pp. 165-178. June 2003, San Antonio, TX. http://www1.cs.columbia.edu/angelos/Papers/discfs.pdf
2. DisCFS source code is available for download at http://www.seas.upenn.edu/miltchev/discfs/