| ¡¡ | Chinese Journal of Computers Full Text |
| Title | Design and Implementation of a Group Key Server-Based Cryptographic File System |
| Authors | XIAO Da SHU Ji-Wu XUE Wei LIU Zhi-Cai ZHENG Wei-Min |
| Address | (Department of Computer Science and Technology, Tsinghua University, Beijing 100084) (Key Laboratory for Information Science and Technology, Tsinghua University, Beijing 100084) |
| Year | 2008 |
| Issue | No.4(600¡ª610) |
| Abstract & Background | Abstract Network storage techniques facilitate data sharing but also introduce new vulnerabilities. Cryptographic file systems provide the confidentiality and integrity of file data stored on servers that are not under users¡¯ direct control by cryptographic methods. The key management schemes for current shared cryptographic file systems cannot satisfy the security, flexibility and efficiency requirements simultaneously. This paper proposes a cryptographic file system called CKS-CFS. A trusted Group Key Server (GKS) is introduced to manage file encryption keys in a centralized manner and to enable the employment of flexible access control policies. The computation and storage requirement for GKS is reduced through the use of access control blocks and lockboxes so that the function of GKS can be implemented by hardware to provide strong security. The overhead of revocation is reduced by block granularity encryption and key versioning technique. The authors have implemented a prototype of GKS-CFS based on Luster and evaluated its performance. Compared with other systems, the cryptographic cost in common file operations in GKS-CFS is reduced by an order of magnitude by avoiding the usage of public-key cryptography; Bonnie++ benchmark test shows that the performance of sequential read/write and random file operations are reduced on average by 42.0% and 8.4% respectively. keywords cryptographic file system£» confidentiality£» integrity£» key management£» tamper-resistant hardware background This paper addresses the problem of key management in cryptographic file systems. A secure and efficient key management scheme is the one of the most important factors to put cryptographic file systems into practical use. However, this problem is not addressed well by existing solutions. Two key management schemes have been proposed: The file group based scheme and the user public/private key based scheme. But neither of them can satisfy the security, flexibility and efficiency requirements simultaneously. They either suffer from poor performance due to the use of public-key cryptography or fail to provide flexibility and security due to the coarse-grained key management based on file groups. This paper proposes a key management scheme for cryptographic file system based on a trusted group key server(GKS) that securely and flexibly manages keys in a centralize manner. We also present the design and implementation of a cryptographic file system call GKS-CFS that adopts this scheme. In the design of GKS-CFS, we make efforts to reduce the computation and storage requirement for GKS so that is the function of GKS can be implemented by tamper-resistant hardware, guaranteeing strong security. Efficiency is also achieved by avoiding the usage of public-key cryptography. The work of this paper is part of the project "Study of the on-demand deployment model and quality of service (QoS) for the next-generation internet-based storage" supported by the National Grand Fundamental Research 973 Program of China under grant No.2004CB318205. This project aims to provide theoretic models and key techniques for the construction of the next-generation networked storage. Our research group has been conducting research on several areas related to storage QoS, which include data distribution, storage virtualization and storage management, storage security, etc. Our group has proposed techniques and developed systems to enhance various aspects of QoS for storage, including performance, reliability, flexibility, manageability and security. We have published a number of high-quality papers in these research areas and some of the systems developed by us have been used by governments and enterprises as their information infrastructure, such as the Beijing police office and the National Audit Office, etc. Research on cryptographic file systems is an important area in the field of storage security, which provides confidentiality and integrity for data stored on entrusted storage by using cryptographic techniques. The work of this paper contributes to our research on storage security by presenting key techniques for key management in cryptographic file systems and by designing and implementing a real cryptographic file system based on our techniques. |