
Design and Implementation of a Secure File System


Presentation Transcript


  1. Design and Implementation of a Secure File System
     BTech Project
     Name: Dipanjan Sengupta
     Guided by: Prof. I. Sengupta

  2. FIVE GOLDEN OBJECTIVES
     • Data security
     • Transparent access semantics
     • Compatibility with various underlying system services
     • Good system performance
     • Limited trust

  3. Why File System-Level Cryptography?
     • User-level cryptography
       • Encryption tools
         • Open to attack while the file is in clear form
         • Mistakes from the user side
       • Integrated encryption in the application
         • Need for the same encryption engine in every application
         • Performance penalty
     [Figure: user-level encryption tool. Plain text is encrypted into an encrypted file; deleting the plain text leaves the data still present in plain text, or the user forgets to delete the plain text at all.]

  4. Flow of Control in Current Linux File System

  5. PROPOSED SECURE FILE SYSTEM
     • At kernel level
     • Handles all system calls related to the filesystem
     • Abstraction layer between the application program and the filesystem implementation
     • Not too far from the user trust
     [Figure: Application Program → System Call → SECURE FILESYSTEM LAYER → Virtual File System → Ext2 / MS-DOS. Footer: Hardening of Linux Kernel]

  6. ARCHITECTURE
     [Figure: Application Program → System Call → FILE SYSTEM INTERFACE → SECURE FILESYSTEM LAYER (ACCESS CONTROLLER and CRYPT ENGINE) → FILE SYSTEM INTERFACE → UNDERLYING FILESYSTEM. Crypt file layout: HKEY | ACL | DHACL | Encrypted File, where HKEY is the hash of the encryption key and DHACL is the digest of HACL. Footer: Hardening of Linux Kernel]

  7. Implementations

  8. Public & Private Keys

  9. IMPLEMENTATIONS
     • Population of the Public Key Table, a kernel data structure for storing the public keys of related users
     • The loadable module loadpubkey inserts the public key table, containing the uid, the name of the user and the user's public key, into the kernel

  10. Population of Public Key Table
      [Screenshot: the loadpubkey module linked to the kernel]

  11. dmesg after PKTable Population
      [Screenshot: public key table with N and E values for each user (uid)]

  12. SFS Functionality & User Interface

  13. IMPLEMENTATIONS
      • Population of the Public Key Table, a kernel data structure for storing the public keys of related users
      • Implementation of a tool (setaccesscontrol) for the generation of an AccessFile in each directory with the prefix 'ecrypt', which contains encrypted files
      • The AccessFile contains the uids of the users granted the right to access files in that particular directory

  14. Set Access Control
      [Screenshot: uids of users granted the right to access the files in ecryptdir; displaying the uids of the users granted access to the files in ecryptdir]

  15. IMPLEMENTATIONS
      • Population of the Public Key Table, a kernel data structure for storing the public keys of related users
      • Implementation of a tool (setaccesscontrol) for the generation of an AccessFile in each directory with the prefix 'ecrypt', which contains encrypted files
      • Implementation of user-level utilities (entersecuresession and exitsecuresession) to enter and exit a secure session

  16. Entering a Secure Session and File Creation in SFS
      [Screenshot: entering a secure session by supplying the private key (D and N pair) to the system; exiting the secure session; a user not given access to the files in ecryptdir failed to open testSecret.c]

  17. File Access in SFS
      [Screenshot: a user granted access to the files in ecryptdir could open testSecret.c]

  18. How do these tools work?
      • Implementation of a new system call, syscall_storeprivatekey
      • Making an entry in the system call table for each supported architecture:
            .long sys_<syscall_name>
      • Defining the syscall number in <asm/unistd.h> for each supported architecture:
            #define __NR_<syscall_name> <number>
      • Compiling the kernel

  19. ARCHITECTURE
      [Figure: the architecture diagram of slide 6 repeated. Application Program → System Call → FILE SYSTEM INTERFACE → SECURE FILESYSTEM LAYER (ACCESS CONTROLLER and CRYPT ENGINE) → FILE SYSTEM INTERFACE → UNDERLYING FILESYSTEM. Crypt file layout: HKEY | ACL | DHACL | Encrypted File. Footer: Hardening of Linux Kernel]

  20. COMPONENT FUNCTIONALITY
      • ACCESS CONTROLLER
        • Gets access-related information
        • Public keys of the users granted access rights
      [Figure: from the file structure to the dentry structure to the ecryptdir pathname; the ACCESSFILE is read and the PKTABLE is consulted to build the Pub_key list, e.g. {{7, 187}, {17, 3233}, {3, 17947}, {13, 437}, {13, 437}, {11, 247}}. Footer: Hardening of Linux Kernel]

  21. ACCESS CONTROLLER Contd...
      • Generate a random symmetric key (KEY) for file encryption by calling the get_random_bytes function
      • Encrypt the KEY with each extracted public key (RSA) and prepare the Access Control List (ACL)
      [Figure: KEY encrypted under PUB_11, PUB_22, PUB_44 and PUB_55 gives KEY_11, KEY_22, KEY_44 and KEY_55, which form the ACL in the crypt file layout HKEY | ACL | DHACL | Encrypted File]

  22. Contd...
      • Create the hash of the KEY (HKEY)
      • Create the hash of the ACL (HACL)
      • Create the digest of HACL (DHACL) with the private key of the owner
      • CRYPT ENGINE
        • Encrypt the file with the KEY (AES)
        • Attach the ACL to the encrypted file
        • Attach the HKEY in front of the file
      • CRYPT FILE structure: HKEY | ACL | DHACL | Encrypted File

  23. Reading a File
      [Figure: each ACL entry KEY_11, KEY_22, KEY_44 (and so on) is decrypted using the private key supplied by the user, giving DKEY_11, DKEY_22, DKEY_44; the hash of each DKEY_XX (HDKEY_11, HDKEY_22, HDKEY_44) is compared with HKEY. Match not found: continue. Match not found: continue. Match found: break, and the encrypted file is decrypted with DKEY_44 to plain text.]
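The write path of slides 21 and 22 and the read path of slide 23, as an added example that is not part of the project's kernel code. It models the crypt file as a dict, uses the (E, N) pairs shown on slide 20 with private exponents D constructed to match (textbook RSA on such tiny moduli is demonstration-only, so the KEY is wrapped one 4-bit chunk at a time), and substitutes a SHA-256 counter keystream for the AES engine because the Python standard library has no AES.

```python
import hashlib
import hmac
import os
import struct

# Public Key Table (uid -> (E, N)) with the tiny pairs shown on slide 20, plus matching
# private exponents D (constructed for this example). Textbook RSA on these moduli is a
# toy: the KEY is wrapped one 4-bit chunk at a time so every chunk value is below N.
PKTABLE = {11: (7, 187), 22: (17, 3233), 44: (3, 17947), 55: (13, 437)}
PRIVKEY = {11: (23, 187), 22: (2753, 3233), 44: (11787, 17947), 55: (61, 437)}

def rsa_chunks(data: bytes, exp: int, n: int) -> list:
    """m^exp mod n applied to each 4-bit chunk of data (two chunks per byte)."""
    return [pow(c, exp, n) for b in data for c in (b >> 4, b & 0xF)]

def rsa_join(chunks: list, exp: int, n: int) -> bytes:
    """Inverse of rsa_chunks; a wrong key simply yields garbage nibbles."""
    v = [pow(c, exp, n) & 0xF for c in chunks]
    return bytes((v[i] << 4) | v[i + 1] for i in range(0, len(v), 2))

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """SHA-256 counter keystream XOR: a stdlib stand-in for the slides' AES engine."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + struct.pack(">I", i // 32)).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def sfs_write(plain: bytes, allowed_uids: list, owner_uid: int) -> dict:
    """Owner side (slides 21-22): random KEY, KEY wrapped under each granted user's
    public key (ACL), HKEY = hash(KEY), DHACL = hash(ACL) signed by the owner."""
    key = os.urandom(16)                      # the kernel code calls get_random_bytes
    acl = [rsa_chunks(key, *PKTABLE[uid]) for uid in allowed_uids]
    hacl = hashlib.sha256(repr(acl).encode()).digest()
    return {"owner": owner_uid, "hkey": hashlib.sha256(key).digest(), "acl": acl,
            "dhacl": rsa_chunks(hacl, *PRIVKEY[owner_uid]), "data": keystream_xor(key, plain)}

def sfs_read(cf: dict, priv: tuple):
    """Reader side (slide 23): check DHACL, then try each ACL entry with the supplied
    private key and accept the candidate whose hash matches HKEY; None = access denied."""
    hacl = hashlib.sha256(repr(cf["acl"]).encode()).digest()
    if not hmac.compare_digest(rsa_join(cf["dhacl"], *PKTABLE[cf["owner"]]), hacl):
        return None                           # ACL was altered after the owner signed it
    for entry in cf["acl"]:
        dkey = rsa_join(entry, *priv)
        if hmac.compare_digest(hashlib.sha256(dkey).digest(), cf["hkey"]):
            return keystream_xor(dkey, cf["data"])   # match found ... break
    return None                               # no entry opened with this key
```

The ACL entries carry no uid, so the reader tries every entry exactly as the slide's loop does; the DHACL check is what lets a reader notice an ACL that was edited after the owner wrote the file.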

  24. SFS Write dmesg
      [Screenshot: the randomly generated KEY; the number of users granted access; the maximum number of users in the PKTABLE; the KEY encrypted with the Pub_key of uid 11; the KEY encrypted with the Pub_key of uid 22]

  25. Continued...
      [Screenshot: the KEY encrypted with the Pub_key of uid 44; the KEY encrypted with the Pub_key of uid 55; the hash of the KEY (HKEY)]

  26. SFS Read dmesg
      [Screenshot: reading the hash of the KEY (HKEY); Pub_key11 entry decrypted with the user-supplied private key; Pub_key22 entry decrypted with the user-supplied private key; Pub_key44 entry decrypted with the user-supplied private key; hash of the decrypted key matched with HKEY: Access Granted!]

  27. RESULTS
      • Found to work correctly with many application programs, such as
        • text editors like vi, KDevelop and kedit
        • image applications like GIMP
      • System performance compared with the Linux 2.6.22 filesystem
      • Check parameters:
        • number of files accessed
        • file size

  28. System Performance
      [Figure: performance comparison chart]

  29. Future Work
      • Key management issues
      • RSA for arbitrarily long public and private keys
      • Generalizing the implementation rather than using 'ecrypt'-prefixed directories
      • Improving the user interface
      • Implementation of a data compression algorithm at the kernel level
