Encrypted File System (EFS)
Sankara Narayanan.
CSE 785 Computer Security,
Syracuse University, NY
Spring 2003 – 2004
What will be covered

- EFS: What is this? A user's perspective.
- Objective
- Motivation
- Related work and papers
- Top-notch encryption algorithms
- Design and implementation ideas proposed
- Design issues: an area to be really looked at
- Sample EFS demo sites

EFS: A User's Perspective

- An Encrypted File System (EFS) provides the core file encryption technology used to store encrypted files on the file system.
- The corporate world is very competitive, so access to code and system specifications often needs to be controlled.
- We have to share data among many users or groups; that sharing is the potential computer security risk from a user's perspective.
- Password security does nothing to prevent a disk being mounted on a different system and its contents read.

Why EFS: User's Perspective, Continued

- The need for encryption technology arises from the perspective of a user.
- Many universities and organizations now have an EFS design for this reason.
- WELCOME TO THE WORLD OF EFS.

Objectives

- Disk encryption reduces the risk of data exposure in a specific, if uncommon, scenario.
- It is meant to avoid system risks such as:
  - The computer is physically stolen.
  - Someone inside the company tries to compromise information.
  - The system is cracked while attached to a network, or by some malicious software.
- The primary benefit of an encrypted disk system is defense against device theft, making your system a more secure one; the other risks are only partially mitigated.

Motivation: Why EFS?

- Security, first and foremost.
- Privacy:
  - Ensure that private data is not accessed by other users (who may not be malicious).
- Reliability, an integral component:
  - Secures data from being accessed by any malicious user or hacker.
  - Only responsible people are given access to important data.
- Resource sharing:
  - Many users can use the same system and still work independently.

Related Work and Papers

- StegFS: A Steganographic File System for Linux, University of Cambridge.
- CFS: Cryptographic File System, Temple University.
- SFS: Secure File System, University of Minnesota and StorageTek.
- TCFS: Transparent Cryptographic File System, University of Salerno (Italy).
- Cryptfs: A Stackable Vnode-Level Encryption File System, Columbia University.

CFS: Cryptographic File System

- CFS is implemented on the Debian distribution.
- It is implemented completely at the user level.
- CFS runs a daemon, "cfsd", which uses the system calls to read and write the file contents.
- File contents are encrypted before reading and decrypted before writing.
- Simple and easy to understand.

TCFS: Transparent Cryptographic File System

- TCFS (Transparent Cryptographic File System) has been developed at the University of Salerno (Italy) and is currently available for Linux.
- TCFS is like an extended NFS: it acts just like NFS, but allows a user to protect his/her files using encryption.
- TCFS works as a layer under the VFS (Virtual File System Switch) layer, making it completely transparent to applications.

TCFS: Continued

- Security is guaranteed by means of the DES (Data Encryption Standard) algorithm.
- A TCFS user trusts only the kernel and the super user of the client machine accessing the data.
- Application area where TCFS is used: a network of workstations with limited disk space, each used almost exclusively by a limited number of users (you can even think of each user as the super user of his/her own workstation), and a remote file server sharing files with all the workstations.

TCFS: Continued

- The security mechanism must guarantee that secure files are not readable:
  - by any user other than the legitimate owner;
  - by tapping the communication lines between the user and the remote file system server;
  - by the super user of the file system server.
- In TCFS, security acts in a transparent way. Secure files can be accessed in the same way as local files; the user only has to authenticate himself to TCFS before starting to work.

Working of TCFS

(Flow diagram from the slide, reconstructed as a list.)
- Files are stored in encrypted form on the server.
- Each user has a different encryption key to access them.
- The TCFS login utility provides the user's encryption key.
- A block of data is read from the server using the NFS protocol.
- The requested block is decrypted first and then passed to the application.
- A data block written by the application is first encrypted with the user's key and then passed to the server.

StegFS: Steganographic File System

- First, like any file system, it is able to manage the storage of files on a disk.
- Second, it provides a mechanism for hiding files. This allows a user to plausibly deny the number of files stored on disk.
- Third, it provides a mechanism for accessing files that have been hidden.

StegFS: Continued

- The file system implementation is installed alongside the normal Ext2fs, Minix, etc. drivers, between the VFS interface and the block buffer cache.
- StegFS contains the full functionality of the Ext2fs driver for compatible access to non-hidden files.
- StegFS distinguishes regular files and directory files.
- StegFS also has a block allocation table (analogous to the block allocation bitmap) that stores an encrypted checksum for each block, used for detecting overwritten blocks.

Functionality of StegFS

- The confidentiality of all hidden files is guaranteed.
- Deletion of hidden or non-hidden files leads automatically to their secure destruction.
- Users can plausibly deny the number of files stored on the disk.
- Lower layers can be voluntarily compromised without revealing the higher layers.

Top-Notch Encryption Algorithms

- AES: Advanced Encryption Standard (Rijndael).
- DES: Data Encryption Standard algorithm, adopted by the U.S. government in 1977.
- 3DES: Triple DES.
- Blowfish.

General Kernel Architecture

(Layer diagram from the slide, listed top to bottom.)
- User Process: open(), read(), write(), etc.
- System Call Interface (entry into the kernel)
- VFS
- File systems: Minix FS, Ext2fs
- Buffer Cache
- Device Driver
- Disk Controller (hardware)

Design and Implementation Ideas

- Many of the implementations we have seen here have a kernel-level implementation of the file system.
- Certain implementations also have user-level daemons running that call the kernel-level programs (e.g. NFS).
- I am just describing one system architecture; each project team has to come up with its own creative design.

Example: General System Architecture

(Block diagram from the slide.) Each block on disk carries a header of KeyID, each block's max data size, block size, and this block's data size, followed by the encrypted data area. User-accessible memory reaches the disk through read() and write(), which pass through an Encryption and Decryption Process that obtains the Key for the block's KeyID from the Key DB.
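As an added illustration (my own user-level model, not code from TCFS, StegFS or this course), the following Python shows what the TCFS flow and the block diagram above describe: the Key DB is filled at login, write() encrypts the application's data under the user's key before it goes to the server, and read() checks a keyed per-block checksum of the kind StegFS keeps for detecting overwritten blocks and decrypts before the data is passed to the application. Only the standard library is used, so AES is replaced by an HMAC-SHA256 keystream in counter mode; the 4096-byte block size, the header layout and the salt are assumptions.

```python
import hashlib
import hmac
import os
import struct

BLOCK_SIZE = 4096        # fixed on-disk block size (assumed)
TAG_LEN = 32             # HMAC-SHA256 checksum stored at the end of each block
# Block header: KeyID, max data size per block, this block's data size, per-block nonce
HEADER = struct.Struct("<I I I 16s")
MAX_DATA = BLOCK_SIZE - HEADER.size - TAG_LEN
key_db = {}              # the Key DB: KeyID -> (encryption key, checksum key), filled at login

def login(key_id, passphrase):
    """Stand-in for the TCFS login utility: derive the user's keys from a passphrase."""
    master = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), b"efs-demo-salt", 100_000)
    key_db[key_id] = (hmac.new(master, b"enc", hashlib.sha256).digest(),
                      hmac.new(master, b"mac", hashlib.sha256).digest())

def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode, standing in for a block cipher's keystream."""
    out = bytearray()
    for ctr in range((length + 31) // 32):
        out += hmac.new(key, nonce + struct.pack("<Q", ctr), hashlib.sha256).digest()
    return bytes(out[:length])

def write_block(key_id, data):
    """write(): encrypt the application's data under the user's key before it goes to the server."""
    if len(data) > MAX_DATA:
        raise ValueError("data does not fit in one block")
    enc_key, mac_key = key_db[key_id]
    nonce = os.urandom(16)                                  # fresh nonce for every block write
    ciphertext = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    body = HEADER.pack(key_id, MAX_DATA, len(data), nonce) + ciphertext
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()  # keyed checksum over header + data
    return (body + tag).ljust(BLOCK_SIZE, b"\0")            # pad to the fixed block size

def read_block(block):
    """read(): verify the block's checksum and decrypt it before passing it to the application."""
    key_id, _max_data, size, nonce = HEADER.unpack_from(block)
    if key_id not in key_db:
        raise PermissionError("no key for KeyID %d: caller is not the legitimate owner" % key_id)
    enc_key, mac_key = key_db[key_id]
    end = HEADER.size + size
    body, tag = block[:end], block[end:end + TAG_LEN]
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        raise ValueError("checksum mismatch: block was overwritten or tampered with")
    return bytes(a ^ b for a, b in zip(body[HEADER.size:], _keystream(enc_key, nonce, size)))
```

A block whose tag fails to verify, or whose KeyID has no entry in the Key DB, is refused before any plaintext reaches the caller.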
Design Issues: An Area to Be Looked At

- The file pointer issues.
- Buffer overflow problems: how are you going to deal with these?
- Key management: an area worth thinking about; how will you manage your keys?
- What effect do processes like read and write have on the files?
- How are you going to define your system policy?
- Problems related with revocation, change of ownership, etc.

Sample EFS Demo Sites

You can run and see how EFS works; I am listing some sample sites:

- http://www.geocities.com/openpgp/linux_en.html
- http://www.linux.se/doc/lasg-www/encryption/

Conclusion

Thank You.