Cryptographic Security for a High-Performance Distributed File System

[attachment=18232]

INTRODUCTION :

Security is quickly becoming a mandatory feature of data storage systems. Today, storage space is typically provided by complex networked systems. These networks have traditionally been confined to data centers in physically secured locations.
With the availability of high-speed LANs and storage networking protocols such as FCIP and iSCSI , these networks are becoming virtualized and open to access from user machines. Hence clients may access the storage devices directly, and the existing static security methods no longer make sense.
Therefore ,new dynamic security mechanisms and secure storage system are required for protecting stored data in virtualized and networked storage systems to ensure confidentiality and the integrity of the stored data.


EXISTING SYSTEM :

DISADVANTAGES:
These systems contain a distributed file system that works with untrusted storage server.
It guarantees that clients can detect any violation of integrity and consistency but cannot prevent modifications to the stored data by the server.
These systems do not contain an explicit security provider responsible for key management, in which per-user master keys to protect per-file keys are maintained.



ADVANTAGES :
A cryptographic file system has been implemented using secure network-attached disks (SNAD) . SNAD storage devices are a hybrid design, providing traditional block storage as well as strong client authentication for any operation.
Provides confidentiality protection by data encryption and integrity protection by means of hash trees.
Data is encrypted by the clients before sending it to the SNAD and authenticated using per-block digital signatures or per-block secret-key authentication .



A CLIENT DRIVER:
The cryptographic extensions are located in the client driver.
It performs the cryptographic operations on the bulk data.
It consists of two main parts:
1.Storage Tank File System :
The STFS module contains the platform-dependent layer of the driver and implements the interface to the VFS layer of the Linux kernel. It handles reading and writing of file data from and to the page cache and the block devices.
2.Client State Manager :
The CSM is the part of the driver that interacts with the MDS using the SAN.FS protocol. It maintains the object attributes, including the cryptographic attributes.



THE META-DATA SERVER(MDS) :
This allows the administrator to specify a uniform policy for the cryptographic protection applied to the file system.
The MDS can also generate an encryption key upon creation of a new file.
The MDS implementation takes an active role in setting the cryptographic attributes:
1. To mandate the choice of particular encryption and hash methods.
2. It can be configured to enforce that the encryption and integrity protection flags be turned on or off.



THE FILE ENCRYPTION(AES):



The Advanced Encryption Standard (AES) specifies a FIPS-approved cryptographic algorithm that can be used to protect electronic data.
The AES algorithm is a symmetric block cipher that can encrypt (encipher) and decrypt (decipher) information.
Encryption converts data to an unintelligible form called ciphertext; decrypting the cipher text converts the data back into its original form, called plaintext.
The AES algorithm is capable of using cryptographic keys of 128, 92, and 256 bits to encrypt and decrypt data in blocks of 128 bits.