Professional Documents
Culture Documents
Introdu tion
Design
2.1
fsd uses a le's inode number and a timestamp of last modi
ation as a seed of the le.
Ea
h entry is 4 bytes long, so the seed is 8 bytes
long (finode#, timestampg).
Key Management
Authenti ation
SC-CFS employs the same authenti
ation me
hanism as CFS. A \signature", whi
h is a 4 byte predened string
on
atenated with 4 byte random string,
en
rypted in a way des
ribed in the previous key
management se
tion, is stored in ea
h CFS dire
tory. When a user starts a
essing the dire
tory,
re
overs the predened string
orre
tly, the user has
entered the right password (in CFS) or used the
right smart
ard (in SC-CFS), so he is allowed to
enter the dire
tory.
Se urity Consideration
Ca hing
3.1
Model
Smart ard
A ba
king store for CFS or SCCFS. This may be any le system, e.g., a lo
al
le system or a network le system.
Ba king Store
Mallory (M)
3.2
An adversary.
Threats
In SC-CFS, a smart ard remembers a randomly generated master key, and generates le keys, eliminating this problem.
Storage Theft
3.3
Our prin
ipal
ipher is DES, whi
h is assumed impossible to
ompromise in reasonable
amount of time. This may not be a good assumption any more in the age of fast DES
ra
kers [7. DES should be repla
ed with
triple-DES in the future.
Also, our prin ipal hash fun tion, SHA1, is assumed to be ollision free.
Atta k
Key Theft
Pi
k a password.
Generate a sub key and random strings, as CFS
does.
Niels Provos has pointed out that virtual memory ba
king store may
ontain
riti
al se
rets even
though appli
ation programs delete them [23. By
reading a hard disk whi
h is used as the ba
king
store, Mallory is able to re
over se
rets.
In CFS, the user master key and the dire
tory keys
may be in virtual memory. In SC-CFS, the user
master key is in a smart
ard, so only the le keys
are vulnerable.
5 CFS
Implementation
Performan e Evaluation
5.1
The Andrew Ben
hmark (ABM), a standard le system ben
hmark test, is used to measure the overhead of SC-CFS. ABM has ve phases: MakeDir
(mkdir), Copy (
p), S
anDir (ls -l), ReadAll
(grep), and Make (
). Sour
e
ode of C programs
used in the Make phase is slightly modied from
the original Andrew Ben
hmark to make the test
runnable on Linux-2.2 6 . The results are shown below. The numbers are in se
onds.
Lo
al CFS (se
) SC-CFS (se
)
MakeDir 0
0.2
0.2
0.6
1.0
21.8
Copy
S
anDir 1.2
1.6
1.0
ReadAll 2.0
3.0
22.6
5.0
7.8
29.6
Make
SC-CFS works as e
iently as Lo
al and CFS when
it does not need to a
ess a smart
ard (MakeDir
and S
anDir 7 ). However, in the other
ases (Copy,
ReadAll, Make), SC-CFS is mu
h slower.
seed to the smart
ard and invokes the key generation method inside the smart
ard. The other is
get response, whi
h asks the smart
ard to return
the result of key generation. A smart
ard standard
ISO 7816-4 [12 denes the T=0
ommuni
ation proto
ol, whi
h Cyber
ex A
ess adopts, to be unidire
tional, i.e., a smart
ard
an either send or re
eive data in one APDU. Therefore, in addition to
generate key APDU, get response APDU is ne
essary. These two APDUs are sent to the smart
ard
onse
utively.
The following table shows the breakdown of the two
APDUs. \generate key APDU overhead" is time
spent for sending a seed to smart
ard, invoking the
method, and preparing a buer for returned data.
Be
ause this
annot be broken down further, it is
shown as one operation.
operation
time (se
)
Hash (SHA1) 24 byte into 20 byte 0.15
0.10
generate key APDU overhead
Sele
t root in le system
0.01
Sele
t key le \ke" in le system
0.01
Read 16 byte from key le
0.01
get response APDU (20 byte)
0.01
total
0.29
Detailed Look
8:
6 We
There exist several remotely keyed en
ryption algorithms. The remotely keyed en
ryption is a way to
en
rypt bulk data with a key in a smart
ard, where
only small amount of work is done on the smart
ard,
and the rest is done on a fast host. Our session key
generation s
heme is one of them. Other examples
in
lude RKEP by Matt Blaze [3, another one by
Blaze [2, ReMaRK [19 and ARK [18 by Lu
ks,
and one by Jakobsson et al. [15.
We have
hosen our keying s
heme be
ause this is
implemented the fastest on the smart
ard we used
(Cyber
ex A
ess). It is implemented with one
host. Readers interested in smart
ard
on
epts are advised
to
onsult a referen
e text [9.
requirements of an environment, middle ground implementation may be useful, e.g., \key per n les"
approa
h, or
a
hing le keys.
7
7.1
Con lusion
We have developed SC-CFS, whi h improves the se urity of CFS by integrating a smart ard as a personal se ure storage of a key.
Performan e Improvement
Performan
e evaluation in Se
tion 5 shows how important a fast smart
ard is. In re
ent years, smart
ards have matured in terms of fun
tionality and
reliability. However, we have not seen signi
ant
performan
e improvement, even though mi
ropro
essors have sped up by 5 to 10 times.
Availability
A
knowledgment
We thank Niels Provos for suggesting a high speed
key generation method. Peter Honeyman and Jim
Rees have advised us through this proje
t, and suggested a le
a
hing idea.
This work was partially supported by a resear
h
grant from S
hlumberger, In
.
Referen
es
[1 William A. Arbaugh, David J. Farber, and
Jonathan M. Smith. A se
ure and reliable bootstrap ar
hite
ture. In 1997 IEEE Symposium
on Se
urity and Priva
y, Oakland, CA, May
1997.
[2 M. Blaze. Key management in an en
rypting le system. In Pro
eedings of the USENIX
Summer 1994 Te
hni
al Conferen
e, pages 27{
35, Boston, MA, USA, 6{10 1994.
[3 M. Blaze. High-bandwidth en
ryption with
low-bandwdith smart
ards, 1996.
[4 Matt Blaze. A
ryptographi
le system for
UNIX. In Pro
eedings of 1st ACM Conferen
e