Matt Blaze
ABSTRACT
Although cryptographic techniques are playing an increasingly important role in modern computing system security, user-level tools for encrypting file data are cumbersome and suffer from a number of inherent vulnerabilities. The Cryptographic File System (CFS) pushes encryption services into the file system itself. CFS supports secure storage at the system level through a standard Unix file system interface to encrypted files. Users associate a cryptographic key with the directories they wish to protect. Files in these directories (as well as their pathname components) are transparently encrypted and decrypted with the specified key without further user intervention; cleartext is never stored on a disk or sent to a remote file server. CFS can use any available file system for its underlying storage without modification, including remote file servers such as NFS. System management functions, such as file backup, work in a normal manner and without knowledge of the key.
This paper describes the design and implementation of CFS under Unix. Encryption techniques for file system-level encryption are described, and general issues of cryptographic system interfaces to support routine secure computing are discussed.
- 1.Howard, J.H., Kazar, M.L., Menees, S.G., Nichols, D.A., Satyanaryanan, M. & Sidebotham, R.N. "Scale and Performance in Distributed File Systems." ACM Trans. Computing Systems, Vol. 6, No. 1, (February), 1988. Google Scholar
Digital Library
- 2.Kleiman, S.R., "Vnodes: An Architecture for Multiple File System Types in Sun UNIX." Proc. USENIX, Summer, 1986.Google Scholar
- 3.Lacy, J., Mitchell, D., and Schell, W., "CryptoLib: A C Library of Routines for Cryptosystems." Proc. Fourth USENIX Security Workshop, October, 1993.Google Scholar
- 4.Lai, X. and Massey, J. "A Proposal for a New Block Encryption Standard." Proc. EUROCRYPT 90, 389-404, 1990. Google ScholarDigital Library
- 5.National Bureau of Standards, "Data Encryption Standard." FIPS Publication #46, NTIS, Apr. 1977.Google Scholar
- 6.National Bureau of Standards, "Data Encryption Standard Modes of Operation." FIPS Publication #81, NTIS, Dec. 1980.Google Scholar
- 7.Reiher, P. et. al., "Security Issues in the Truffles File System." Proc. PSRG Workshop on Network and Distributed System Security, 1993.Google Scholar
- 8.Sandberg, R., Goldberg, D., Kleiman, S., Walsh, D., & Lyon, B. "Design and Implementation of the Sun Network File System." Proc. USENIX, Summer, 1985.Google Scholar
Index Terms
- A cryptographic file system for UNIX
Recommendations
The Zebra striped network file system
Zebra is a network file system that increases throughput by striping the file data across multiple servers. Rather than striping each file separately, Zebra forms all the new data from each client into a single stream, which it then stripes using an ...
Comments