Security for Network Attached Storage Devices

Abstract : This paper presents a novel cryptographic capability system addressing the security and performance needs of network attached storage systems in which file management functions occur at a different location than the file storage device. In our NASD system file managers issue capabilities to client machines, which can then directly access files stored on the network attached storage device without intervention by a file server. These capabilities may be reused by the client, so that interaction with the file manager is kept to a minimum. Our system emphasizes performance and scalability while separating the roles of decision maker (issuing capabilities) and verifier (validating a capability). We have demonstrated our system with adaptations of both the NFS and AFS distributed file systems using a prototype NASD implementation.

[1]  Richard F. Rashid,et al.  Extending a capability based system into a network environment , 1986, SIGCOMM '86.

[2]  David L. Mills Simple Network Time Protocol (SNTP) , 1992, RFC.

[3]  Hugo Krawczyk,et al.  Keying Hash Functions for Message Authentication , 1996, CRYPTO.

[4]  Robbert van Renesse,et al.  Using Sparse Capabilities in a Distributed Operating System , 1986, ICDCS.

[5]  Ronald L. Rivest,et al.  The MD5 Message-Digest Algorithm , 1992, RFC.

[6]  William A. Wulf,et al.  HYDRA , 1974, Commun. ACM.

[7]  Henry M. Levy,et al.  Capability-Based Computer Systems , 1984 .

[8]  Li Gong,et al.  A secure identity-based capability system , 1989, Proceedings. 1989 IEEE Symposium on Security and Privacy.

[9]  B. Clifford Neuman,et al.  Proxy-based authorization and accounting for distributed systems , 1993, [1993] Proceedings. The 13th International Conference on Distributed Computing Systems.

[10]  Jim Zelenka,et al.  File server scaling with network-attached secure disks , 1997, SIGMETRICS '97.

[11]  Maurice V. Wilkes,et al.  The Cambridge CAP computer and its operating system (Operating and programming systems series) , 1979 .

[12]  Eli Biham,et al.  TIGER: A Fast New Hash Function , 1996, FSE.

[13]  Dan Walsh,et al.  Design and implementation of the Sun network filesystem , 1985, USENIX Conference Proceedings.

[14]  Elliott I. Organick,et al.  A programmer's view of the intel 432 system. mcgraw hill , 1983 .

[15]  White Paper Secure Distributed and Parallel File Systems Based on Network-Attached Autonomous Disk Drives , 1998 .

[16]  Garth A. Gibson,et al.  Filesystems for Network-Attached Secure Disks, , 1997 .

[17]  Gregory G. Finn,et al.  Derived virtual devices: a secure distributed file system mechanism , 1996 .

[18]  J. Howard Et El,et al.  Scale and performance in a distributed file system , 1988 .

[19]  Derek McAuley,et al.  The desk area network , 1991, OPSR.

[20]  Joseph D. Touch,et al.  Performance analysis of MD5 , 1995, SIGCOMM '95.

[21]  Hans Eberle,et al.  A High-Speed DES Implementation for Network Applications , 1992, CRYPTO.

[22]  Bennet S. Yee,et al.  Secure Coprocessors in Electronic Commerce Applications , 1995, USENIX Workshop on Electronic Commerce.

[23]  John H. Hartman,et al.  The Zebra striped network file system , 1995, TOCS.