Decentralized Authentication Mechanisms for Object-based Storage Devices

Network-attached object-based storage separates the data path from the control path and enables direct interaction between clients and the storage devices. Clients interact with the file manager only to acquire metadata and some cryptographic primitives, for example access keys. Most current schemes rely on a centralized file manager to support these activities. This paper presents security mechanisms for decentralized authentication in object-based storage. The schemes are novel in several ways. First, they reduce the load on the file manager and free the system from a central point of failure and from denial-of-service attacks. We exploit Role-Based Access Control (RBAC) to provide scalability and design authentication schemes that use RBAC efficiently. In most cases, the client needs to acquire only one access key from the file manager, from which it can derive role keys for the roles it is permitted to play within an organization. Further, the number of cryptographic keys required for authentication in these schemes is smaller than in existing schemes. Finally, we also present two simple schemes that enable clients to access objects stored on any device on the network using a single identity key.
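As an added illustration of the single-access-key idea (example code written for this page, not the paper's own construction, which the abstract does not give), the following assumes a setup in which the file manager and each storage device share a per-device master key, the file manager issues one access key bound to a capability listing the client's permitted roles and an expiry, and the client derives per-role keys with HMAC to authenticate requests that the device verifies by recomputing the same keys, without contacting the file manager.

```python
import hashlib
import hmac
import json


def _capability_bytes(capability: dict) -> bytes:
    # Canonical encoding so client and device MAC exactly the same bytes.
    return json.dumps(capability, sort_keys=True).encode()


def issue_access_key(device_master_key: bytes, client_id: str, roles, expiry: int):
    """File manager side (assumed design): one access key per client per device,
    bound to the capability that names the roles the client may play."""
    capability = {"client": client_id, "roles": sorted(roles), "expiry": expiry}
    access_key = hmac.new(device_master_key, _capability_bytes(capability), hashlib.sha256).digest()
    return capability, access_key


def derive_role_key(access_key: bytes, role: str) -> bytes:
    # Client derives a role key locally; no further round trip to the file manager.
    return hmac.new(access_key, b"role:" + role.encode(), hashlib.sha256).digest()


def client_sign_request(access_key: bytes, role: str, request: bytes) -> bytes:
    # Request bytes are assumed to name the object and operation (constructed format).
    return hmac.new(derive_role_key(access_key, role), request, hashlib.sha256).digest()


def device_verify(device_master_key: bytes, capability: dict, role: str,
                  request: bytes, tag: bytes, now: int) -> bool:
    """Storage device side: check policy (expiry, role membership), then recompute
    access key and role key from the shared master key and verify the request MAC."""
    if now >= capability["expiry"]:
        return False
    if role not in capability["roles"]:
        return False
    access_key = hmac.new(device_master_key, _capability_bytes(capability), hashlib.sha256).digest()
    expected = hmac.new(derive_role_key(access_key, role), request, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    master = b"constructed-device-master-key"        # shared by file manager and device
    cap, ak = issue_access_key(master, "alice", ["reader", "writer"], expiry=1000)
    req = b"READ obj=42 off=0 len=4096"               # constructed request
    tag = client_sign_request(ak, "reader", req)
    print("reader accepted:", device_verify(master, cap, "reader", req, tag, now=500))
    print("admin rejected:", not device_verify(master, cap, "admin", req,
                                               client_sign_request(ak, "admin", req), now=500))
```

A forged or modified request, a role outside the capability, or a request after expiry is rejected by the device alone, which is what removes the file manager from the data path.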
