Decentralized user authentication in a global file system

The challenge for user authentication in a global file system is allowing people to grant access to specific users and groups in remote administrative domains, without assuming any kind of pre-existing administrative relationship. The traditional approach to user authentication across administrative domains is for users to prove their identities through a chain of certificates. Certificates allow for general forms of delegation, but they often require more infrastructure than is necessary to support a network file system.This paper introduces an approach without certificates. Local authentication servers pre-fetch and cache remote user and group definitions from remote authentication servers. During a file access, an authentication server can establish identities for users based just on local information. This approach is particularly well-suited to file systems, and it provides a simple and intuitive interface that is similar to those found in local access control mechanisms. An implementation of the authentication server and a file server supporting access control lists demonstrate the viability of this design in the context of the Self-certifying File System (SFS). Experiments demonstrate that the authentication server can scale to groups with tens of thousands of members.

[1]  Mahadev Satyanarayanan,et al.  Scale and performance in a distributed file system , 1988, TOCS.

[2]  Martín Abadi,et al.  Authentication in distributed systems: theory and practice , 1991, SOSP '91.

[3]  Jacob R. Lorch,et al.  Farsite: federated, available, and reliable storage for an incompletely trusted environment , 2002, OSDI '02.

[4]  Christian D. Jensen,et al.  Capability File Names: Separating Authorisation From User Management in an Internet File System , 2001, USENIX Security Symposium.

[5]  Ian T. Foster,et al.  A National-Scale Authentication Infrastructur , 2000, Computer.

[6]  B. Lampson,et al.  Authentication in distributed systems: theory and practice , 1991, TOCS.

[7]  Ronald L. Rivest,et al.  SDSI - A Simple Distributed Security Infrastructure , 1996 .

[8]  Jeffrey I. Schiller,et al.  An Authentication Service for Open Network Systems. In , 1998 .

[9]  J. Howard Et El,et al.  Scale and performance in a distributed file system , 1988 .

[10]  Philip Zimmermann,et al.  PGP source code and internals , 1995 .

[11]  David Mazières,et al.  Separating key management from file system security , 2000, OPSR.

[12]  Mendel Rosenblum,et al.  The design and implementation of a log-structured file system , 1991, SOSP '91.

[13]  Morrie Gasser,et al.  The Digital Distributed System Security Architecture , 1989 .

[14]  Jon Howell,et al.  End-to-end authorization , 2000, OSDI.

[15]  Amin Vahdat,et al.  The CRISIS Wide Area Security Architecture , 1998, USENIX Security Symposium.

[16]  Roger M. Needham,et al.  Grapevine: an exercise in distributed computing , 1982, CACM.

[17]  Sun Microsystems,et al.  RPC: Remote Procedure Call Protocol specification: Version 2 , 1988, RFC.

[18]  Martín Abadi,et al.  Authentication in the Taos operating system , 1994, TOCS.

[19]  Alan O. Freier,et al.  The SSL Protocol Version 3.0 , 1996 .

[20]  Butler W. Lampson,et al.  Butler Lampson Microsoft , 1999 .

[21]  Ian T. Foster,et al.  A security architecture for computational grids , 1998, CCS '98.

[22]  Dwaine E. Clarke,et al.  SPKI/SDSI HTTP Server / Certificate Chain Discovery in SPKI/SDSI , 2001 .

[23]  Angelos D. Keromytis,et al.  Proceedings of the Freenix Track: 2003 Usenix Annual Technical Conference Secure and Flexible Global File Sharing , 2022 .

[24]  M. Kaminsky,et al.  REX : Secure , modular remote execution through file descriptor passing , 2003 .

[25]  Tatu Ylonen,et al.  SSH: secure login connections over the internet , 1996 .

[26]  Ben Y. Zhao,et al.  OceanStore: an architecture for global-scale persistent storage , 2000, SIGP.

[27]  John Kubiatowicz,et al.  Operating system services for wide-area applications , 1998 .

[28]  T. Dierks,et al.  The TLS protocol , 1999 .

[29]  Garret Swart,et al.  The Echo Distributed File System , 1996 .

[30]  Ian T. Foster,et al.  Globus: a Metacomputing Infrastructure Toolkit , 1997, Int. J. High Perform. Comput. Appl..

[31]  Butler W. Lampson,et al.  SPKI Certificate Theory , 1999, RFC.

[32]  Brent Callaghan,et al.  NFS Version 3 Protocol Specification , 1995, RFC.

[33]  Andrew S. Grimshaw,et al.  LegionFS: A Secure and Scalable File System Supporting Cross-Domain High-Performance Applications , 2001, International Conference on Software Composition.

[34]  Alexander Morcos,et al.  A Java implementation of simple distributed security infrastructure , 1998 .

[35]  Thomas D. Wu The Secure Remote Password Protocol , 1998, NDSS.

[36]  Butler W. Lampson,et al.  A Global Authentication Service without Global Trust , 1986, 1986 IEEE Symposium on Security and Privacy.