22 citations found.
E. Zadok, I. Badulescu, and A. Shender. Cryptfs: A stackable vnode level encryption file system. Technical Report CUCS-021-98, Computer Science Department, Columbia University, June 1998.


This paper is cited in the following contexts:
MVSS: An Active Storage Architecture - Ma, Reddy

....requires no knowledge of file system internals. 4.1 Blowfish Crypt Cryptographic techniques are becoming increasingly important in modern computing system security. However, user level tools are usually cumbersome. Adding cryptographic support at system level provides better transparency [19] [20]. With the current trends in storage pooling and outsourcing, data are increasingly being stored encrypted on devices. Secure storage on devices can be achieved in MVSS by using a filter applet that encrypts data blocks on writes and decrypts them on reads. Keys are specified during attach ....

E. Zadok, "Cryptfs: A Stackable vnode Level Encryption File System," Technical Report CUCS-021-98, Computer Science Dept., Columbia Univ., 1998.


Sharing and Privacy Using Untrusted Storage - Jacob Ofir Sc

....with the file system so that files appearing anywhere in the file system can be transparently encrypted and decrypted upon access. Encryption is triggered by turning on a new secure bit in the file protection bits, and keys are managed by a separate server process. Another system, called Cryptfs [20], offers functionality identical to the previous two, except that it is implemented as a stackable file system at the vnode layer. In all three systems, clients trust servers to be secure. Further, all sharing must occur within a single administrative domain. 5.2 Cross Domain Sharing SFS [9] ....

E. Zadok, L. Badulescu, and A. Shender. Cryptfs: A stackable vnode level encryption file system. Technical Report CUCS-021-98, Computer Science Department, Columbia University, 1998.


Zero-Interaction Authentication - Corner, Noble (2002)   (19 citations)

....eavesdroppers from obtaining file keys. Figure 1: Decrypting File Encrypting Keys not impose undue usability burdens or noticeably reduce file system performance. The main contribution of this paper is not the construction of a cryptographic file system. Blaze's CFS [1], Zadok's Cryptfs [32], and Microsoft's EFS [19] all address the architecture, administration, and cryptographic methods for a file system. However, none of these combine user authentication and encryption properly. Some systems, such as EFS, require the user to reauthenticate after certain events, such as suspension, ....

....further encoded in Base 64, ensuring that encrypted filenames use only printable characters. Otherwise, the underlying file system might reject encrypted file names as invalid. In exchange, limits on file and path name sizes are reduced by 25%. Cryptfs made the same decision for the same reasons [32]. The kernel module performs two additional tasks. First, the module prefetches fresh file keys to be used during directory creation. Second, the module manages the storage of encrypted keys. The underlying file system stores keys in a keyfile, but keyfiles are not visible within ZIA. This is ....

[Article contains additional citation context not shown here]

E. Zadok, I. Badulescu, and A. Shender. Cryptfs: A stackable vnode level encryption file system. Technical Report CUCS-021-98, Computer Science Department, Columbia University, 1998.


The Case for Transient Authentication - Noble, Corner (2002)   (1 citation)

....with reads, and decrypted keys are cached for later reuse. With these optimizations, ZIA adds an overhead of under 10% for a modified Andrew Benchmark, and just over a factor of two for bulk data transfer. In both cases, the overheads imposed by ZIA are indistinguishable from those of Cryptfs [16], a cryptographic file system with a single key in effect for all files. In other words, the overheads are limited by cryptography, not key acquisition. Secure and Recover on People Time On token departure, ZIA encrypts each cached file block, and flushes each cached # # . ZIA does not evict ....

....conscious action on the part of the user. The one exception is iris recognition [10], but this scheme requires three separate cameras, a bulky and expensive proposition for mobile devices. There are a number of file systems that provide transparent encryption: Blaze's CFS [1], Zadok's Cryptfs [16], and Microsoft's EFS [8]. None of these tie user authentication to the encryption process properly. Some systems, such as EFS, require the user to reauthenticate after certain events to bound the window of vulnerability. This increases security, but decreases usability. 6 Conclusion Computing ....

E. Zadok, I. Badulescu, and A. Shender. Cryptfs: A stackable vnode level encryption file system. Technical Report CUCS-021-98, Computer Science Department, Columbia University, 1998.


Strong Security for Network-Attached Storage - Miller, Freeman, Long, Reed (2002)   (9 citations)

....era, there is no guarantee that a server will do this, so there must be a mechanism to ensure that the server has not maliciously altered the data. In addition, CFS does not discuss mechanisms for distributing keys among users for sharing files. A more recent cryptographic file system, Cryptfs [27], works in a similar way and has similar sharing and authentication issues. Recently, TCFS [6] has provided strong security and authentication for file system users. However, TCFS is relatively slow, reducing file system performance by more than 50%. The design of a trusted database system such ....

E. Zadok, I. Badulescu, and A. Shender. Cryptfs: A stackable vnode level encryption file system. Technical Report CUCS-021-98, Columbia University, 1998.


Intra-file Security for a Distributed File System - Banachowski, J. (2002)   (1 citation)

....file systems; their work discusses file systems and the security that each provides. Intra file security is not one of their criteria; although they do discuss the granularity of key protection, the minimum protection unit is a single file. Some file systems, such as CFS [1] and Cryptfs [15], require users to manage their own keys. This approach is simple, but is not suitable for IFS because of the sheer number of keys required [12]. Other systems such as SNAD [7], SFS and SUNDR [6, 5], and NASD [3] automatically manage encryption keys, though they do not permit partial file ....

E. Zadok, I. Badulescu, and A. Shender. Cryptfs: A stackable vnode level encryption file system. Technical Report CUCS-021-98, Columbia University, 1998.


How to Manage Persistent State in DRM Systems - Shapiro, Vingralek (2001)   (9 citations)

....a secure file system may be used. Secure file systems generally fall into two categories: those that provide secrecy and those that provide tamper detection. 4.3.1 Encrypted File Systems Several file systems have been developed that provide secrecy by encrypting file system data and meta data [2, 14, 26]. Encrypting persistent data is fairly straightforward in DRM systems and most of the work on encrypted file systems 6 involves integration with legacy network file systems (such as NFS) and user authentication, which are not relevant for local file systems. 4.3.2 Tamper Detection File systems ....

E. Zadok, I. Babulescu, and A. Shender. Cryptfs: A stackable vnode level encryption file system. Technical Report CUCS-021-98, Computer Science Department, Columbia University, June 1998.


A Framework for Evaluating Storage System Security - Riedel, Kallahalla, Swaminathan (2002)   (16 citations)

....already stored in encrypted form. Similarly, if written data is encrypted before it leaves the client and is stored encrypted, the server eliminates any decryption work. Storing data in encrypted form was originally proposed in Blaze's Cryptographic File System (CFS) and expanded in later systems [Blaze93, Cattaneo97, Zadok98, Hughes99], where it is used for a different purpose to protect data from untrusted servers. If data is stored on the server in encrypted form it is protected from leaking by the server (who does not know the key) and there is no need to encrypt data again when it is sent on the network. Encryption is ....

....user can collude with the storage server to attack the data. granularity . the local file system aggregates users into groups to authorize access, but there is no explicit decision on aggregating the keys used to encrypt data. long lived keys are used on a per directory basis. CryptFS [Zadok98] extends CFS to be more efficient by building it as a stackable file system rather than a user level server. It attempts to make the system more resilient to attacks due to corruption of individual users by using session IDs and user IDs to index into the key table, rather than using only ....

E. Zadok, I. Badulescu and A. Shender. Cryptfs: A stackable vnode level encryption file system. Technical Report CUCS-021-98, 1998.


A Framework for Evaluating Storage System Security - Riedel, Kallahalla, Swaminathan (2001)   (16 citations)

....form. Similarly, if write data is encrypted before it leaves the client and is stored encrypted, the server eliminates any decryption work. As it happens, such storing of data in encrypted form was originally proposed in Blaze's Cryptographic File System (CFS) and expanded in later systems [Blaze93, Cattaneo97, Zadok98, Hughes99], where it is used for a different purpose to protect data from untrusted servers. If data is stored on the server in encrypted form it is protected from leaking by the server (who does not know the key) and there is no need to encrypt data again when it is sent on the network. Encryption is ....

....the revoked user can collude with the server to attack the data. granularity . the local filesystem aggregates users into groups to authorize access, but there is no explicit decision on aggregating the keys used to encrypt data. long lived keys are used on a per directory basis. CryptFS [Zadok98] extends CFS to be more efficient by building it as a stackable file system rather than a user level server. Additionally it attempts to make the system more resilient to attacks due to corruption of individual users, by using process ids and user ids to index into the key table, rather than using ....

E. Zadok, I. Badulescu and A. Shender. Cryptfs: A stackable vnode level encryption file system. Technical Report CUCS-021-98, 1998.


KEYBOX: Using the kernel memory as a key safe for the CGI.. - Yoo-Kun

....the user authentication. Once the user logins the system successfully, the access to the encrypted file system requires no more password. The TCFS uses the NFS protocol and needs no kernel code modification. Zadok, Badulescu and Shender made the Cryptfs using the stackable file system technique [3] [5]. Instead of using the NFS server, Cryptfs directly manages the local file system. As the network protocol may be vulnerable, Cryptfs is more secure than the TCFS. Cryptfs shows better throughput than the TCFS because there is no network delay. It wraps the pre installed file system and ....

E. Zadok and I. Badulescu and A. Shender, Cryptfs: A Stackable Vnode Level Encryption File System, CUCS-021-98, http://www.cs.columbia.edu/~ezk/research/cryptfs/index.html


CryptosFS: Fast Cryptographic Secure NFS - Declan Patrick Shanahan (2000)

....are examples of file systems that use stackable layers and are discussed in A Stackable File System Interface For Linux [8] The Fiscus Replicated File System [10] describes how stackable layers provide replication of files. An implementation of a cryptographic file system in Linux, Cryptfs [11] demonstrates how stackable layers can be used to create a useful file system by leveraging the existing file system functionality. Stackable layers use 1 Adapted from A Stackable File System Interface for Linux [8] 9 the VFS interface and vnodes to layer functional operations one on top of ....

E. Zadok, I. Badulescu, and A. Shender, "Cryptfs: A Stackable Vnode Level Encryption File System," Columbia University 1998.


CryptoCache: A Secure Sharable File Cache for Roaming Users - Jensen (2000)   (3 citations)

....platform, it does not allow him to grant local users read only access to cached data. The only way to share a file with a local user is to give him the encryption decryption keys. Sharing keys raises a number of issues that are not adequately addressed by existing cryptographic file systems [2, 4, 9]. In this paper, we identify some of these shortcomings and present the design of a sharable cryptographic file cache for roaming users. The rest of this paper is organized as follows: Section 2 presents our threat model, identifies the requirements for a cryptographic cache and analyses the ....

....the collaboration and may destroy the spontaneity. It is therefore important, in this context, to separate access control decisions from the authenticated identity of the requesting user. 2.5 Related Work Cryptographic file systems are not a new idea. Systems like CFS [2] TCFS [4] and Cryptfs [9] allow encrypted storage of files on disks. In these systems, files are transparently encrypted decrypted using a key stored in the memory of the process operating on the file. These systems use symmetric cryptography which means that encryption and decryption use the same key. This means that ....

E. Zadok, I. Badulescu, and A. Shender. Cryptfs: a stackable vnode level encryption file system. Technical report, Computer Science Department, Columbia University, 1998.


Cryptographic File Systems Performance: What You Don't Know .. - Wright, Dave, Zadok (2003)   (2 citations)  Self-citation (Zadok)

No context found.

E. Zadok, I. Badulescu, and A. Shender. Cryptfs: A stackable vnode level encryption file system. Technical Report CUCS-021-98, Computer Science Department, Columbia University, June 1998.


NCryptfs: A Secure and Convenient Cryptographic File System - Wright, Martino, Zadok (2003)   (3 citations)  Self-citation (Zadok)

No context found.

E. Zadok, I. Badulescu, and A. Shender. Cryptfs: A stackable vnode level encryption file system. Technical Report CUCS-021-98, Computer Science Department, Columbia University, June 1998.


Stackable File Systems as a Security Tool - Zadok (1999)   (1 citation)  Self-citation (Zadok)

....useful for the Wrapfs template, and which were not. The encryption file system Cryptfs is the most involved file system we have designed and implemented based on Wrapfs. This section summarizes the design and implementation of Cryptfs. More detailed information is available in a separate report[31]. For an encryption algorithm we picked Blowfish[22] a 64 bit block cipher that was designed to be fast, compact, and simple. Blowfish is suitable in applications where the keys do not change often such as in automatic file decryptors. It can use variable length keys as long as 448 bits. We kept ....

....Cryptfs is anywhere from 43 to an order of magnitude faster than CFS. Since the encryption overhead is roughly 3.2 22.7 , we can assume that rest of the difference comes from the reduction in number of context switches. Details of these additional measurements are available in a separate report[31]. 5.3 Other Wrapfs Based File Systems The other file systems we developed using Wrapfs are simple, so we did not perform such rigorous performance measurements on them as we did with Wrapfs and Cryptfs. Only Rot13fs and Cryptfs have any significant impact on performance over that which was ....

E. Zadok, I. Badulescu, and A. Shender. Cryptfs: A Stackable Vnode Level Encryption File System. Technical Report CUCS-021-98. Computer Science Department, Columbia University, 28 July 1998. Available http://www.cs.columbia.edu/library/.


Fast Indexing: Support for Size-Changing Algorithms.. - Zadok, Andersen.. (2001)   (1 citation)  Self-citation (Zadok Badulescu)

....can be developed independently and then stacked on top of each other to provide new functionality. Also, they are more portable and are easier to develop [29]. For example, an encryption file system can be mounted on top of a native file system to provide secure and transparent data storage [27]. Unfortunately, general-purpose SCAs have never been implemented in stackable file systems. The problem we set out to solve was how to support general purpose SCAs in a way that is easy to use, performs well, and is available for many file systems. We propose fast indexing as a solution for ....

E. Zadok, I. Badulescu, and A. Shender. Cryptfs: A Stackable Vnode Level Encryption File System. Technical Report CUCS-021-98. Computer Science Department, Columbia University, 1998.


FiST: A Language for Stackable File Systems - Erez Zadok And (2000)   (10 citations)  Self-citation (Zadok)

....Vector (IV) and one 128 bit key per mounted instance of Cryptfs. Cryptfs encrypts both file data and file names. After encrypting file names, Cryptfs also uuencodes them to avoid characters that are illegal in file names. Additional design and important details are available elsewhere[24]. The FiST implementation of Cryptfs shows three additional features: file data encoding, using ioctl calls, and using per VFS data. Cryptfs's FiST code uses all four sections of a FiST file. Most of the code for Cryptfs is: f #include blowfish.h g filter:data; filter:name; ....

....vary much depending on the actual actions defined in the FiST Rules and Additional C Code sections, since they allow developers to write arbitrarily complex code. For example, the overhead added by Cryptfs over Basefs is 9. 1 22.9 , and is due substantially to the cost of the Blowfish encryption[24, 25]. When testing Aclfs, we ran half of the tests as the owner of the test directories, and the rest as a user authorized (in the .acl file) to access these directories. Aclfs adds an overhead of 3 5 over Basefs, more than 80 of which is incurred when reading .acl files and repeating lookups. To ....

E. Zadok, I. Badulescu, and A. Shender. Cryptfs: A Stackable Vnode Level Encryption File System. Technical Report CUCS-021-98. Computer Science Department, Columbia University, 1998.


A Comparison of Thin-Client Computing Architectures - Nieh, al. (2000)   (1 citation)  Self-citation (Zadok Badulescu)

....overhead and development cost[10, 12, 25, 27, 31, 32] With stacking, file systems can be developed independently and then stacked on top of each other to provide new functionality. For example, an encryption file system can be stacked on top of a native file system to provide secure data storage[30]. While many stackable file systems have been developed, all of them share a common limitation in functionality. None of them are able to support size changing algorithms (SCAs) which are important and useful for many applications. Examples of such applications include compression which can save ....

E. Zadok, I. Badulescu, and A. Shender. Cryptfs: A Stackable Vnode Level Encryption File System. Technical Report CUCS-021-98. Computer Science Department, Columbia University, 1998.


FiST: A Language for Stackable File Systems - Zadok, Nieh (2000)   (10 citations)  Self-citation (Zadok)

....ISO 9660 3,000 6,000 Floppy PCFS, MS DOS 5,000 6,000 Table 1: Common Native Unix File Systems and Code Sizes for Each Medium performance is poor due to the extra context switches these file systems must incur. These context switches can affect performance by as much as an order of magnitude[26, 27]. Stackable file systems[19] promise to speed file system development by providing an extensible file system interface. This extensibility allows new features to be added incrementally. Several new extensible interfaces have been proposed and a few have been implemented[8, 15, 18, 22] To improve ....

....Vector (IV) and one 128 bit key per mounted instance of Cryptfs. Cryptfs encrypts both file data and file names. After encrypting file names, Cryptfs also uuencodes them to avoid characters that are illegal in file names. Additional design and important details are available elsewhere[26]. The FiST implementation of Cryptfs shows three additional features: file data encoding, using ioctl calls, and using per VFS data. Cryptfs's FiST code uses all four sections of a FiST file. Some of the more important code for Cryptfs is: f #include blowfish.h g filter:data; ....

E. Zadok, I. Badulescu, and A. Shender. Cryptfs: A Stackable Vnode Level Encryption File System. Technical Report CUCS-021-98. Computer Science Department, Columbia University, 1998.


Cryptographic Access Control in a Distributed File System - Christian (2003)

No context found.

E. Zadok, I. Badulescu, and A. Shender. Cryptfs: a stackable vnode level encryption file system. Technical report, Computer Science Department, Columbia University, 1998.


CamouflageFS: Increasing the Effective Key Length in.. - Locasto, Keromytis

No context found.

E. Zadok, I. Badulescu, and A. Shender. Cryptfs: A Stackable Vnode Level Encryption File System. In Proceedings of the USENIX Annual Technical Conference, June 2003.


GnatDb: A Small-Footprint, Secure Database System - Vingralek (2002)   (1 citation)

No context found.

E. Zadok, I. Babulescu, and A. Shender. CryptFS: A stackable vnode level encryption file system. Technical Report CUCS-021-98, Computer Science Department, Columbia University, June 1998.


CiteSeer.IST - Copyright Penn State and NEC