2020 50th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)
SeGShare: Secure Group File Sharing in the Cloud using Enclaves
Benny Fuhry Lina Hirschoff Samuel Koesnadi Florian Kerschbaum SAP Security Research SAP Security Research SAP Security Research University of Waterloo Karlsruhe, Germany Karlsruhe, Germany Karlsruhe, Germany Waterloo, Canada
Abstract—File sharing applications using cloud storage are in- ness. Based on these schemes, cryptographically protected file creasingly popular for personal and business use. Due to data pro- sharing systems were proposed [10], [16], [19]–[22]. The main tection concerns, end-to-end encryption is often a desired feature drawback of such systems is that users gain plaintext access of these applications. Many attempts at designing cryptographic solutions fail to be adopted due to missing relevant features. We to the file key. To achieve immediate permission revocation, present SeGShare, a new architecture for end-to-end encrypted, it is necessary to re-encrypt the corresponding file with a new group-based file sharing using trusted execution environments key. Depending on the scheme, this involves expensive cryp- (TEE), e.g., Intel SGX. SeGShare is the first solution to protect tographic operations and the new key has to be distributed to the confidentiality and integrity of all data and management many users. The problem is more severe on immediate group files; enforce immediate permission and membership revocations; support deduplication; and mitigate rollback attacks. Next to membership revocation, as many files require re-encryption. authentication, authorization and file system management, our This becomes a critical problem if members are removed and implementation features an optimized TLS layer that enables added frequently [23]. high throughput and low latency. The encryption overhead of our In recent years, researchers propose solutions that use a implementation is extremely small in computation and storage trusted execution environment (TEE) for secure file sharing resources. Our enclave code comprises less than 8500 lines of code enabling efficient mitigation of common pitfalls in deploying code systems [24]–[27]. TEEs provide an isolated environment to TEEs. — an enclave — to protect code and data in an untrusted environment. A TEE called Intel SGX [28]–[33] is integrated I. INTRODUCTION into (most) modern Intel CPUs and used by all of these In many applications, users want to share files with a group approaches. A-SKY [24] and IBBE-SGX [25] are based on of other users. For instance, employees of a company want cryptographic access control schemes and also suffer from to share files with colleagues. One option is to distribute user’s access to plaintext file keys. Nexus [26] proposes a the files to each group member individually. A better option client-side enclave, which is a severe drawback due to the is a local or remote central repository to store the files heterogeneity of end-user devices. and manage access control. A convenient remote repository We propose and implement SeGShare, a solution supporting is a cloud-based file sharing service as it can reduce cost, group file sharing in large and dynamic groups. SeGShare increase availability and enable seamless multi-device access is TEE-based without using a cryptographic access control to files. Many commercial vendors provide such a service, e.g., scheme. Via tokens, users authenticate themselves to the Google Drive [1], Dropbox [2], or WeTransfer [3]. However, enclave and establish a secure channel with it, which is used data at cloud services could be accessed by unauthorized for all subsequent communication. On every user access, the parties or exposed by internal attackers [4]–[6]. Frequently, enclave checks encrypted access control policies to enforce company policies prohibit to upload files to an untrusted cloud read and/or write access on files. Immediate permission or provider [7]. membership revocations only require an inexpensive modifi- Some cloud providers, e.g., MEGA [8] or Sync.com [9], cation of an encrypted file. Users can upload arbitrarily large encrypt files client-side using file keys and store these keys files through the secure channel directly into the enclave. If the protected with the user’s password. They also enable group upload is granted, the enclave encrypts the files with a random file sharing by encrypting file keys with a group key, which is key using probabilistic authenticated encryption and stores the encrypted with the public key of each group member. How- files in the untrusted environment. On each granted file request, ever, this does not scale well for large groups as an additional the file is decrypted inside the enclave and sent to the user key is required for each group member. Furthermore, files have over the secure channel. SeGShare separates authentication to be re-encrypted on permission or membership revocations. and authorization using identity information in the tokens. MEGA and Sync.com use so-called Hybrid Encryption As long as the identity information is preserved, no further (HE) [10] with public-key management to enforce access change is necessary if a user’s token is replaced or if a user control. Besides HE, many cryptographic schemes have been has different tokens for multiple devices. A comprehensive proposed [11]–[18] to improve access control policies regard- list of SeGShare’s features not mentioned so far is presented ing, e.g., key distribution, the number of keys, and expressive- in Table II. Among others, it protects the confidentiality and
978-1-7281-5809-9/20/$31.00 ©2020 IEEE 476 DOI 10.1109/DSN48063.2020.00061 integrity of all data and administration files; supports data Memory Isolation. In the current version, SGX dedicates deduplication; and mitigates rollback attacks. 128 MB of the system’s main memory (RAM) for the so-called This combination of features is not met by any related Processor Reserved Memory (PRM). All code and data in the work (see Table III) and we agree with the authors of A- PRM are encrypted while residing outside of the CPU and SKY [24], who state that “given the memory and computa- decrypted and integrity checked when the data is loaded into tional limitations of SGX enclaves (e.g., trusted computing the CPU. All other software on the system, including privi- base (TCB) size, trusted/untrusted transition latency), it is far leged software such as OS, hypervisor, and firmware, cannot from trivial to develop such a proxy service able to scale and access the PRM. The OS can swap out enclave pages and SGX sustain a high data throughput, considering dynamic access ensures integrity, confidentiality and freshness of swapped-out control operations.” The key to achieve a high throughput pages, but paging comes with a major performance overhead. under dynamic groups is that SeGShare does not require com- Every program using SGX consists of an enclave and an plex cryptographic operations on permission or membership untrusted part, and the host process can invoke the enclave changes. Besides that, we build an efficient SGX-enabled TLS only through a well-defined interface. stack, use switchless enclave calls for all network and file Attestation. SGX has a remote attestation feature, which traffic, and the enclave requires only a small, constant size allows verification of code integrity and authenticity on a buffer for each request. remote system. This verification is done by hashing (called The main contributions of SeGShare are: measuring in SGX terminology) the initial code and data • New architecture for efficient, end-to-end encrypted loaded into the enclave. The authenticity of the measurement group file sharing supporting large and dynamic groups as well as the fact that the measurement originates from a using a server-side TEE, e.g., Intel SGX. benign enclave is ensured by SGX’s attestation feature (refer • First file sharing system combining confidentiality and to [28] for details). The measurement can be provided to an integrity of all data and administration files; immediate external party to prove the correct creation of an enclave. revocations without expensive re-encryptions; data dedu- Furthermore, the remote attestation feature allows to establish plication; rollback protection; and separation of authenti- a secure channel between an external party and an enclave. cation and authorization. This secure channel can be used to deploy sensitive data, e.g., • Latency average of 2.39 s and 2.17 s to upload and cryptographic keys, directly into the enclave. download a 200 MB file — faster than a plaintext storing Data Sealing. Inherently, SGX enclaves are stateless, i.e., Apache WebDAV server in the same setup. Latency all of its contents are lost when the enclave is destroyed. To under 170 ms for membership and permission operations, preserve data for multiple enclave runs, SGX offers data seal- independent of file sizes, stored files in total, number of ing. This process uses a sealing key to encrypt and integrity- group members, number of user permissions, and groups protect data. Afterwards, the data can be stored outside of the sharing a file. enclave in untrusted memory, and only an enclave with the • Storage overhead of only 1,06% for encrypted storage same sealing key can unseal the data. of a file shared with more than 1000 groups containing Protected File System Library. This library is shipped with 200 MB plaintext data. the Intel SGX SDK and provides a subset of the regular C • SGX-enabled, optimized TLS implementation. file API, e.g., file creation, file writing, and file reading. On • Enclave with only 8441 lines of code, reducing the write, data is separated into 4kB chunks, the data’s integrity potential for security-relevant implementation errors, un- is ensured with a Merkle hash tree variant, and each chunk intended leakages, hidden malware, and side-channel is encrypted with AES-GCM before it is stored in untrusted leakages. memory. When file chunks are loaded back into the enclave, the confidentiality and integrity is verified. The encryption key II. BACKGROUND can be provided manually, or it can be derived automatically First, SeGShare uses a TEE, more specifically Intel SGX, from the sealing key. At any point, only one file handle can to provide an end-to-end secure file sharing system. Second, be open for writing, but many handles for reading. the stored files are encrypted with probabilistic authenticated Switchless Calls. A primary performance overhead of SGX encryption. Third, we use a specific file system model. In this applications are switches into and out of an enclave, because section, we review these three concepts. state has to be saved and restored. SGX’s SDK supports switchless calls, a technique to reduce this overhead. Calls into A. Intel Software Guard Extensions (SGX) the enclave are replaced by writing tasks into an untrusted Intel SGX is an instruction set extension that is available buffer and enclave worker threads asynchronously perform in Intel Core processors since the Skylake generation and the task. Calls out of the enclave are written into a separate Intel Xeon processors since the Kaby Lake generation making untrusted buffer and untrusted threads perform the tasks. it a widely available TEE. It provides a secure, isolated processing area, an enclave, which guarantees confidentiality B. Probabilistic Authenticated Encryption (PAE) and integrity protection to code and data, even in an untrusted PAE provides confidentiality, integrity, and authenticity of environment [28]–[33]. encrypted data. PAE Enc takes a secret key SK, a random
477 initialization vector IV and a plaintext value v as input no further change is necessary if a user’s authentication token and returns a ciphertext c. PAE Dec takes SK and c as is replaced or if a user has different authentication tokens for input and returns v iff v was encrypted with PAE Enc under multiple devices. the initialization vector IV and the secret key SK. With a Table I presents an overview of our access control model. random initialization vector per encryption, AES-128 in GCM A user u ∈ U is assigned to one group g ∈ G or multiple mode [34] can be used as a PAE implementation. groups. Additionally, each user u is part of its default group C. File System gu, i.e., a group that only contains u. Each g has a group owner (GO), which initially is the user u adding the first member to We use a generic file system model that fits to various g. GOs can change group memberships (rG) and extend the operating system (cf. [35]). A file system (FS) is composed of group ownership (rGO) to other groups. Every f ∈ FS has at files (FC ) and directories (FD). We also denote the former as least one file owner (FO), which initially is the user uploading content files and the latter as directory files as both are stored a file or creating a directory. For any file f and group g, the FO C ∈ C in files. Each f F contains a linear array of bytes that can extend the file ownership (rFO) and set file permissions D ∈ D can be read and written. Each f F is a collection of files (rP ). The permissions can either be a combination of read and/or further directories, and it stores a list of all its children. (pr) and write (pw), or access can be denied (pdeny). As a The directories form a tree with a root directory file (fDr )at result, a user’s permissions depend on the permissions of all ∈ the root of the tree. The parent directory of each f FS is groups he is member of. The main benefit of group-based specified by its parent in the tree. permission definitions is that a membership update is sufficient Each fD has a directory name. The directory name of fDr to provide or revoke a user’s access to many files instead of is defined as “/”, and all other directory names are flexible changing the permissions of all affected files individually. FOs excluding the character “/”. Each fD has a path that is can define that a file f ∈ FS should inherit permissions from specified by its location in the directory tree hierarchy: the its parent (rI ). This enables, for example, central permissions path is the concatenation of all directory names in the tree management of multiple files: create a directory, set the desired from fDr to fD delimited and concluded by “/”. Each fC has permissions for the directory, add files to the directory, and a filename, and fC ’s path is the concatenation of the path of define that the files should inherit permissions. its parent directory and its filename.
III. DESIGN CONSIDERATIONS TABLE I: SeGShare’s access control model. In this section, we first describe an ideal file sharing system Element Description to illustrate the features we expect from such a system, to introduce notation, and to introduce a formal access control U Set of individual users u model. Then, we describe the attacker model. Based on those G Set of individual groups g; each user u has a default group gu steps, we deduce a set of functional, performance and security P Set of individual permissions p ∈{pr,pw, objectives. Finally, we present related work showing that no pdeny} existing solution fulfills these objectives. FC Set of stored individual content files fC FD Set of stored individual directory files fD A. Ideal File Sharing System FS File system FS = FC ∪ FD ⊂ × ( ) ∈ A file system owner (FSO) has many users (U). Those rG U G u, g rG: user u is member of group g ⊂ × × ( ) ∈ users want to share files via a file sharing system hosted at a rP P G FS p, g, f rP : group g has permission p for file f cloud provider. The FSO has an authentication service, which rI ⊂ FS f ∈ rI : file f inherits permissions from provides an authentication token with identity information its parent to all users. W.l.o.g., we use a certificate authority (CA) rFO ⊂ G × FS (g, f) ∈ rFO: group g owns file f as authentication service and certificates as authentication rGO ⊂ G × G (g1,g2) ∈ rGO: group g1 owns group g2 tokens throughout this paper. To use the system, users only have to store the authentication token. They use this token for authentication while establishing a secure channel with We also expect the following features from the service. an enclave running at the cloud provider. Without any spe- (1) Immediate revocation, i.e., file permission or membership cial hardware, users use the established secure channel for updates, especially revocations, are enforced instantly without the following requests: create/update/move/download/remove time-consuming re-encryptions of files f ∈ FS. (2) A constant files; create/list/move/remove directories; set file/directory per- number of ciphertexts for each f ∈ FS, independent of missions for an individual user or a group; create groups; permissions and group memberships. (3) Confidentiality and and change group memberships. All requests do not require integrity protection of all content files, the file system struc- interaction with other users and authorization is done with ture, permissions, existing groups, and group memberships. the identity information contained in the authentication token, (4) Storage space reduction by deduplicating files and using which leads to a separation of authentication and authorization. the same encrypted files for different groups. (5) Rollback As a result, as long as the identity information is preserved, protection for individual files and the whole file system.
478 B. Attacker Model access. HE requires public-key management, e.g., by a PKI, to We consider the CA trusted, i.e., it securely creates certifi- establish a trusted connection between users and public keys. cates for users and securely provisions them. All users know Identity Based Encryption (IBE) [11], [12], [48] allows to and trust the CA, more specifically its public key, which is use arbitrary strings as public key for each user. given in many corporate environments. An attacker controlling Attribute Based Encryption (ABE) [13], [14], [49] enables multiple users should only have permissions according to the fine-grained access control by defining a set of attributes for union of permissions of the individual controlled users. At users and files. Files can only be decrypted if a defined number the cloud provider, we assume a malicious attacker, i.e., an of attributes match [13], the policy defined in the user’s attacker that does not need to follow the protocol and tries secret key matches the ciphertext’s attribute [14], or the policy to gain as much information as possible. Only the enclave defined in the ciphertext matches the user’s attributes [49]. data and code are protected by a TEE and not accessible The idea of Broadcast Encryption (BE) [15], [16], [50] by the attacker. The code is assumed not to have intentional is that a broadcaster encrypts messages, sends them via a data leakage and it contains a hard-coded copy of the CA’s broadcast channel, and only a permitted subset of users is public key. All other software is controlled by the attacker. able to decrypt the messages. BE can be used for file sharing As a result, she can monitor and/or change data on disk by considering the files as messages and the file system or in memory; rollback individual files or the whole file as broadcast channel. BE schemes have various tradeoffs system; send arbitrary requests to the enclave; view all network regarding private key, public key and ciphertext size, but no communications; and monitor communication between the scheme is constant in all sizes. untrusted and trusted software part. We do not protect the Identity-Based Broadcast Encryption (IBBE) [17], [18], [51] number of files, the file sizes, and the file access pattern. is a combination of IBE and BE. Messaged are encrypted We note that research has shown that SGX is vulnerable to under a public key for receivers that are identified by an various side-channel attacks, e.g., timing attacks [36], cache arbitrary string, and receivers can decrypt messages with their attacks [37], or page faults [38]. Other research mitigates side- private keys if their identity is part of the receiver set. As with channel attacks [39]–[41], detects side-channel attacks [42], or BE schemes, IBBE schemes are not constant in all keys. proposes a data oblivious file system [43]. Side-channel attacks File Sharing Systems. Cryptographically protected file and mitigations are orthogonal to our research and thus, we sharing systems use the just presented cryptographic access do not consider them further. Hardware attacks and Denial of control mechanisms and enrich them to file systems with, Service (DoS) are out of scope. e.g., key regression [19], integrity proofs [20], and data C. Design objectives deduplication [22]. Some TEE-based file sharing systems also use the cryptographic access control mechanisms to design an Based on the ideal file sharing system and the attacker anonymous file sharing system [24] or an IBBE scheme with model, Table II shows the functional, performance and security reduced encryption complexity [25]. NEXUS [26], Pesos [27] objectives that we expect from a secure and flexible file sharing and SeGShare are not based on the cryptographic access system. control mechanisms. D. Related Work All file sharing systems that are based on a cryptographic Conceptually, TEE-based key-value stores [44]–[47] are re- access control mechanism use HE or a combination of HE lated as they also use enclaves to authenticate users; to receive and IBE, ABE, BE, or IBBE. This, e.g., allows to remove and send encrypted data over a secure channel; and to guar- the public-key management, reduces the number of keys, antee confidentiality and integrity of data stored in untrusted and/or increase the expressiveness of access control policies. storage. However, they do not support the (overwhelming) However, permitted users gain plaintext access to the file key majority of objectives defined in Table II. Especially they do on each file access. Therefore, the following process has to be not support data sharing and dynamic (user- or group-based) executed to enforce immediate permission revocation: a new access control, which is the main focus of this paper. file key is generated, the file is re-encrypted with the new key, In the remainder of this section, we discuss related file the new key is encrypted for each user or group still having sharing systems, which we distinguish between pure crypto- access. On membership revocation, the just mentioned process graphically protected and TEE-supported file sharing systems. has to be performed for every file the group has access to. In Table III, we present to which extent those systems fulfill Objective P3 is not fulfilled by those file sharing systems. the defined objectives. If applicable, the table shows on which Additionally, Garrison et al. [23] state that (1) most IBE cryptographic access control mechanisms the systems are schemes are pairing-based, which is an order of magnitude based on. In the following, we first describe those mechanisms slower than public-key encryption used at HE, (2) ABE and then discuss highlights of Table III. incurs substantially higher costs than IBE, even for simple Cryptographic Access Control Mechanisms. A simple access control policies, (3) existing schemes for proxy re- access control mechanism is Hybrid Encryption (HE): a file is encryption [52], [53] do not solve the problem, and (4) crypto- encrypted with a unique, symmetric file key, and the file key graphic access controls lead to prohibitive computational cost is encrypted with the public key of each user that should have for practical, dynamic workloads.
479 TABLE II: Expected functional (Fx), performance (Px) and security objectives (Sx).
obj. Description obj. Description F1 File sharing with individual users / groups P3 File permissions / group membership revocations do not F2 Dynamic permissions / group memberships require re-encryption of content or directory files F3 Users set permissions P4 Constant number of ciphertexts for content and directory files F4 Separate read and write permissions P5 Different groups can access the same encrypted file F5 Users (and administrators) do not need special hardware S1 Protect confidentiality of content files / file system F6 Non-interactive permission / membership updates structure / permissions / existing groups / group memberships F7 Multiple file owners / group owners S2 Protect integrity of content files / file system structure / F8 Separation of authentication and authorization permissions / existing groups /group memberships F9 Deduplication of encrypted files S3 End-to-end protection of user files F10 Permissions can be inherited from parent directory S4 Immediate revocation P1 Constant client storage S5 Protection against rollback of individual files / whole file system P2 Group-based permission definition
TABLE III: Classification of SeGShare and related work based on objectives defined in Table II. The symbols represent that an objective is supported ( ), partially supported ( ), not supported ( ), or not part of the design (–). Note that some objectives in Table II have multiple sub-objectives separated by /, which are also used in this table.
based system F1 F2 F3 F4 F5 F6 F7 F8 F9 F10 P1 P2 P3 P4 P5 S1 S2 S3 S4 S5 on Pure Cryptographically Protected File Sharing Systems [10] HE /– /– /– /– /– – / / /–/– / / /–/– / [19] HE /– /– /– /– /– – / / /–/– / /–/–/– / [16] BE /– /– /– /– /– – / / /–/– / / /–/– / [23] IBE, ABE / / / / / / / / / / / / / / [20] BE /– /– /– /– /– – /–/ /–/– /–/ /–/– /– [22] ABE /– /– /– /– /– – / / /–/– / / /–/– / TEE-Supported File Sharing Systems [24] HE / / / / / / / / / / / / / / [25] IBBE / / / / / / / / / / / / / / [26] / / / / / / / / / / / / / / [27] / / / / / /–/ / / /–/ / / / SeGShare / / / / / / / / / / / / / /
Only Pesos [27] does support multiple file owners and IV. SEGSHARE DESIGN no system supports multiple group owners (F7). Only In this section, we discuss SeGShare’s design based on NEXUS [26] and Pesos [27] separate authentication and the components illustrated in Fig. 1. This design fulfills most authorization (F8). Deduplication of encrypted files (F9) is objectives presented in Table II. Any remaining objectives are only supported by REED [22], and no system supports permis- fulfilled by extensions discussed in the next section. We start sion inheritance (F10). Almost all cryptographically protected with the setup phase in which trust is established between file sharing systems do not support group-based permission users and the cloud provider, followed by the runtime phase definition (P2). Therefore, each objective related to groups is in which user requests are processed. not part of their design. Only the approach from Garrison et al. [23] and Pesos [27] support that different groups can A. Setup: Establish Trust between Users and Enclave access the same encrypted file (P5), which can significantly The setup phase of SeGShare establishes bilateral trust reduce the required storage for files shared with different between each user u ∈ U and the enclave running at the cloud groups. Only NEXUS [26] protects the confidentiality and provider. This phase is only executed once, and the established integrity of the file system (S1 and S2). Half of the systems trust is the basis for the end-to-end security of user files. perform immediate revocation (S4), and all others propose Establish user trust in enclave. The CA’s certificate service lazy-revocation, i.e., re-encryption is deferred until the next component connects to the untrusted certification component, file update. This opens a window of opportunity for security one external interface of SeGShare, to perform remote attes- breaches, as a revoked user can still access all files that are tation of the enclave (see Section II-A). The CA’s public key not updated. No related work provides a rollback protection for is hard-coded into the enclave. Thus, if the CA receives the individual files and the whole file system, which is enforced expected measurement, it is assured to communicate with an at every point in time (S5). enclave that was built specifically for this CA. During remote attestation, the CA establishes a secure channel that ends at the
480 User User Cloud Provider Application SeGShare Server SeGShare Enclave TLS TLS Request File Root Interface Interface Handler Manager Key Priv. Client File Key Cert. Certification Certification Access File Component Component Control Manager
CA Certification Service Server Key Memb. Group File ACL Cert. Pair List List Trusted Untrusted Fig. 1: SeGShare architecture. trusted certification component. This channel is used for the create/update a file; get file content or directory listing; set following message exchanges: (1) the CA requests a certificate file/directory permission for a group; and add/remove a user signing request (CSR); (2) the enclave generates a temporary to/from a group. Remember that each user is part of its default key pair and provides the CA with a CSR containing the group, and thus, permission requests also applies for individual public-key of the temporary key pair; and (3) the CA generates users. A request used to define that a file should inherit its and signs a server certificate and provides it to the enclave. The permissions is described in Section V-B. We do not discuss enclave checks the certificate’s validity. On success, it persists the following requests for brevity, but their implementation the server certificate in untrusted memory, seals the key pair is straightforward: remove file/directory; move file/directory; (see Section II-A), and triggers the trusted TLS interface to update ownership of file/directory; update group ownership; update its server certificate. The CA can request a new CSR and delete group. and subsequently replace the server certificate at any time. Notably, the user application does not require any special During runtime, the users receive the server certificate on hardware (F5), and it only needs to store a client certificate every connection. As the CA checks the validity of the enclave and the corresponding private key, independent of cloud stored and the users trust the CA, the users only have to verify the files, permissions or group memberships (P1). server certificate with the CA’s public key to be sure that TLS Interface. The TLS interface is partitioned into an they communicate with a trusted SeGShare enclave. Notably, untrusted and trusted part (inside the enclave). The untrusted remote attestation is not necessary. TLS interface terminates the network connection (e.g., TCP), Establish enclave trust in users. For each user u ∈ U,the because the enclave cannot perform I/O. All TLS records are CA validates u’s identity and provides a client certificate to u. forwarded to the trusted TLS interface, which first performs This certificate contains identity information, e.g., a user ID, the TLS handshake using the most recent server certificate. a mail address, and/or a full name. User u can check that the Next, it decrypts/encrypts all incoming/outgoing TLS records. certificate is signed by the trusted CA as u knows CA’s public As such, the trusted TLS interface is the endpoint of a secure key. During the TLS handshake, u’s applications present u’s channel from the user application to the enclave. client certificate to the enclave, which validates the certificate Request Handler. The request handler component parses using the CA’s public key. On success, the enclave can be sure each incoming request, checks the syntax, uses the identity that it communicates with a valid user of the system. information in the client certificate to allocate the request B. Runtime: Requests and Responses to a user u, and processes requests as outlined in Algo. 1. During processing, it uses internal operations (see Table IV), Each request starts and each response ends at a user appli- which are provided by the access control and file manager cation. Therefore, we introduce this component of SeGShare components described in the following sections. first and then explain which parts of the processing are done by the other components. SeGShare achieves separation of authentication and autho- User Application. The user application links the users’ lo- rization (F8) by allocating u based on the identity information cal file systems to the remote file system at the cloud provider. in the client certificate and using u for authorization decisions. For this link, it establishes a connection to SeGShare’s second Furthermore, the combination of operations outlined in Algo. 1 external interface, the untrusted TLS interface. This interface allow a user to share a file or directory with individual users is used to establish a secure TLS connection directly to the (using their default groups) and groups (F1, P2), dynamically trusted TLS interface. Details about the two TLS interfaces change permissions and group memberships (F2, F3), set are discussed in the next section. separate read and write permissions (F4). None of the listed After a TLS handshake, the user application can send operations requires any interaction with other users (F6). requests to the enclave. In the design section, we only Updates of file and group ownerships are not listed, but the discuss the following requests in detail: create a directory; operations only require a straightforward update of rFO and
481 Algorithm 1 SeGShare’s external requests.