-like Access Permissions in Fully Decentralized Systems

Johanna Amann∗ (Technische Universität München, [email protected]) and Thomas Fuhrmann (Technische Universität München, [email protected])

Current fully decentralized file systems just offer basic access semantics. In most systems, there is no integrated access control. Every user can access a file system can and sometimes even all data. Only few systems offer better protection. However, they usually involve algorithms that do not scale well, e.g. certificates that secure the file access rights. Often they require online third parties. To the best of our knowledge all systems also lack the standard Unix access permissions that users have become accustomed to.

In this poster, we show a decentralized, cryptographically secure, scalable, and efficient way to introduce nearly the full spectrum of Unix file system access permissions into distributed file systems. All access rights are enforced by symmetric cryptography only. Moreover, we do not require online third parties.

Our proposal is twofold. It consists of the integrity protection of the file system and the confidentiality protection of the individual files.

For integrity protection, we create a new directory structure. Each user and group has a dedicated directory hierarchy. All files and directories belonging to a user reside in the user's own directory structure. The same holds true for groups. Every file or directory is referenced at least two times in the directory structure: once in the user directory hierarchy and once in the group hierarchy. Fig. 1 shows an example for this structure where the traditional Unix directory structure is mapped onto this new directory structure.

A simple Merkle hash-tree secures the write-operations. The hash of the top-level directory is signed with a symmetric algorithm. Other users can validate the current file system state by recomputing the hashes and checking the signature. Using this approach we can guarantee fork-consistency, the highest level of consistency possible in a fully distributed system.

For data protection, we split each group into a public and a private part. World-readable files are stored in the public part of the group-directory in addition to the owner's user-directory. Files that are only readable by the group are stored in the private part of the group-directory. Files that are only readable by the owning user are only stored in the owner's user-directory. The private group directory is secured with a group encryption key. This encryption key is distributed to the group members using the subset difference encryption scheme. When a file-owner writes a file, the copy in her user-directory is updated. When a group-member updates a file, the copy in the group-directory is updated. Both places have to be checked on access for the most recent version. The file owner can set write permissions in her home directory.

With this scheme we can support nearly all POSIX access semantics. Problems only arise for some rarely used features of POSIX such as the possibility for non-owners to remove empty directories they do not have access to.

To allow more flexible file permissions, POSIX ACLs can be layered on top of our approach. However, as we can show, this introduces a significantly higher overhead and requires the use of asymmetric cryptography.

Our approach can be implemented on every kind of block or chunk oriented storage. We currently implement it on top of IgorFs, a fully decentralized distributed file system developed in our research group.

IgorFs provides a decentralized storage backend for variable-sized data chunks. Each file or directory is represented by one or more chunks. The different chunks are identified by the hash values of their encrypted content. To access a file system within IgorFs a user needs to know the hash and the encryption key of the file system root. From there, hash and encryption keys can be read recursively. Anybody can create a new file system by creating a new (empty) root block. Multiple cryptographically separated file systems share the network and the underlying storage facilities. Nodes can subscribe to file systems; changes are then propagated to the subscribed nodes within a few seconds.

∗Student

[Figure 1 diagram. Legend: entry point, visible folder, invisible internal folder, internal link, directory entry, referenced entry, group encrypted (G). Node labels: /, home, superuser, root, amann, staff, .users, .groups, public, private.]

Figure 1: Internal directory structure
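
The Merkle hash-tree validation and the hash-addressed chunk lookup described above can be sketched as follows. This is an added example, not code from the poster or from IgorFs: it assumes HMAC-SHA256 as the symmetric signature, leaves out chunk encryption, and uses a constructed key, file name and directory layout.

```python
import hashlib, hmac, json

def put(store, data):
    """Store a chunk under the SHA-256 of its content; return that identifier."""
    cid = hashlib.sha256(data).hexdigest()
    store[cid] = data
    return cid

def put_tree(store, node):
    """Store a file (bytes) or directory (dict) bottom-up; return its Merkle hash."""
    if isinstance(node, bytes):
        return put(store, b"F" + node)
    entries = {name: put_tree(store, child) for name, child in node.items()}
    return put(store, b"D" + json.dumps(entries, sort_keys=True).encode())

def sign_root(key, root_id):
    """Symmetric signature over the top-level hash (HMAC-SHA256 is an assumption)."""
    return hmac.new(key, root_id.encode(), hashlib.sha256).hexdigest()

def fetch(store, cid, kind):
    """Return a chunk's payload only if it hashes to cid and has the expected type."""
    data = store[cid]
    if hashlib.sha256(data).hexdigest() != cid or data[:1] != kind:
        raise ValueError("chunk fails verification: " + cid)
    return data[1:]

def read_file(store, key, root_id, tag, path):
    """Check the root MAC, then walk path, verifying each chunk against its hash."""
    if not hmac.compare_digest(sign_root(key, root_id), tag):
        raise ValueError("root signature invalid")
    cid = root_id
    for name in path:
        cid = json.loads(fetch(store, cid, b"D"))[name]
    return fetch(store, cid, b"F")

# Constructed sample: one file referenced from the user and the group hierarchy.
KEY = b"constructed-demo-key"
TREE = {".users": {"amann": {"notes.txt": b"hello"}},
        ".groups": {"staff": {"public": {"amann": {"notes.txt": b"hello"}}}}}
STORE = {}
ROOT = put_tree(STORE, TREE)
TAG = sign_root(KEY, ROOT)

if __name__ == "__main__":
    print(read_file(STORE, KEY, ROOT, TAG, [".users", "amann", "notes.txt"]))
```

A reader who holds the key only needs the chunks along the requested path; a modified chunk, or a rebuilt tree presented with the old signature, is rejected.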