
EFS: Encrypted File System

An Introduction & Final Project for CSE785: Computer Security
Syracuse University, Spring 2005

Overview:

- EFS: What? Why?
- Related work
- Project introduction
- Background:
  - Encryption/Decryption algorithms
  - Mounting a file system
  - Minix system calls
- Project requirements
- Some design & implementation ideas
- My help session topics
- Conclusion

EFS: what is it?

- Encrypted File System (EFS) provides the core file encryption technology used to store encrypted files on the file system.
- The corporate world is very competitive, so access to code and system specifications often needs to be controlled.
- We have to share data among many users or groups, which is a potential security risk from a user's perspective.
- Password security does nothing to prevent a disk from being mounted on a different system and its contents read.

EFS: why do we need it?

- Security: first and foremost
  - Secures data from being accessed by any malicious user / hacker.
- Privacy
  - Ensures that private data is not accessed by other users (who may not be malicious).
- Reliability: an integral component
  - Only responsible parties are given access to important data.
- Resource sharing
  - Many users can use the same system and still work independently.

EFS: benefits

- Reduced risk of data exposure in a specific, if uncommon, scenario.
- Avoids system risks such as:
  - The computer is physically stolen.
  - Someone inside the company tries to compromise information.
  - The system is cracked while attached to a network or infected with malicious software.
- The primary benefit of an encrypted disk system is defense against device theft, making your system a secured one. The other risks, though, are only partially mitigated.

EFS: a definition from whatis.com

The Encrypting File System (EFS) is a feature of the Windows 2000 operating system that lets any file or folder be stored in encrypted form and decrypted only by an individual user and an authorized recovery agent. EFS is especially useful for mobile computer users, whose computer (and files) are subject to physical theft, and for storing highly sensitive data. EFS simply makes encryption an attribute of any file or folder. To store and retrieve a file or folder, a user must request a key from a program that is built into Windows 2000. Although an encrypting file system has existed in or been an add-on to other operating systems, its inclusion in Windows 2000 is expected to bring the idea to a larger audience.

Related work

- StegFS: A Steganographic File System for Linux, University of Cambridge.

- CFS: Cryptographic File System, Temple University.

- SFS: Secure File System, University of Minnesota and StorageTek.

- TCFS: Transparent Cryptographic File System, University of Salerno (Italy).

Project Introduction

In this project, we would like you to:

- Design a scheme to add security features to the existing file system, and
- Devise ways to encrypt / decrypt files using the encryption algorithms.

Background Knowledge: Encryption/Decryption Algorithms

Two types of encryption/decryption schemes:

- Symmetric key (secret-key) scheme
  - DES: Data Encryption Standard
  - AES: Advanced Encryption Standard
- Asymmetric key (public-key) scheme
  - RSA: reinvented by Rivest, Shamir, and Adleman
  - ECC: Elliptic Curve Cryptography

Symmetric Key Algorithms

- A symmetric-key algorithm is an algorithm for cryptography that uses the same cryptographic key to encrypt and decrypt the message. (Actually, it is sufficient for it to be easy to compute the decryption key from the encryption key and vice versa.)
- Other terms for symmetric-key encryption are single-key and private-key encryption.

AES Algorithm

- Advanced Encryption Standard: a symmetric 128-bit block data encryption technique developed by Belgian cryptographers Joan Daemen and Vincent Rijmen.
- AES works at multiple network layers simultaneously.
- The U.S. government adopted the algorithm as its encryption technique in October 2000, replacing the DES encryption it used.
- The National Institute of Standards and Technology (NIST) of the U.S. Department of Commerce selected the algorithm, called Rijndael, out of a group of five algorithms under consideration, including one called MARS from a large research team at IBM.

Asymmetric Key Algorithms

- An encryption method that uses a two-part key: a public key and a private key.
- To send an encrypted message to someone, you use the recipient's public key, which can be sent to you via regular e-mail or made available on any public Web site or venue.
- To decrypt the message, the recipient uses the private key, which he or she keeps secret. Contrast with "secret key cryptography," which uses the same key to encrypt and decrypt.
- Usually we call these public-key algorithms.

Background Knowledge: Mounting a File System

- All files accessible in a Unix system are arranged in one big tree, the file hierarchy, rooted at /. These files can be spread out over several devices.
- The mount command serves to attach the file system found on some device to the big file tree.
- Conversely, the umount command will detach it again.

Background Knowledge: System Call Implementation

- We expect the implementation at kernel level, so you should make use of system calls.
- On how to implement system calls, please refer to the materials in help session 3: system call creation & implementation.

Project Requirements

We expect you to design and implement a working encrypted file system for the Minix operating system, which includes:

- Individual users should have their own keys for encrypting and decrypting files
- Key management in the system
- File management
- Authentication of the user trying to log in to the system

General Kernel Architecture (layers from top to bottom, as drawn on the original slide):

- User process: open(), read(), write(), etc.
- System call interface
- Kernel: VFS
- File systems: Minix FS, Ext2fs
- Buffer cache
- Device driver
- Hardware: disk controller

Design and Implementation Ideas

- Many of the implementations we have seen here have a kernel-level implementation of the file system.
- Certain implementations also have user-level daemons running that call the kernel-level programs (e.g., NFS).
- I am just describing one system architecture; each project team has to come up with its own creative design.

Example -- General System Architecture

[Figure from the original slide. Labels: an encrypted data area laid out in blocks, each block carrying a KeyID, this block's data size and a max block size; user-accessible memory connected to it through read() and write(); a Key DB; and the key encryption and decryption process.]

Design Issues: areas to look into

- File pointer issues.
- Buffer overflow problems: how are you going to deal with them?
- Key management: an area worth thinking about; how will you manage your keys?
- What effect do operations like read and write have on the files?
- How are you going to define your system policy?
- Problems related to revocation, change of ownership, etc.
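The per-block layout from the architecture figure and the overflow and key-management questions above, as an added Python sketch that is not part of the original slides or of any project code: a cleartext header of KeyID, data size and block size in front of a fixed-size encrypted data area, a key DB looked up by KeyID, and write/read helpers that refuse oversized data and blocks whose key the reader does not hold. AES is not in the Python standard library, so an HMAC-SHA256 counter-mode keystream stands in for AES-CTR, and KEY_DB, write_block and read_block are names I chose.

```python
import hashlib
import hmac
import struct

# Added example of the per-block layout from the architecture slide: a
# cleartext header (KeyID, data size, block size) followed by the encrypted
# data area, padded to one fixed block. The standard library has no AES, so
# an HMAC-SHA256 counter-mode keystream stands in for AES-CTR; the block
# number is the nonce so that no two blocks ever reuse a keystream.
# Nothing here authenticates the block; a real design adds a MAC as well.
HEADER = struct.Struct("<III")  # KeyID, data size, block size
BLOCK_SIZE = 512
PAYLOAD_SIZE = BLOCK_SIZE - HEADER.size

# Constructed key database: KeyID -> that user's secret key (demo values only).
KEY_DB = {
    1: hashlib.sha256(b"constructed key for user 1").digest(),
    2: hashlib.sha256(b"constructed key for user 2").digest(),
}

def keystream(key: bytes, block_no: int, length: int) -> bytes:
    """Derive `length` keystream bytes bound to this key and block number."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, struct.pack("<QI", block_no, counter), hashlib.sha256).digest()
    return bytes(out[:length])

def write_block(key_id: int, block_no: int, data: bytes) -> bytes:
    """Encrypt one file block for the owner of key_id; returns BLOCK_SIZE bytes."""
    if len(data) > PAYLOAD_SIZE:  # refuse rather than overrun the block
        raise ValueError("data does not fit in one block")
    if key_id not in KEY_DB:
        raise LookupError("unknown KeyID")
    padded = data.ljust(PAYLOAD_SIZE, b"\0")
    ks = keystream(KEY_DB[key_id], block_no, PAYLOAD_SIZE)
    cipher = bytes(p ^ k for p, k in zip(padded, ks))
    return HEADER.pack(key_id, len(data), BLOCK_SIZE) + cipher

def read_block(block_no: int, block: bytes) -> bytes:
    """Decrypt one stored block and return only the bytes that were written."""
    if len(block) != BLOCK_SIZE:
        raise ValueError("malformed block")
    key_id, data_size, block_size = HEADER.unpack_from(block)
    if block_size != BLOCK_SIZE or data_size > PAYLOAD_SIZE:
        raise ValueError("corrupt header")
    if key_id not in KEY_DB:  # reader holds no key for this owner
        raise PermissionError("no key for KeyID %d" % key_id)
    ks = keystream(KEY_DB[key_id], block_no, PAYLOAD_SIZE)
    plain = bytes(c ^ k for c, k in zip(block[HEADER.size:], ks))
    return plain[:data_size]
```

The same plaintext written to two different block numbers yields different ciphertext, which is what the block-number nonce buys; a block rewritten in place with the same key reuses the keystream, so a real design must also rotate a per-write counter or re-key.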

Refer to some other EFS systems

- As mentioned in the related work slide:
  - StegFS: A Steganographic File System for Linux, University of Cambridge.
  - CFS: Cryptographic File System, Temple University.
  - SFS: Secure File System, University of Minnesota and StorageTek.
  - TCFS: Transparent Cryptographic File System, University of Salerno (Italy).

Sample EFS demo sites

- You can run and see how EFS works; I am listing some sample sites:
  - http://www.geocities.com/openpgp/linux_en.html
  - http://www.linux.se/doc/lasg-www/encryption/

My help session topics

- Tentatively, I have the following schedule for the help sessions before the project is due:
  - Location: Star Lab in CST 1-120
  - Time: the following afternoons, 1:00~4:00pm
  - Schedule*:
    - 04/14: AES algorithms
    - 04/21: Mounting your file system
    - 04/28: File system management
    - 05/05: Last minute rush

* May change according to your feedback

Thank you & Good luck!
