Efficient Cryptographic Techniques for Securing Storage Systems Thesis Proposal Alina Oprea Carnegie Mellon University, Computer Science Department Abstract With the advance of storage technologies to networked-attached storage, a recently emerging ar- chitecture that provides higher performance and availability than traditional direct-attached disks, new security concerns arise. In these environments, clients can no longer rely only on the storage servers to provide security guarantees, since these become now easier to compromise. In consequence, clients have to play a more proactive role in protocols designed for data protection and work together with the storage servers to ensure the confidentiality and integrity of the data. For this purpose, traditional file systems have been augmented with client-side cryptographic operations, leading to a number of different cryptographic file systems solutions proposed recently. In this thesis, we propose new approaches for three different mechanisms that are currently employed in implementations of cryptographic file systems. First, we propose novel constructions that reduce the amount of additional storage required for integrity in block storage systems. These constructions are based on the observation that, in practice, distributions of block contents and of block access patterns are not random. As future work, we plan to extend our constructions to provide integrity of both data and metadata in cryptographic file systems. Secondly, we construct efficient key management schemes for cryptographic file systems in which the re-encryption of a file following a user revocation is delayed until the next write to that file, a model called lazy revocation. The encryption key evolves at each revocation and we devise an efficient al- gorithm to recover previous encryption keys with only logarithmic cost in the number of revocations supported. Thirdly, we address the problem of consistency of encrypted shared file objects used to im- plement cryptographic file systems abstractly. We provide sufficient conditions for the realization of a given level of consistency, when concurrent writes to both the file and encryption key objects are possi- ble. We plan to integrate our three novel mechanisms in an example architecture of a cryptographic file system, and implement it on top of NFS using the SFS toolkit. We also plan to evaluate the amount of storage needed for integrity, the latency overhead incurred by the encryption and the integrity mech- anisms, and the throughput offered by the file system upon concurrent writes compared against those offered by NFS. 1 Introduction Networked storage solutions, such as Network-Attached Storage (NAS) and Storage Area Networks (SAN), have emerged as an alternative to direct-attached storage. These modern architectures provide remote block- level data storage services for clients, preserving the same interface as a local disk to the client file system. 1 A storage area network service is often owned and managed by an organization other than the client’s, and it may additionally store other client organizations’ data using the same physical resources. While storing large amounts of data on high-speed, dedicated storage-area networks simplifies storage management and stimulates information sharing, it also raises security concerns. It is desirable that clients using a networked storage system have similar security guarantees to those offered by traditional storage systems. However, the storage servers in a NAS or SAN are more exposed than direct-attached disks. In these environments, the clients cannot rely on the storage servers for security guarantees, and, it is thus necessary that clients secure the stored data themselves in a manner transparent to the storage servers. For this purpose, cryptographic file systems augment file systems with client-side cryptographic operations that can be used to protect the confidentiality and integrity of stored data. Several security mechanisms are needed to implement cryptographic file systems, in particular prim- itives for data confidentiality and integrity, access control methods to enable sharing of information, key management schemes that support user revocation, and methods for guaranteeing consistency of encrypted data, detailed below: Data Confidentiality. In order to prevent access to stored data by unauthorized parties, data confidentiality can be maintained using either a standard block cipher (e.g., AES) in one of the standard modes of operation (e.g., CBC) or a tweakable cipher [50, 33, 34]. Tweakable ciphers were designed following a call for algorithms for block level encryption by the IEEE Security In Storage Working Group (SISW) [1]. These algorithms are length-preserving, so that block boundaries do not shift or need to be adjusted as a result of encryption. Data Integrity. The data stored on the storage servers is vulnerable to modification and replay attacks. Tra- ditionally, data integrity is protected using cryptographic primitives such as message-authentication codes (MAC) and digital signatures. More sophisticated constructions (e.g., based on Merkle trees [54]) can be used to reduce the amount of additional storage needed to check the integrity of data blocks. Access Control. An access control mechanism needs to be employed to restrict access to the information stored to only authorized users. A natural access control method for cryptographic file systems is to distribute the appropriate cryptographic keys (e.g., encryption, MAC or signing keys) for a certain file only to users that have access permissions to that file. An alternative method uses capabilities [29], but assumes intelligent storage devices that can check the validity of the capabilities presented by users before performing operations on data. Key Management and User Revocation. Key management solutions in cryptographic file systems range from fully centralized key distribution using a trusted key server [26] to completely decentralized key distribution done by the file system users [45, 40]. The cryptographic keys for a file need to be updated after a user’s access permissions to that file are revoked. Additionally, the cryptographic information for that file (either an encryption of the file or some integrity information) has to be recomputed with the new cryptographic key. There are two revocation models, depending on when the cryptographic information for a file is up- dated. In an active revocation model, all cryptographic information is immediately recomputed after a revocation takes place. This is expensive and might cause disruptions in the normal operation of the file system. In the alternative model of lazy revocation, the information for each file is recomputed only when the file is modified for the first time after a revocation [26]. Consistency of Encrypted Data. Sharing of information among clients is an important feature offered by file systems. When multiple users are allowed concurrent access and modification of information, 2 consistency of data needs to be maintained. Many different consistency models have been defined and implemented, ranging from strong conditions such as linearizability [35] and sequential consis- tency [46], to loose consistency guarantees such as causal consistency [5] and PRAM [49]. Thesis contributions. In this thesis, we propose new approaches to three different mechanisms that can be used to improve current implementations of cryptographic file systems: data integrity, key management for cryptographic file systems adopting lazy revocation, and consistency of encrypted file objects. Our goal in this thesis is to demonstrate that storage systems can be secured using novel provably secure cryptographic constructions that are space-efficient and incur low performance-overhead. To this end, we first propose space-efficient novel constructions for storage integrity that exploit the fact that distributions of block contents and of block access patterns are not random in practice [57]. To preserve the length of the encrypted blocks sent to the storage servers, clients encrypt the blocks with a tweakable cipher and keep locally some state used to check the integrity of the blocks written. The constructions use the non-malleability property of tweakable ciphers to minimize the amount of local storage for integrity. Our preliminary results demonstrate that our constructions are space-efficient and have low performance overhead compared to constructions in which a hash or a MAC is stored per block. Experiments also demonstrate that defending against replay attacks requires more storage for integrity than a simple solution that defends only against modification attacks. Secondly, we construct efficient key management schemes for systems adopting lazy revocation, called key-updating schemes for lazy revocation [8, 7]. Assume that the same cryptographic key is used initially for a group of files with the same access permissions and the key is modified after every revocation. We denote the time between two revocations as a time interval. After several user revocations, the lazy revocation model implies that different versions of the key might be used for different files in the group. Storing and distributing these keys becomes more difficult in such systems than in systems using active revocation. We model key-updating schemes using a center (e.g., the group owner) that initially generates some state information, updated at every revocation. Upon a user request, the center uses its current local state to derive a user key and gives that to the user. From