Security Issues In OSD
Vishal Kher
21 October 2002
Slide 2: Outline
• Security for NASD
• Comparison With Our Regional Model
• Intrusion Detection
• Conclusion
Slide 3: How Things Were (source: Howard Gobioff, PDL Retreat 1998)
• Fileserver protects critical information resources
• Requests go through the fileserver
• Every request is inspected
• Malicious requests never read the disk
Slide 4: How NASD Changes Things (source: Howard Gobioff, PDL Retreat 1998)
• File manager is not on the datapath
• Policy decisions made by file manager
• Drive must enforce policy
Slide 5: Basic Security Strategy (source: Garth Gibson, NSIC OBSD presentation, September 7, 2000)
• Integrity of communications (requests/data)
  – digital signature (HMAC-SHA-1), often called a MAC
  – signature = crypto_checksum(secret key, message)
  – fixed length, lossy, all bits sensitive to all message and key bits and their order
  – receiver computation demonstrates sender has key, no tampering
• Privacy of communications
  – encryption (Triple-DES)
  – new-message = encrypt(secret key, message)
• Freshness of communications
  – nonces (you can generate a value that I know is not old)
  – timestamps, sequence numbers
Slide 6: What Does NASD Require to be Secure?
• File manager makes the policy decisions
• Passes access rights to the drive through cryptographic capabilities
• Device doesn’t need to know the identity of the client
• User proves his identity and access rights using capability key and capability arguments
  – These are passed by the File manager to the client
• Scheme for revocation
Slide 7: Key Hierarchy
• MasterKey
  – Used by administrator to control the key hierarchy, to set the DriveKey, and for other administrative tasks
• DriveKey
  – Sets up partitions and PartitionKeys
• PartitionKeyN
  – Used by File manager to manage a partition and to set the WorkingKeys
  – Drive and File manager store these keys
• WorkingKey
  – Used by FM to generate capabilities
  – Each drive maintains two working keys per partition
Slide 8: Key Hierarchy
• Black and Gold Keys are the working keys
• In case of a single working key, an update of the key invalidates all outstanding capabilities
• Use two working keys to
  – Avoid bulk invalidation and a storm of requests for new capabilities
  – Allow graceful expiration of capabilities issued under the old working key
Figure: key hierarchy diagram with the labels MasterKey, DriveKey, PartitionKeys, Blue Key, Gold Key, Capability Keys
Slide 9: Protocol Details
Figure: message diagram between Client, FM and OBSD. The FM and the OBSD each hold the secret key K (the working key).
• Client → FM: Request For Access
• FM → Client (Private Communication): CapArgs and CapKey, where
  – CapArgs = ObjID, Version, Rights, Expiry, ..
  – CapKey = MAC_K(CapArgs, AV)
  – AV = Access Control Version, stored on the device and the FM, used for revocation
• Client → OBSD: CapArgs, Req, NonceIN, MAC_CapKey(Req, NonceIN)
• OBSD → Client: Reply, NonceOUT, MAC_CapKey(Reply, NonceOUT)
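The capability exchange on this slide, worked through as an added example (not code from the talk or from NASD itself): the FM derives CapKey = MAC_K(CapArgs, AV) under a working key, the client signs its request with that CapKey and a nonce, and the drive recomputes CapKey from the CapArgs sent in the clear, trying both of its working keys. The byte encoding of CapArgs, the 4-byte AV encoding, the two-slot key list, the nonce replay set and the demo values are all assumptions made here.

```python
import hmac, hashlib, os
from collections import namedtuple
CapArgs = namedtuple("CapArgs", "obj_id version rights expiry")  # ObjID, Version, Rights, Expiry

def mac(key: bytes, *parts: bytes) -> bytes:
    # HMAC-SHA-1 over length-prefixed parts: the slides' crypto_checksum(key, message)
    h = hmac.new(key, digestmod=hashlib.sha1)
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def cap_key(working_key: bytes, args: CapArgs, av: int) -> bytes:
    # CapKey = MAC_K(CapArgs, AV): FM computes it and hands it to the client privately;
    # the drive recomputes it from the CapArgs the client later sends in the clear
    return mac(working_key, repr(tuple(args)).encode(), av.to_bytes(4, "big"))

def client_sign(capkey: bytes, req: bytes) -> tuple:
    # Client sends CapArgs, Req, NonceIN, MAC_CapKey(Req, NonceIN)
    nonce_in = os.urandom(8)
    return nonce_in, mac(capkey, req, nonce_in)

class Drive:
    def __init__(self, gold: bytes, black: bytes, av: int):
        self.working_keys = [gold, black]  # the two working keys of one partition
        self.av = av                       # Access Control Version, mirrored on the FM
        self.seen = set()                  # NonceIN values already served (replay check, assumed)
    def handle(self, args, req, nonce_in, tag, op, now):
        # Returns (Reply, NonceOUT, MAC_CapKey(Reply, NonceOUT)), or None when refused
        if now > args.expiry or op not in args.rights or nonce_in in self.seen:
            return None
        for k in self.working_keys:        # capability may be under either working key
            capkey = cap_key(k, args, self.av)
            if hmac.compare_digest(tag, mac(capkey, req, nonce_in)):
                self.seen.add(nonce_in)
                reply, nonce_out = b"OK:" + req, os.urandom(8)
                return reply, nonce_out, mac(capkey, reply, nonce_out)
        return None                        # no working key verifies: forged or revoked

def demo() -> dict:
    drive = Drive(os.urandom(16), os.urandom(16), av=1)
    args = CapArgs(obj_id=42, version=1, rights="r", expiry=2000)
    key = cap_key(drive.working_keys[1], args, 1)  # FM issues under the older (black) key
    def send(req, op, now):
        n, t = client_sign(key, req)
        return drive.handle(args, req, n, t, op, now) is not None
    out = {"read": send(b"read 42", "r", 1000), "write": send(b"write 42", "w", 1000),
           "expired": send(b"read 42", "r", 3000)}
    drive.av += 1                          # FM and drive bump AV: every outstanding CapKey dies
    out["after_revoke"] = send(b"read 42", "r", 1000)
    return out
```

The drive never learns the client's identity: it only checks that whoever holds CapKey could have obtained it from an FM that knows K, which is exactly the point of slide 6.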
Slide 10: The Region Approach
Figure: two regions connected by a network; each region contains a Manager, several OSDs and several Clients.
• Central Metadata server per region
• Mobility of objects, device and client
• Object will reside at the proper location (self routing)
• Metadata servers share metadata – fault tolerance
Slide 11: The Region Approach
• Object replication depending on the demand for the object
• Intra-region as well as Inter-region mobility
• Automatic backup based on object attributes
• Perform all of the above in a secure manner
• NASD is good for a single region
  – The capability-key is per object based
  – If the file manager is compromised, the whole system is compromised
Slide 12: Issues Due To Mobility
• How to move an object within a region?
  – Metadata Manager moves the object
  – The object moves without contacting the Metadata Manager
  – Problems
    • With the NASD approach capability keys need not be stored on the device
    • The capability keys are generated from partition keys, which are device dependent
    • If we move the object, will we have to move the keys?
    • If we change the keys, we need to generate and distribute new capability-keys to the existing clients
    • Need to authenticate the identity of the device
    • What if the object is encrypted?
    • Need a secure protocol for seamless key-management
Slide 13: Issues Due To Mobility
• How to move an object from one region to another?
  – All of the previous problems still hold
  – The source metadata manager has no control over the remote device (no access to partition keys)
  – Need for secure communication and negotiation between metadata servers
• Device mobility
  – Intra-region
    • Device authentication; the metadata manager has the partition keys
  – Inter-region
    • Use the old metadata manager: the old metadata manager re-routes the request to the new metadata manager
    • Use the new metadata manager: generate new keys
    • Device authentication
Slide 14: Other Issues
• Fault-tolerance
  – Metadata servers form a distributed system
  – If one server goes down, one of the other servers takes its role
  – The new metadata server should know all the keys
  – Share the secret between the servers: threshold secret scheme
• If the metadata server is compromised, all devices are compromised (partition keys)
• If a device is unavailable or damaged (maybe due to a DoS attack or physical damage), the data on the device cannot be retrieved
  – Divide the data among n disks in such a way that using at least t <= n disks we can retrieve the data
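A threshold secret scheme of the kind the slide proposes for both problems (sharing partition keys among metadata servers, and spreading data over n disks so that any t of them suffice), as an added example rather than anything from the talk: Shamir sharing over a prime field, where t shares recover the secret and t-1 reveal nothing. The field prime, the share count and the constructed 16-byte partition key are assumptions of this example.

```python
import secrets

P = 2**521 - 1   # Mersenne prime; the field the sharing polynomial lives in (constructed choice)

def split(secret: bytes, t: int, n: int) -> list:
    # Random polynomial f of degree t-1 with f(0) = secret; server i holds share (i, f(i))
    s = int.from_bytes(secret, "big")
    assert 1 <= t <= n and s < P
    coeffs = [s] + [secrets.randbelow(P) for _ in range(t - 1)]
    return [(x, sum(c * pow(x, j, P) for j, c in enumerate(coeffs)) % P)
            for x in range(1, n + 1)]

def recover(shares: list) -> int:
    # Lagrange interpolation at x = 0; yields the secret only when len(shares) >= t
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total

def demo() -> dict:
    key = secrets.token_bytes(16)          # constructed partition key to be shared
    shares = split(key, t=3, n=5)          # five metadata servers, any three suffice
    k = int.from_bytes(key, "big")
    return {"three_ok": recover(shares[:3]) == k,
            "other_three_ok": recover(shares[2:]) == k,
            "two_fail": recover(shares[:2]) != k}
```

For the disk case the same split/recover pair runs per data block, with each disk holding one share; losing up to n-t disks to damage or a DoS still leaves the block recoverable.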
Slide 15: Intrusion Detection
• We need some disk level or object level intrusion detection
• Why?
  – Example
    • Object replication, on high demand
      – An attacker can send a large number of requests for an object
      – Waste of space due to replication, expensive key-management operations
    • Object mobility
      – What if an attacker keeps moving an object, making the object unavailable?
• Object level intrusion detection
  – Object detects attacks and takes action (blocks requests from the attacker machine) or contacts the metadata manager
• Use logs to detect malicious activity
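The two abuses named on this slide (a request flood that triggers replication, and an object moved over and over until it is unavailable) both show up in a per-client, per-object request log as a burst, so an added example, not part of the talk, of the log-based detection the last bullet calls for: a sliding-window count per (client, object, operation). The log format, the client addresses, the window and the thresholds are all constructed for the example.

```python
from collections import defaultdict, deque

# Constructed OSD request log (assumption): "<seconds> <client> <op> <obj_id>"
LOG = """\
0 10.0.0.5 read 42
1 10.0.0.9 read 7
2 10.0.0.9 read 7
3 10.0.0.9 read 7
3 10.0.0.5 read 42
4 10.0.0.9 read 7
5 10.0.0.9 read 7
6 10.0.0.9 read 7
7 10.0.0.13 move 7
8 10.0.0.13 move 7
9 10.0.0.13 move 7
20 10.0.0.5 read 42""".splitlines()

def parse(line: str) -> tuple:
    t, client, op, obj = line.split()
    return int(t), client, op, int(obj)

def detect(lines, window: int = 10, limits: dict = None) -> list:
    """Sliding-window rate check per (client, object, op).
    Flags read bursts (replication storm) and move bursts (object kept unavailable)."""
    limits = limits or {"read": 5, "move": 2}  # constructed thresholds; tune per deployment
    recent = defaultdict(deque)                # (client, obj, op) -> timestamps inside window
    alerts = set()
    for t, client, op, obj in sorted(map(parse, lines)):
        q = recent[(client, obj, op)]
        q.append(t)
        while q[0] <= t - window:              # drop events that fell out of the window
            q.popleft()
        if op in limits and len(q) > limits[op]:
            alerts.add((client, obj, f"{op} burst"))
    return sorted(alerts)
```

An object-level detector would run the same check inside the object's own access path and block or report the client; a disk-level one would run it over the drive's combined log.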
Slide 16: Conclusion
• Studied the NASD approach
• Compared with our regional approach
• NASD security scheme doesn’t scale well in our approach
• Need a better scheme than NASD
• Need a secure protocol to support floating objects, devices, and clients
• Need for disk level and/or object level intrusion detection
• Can we leave the access control to the device or the object?