Abstract

Unlike direct attached storage (DAS), network attached storage (NAS) or storage area network (SAN), object-based storage, an emerging network storage technology, separates the control path, the data path and the management path, and enables direct interaction between clients and the storage devices. Clients acquire only the metadata information and some cryptographic primitives from the metadata servers. Because the clients, the metadata servers and the storage devices are separate, it is very important to construct a security mechanism that secures the data exchanged between them. In this paper we present a credential-based security mechanism for object-based storage that builds on existing security infrastructure. In this mechanism, the object-based storage device (OSD) security model is a credential-based access control system, and both command transfer and data access must be authorized. After being authenticated by the security manager through a PKI system, the client requests from the security manager a credential that includes a capability key. The security manager and the OSD device (OBSD) share a secret key, which is used to calculate the capability key; the capability key in turn serves as a single secret key to verify the integrity of the credential and to encrypt the communications between the client and the OBSD.
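The credential flow described above, as an added sketch that is not the paper's own code and covers only the integrity and authorization part, not the encryption of client/OBSD traffic. HMAC-SHA256, the JSON capability layout, the field names and the nonce are assumptions made for illustration; the PKI authentication step is omitted.

```python
import hashlib
import hmac
import json

# Assumptions (not from the paper): HMAC-SHA256 as the keyed function,
# a JSON capability layout, these field names, and a per-request nonce.

def capability_key(shared_secret: bytes, capability: dict) -> bytes:
    """Derive the capability key from the manager/OBSD shared secret."""
    blob = json.dumps(capability, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(shared_secret, blob, hashlib.sha256).digest()

def issue_credential(shared_secret, client_id, object_id, rights, expires):
    """Security manager: called once the client has been authenticated."""
    cap = {"client": client_id, "object": object_id,
           "rights": sorted(rights), "expires": expires}
    return cap, capability_key(shared_secret, cap)

def sign_request(cap_key, command, object_id, nonce):
    """Client: prove possession of the capability key without sending it."""
    msg = f"{command}|{object_id}|{nonce}".encode()
    return hmac.new(cap_key, msg, hashlib.sha256).hexdigest()

def obsd_authorize(shared_secret, cap, command, object_id, nonce, tag, now):
    """OBSD: recompute the key from the presented capability and verify."""
    expected_key = capability_key(shared_secret, cap)
    expected_tag = sign_request(expected_key, command, object_id, nonce)
    if not hmac.compare_digest(expected_tag, tag):
        return False  # capability was altered, or the client lacks the key
    if now >= cap["expires"] or cap["object"] != object_id:
        return False  # expired credential or wrong object
    return command in cap["rights"]  # nonce replay tracking is left out here

def demo():
    secret = b"constructed-shared-secret"  # constructed sample value
    cap, key = issue_credential(secret, "client-1", "obj-42", ["READ"], expires=2000)
    tag = sign_request(key, "READ", "obj-42", "n1")
    ok = obsd_authorize(secret, cap, "READ", "obj-42", "n1", tag, now=1000)
    forged = dict(cap, rights=["READ", "WRITE"])  # client edits its own capability
    wtag = sign_request(key, "WRITE", "obj-42", "n2")
    bad = obsd_authorize(secret, forged, "WRITE", "obj-42", "n2", wtag, now=1000)
    return ok, bad

if __name__ == "__main__":
    print(demo())
```

The OBSD never stores per-client state: it rederives the capability key from the shared secret and the capability the client presents, so any edit to the capability invalidates every tag made with the old key.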
