Abstract
Network storage techniques facilitate data sharing but also introduce new vulnerabilities. Cryptographic file systems use cryptographic methods to provide confidentiality and integrity for file data stored on servers that are not under users' direct control. The key management schemes of current shared cryptographic file systems cannot satisfy the security, flexibility and efficiency requirements simultaneously. This paper proposes a cryptographic file system called GKS-CFS. A trusted Group Key Server (GKS) is introduced to manage file encryption keys in a centralized manner and to enable the use of flexible access control policies. The computation and storage requirements of the GKS are reduced through the use of access control blocks and lockboxes, so that the function of the GKS can be implemented in hardware to provide strong security. The overhead of revocation is reduced by block-granularity encryption and a key versioning technique. The authors have implemented a prototype of GKS-CFS based on Lustre and evaluated its performance. Compared with other systems, the cryptographic cost of common file operations in GKS-CFS is reduced by an order of magnitude by avoiding the use of public-key cryptography; the Bonnie++ benchmark test shows that the performance of sequential read/write and random file operations is reduced on average by 42.0% and 8.4% respectively.