ECFS: An Enterprise-Class Cryptographic File System for Linux

U. S. Rawat (Jaypee University of Engineering & Technology, India) and Shishir Kumar (Jaypee University of Engineering & Technology, India)
Copyright: © 2012 | Pages: 11
DOI: 10.4018/jisp.2012040104

Abstract

This paper proposes a secure and efficient approach for designing and implementing an enterprise-class cryptographic file system for Linux (ECFS) in kernel-space. Like other existing enterprise-class cryptographic file systems, it uses the stackable file system interface to introduce a layer that encrypts files with symmetric keys, and it uses public-key cryptography for user authentication and file sharing. It differs from existing systems by placing all public-key cryptographic operations and public-key infrastructure (PKI) support in kernel-space, which protects it from attacks that may take place with user-space PKI support. It has a narrower domain of trust than existing systems. It uses the XTS mode of the AES algorithm for file encryption to provide better protection and performance, and it uses the kernel-keyring service to improve performance. It stores the cryptographic metadata in the file's access control list (ACL) as extended attributes to ease file sharing. A secure protocol has also been designed and implemented to guard against various possible attacks when its files are accessed remotely over an untrusted network.
Article Preview

Encryption services in cryptographic file systems can be placed in user-space, at the device layer, or in kernel-space. Kernel-space systems are more efficient and secure than user-space systems. In device-layer systems, a single key is used for encryption, so file sharing among multiple users is not possible.

CFS (Blaze, 1993) is the first cryptographic file system for Unix, implemented as a user-space NFS (network file system) server. TCFS (Cattaneo et al., 2001) was then implemented in kernel-space as a modified NFS client, but it accesses two user-space servers: nfsd and xattrd. These earlier implementations suffer from poor performance because of context switches and data copies between user-space and kernel-space. They use a common mount-wide key, which limits their use in multiuser scenarios. EncFS (http://code.google.com/p/cryptsetup). LUKS for dmCrypt is an enhanced version of dmCrypt. It stores all necessary setup information in the partition header, enabling the user to transport or migrate their data seamlessly. dmCrypt does not support file sharing among multiple users, because a single key is used for cryptographic operations.
