Cryptree
A Folder Tree Structure for Cryptographic File Systems
Dominik Grolimund, Luzius Meisser, Stefan Schmid, Roger Wattenhofer
Computer Engineering and Networks Laboratory (TIK), ETH Zurich
Distributed Computing Group
SRDS 06, October 3, Leeds, UK
Kangoo: a large-scale distributed file system (comparable to OceanStore, Celeste, CFS, ...)
Problem: Enforcement & management of access rights on untrusted (but reliable) storage
When someone loses access to an item, that item needs to be encrypted with a new key in order to prevent the former accessor from accessing the item in the future.
Lazy revocation allows this (expensive) re-encryption to be postponed until the next update of the item.
Better performance at the price of slightly lower security: an adversary who is a former accessor of an item could continue to access it if he has kept a copy of the encryption key. Without lazy revocation, he would have had to keep a copy of the item itself to do so.
The classic, access-control-list based approach:
Access control is managed for each item individually. To grant Bob access to an item, the access key is encrypted with Bob's public key and attached to that item.
Problems with CACL:
Dynamic Inheritance of Access Rights
Downwards: full, recursive
Upwards: limited, ancestor names
Knowing K1 and the link allows K2 to be derived.
Symmetric link: symmetric cryptography; requires knowledge of K1 to update.
Asymmetric link: asymmetric cryptography; K2 can be replaced without knowing K1. More flexible than a symmetric link, but expensive.
Clearance key: revealed to grant access
Subfolder key: subfolders
Files key: files in the folder
Data key: folder name
Whole read access structure
Similar to read access tree
When someone loses read access as a result of an operation, the involved items need to be reencrypted. We do this lazily on their next change (lazy revocation).
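The key tree (clearance key, subfolder key, files key, downward inheritance through links) and the lazy revocation described above, as an added example that is not part of the original slides or of the Kangoo/Cryptree implementation. It models only symmetric links, uses an HMAC-derived pad as the link and a toy PRF-based stream cipher for file contents (both constructed for illustration), and the names `Folder`, `File`, `resolve`, `read` and `demo` are the example's own. `demo()` walks through grant, revoke, the window in which a former accessor who kept a file key can still read the unchanged file, and the next write that closes it.

```python
import hashlib
import hmac
import os

KEY_LEN = 32  # every key is 32 random bytes (constructed choice)


def prf(key: bytes, label: bytes) -> bytes:
    """Keyed PRF used to derive link pads and the toy keystream below."""
    return hmac.new(key, label, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def symmetric_link(k1: bytes, k2: bytes) -> bytes:
    """Symmetric link K1 -> K2: whoever knows K1 can derive K2, nobody else can."""
    return xor(k2, prf(k1, b"link"))


def follow_link(k1: bytes, link: bytes) -> bytes:
    return xor(link, prf(k1, b"link"))


def encrypt(key: bytes, data: bytes) -> bytes:
    """Toy counter-mode stream cipher on top of the PRF (illustration only)."""
    return b"".join(xor(data[i:i + KEY_LEN], prf(key, i.to_bytes(8, "big")))
                    for i in range(0, len(data), KEY_LEN))


decrypt = encrypt  # XOR keystream: the same operation in both directions


class File:
    """A file is encrypted under its own key, reachable from the folder's files key."""
    def __init__(self, files_key: bytes, data: bytes):
        self.key = os.urandom(KEY_LEN)
        self.link = symmetric_link(files_key, self.key)
        self.ciphertext = encrypt(self.key, data)
        self.stale = False  # set by revocation: a former reader may still hold self.key


class Folder:
    def __init__(self, name: str, parent=None):
        self.name, self.parent, self.files, self.children = name, parent, {}, []
        self.parent_link = None
        if parent is not None:
            parent.children.append(self)
        self.rotate_keys()

    def rotate_keys(self) -> None:
        """Fresh clearance/subfolder/files keys, relinked to parent, files and children."""
        self.clearance_key, self.subfolder_key, self.files_key = (os.urandom(KEY_LEN) for _ in range(3))
        self.links = {"subfolder": symmetric_link(self.clearance_key, self.subfolder_key),
                      "files": symmetric_link(self.clearance_key, self.files_key)}
        if self.parent is not None:  # downward inheritance: parent's subfolder key reaches us
            self.parent_link = symmetric_link(self.parent.subfolder_key, self.clearance_key)
        for f in self.files.values():
            f.link = symmetric_link(self.files_key, f.key)  # file keys are NOT rotated here
        for c in self.children:
            c.parent_link = symmetric_link(self.subfolder_key, c.clearance_key)

    def write(self, name: str, data: bytes) -> None:
        f = self.files.get(name)
        if f is None or f.stale:  # lazy revocation: new key and re-encryption on next change
            self.files[name] = File(self.files_key, data)
        else:
            f.ciphertext = encrypt(f.key, data)

    def revoke_read(self) -> None:
        """Rotate the (cheap) key tree of this subtree now; defer file re-encryption."""
        self.rotate_keys()
        for f in self.files.values():
            f.stale = True
        for c in self.children:
            c.revoke_read()


def resolve(clearance_key: bytes, folder: Folder, path: list) -> tuple:
    """Reader side: derive the folder keys from a clearance key and walk down the tree."""
    files_key = follow_link(clearance_key, folder.links["files"])
    if len(path) == 1:
        f = folder.files[path[0]]
        return follow_link(files_key, f.link), f
    subfolder_key = follow_link(clearance_key, folder.links["subfolder"])
    child = next(c for c in folder.children if c.name == path[0])
    return resolve(follow_link(subfolder_key, child.parent_link), child, path[1:])


def read(clearance_key: bytes, folder: Folder, path: list) -> bytes:
    key, f = resolve(clearance_key, folder, path)
    return decrypt(key, f.ciphertext)


def demo() -> dict:
    """Constructed scenario: grant, revoke lazily, observe the window, close it on write."""
    root = Folder("root")
    docs = Folder("docs", root)
    path = ["docs", "plan.txt"]
    docs.write("plan.txt", b"quarterly plan")
    bob = root.clearance_key                    # granting read access = revealing this key
    first = read(bob, root, path)               # Bob reads via root -> docs -> file
    cached_key, _ = resolve(bob, root, path)    # ... and keeps a copy of the file key
    root.revoke_read()                          # key tree rotated, file not re-encrypted yet
    after_revoke = read(bob, root, path)        # old clearance key derives garbage now
    window = decrypt(cached_key, docs.files["plan.txt"].ciphertext)  # still readable
    docs.write("plan.txt", b"revised plan")     # next change: fresh file key, re-encrypted
    closed = decrypt(cached_key, docs.files["plan.txt"].ciphertext)  # cached key is useless
    current = read(root.clearance_key, root, path)  # the new clearance key reads the file
    return {"first": first, "after_revoke": after_revoke, "window": window,
            "closed": closed, "current": current}
```

The `window` value is exactly the trade-off of lazy revocation: between `revoke_read()` and the next write, a former accessor who retained a key can still decrypt the unchanged item, whereas without lazy revocation he would have needed the item itself. Rotating the key tree eagerly is cheap (a few 32-byte links per folder); re-encrypting every file in the subtree is the expensive part that the scheme defers.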
Besides its semantic advantages, the Cryptree should also perform better than the CACL approach.
We wrote sandbox implementations of different approaches and let them perform a given set of operations.
Test set: 30'000 files (avg. size 2.5 MB), 2'500 folders, 1'000'000 operations (ordered by likelihood: read, create, delete, move, modify, grant access, revoke access, grant write access, revoke write access)
Time spent for key management per operation
Total processing time spent for cryptography per operation