Abstract
This paper presents a security scheme for network-attached storage (NAS) built on the NFSv4 framework. One novel aspect of our system is that it extends NFSv4 to guarantee the security of storage. Another is a new user authentication mechanism that outperforms Kerberos. The scheme uses HMAC and symmetric cryptography to provide integrity and privacy for transmitted data. It consists of three essential procedures: user authentication, security-context establishment and data exchange. Our scheme protects data against tampering, eavesdropping and replay attacks, and it ensures that the data stored on the device is copy-resistant and encrypted. Despite this level of security, the scheme does not impose much performance overhead: our experiments show that large sequential reads or writes with security enabled incur a performance cost of 10-20%, much less than some other security systems.
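The abstract names three protections that the data-exchange phase must provide (against tampering, eavesdropping and replay) and the two primitives used to provide them (HMAC and a symmetric cipher). As an added illustration of that general technique, not code from the paper, the following Python sketches one security context after authentication has completed: encrypt-then-MAC with HMAC-SHA256, a per-message random nonce, and a strictly increasing sequence number bound into the tag so that a re-sent message is rejected. The keystream construction (HMAC-SHA256 in counter mode as a stand-in for the paper's unspecified cipher), the message layout, the separate encryption and MAC keys, and the NFS-like sample payload are all assumptions made here; the abstract does not describe the paper's actual framing or key establishment.

```python
import hmac
import hashlib
import secrets
import struct

SEQ_LEN = 8      # 64-bit big-endian sequence number (assumed layout)
NONCE_LEN = 16   # per-message random nonce for the keystream (assumed)
TAG_LEN = 32     # HMAC-SHA256 tag


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-in-counter-mode keystream, HMAC-SHA256 acting as the PRF.

    Stand-in for the paper's unspecified symmetric cipher; any standard
    block or stream cipher would fill the same role in this exchange.
    """
    blocks = bytearray()
    counter = 0
    while len(blocks) < length:
        blocks += hmac.new(enc_key, nonce + struct.pack(">Q", counter),
                           hashlib.sha256).digest()
        counter += 1
    return bytes(blocks[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def protect(enc_key: bytes, mac_key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: encrypt-then-MAC, with seq and nonce covered by the tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = _xor(payload, _keystream(enc_key, nonce, len(payload)))
    header = struct.pack(">Q", seq) + nonce
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


class Receiver:
    """Receiver side of one security context: verify, de-duplicate, decrypt."""

    def __init__(self, enc_key: bytes, mac_key: bytes):
        self.enc_key = enc_key
        self.mac_key = mac_key
        self.last_seq = -1  # highest sequence number accepted so far

    def unprotect(self, message: bytes) -> bytes:
        if len(message) < SEQ_LEN + NONCE_LEN + TAG_LEN:
            raise ValueError("truncated message")
        header = message[:SEQ_LEN + NONCE_LEN]
        ciphertext = message[SEQ_LEN + NONCE_LEN:-TAG_LEN]
        tag = message[-TAG_LEN:]
        # 1. Integrity: constant-time tag check before anything else is trusted.
        expected = hmac.new(self.mac_key, header + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("tampered message (bad HMAC)")
        # 2. Anti-replay: sequence numbers must strictly increase per context.
        seq = struct.unpack(">Q", header[:SEQ_LEN])[0]
        if seq <= self.last_seq:
            raise ValueError("replayed message (seq %d <= %d)" % (seq, self.last_seq))
        self.last_seq = seq
        # 3. Privacy: decrypt only after the message has been authenticated.
        nonce = header[SEQ_LEN:]
        return _xor(ciphertext, _keystream(self.enc_key, nonce, len(ciphertext)))


def demo() -> dict:
    """Constructed exchange: a good message, a tampered copy, a replayed copy."""
    enc_key = secrets.token_bytes(32)
    mac_key = secrets.token_bytes(32)  # separate key per purpose, never shared
    receiver = Receiver(enc_key, mac_key)
    payload = b"WRITE fh=0x2a offset=4096 data=constructed-sample"  # constructed

    msg = protect(enc_key, mac_key, seq=1, payload=payload)
    results = {"roundtrip": receiver.unprotect(msg) == payload}

    # Flip one ciphertext bit: the HMAC check must reject it.
    tampered = bytearray(msg)
    tampered[SEQ_LEN + NONCE_LEN] ^= 0x01
    try:
        receiver.unprotect(bytes(tampered))
        results["tamper_rejected"] = False
    except ValueError:
        results["tamper_rejected"] = True

    # Re-send the untouched original: valid tag, but a stale sequence number.
    try:
        receiver.unprotect(msg)
        results["replay_rejected"] = False
    except ValueError:
        results["replay_rejected"] = True

    # A fresh message with the next sequence number still goes through.
    results["next_accepted"] = receiver.unprotect(
        protect(enc_key, mac_key, 2, b"ok")) == b"ok"
    return results
```

The order of checks in `unprotect` is the point worth keeping: the tag is verified first, the sequence number is only advanced after a valid tag, and decryption happens last, so a forged or replayed message never reaches the storage layer or moves the replay window.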
© 2005 Springer-Verlag Berlin Heidelberg
Cite this paper
Li, X., Yang, J., Wu, Z. (2005). An NFSv4-Based Security Scheme for NAS. In: Chen, G., Pan, Y., Guo, M., Lu, J. (eds) Parallel and Distributed Processing and Applications - ISPA 2005 Workshops. ISPA 2005. Lecture Notes in Computer Science, vol 3759. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11576259_15
DOI: https://doi.org/10.1007/11576259_15
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-29770-3
Online ISBN: 978-3-540-32115-6
eBook Packages: Computer Science, Computer Science (R0)