National Data Store 2 crypto-clients - demonstration

SLIDE 1

National Data Store 2 crypto-clients - demonstration

Front men : Maciej Brzeźniak, Staszek Jankowski

Supercomputing Dept. of PSNC, www.psnc.pl

Authors: NDS2 team at PSNC and partners

full list of credits at the end of presentation

Project funded by: NCBiR for 2011-2013 under „KMD2” project (no. NR02-0025-10/2011)

Project partners – 10 Polish universities and supercomputing centres:

SLIDE 2

NDS, PLATON & NDS2

  • NDS (2007-2009): National Data Store
    – Distributed, replicated storage
    – Virtual Filesystem in user space (Linux)
    – Standard user interfaces: SFTP, WebDAV, Web GUI, GridFTP
    – Automatic replication: system-side, sync & async, NFS or GridFTP
  • PLATON-U4 (2009-2012)
    – Deployment of NDS for academic community
    – 10 sites in Poland
    – Tapes: 12+ PB in 5 sites
    – Disks: 2+ PB in 10 sites
  • NDS2 = NDS + secure storage & sharing + publishing + versioning + ACLs support + user management de-centralisation

[Architecture diagram; labels: Access Node, Access Methods Servers (SSH, HTTPs, WebDAV...), NDS system logic, VFS for data and meta-data, DB Node, User Meta-data DB, Users DB, Accounting & limits DB, Storage Node, Replica access methods servers (NFS, GridFTP), FS with data migration (HSM), HSM system (NFS), NAS appliance, Replication]

SLIDE 3

NDS – features, limitations & experience => assumptions for NDS2

NDS2: a secure NDS

Feature: Access protocols
  NDS: SFTP, WebDAV, GridFTP
  NDS2: SFTP mainly; WebDAV, GridFTP

Feature: Data access tools
  NDS: Typical tools:
    • Windows: WinSCP, FileZilla
    • Linux: sftp, SSHfs, DAVfs
    • Grids: GridFTP client
    => Users need more „natural access”
  NDS2: Project-provided tools:
    • Windows: ndsCryptoFS4win!
    • Linux: ndsCryptoFS4linux!
    • Grids: GridFTP or VFS for Linux
    ‚Typical tools’ still supported

Feature: Backup / archive / sync
  NDS: External tools:
    • ‚Virtual file-system like’:
      – Windows: Bitkinex, web folders: problems with stability/reliability
      – Linux: sshfs: OK
    • Sync/backup tools: Bacula, rsync etc.
    => Too complicated for end-users!
  NDS2: Integrated into clients!
    • GUI client (B/A)
    • ndsBox (syncing)
    • or external tools
    Still, typical tools can be used with VFS

Feature: Encryption
  NDS: External tools:
    • Some B/A/sync tools support encryption
    • Boxcryptor etc.
    => Users need even easier solution!
  NDS2: Integrated into clients!
    • Virtual filesystems, GUI, CLI
    • Appliance and mobile client
    Still, you can use external tools

Feature: Sharing
  NDS:
    • Possible for single profile/institution
    => Limitation
  NDS2:
    • Cross-profile/institution sharing
    Users may decide the scope of sharing

SLIDE 4

Clients for NDS2 (prototypes)

Windows: CryptoFS 4Windows
  • File system-like client (.net)
  • FS-like access
  • Encryption & digests
  • Storage space visible as the local drive
  • VFS: ‚FUSE-like’ library
  • SFTP: paid library for Win
  • Encryption: .net crypto API

Linux: CryptoFS 4Linux
  • FS-like access
  • Encryption & digests
  • Storage space mount’d as the local filesystem
  • VFS: SSHfs/FUSE
  • SFTP: SSHfs implementation of the client
  • Encryption: openssl

Any platform: GUI&CLI Java client
  • Browser-like access
  • Drag & drop support
  • Encryption & digests
  • Meta-data, search etc.
  • GUI/CLI: Java SWT, HSQL, Hibernate
  • Encryption: BouncyCastle
  • SFTP: JSCH (sftp)
  • Common Java library for data access & management: nds2API

Mobile platform: Android client
  • Browser-like access
  • Encryption & digests

Workgroups: Appliance
  • FS-like access (CIFS)
  • Local sharing
  • Encryption & digests transparent to users
  • SSHFS extended by implementing encryption & digests (C++)
  • LAN (CIFS)

WAN (SFTP) / Replicated storage (NDS v2)

SLIDE 5

NDS2 vs others (EncFS, Boxcryptor)

  • Why Boxcryptor & EncFS could make sense?
    – Boxcryptor (Win, iOS, Android) supports EncFS data format
  • Why NOT?
    – Another intermediate layer?
    – Windows / Linux:
      * BoxCryptor is made with CallBack FS
      * EncFS + SSHFS?
      * Virtual FS for backend storage
      * FUSE issues
    – Security:

Feature: File encryption algorithm / key type
  NDS2: Symmetric (AES 256 CTR)
  Boxcryptor / EncFS: Symmetric (AES 256)

Feature: Key usage
  NDS2: Generated per-file
  Boxcryptor / EncFS: Common for all files

Feature: File name encryption
  NDS2: Symmetric (AES 256) key derived from user’s asymmetric private key
  Boxcryptor / EncFS: Common for data and names

Feature: Shared data encryption
  NDS2: Per-directory asymmetric key, encrypted with private users’ key or group key
  Boxcryptor / EncFS: Common key for every user – no fine-grained keys management
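
An added example, not NDS2 code: the NDS2 column above (a key generated per file for AES 256 CTR, plus a per-directory asymmetric key for shared data) expressed with the openssl CLI. Wrapping each file key with the directory's RSA public key, the `.data`/`.key`/`.sha256` file layout and the `nds_*` function names are assumptions made for illustration.

```sh
#!/bin/sh
# Added illustration. The .data/.key/.sha256 layout, RSA-OAEP key wrapping and
# the nds_* names are assumptions, not the NDS2 on-disk format.
set -eu

# Key pair attached to one shared directory (the slides mention 4kB-long RSA keys).
nds_make_dir_keypair() {  # args: output prefix, [RSA bits, default 4096]
  openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:${2:-4096}" \
    -out "$1.priv.pem" 2>/dev/null
  openssl pkey -in "$1.priv.pem" -pubout -out "$1.pub.pem"
}

# Encrypt one file under its own AES-256-CTR key, then wrap that key for the directory.
nds_encrypt_file() {  # args: plaintext file, directory public key, output prefix
  key=$(openssl rand -hex 32)   # fresh 256-bit key, used for this file only
  iv=$(openssl rand -hex 16)    # fresh initial counter block
  # -K exposes the key in the process list; acceptable only in a demo.
  openssl enc -aes-256-ctr -K "$key" -iv "$iv" -in "$1" -out "$3.data"
  printf '%s:%s' "$key" "$iv" | openssl pkeyutl -encrypt -pubin -inkey "$2" \
    -pkeyopt rsa_padding_mode:oaep -out "$3.key"
  # Unkeyed digest: detects corruption, not someone able to rewrite both files.
  openssl dgst -sha256 -r < "$3.data" | cut -d' ' -f1 > "$3.sha256"
  unset key iv
}

# Verify the digest, unwrap the file key with the directory private key, decrypt.
nds_decrypt_file() {  # args: input prefix, directory private key, output file
  want=$(cat "$1.sha256") || return 1
  got=$(openssl dgst -sha256 -r < "$1.data" | cut -d' ' -f1) || return 1
  [ "$want" = "$got" ] || { echo "digest mismatch: $1.data" >&2; return 1; }
  keyiv=$(openssl pkeyutl -decrypt -inkey "$2" -pkeyopt rsa_padding_mode:oaep \
    -in "$1.key") || return 1
  openssl enc -d -aes-256-ctr -K "${keyiv%%:*}" -iv "${keyiv##*:}" \
    -in "$1.data" -out "$3" || return 1
  unset keyiv
}

# Constructed demo: the same plaintext stored twice in one shared directory.
demo=$(mktemp -d)
nds_make_dir_keypair "$demo/share"
printf 'constructed sample document\n' > "$demo/plain.txt"
nds_encrypt_file "$demo/plain.txt" "$demo/share.pub.pem" "$demo/copy1"
nds_encrypt_file "$demo/plain.txt" "$demo/share.pub.pem" "$demo/copy2"
nds_decrypt_file "$demo/copy1" "$demo/share.priv.pem" "$demo/plain.out"
cmp -s "$demo/plain.txt" "$demo/plain.out" && echo "round trip ok"
cmp -s "$demo/copy1.data" "$demo/copy2.data" || echo "per-file keys: ciphertexts differ"
rm -rf "$demo"
```

With per-file keys, the server view of two identical files differs, and revoking or re-wrapping one file's key does not touch any other file in the directory.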

SLIDE 6

Demo

SLIDE 7

NDS2: GUI demo (screenshots 1)

Login screen:

  • Login name
  • Private RSA key for authentication
  • Server connection details
  • 4kB-long RSA key pair for data encryption
  • Needs localisation

NDS2/SFTP Server connection details:

  • Server name
  • Server port

SLIDE 8

NDS2: GUI demo (screenshots 2)

GUI client:

  • supports Drag & Drop
  • builds the upload jobs database if many files are dropped
  • enables monitoring the status of these jobs, pausing/resuming them etc.

SLIDE 9

NDS2: GUI demo (screenshots 3)

GUI client:

  • Data are encrypted and integrity-controlled in the ‚encrypted’ directory
  • Remaining data are stored unencrypted
  • Progress bars monitor upload/download status

SLIDE 10

NDS2: ndsCryptoFS4Windows demo

Login screen:

  • Login name
  • Login certificate containing a private key for authentication
  • Server connection details
  • Certificate containing 4kB-long RSA key pair for data encryption

Remote storage space visible and accessible as a local drive

SLIDE 11

NDS2: ndsCryptoFS4Linux demo

Original directory content (user view)
Encrypted directory content (server view)

SLIDE 12

NDS2: ndsCryptoFS4Linux demo

Original file content (user view)
Encrypted file content (server view)

SLIDE 13

NDS2: Android client demo

SLIDE 14

NDS2: appliance demo

  • Appliance administration interface
    – Network settings configuration
    – NDS2 (or SFTP server) connection configuration
    – Internal appliance disks / RAIDs configuration

SLIDE 15

NDS2: appliance demo

  • Appliance: end-user experience
    – Access to data from the end-user workstation: remote storage space accessible through CIFS and NDS2 appliance
    – Network share defined on appliance
    – Data stored in NDS2/SFTP server
    – Accessible through appliance and CIFS protocol

SLIDE 16

Discussion

SLIDE 17

NDS2: GUI discussion

  • FULL NDS2 functionality:
    – Interactive & reliable data storage and retrieval:
      • Allows interactive storage & retrieval of files
      • Implements upload/download ‚jobs’
      • Can work in ‚background’
      • Can work with NDS servers but also with SFTP servers
    – Supports SHARING management:
      • Initialisation and control of sharing
        – SHARE DIRECTORY creation
        – Assigning the directory with the sharing keypair
      • Access control lists management (ACLs)
    – User-level METADATA support:
      • Annotation, tagging etc.
      • Meta-data based search (free form/structured)
    – Plans/roadmap:
      • Shell integration for Windows and Linux…
      • Tests on the other platforms
      • Synchronization support?

Any platform: GUI&CLI Java client
  • Browser-like access
  • Drag & drop support
  • Encryption & digests
  • Meta-data, search etc.
  • GUI/CLI: Java SWT, HSQL, Hiber.
  • Encryption: BouncyCastle
  • SFTP: JSCH (sftp)
  • Common Java library for data access & mgmt: nds2API (Java)

WAN (SFTP) / Replicated storage (NDS v2)

SLIDE 18

NDS2: cryptographic filesystems

  • POSIX-like, local drive-like access
    – Support PART of NDS2 functionality
      • STORAGE (also with regular SFTP server)
      • SHARING (after it is initiated by using GUI)
      • Limited METADATA access
    – ‚Natural’ interface for many users:
      • FS-like behaviour
      • Intelligent caching may further improve experience
    – Work on most popular OSs
    – Possible next steps?
      • Caching?
      • Other storage backends? Other platforms? (out of scope of NDS2)

Windows: CryptoFS 4Windows
  • Proprietary file system-like client (.NET)
  • FS-like access
  • Encryption & digests
  • Storage space visible as the local drive
  • VFS: ‚FUSE-like’ lib (com)
  • SFTP: lib 4 Win
  • Encryption:

Linux: CryptoFS 4Linux
  • FS-like access
  • Encryption & digests
  • Storage space mount’d as the local filesystem
  • VFS: SSHfs/FUSE
  • SFTP: SSHfs implementation of the client
  • Encryption: openssl

Workgroups: Appliance
  • FS-like access (CIFS)
  • Local sharing
  • Encryption & digests transparent to users
  • SSHFS enriched with encryption & digests (C++)
  • LAN (CIFS)

WAN (SFTP)

SLIDE 19

NDS2: appliance for workgroups

  • Use cases:
    – Small institution / workgroup shares data using local NAS appliance
    – Data protected against disaster and intrusion: backup and encryption
  • The idea: NDS2appliance

[Diagram; labels: Users, LAN, SMB/CIFS server, Data access & sharing (CIFS), LDAP/Active Directory server, Appliance admin, MGMT interface (web), Local disk space, Remote storage/backup space, Backup / restore, Data access + encryption, WAN, Public cloud, Private cloud]

SLIDE 20

NDS2: appliance for workgroups

  • Appliance for institutions – possible implementations:

Box for small groups/institutions: small (19,5x70x18,6cm) and silent, green (fits below the desk):

  • CPU with AES-NI support (not a problem these days)
  • 2 x 2,5” HDDs or 2x green SSDs inside (up to ~ 2 TB of RAW internal storage)
  • Must be cheap! e.g. ~600 EUR/box (not more than PC)

Rack server for bigger institutions:

  • CPUs with AES-NI on board
  • Low voltage! (being green, costs)
  • 4x 3,5” or 8x 2,5” SSD (up to 12 TB of RAW storage)
  • Reasonable costs - ~2500EUR with 12TB of capacity

Virtual machine:

  • E.g. vApp easy to run on vmware cluster or another VM image
  • No assumptions on hardware – just needs LUN for local storage and account in NDS2 for backups and sync’s

Some ‚fancy’ hardware for users:

  • Smart cards + readers (expresscard or USB)
  • Psychological ‚trick’ (works for some users)

SLIDE 21

NDS2: Android client

  • Proof of concept:
    => Aim: to learn about issues related to mobile client
  • Challenge 1: User-friendly, intuitive interface:
    => Core functionality only – simplicity:
    – Data storage and retrieval
    – Android Interface integration:
    – NO sharing, user-level metadata mgmt etc.
  • Challenge 2: Cryptography vs performance / battery life:
    => first experience – promising:
    – Benchmarks for ARM CPUs promising
    – AES support was planned for ARMv8 architecture
    – Encryption may exhaust battery?
    – Will mobile platform be used for small files only? (PDFs, DOCs, photos etc.)

SLIDE 22

NDSbox… on the way

  – Addresses Dropbox-like scenarios:
    • Data synchronization among multiple devices

[Diagram: Sync & Share between NDSbox client application, NDSbox client application 4 Linux and NDSbox client application 4 Android]

SLIDE 23

Safe data sharing & publishing

  – Secure sharing
    • Sharing with other NDS2 users
    • Very high level of security: symm. and asymm. key handling combination (more elaboration elsewhere)
  – Secure publishing and import/export from/to World
    • Similar to ‚get file link’ on Dropbox
    • Works in both directions
  – It’s safer than with Dropbox…

[Diagram; labels: NDS2 sandbox, Trust, NO Trust, Safe key exchange, Data access, Data access & storage, import/export, publication]

SLIDE 24

National Data Store 2 crypto-clients - demonstration

Thank you!

SLIDE 25

National Data Store 2 crypto-clients - demonstration

Credits:

PSNC team: Maciej Brzeźniak, {Gracjan, Michał, Staszek, Tomasz} Jankowski, Adam Zawada, Sławomir Zdanowski, Rafał Mikołajczak

Partners: Tomasz Chmiel, Łukasz Kuczyński, Michał Major, Łukasz Redynk, Kamil Guryn, and others