Presentation is loading. Please wait.

Presentation is loading. Please wait.

Decentralized User Authentication in a Global File System CS294-4 Presentation Nikita Borisov October 6, 2003.

Published byViolet Hardy Modified over 8 years ago

Similar presentations

Presentation on theme: "Decentralized User Authentication in a Global File System CS294-4 Presentation Nikita Borisov October 6, 2003."— Presentation transcript:

1 Decentralized User Authentication in a Global File System CS294-4 Presentation Nikita Borisov October 6, 2003

2 Goals Authenticate users to access the file system Support remote administrative domains Use only local information at access time Avoid certificates

3 Why not certificates? Complicated infrastructure Certificate chain hard to compute (e.g. SDSI) Or inflexible trust structure (e.g. VeriSign) Overkill for a file system?

4 SFS Servers Each server has a public key Key part of the name (“self-certifying”) –mit.edu,anb726muxau6phtk3zu3nq4n463mwn9a Use key to authenticate server and set up a secure connection –Connection provides confidentiality & integrity

5 Self-Certifying Names Public keys are explicit –Always together with the name No PKI necessary –Avoids organizational and technical issues Keys are obtained out-of-band –Perhaps falling back on people

6 Authentication Servers One server per administrative domain –Identified by self-certifying hostname Authenticate users –Unix passwords, public keys, SRP, … Manage local names and groups Export user and group records to remote servers

7 Groups Defined within an administrative domain Has a list of members and a list of owners Each user may define their own groups –E.g. alice.friends Members/owners can be remote or local

8 Group members Member typeExample Local userU=nikitab Local groupG=nikitab.friends Remote userU=billg@microsoft.com,wxyweq… Remote groupG=faculty@stanford.edu,r34qduk… Public keyP=d43dft5tr50lkxsdre42…

9 Group members Local users & groups –As defined by the authentication server Public key hashes –Allow ad-hoc users –Protect privacy Remote users & groups –Retrieved from remote servers –Authenticity protected by self-certifying name

10 Group Caching Group definitions may be distributed on many servers Each authentication server resolves and caches entire group membership Cache ensures all necessary information is locally available at time of access –Though it may be out of date

11 Resolving Membership Expand group names Query remote servers for group & user definitions Recursively query any new remote names Cache updated every hour Use version numbers to send deltas

12 Problems Freshness –Eventual consistency –Use out-of-date data for an hour –Longer if server unavailable Revocation –Easy to revoke users (with a delay of 1 hour) –Hard to revoke server keys

13 Scalability All relevant group members cached on local server students@berkeley.edu may be large registered-voters@ca.gov wouldn’t work –It would work with certificates Limit members to 1,000,000 to prevent DOS Most sharing groups are small –C.f. Athena at MIT

14 ACLs Each file and directory has an ACL –Stored in first 512 bytes Lists local users and groups and access rights –Read, write, modify ACL Remote names and public keys have to be indirected through a group –Save on space –Easier to change membership

15 Certificates Revisited What did we lose? –Human-readable namespace –Key management/revocation –Offline operation –Scalability Are these not important for a global FS?

Download ppt "Decentralized User Authentication in a Global File System CS294-4 Presentation Nikita Borisov October 6, 2003."

Similar presentations

Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Decentralized User Authentication in a Global File System Max Meisterhans - Seminar in Distributed Computing WS 05/06.

Decentralized User Authentication in a Global File System Max Meisterhans - Seminar in Distributed Computing WS 05/06.
Lakshmi Narayana Gupta Kollepara 10/26/2009 CSC-8320.

Lakshmi Narayana Gupta Kollepara 10/26/2009 CSC-8320.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.

Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.
8.2 Discretionary Access Control Models Weiling Li.

8.2 Discretionary Access Control Models Weiling Li.
Naming Computer Engineering Department Distributed Systems Course Asst. Prof. Dr. Ahmet Sayar Kocaeli University - Fall 2014.

Naming Computer Engineering Department Distributed Systems Course Asst. Prof. Dr. Ahmet Sayar Kocaeli University - Fall 2014.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Slide 1 Many slides from Vitaly Shmatikov, UT Austin Public-Key Infrastructure CNS F2006.

Slide 1 Many slides from Vitaly Shmatikov, UT Austin Public-Key Infrastructure CNS F2006.
CMSC 414 Computer (and Network) Security Lecture 17 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 17 Jonathan Katz.
Active Directory: Final Solution to Enterprise System Integration

Active Directory: Final Solution to Enterprise System Integration
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
Using Digital Credentials On The World-Wide Web M. Winslett.

Using Digital Credentials On The World-Wide Web M. Winslett.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
Copyright © 2003-2004 B. C. Neuman, - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Fall 2003 1 Security Systems Lecture notes Dr.

Copyright © B. C. Neuman, - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Fall Security Systems Lecture notes Dr.
CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.
CS470, A.SelcukPKI1 Public Key Infrastructures CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukPKI1 Public Key Infrastructures CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

Similar presentations

Ads by Google