[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Unix Crypto File System paper



Hi,

Some of you have sent me mail asking about my cryptographic file system
for Unix; it was the subject of a work-in-progress presentation at the
January Usenix conference.  I have a draft of a paper that you may find
helpful; I just got off the phone with our lawyer and finally have the
release to send it out, so if you'd like a copy of the draft, send me
your email (for postscript) or physical (for dead trees) address.  Before
you ask: the software also may be released, but that's a longer
process and it isn't really "ready for prime time" yet anyway.

The paper is just a draft, and also has some bugs in it, but some of it
seems relevant to the discussion here on similar projects for PCish
machines.

Here's the abstract:

========
Although cryptographic techniques are playing an increasingly
important role in modern computing system security, user-level tools
for encrypting file data are cumbersome and suffer from a number of
inherent vulnerabilities.  The Cryptographic File System (CFS) offers
an alternative to ad hoc user-level encryption for protecting file
data.  CFS supports secure storage at the system level through a
standard Unix file system interface to encrypted files.  Users can
associate a cryptographic key with any directories they wish to
protect.  Files in these directories (as well as their pathname
components) are transparently encrypted and decrypted with the
specified key without further user intervention; cleartext is never
stored on a disk or sent to a remote file server.  CFS can use any
available file system for its underlying storage without modification,
including distributed file systems such as NFS.  System management
functions, such as file backup, work in a normal manner and without
knowledge of the key.

This paper describes the design and implementation of CFS under Unix.
Encryption techniques for file system-level encryption are
described, and general issues of cryptographic system interfaces to
support routine secure computing are discussed.
========

-matt
[email protected]