National Data Store 2 crypto-clients - demonstration
Front men: Maciej Brzeźniak, Staszek Jankowski
Supercomputing Dept. of PSNC, www.psnc.pl
Authors: NDS2 team at PSNC and partners (full list of credits at the end of presentation)
Project funded by: NCBiR for 2011-2013 under "KMD2" project (no. NR02-0025-10/2011)
Project partners – 10 Polish universities and supercomputing centres:

NDS, PLATON & NDS2
• NDS (2007-2009): National Data Store
 – Distributed, replicated storage
 – Virtual Filesystem VFS for data and meta-data
 – Standard user interfaces:
   • SFTP, WebDAV, Web GUI, GridFTP
 – Automatic replication:
   • System-side, sync & async, NFS or GridFTP
• PLATON-U4 (2009-2012)
 – Deployment of NDS for academic community
 – 10 sites in Poland
 – Tapes: 12+ PB in 5 sites
 – Disks: 2+ PB in 10 sites
• NDS2 = NDS + secure storage & sharing + publishing + versioning + ACLs support + user management de-centralisation
[Architecture diagram labels: User; Access Methods Servers (SSH, HTTPs, WebDAV...); Access Node; NDS system logic in user space (Linux); Meta-data DB; Users DB; Accounting & limits DB; Replication; Replica access methods servers (NFS, GridFTP); Storage Nodes; FS with data migration (HSM); HSM system (NFS); NAS appliance]

NDS2: a secure NDS
NDS – features, limitations & experience => assumptions for NDS2
• Access protocols
 – NDS: SFTP, WebDAV, GridFTP
 – NDS2: SFTP mainly; WebDAV, GridFTP
• Data access tools
 – NDS: Typical tools:
   • Windows: WinSCP, FileZilla
   • Linux: sftp, SSHfs, DAVfs
   • Grids: GridFTP client
   => Users need more "natural access"
 – NDS2: Project-provided tools:
   • Windows: ndsCryptoFS4win!
   • Linux: ndsCryptoFS4linux!
   • Grids: GridFTP or VFS for Linux
   'Typical tools' still supported
• Backup / archive / sync
 – NDS: External tools:
   • 'Virtual file-system like':
     • Windows: Bitkinex, web folders: problems with stability/reliability or external tools
     • Linux: sshfs: OK
   • Sync/backup tools: Bacula, rsync etc.
   => Too complicated for end-users!
 – NDS2: Integrated into clients!
   • GUI client (B/A)
   • ndsBox (syncing)
   Still, typical tools can be used with VFS
• Encryption
 – NDS: External tools:
   • Some B/A/sync tools support encryption
   • Boxcryptor etc.
   => Users need even easier solution!
 – NDS2: Integrated into clients!
   • Virtual filesystems, GUI, CLI
   • Appliance and mobile client
   Still, you can use external tools
• Sharing
 – NDS: Possible for single profile/institution => Limitation
 – NDS2: Cross-profile/institution sharing; users may decide the scope of sharing

Clients for NDS2 (prototypes)
• Windows: CryptoFS4Windows
 – FS-like access
 – Encryption & digests
 – Storage space visible as the local drive
 – file system-like client (.net):
   • VFS: 'FUSE-like' library
   • SFTP: paid library for Win
   • Encryption: .net crypto API
• Linux: CryptoFS4Linux
 – FS-like access
 – Encryption & digests
 – Storage space mount'd as the local filesystem
 – SSHFS extended by implementing encryption & digests (C++):
   • VFS: SSHfs/FUSE
   • SFTP: SSHfs implementation of the client
   • Encryption: openssl
• Workgroups: Appliance, reached over LAN (CIFS)
 – FS-like access (CIFS)
 – Local sharing
 – Encryption & digests transparent to users
• Any platform: GUI&CLI Java client
 – Browser-like access
 – Drag & drop support
 – Encryption & digests
 – Meta-data, search etc.
 – common Java library for data access & management: nds2API
   • GUI/CLI: Java SWT, HSQL, Hibernate
   • Encryption: BouncyCastle
   • SFTP: JSCH (sftp)
• Mobile platform: Android client
 – Browser-like access
 – Encryption & digests
All clients connect over WAN (SFTP) to the replicated storage (NDS v2)

NDS2 vs others (EncFS, Boxcryptor)
• Why Boxcryptor & EncFS could make sense?
 – Boxcryptor (Win, iOS, Android) supports EncFS data format
• Why NOT?
 – Another intermediate layer?
 – Windows:
   * BoxCryptor is made with CallBack FS
   * Virtual FS for backend storage
 – Linux:
   * EncFS + SSHFS?
   * FUSE issues
 – Security:
   • File encryption algorithm / key type
     – NDS2: Symmetric (AES 256 CTR)
     – Boxcryptor/EncFS: Symmetric (AES 256)
   • Key usage
     – NDS2: Generated per-file
     – Boxcryptor/EncFS: Common for all files
   • File name encryption
     – NDS2: Symmetric (AES 256) key derived from user's asymmetric private key
     – Boxcryptor/EncFS: Common for data and names
   • Shared data encryption
     – NDS2: Per-directory asymmetric key, encrypted with private user's key or group key
     – Boxcryptor/EncFS: Common key for every user – no fine-grained keys management

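The key hierarchy in the NDS2 column above (a fresh AES-256-CTR key per file, kept under a per-directory asymmetric key, plus a digest) can be sketched with the openssl command line. This is an added example, not NDS2 code: wrapping the per-file key directly under the directory key, the .enc/.key/.sha256 file layout, OAEP padding, SHA-256 and the 2048-bit demo key are all assumptions.

```shell
#!/bin/sh
# Added illustration only: file layout, OAEP wrapping, SHA-256 and the 2048-bit
# demo key are assumptions, not the NDS2 on-disk format.

make_dir_key() {   # make_dir_key <dir>: per-directory RSA key pair
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/dir.key" 2>/dev/null
    openssl pkey -in "$1/dir.key" -pubout -out "$1/dir.pub"
}

encrypt_file() {   # encrypt_file <dir.pub> <plaintext> <out-prefix>
    key=$(openssl rand -hex 32)   # fresh 256-bit key, used for this file only
    iv=$(openssl rand -hex 16)    # fresh initial counter block for CTR mode
    # Demo shortcut: -K puts the key on the command line (visible in ps).
    openssl enc -aes-256-ctr -K "$key" -iv "$iv" -in "$2" -out "$3.enc"
    # Wrap key+IV under the directory public key; only key holders can unwrap.
    printf '%s%s' "$key" "$iv" | openssl pkeyutl -encrypt -pubin -inkey "$1" \
        -pkeyopt rsa_padding_mode:oaep -out "$3.key"
    # Digest of the ciphertext: detects corruption; it only detects tampering
    # if the digest is stored where the storage server cannot rewrite it.
    openssl dgst -sha256 -r "$3.enc" | cut -d' ' -f1 > "$3.sha256"
}

decrypt_file() {   # decrypt_file <dir.key> <in-prefix> <plaintext-out>
    want=$(cat "$2.sha256")
    got=$(openssl dgst -sha256 -r "$2.enc" | cut -d' ' -f1)
    [ "$want" = "$got" ] || { echo "digest mismatch: $2.enc" >&2; return 1; }
    material=$(openssl pkeyutl -decrypt -inkey "$1" \
        -pkeyopt rsa_padding_mode:oaep -in "$2.key") || return 1
    key=$(printf '%s' "$material" | cut -c1-64)
    iv=$(printf '%s' "$material" | cut -c65-96)
    openssl enc -d -aes-256-ctr -K "$key" -iv "$iv" -in "$2.enc" -out "$3"
}

demo() {           # constructed sample data; prints "ok" on a clean round trip
    d=$(mktemp -d) || return 1
    make_dir_key "$d"
    printf 'constructed sample report\n' > "$d/a.txt"
    encrypt_file "$d/dir.pub" "$d/a.txt" "$d/a"
    decrypt_file "$d/dir.key" "$d/a" "$d/a.out" && cmp -s "$d/a.txt" "$d/a.out" \
        && echo ok
    rm -rf "$d"
}
demo
```

Because every file has its own key and only the wrapped key depends on the directory key pair, granting access to one shared directory exposes no key material for files elsewhere, which is the contrast with the "common for all files" column.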
Demo
NDS2: GUI demo (screenshots 1)
NDS2/SFTP Server connection details:
• Server name
• Server port
Login screen:
• Login name
• Private RSA key for authentication
• Server connection details
• 4kB-long RSA key pair for data encryption
• Needs localisation

NDS2: GUI demo (screenshots 2)
GUI client:
• supports Drag & Drop
• builds the upload jobs database if many files are dropped
• lets the user monitor the status of these jobs, pause/resume them, etc.

NDS2: GUI demo (screenshots 3)
GUI client:
• Data are encrypted and integrity-controlled in the 'encrypted' directory
• Remaining data are stored unencrypted
• Progress bars monitor upload/download status

NDS2: ndsCryptoFS4Windows demo
Login screen:
• Login name
• Login certificate containing a private key for authentication
• Server connection details
• Certificate containing 4kB-long RSA key pair for data encryption
Remote storage space visible and accessible as a local drive

NDS2: ndsCryptoFS4Linux demo
• Original directory content (user view)
• Encrypted directory content (server view)

NDS2: ndsCryptoFS4Linux demo
• Original file content (user view)
• Encrypted file content (server view)

NDS2: Android client demo
NDS2: appliance demo
• Appliance administration interface
 – NDS2 (or SFTP server) connection configuration
 – Network settings configuration
 – Internal appliance disks / RAIDs configuration

NDS2: appliance demo
• Appliance: end-user experience
 – Data stored in NDS2/SFTP server
 – Accessible through appliance and CIFS protocol
 – Network share defined on appliance
 – Access to data from the end-user workstation – remote storage space accessible through CIFS and NDS2 appliance

Discussion
NDS2: GUI discussion
• FULL NDS2 functionality:
 – Interactive & reliable data storage and retrieval:
   • Allows interactive storage & retrieval of files
   • Implements upload/download 'jobs'
   • Can work in 'background'
   • Can work with NDS servers but also with SFTP servers
 – Supports SHARING management:
   • Initialisation and control of sharing
     – SHARE DIRECTORY creation
     – Assigning the directory with the sharing keypair
   • Access control lists management (ACLs)
 – User-level METADATA support:
   • Annotation, tagging etc.
   • Meta-data based search (free form/structured)
 – Plans/roadmap:
   • Shell integration for Windows and Linux…
   • Tests on the other platforms
   • Synchronization support?
[Diagram: Any platform, GUI&CLI Java client: Browser-like access; Drag & drop support; Encryption & digests; Meta-data, search etc. Common Java library for data access & mgmt: nds2API (Java); GUI/CLI: Java SWT, HSQL, Hiber.; Encryption: BouncyCastle; SFTP: JSCH (sftp). WAN (SFTP) to replicated storage (NDS v2)]

NDS2: cryptographic filesystems
• POSIX-like, local drive-like access
 – Support PART of NDS2 functionality
   • STORAGE (also with regular SFTP server)
   • SHARING (after it is initiated by using GUI)
   • Limited METADATA access
 – 'Natural' interface for many users:
   • FS-like behaviour
   • Intelligent caching may further improve experience
 – Work on most popular OSs
 – Possible next steps?
   • Caching?
   • Other storage backends? Other platforms? (out of scope of NDS2)
[Diagram: Windows, CryptoFS4Windows: FS-like access; Encryption & digests; Storage space visible as the local drive. Proprietary file system-like client (.NET); VFS: 'FUSE-like' lib (com); SFTP: lib 4 Win; Encryption:
Linux, CryptoFS4Linux: FS-like access; Encryption & digests; Storage space mount'd as the local filesystem. SSHFS enriched in encryption & digests (C++); VFS: SSHfs/FUSE; SFTP: SSHfs implementation of the client; Encryption: openssl.
Workgroups, Appliance over LAN (CIFS): FS-like access (CIFS); Local sharing; Encryption & digests transparent to users.
WAN (SFTP) to the storage backend]

NDS2: appliance for workgroups
• Use cases:
 – Small institution / workgroup shares data using local NAS appliance
 – Data protected against disaster and intrusion: backup and encryption
• The idea:
[Diagram labels: NDS2 appliance; Local disk space; SMB/CIFS server; Backup / restore; Data access & sharing (CIFS); Data access + encryption; MGMT interface (web); Users; LAN; WAN; Remote storage/backup space; Public cloud; Private cloud; LDAP/Active Directory server; Appliance admin]