OceanStore: Data Security in an Insecure world John Kubiatowicz.

OceanStore:Data Security in an

Insecure world

John Kubiatowicz

OceanStore:2Networking Day ©2001 John Kubiatowicz/UC Berkeley

OceanStore Context: Ubiquitous Computing

• Computing everywhere:– Desktop, Laptop, Palmtop– Cars, Cellphones– Shoes? Clothing? Walls?

• Connectivity everywhere:– Rapid growth of bandwidth in the interior of the net– Broadband to the home and office– Wireless technologies such as CMDA, Satelite, laser

• But: Where is persistent information?– Must be the network!– Utility Model


Utility-based Infrastructure

Pac Bell

Sprint

IBMAT&T

CanadianOceanStore

IBM

• How many files in the OceanStore?– Assume 1010 people, 10,000 files/person (very conservative?)– So 1014 files in OceanStore!– If 1 gig files (ok, a stretch), get almost 1 mole of bytes!


Basic Structure:Untrusted, Peer-to-peer Model


But What About Security?• End-to-End and Everywhere Else!

– Protection at all levels– Data Protected Globally– Attacks recognized and squashed locally

• How is information protected?– Encryption for privacy– Secure Naming and Signatures for authenticity– Byzantine commitment for integrity

• Is it Available/Durable?– Redundancy with continuous repair – Redistribution for long-term durability

• Is it hard to manage?– Automatic optimization, diagnosis and repair


Secure Naming• Unique, location independent identifiers:

– Every version of every unique entity has a permanent, Globally Unique ID (GUID)

– GUIDs derived from secure hashes (e.g. SHA-1)– All OceanStore operations operate on GUIDs

• Naming hierarchy:– Users map from names to GUIDs via hierarchy of

OceanStore objects (ala SDSI)

Each link is either a GUID (RO)Or a GUID/public key combination

FooBarBaz

Myfile

Out-of-Band“Root link”


GUIDs Secure PointersName+Key

Active GUID

Global Object Resolutions

Floating Replica(Active Object)

Active Data

CommitLogs

CKPoint GUID

Archival GUIDArchival GUID

Signature

RP KeysACLsMetaData

Global Object Resolution

Archival copyor snapshot



Erasure Coded

Archival GUIDSignature

Inactive Object

Global Object Resolution


But What About the Red Arrows?

Location-Independent Routing!


4

2

3

3

3

2

2

1

2

4

1

2

3

3

1

34

1

1

4 3

2

4

Start with: Tapestry Routing Mesh

NodeID0x43FE

NodeID0x13FENodeID

0xABFE

NodeID0x1290

NodeID0x239E

NodeID0x73FE

NodeID0x423E

NodeID0x79FE

NodeID0x23FE

NodeID0x73FF

NodeID0x555E

NodeID0x035E

NodeID0x44FE

NodeID0x9990

NodeID0xF990

NodeID0x993E

NodeID0x04FE

NodeID0x43FE


Then add:Location-Independent Routing


Secure Routing• Node names are hash of public key

– Requests can be signed– Validate Responses in Request/response pairs

• Data validation built into network:– Pointers signed– Publication process verified– Responses from servers verified by checking GUIDs

• Denial of Service resilence: locality/redundancy– MACs along all links: local suppression of DoS– Multiple roots to avoid single points of failure– Multiple links for rapid recovery– Pointers provide locality: Find closest version of object


What about Update Integrity?

Byzantine Agreement!


The Path of an OceanStore Update


Consistency Mechanism applied directly to encrypted

data!


Archival DisseminationBuilt into Update


Conclusion:End-to-End and Everywhere Else

• Secure read-only data • Secure the commitment protocols• Secure the routing infrastructure• Continuous adaptation and repair

For more information: http://oceanstore.cs.berkeley.edu/

OceanStore: Data Security in an Insecure world John Kubiatowicz.

Documents

Transcript of OceanStore: Data Security in an Insecure world John Kubiatowicz.