1. STORAGE ENCRYPTION AND JAVA FILE SECURITY SYSTEM


Nowadays, attacks on data storage systems are increasing, so security is becoming a compulsory attribute of any data storage system. For security we always depend on cryptographic techniques, and these techniques impose a performance cost on the complete system. We have therefore proposed the Java File Security System (JFSS). Because of the performance issues, it is based on the on-demand computing concept, which recovers much of the system performance. The concept is used because we do not always need to secure all the files, only the selected ones. This chapter shows the design of the Java File Security System on Windows XP. When we use an operating system, we have to secure some important data. Data is always stored in files, so we secure the important files well. To check the proposed functionality, we experimented with the system on the Windows operating system. With these experiments, we found that the proposed system works properly, according to the needs of the users.

Access control is one of the fundamental security services in a computer system. It is a mechanism for constraining the interaction between users and protected resources. Files are one of the important resources of the computer system. They must be protected from unauthorized access so that they cannot be tampered with or stolen by intruders. File security can be enforced using cryptographic techniques. With these techniques the important files are enciphered and authorized users are provided with suitable encryption keys. Cryptographic techniques can be applied at any level of the storage system because storage systems use a layered architecture. The level may be the block level or the virtual level in the operating system. File management is an important task of the computer system.
The suggested file security system stores encrypted files using the Rijndael algorithm (AES), so an unauthorized user cannot access the important data. Encryption takes place only for the selected files (the important ones that require security).

We use the concept of on-demand computing, which results in high performance of the computer system. The proposed system works properly for all types of files. The rest of this chapter is organized as follows. Section II covers the related work. Section III shows the design of the system. Section IV presents the evaluation. Section V gives the conclusion.

5.1 Types of Storage Data Enciphering:

Many methodologies are available on the market for enciphering data stored on secondary storage. The encryption may cover the complete hard disk, or it may be volume-based, virtual-disk-based, file-based or folder-based.

[Figure 5.1: Types of storage encryptions (full disk encryption, virtual disk encryption, volume encryption, file or folder encryption)]

Complete Encryption of Disk

In this type of encryption, all the data on the disk storage device or drive is encrypted, including the data used for booting the computer system, such as the operating system. Data is accessed only after user authentication. Such encryption may be software-based or hardware-based. Such software supports both kinds of authentication: network-oriented and local-source-oriented (local cache as well as local data). Pre-boot authentication takes place, and the file decryption software decrypts the operating system's boot sectors. This is shown by the 2nd arrow in the figure. The bootstrap loader loads the operating system's boot sector to start the OS. After the operating system is loaded, the file encryption and decryption software decrypts the files of the operating system. These files are saved in the volume reserved for the system, which is shown by the 3rd arrow. After completion of the

booting job, authentication is offered by the operating system. Then we can use the computer normally. When accessing these encrypted files, the reverse operations are performed. The file encryption and decryption software does all the enciphering and deciphering transparently on the needed sectors of the hard disk. There is always a considerable loss of system performance. However, very high speed computers are in current use. Consequently no time is wasted in encrypting and decrypting the operating system files, because we are not working on real-time applications. Large files take a noticeable time for the decryption and encryption operations mentioned above. Delays can be noticed at boot and at shutdown on systems protected by FDE software.

[Figure 5.2: A series of operations at the time of booting by the FDE software. Hard drive regions: MBR, PBE, boot sector (encrypted), system volume (encrypted)]

VDE

VDE stands for virtual disk encryption. It is the procedure of enciphering a specified file, known as a container. A container can store various folders as well as files. The data in the container is accessible after appropriate authentication. The container is mounted and maintained as a virtual storage disk. VDE can be used on any type of storage device. The container is a standalone file stored within a logical volume. There are basically three types of volumes: boot volume, data volume and system volume. These can be on a personal computer, or on a USB flash storage device that holds a single file system.
Volume Decryption as well as Encryption

In this kind of encryption, the complete logical volume is encrypted, and the data on the volume is accessible after appropriate authentication by the system. Basically it is achieved

mostly on hard disk data volumes, volume-oriented removable storage devices, and external storage devices. It is a special case of full disk encryption. At a very high level of abstraction, volume encryption and virtual disk encryption operate in a similar fashion. All read and write operations of the running software are performed through the operating system on the volumes and containers of the secondary storage devices. After the bootstrap loader has loaded the operating system, an encrypted volume or container that is needed is opened after appropriate authentication. All the relevant sectors in the volume or container are decrypted and encrypted by the software automatically. These additional processes take a lot of time when opening and saving files. The delays are noticeable for big files. Mounting and unmounting a volume or container always involve delays.

There is one basic difference between a volume and a VDE container. A container is portable, but a volume is not. That is, a container can be copied to another storage device. Consequently containers can easily be written to CDs and DVDs, because they are not volume-oriented. VDE is unimportant for backing up the important data; a server or media is always written as backup storage. We can use volume-oriented removable devices for VDE where both protection and security are required.

Files or Folders Encryption as well as Decryption

File encryption is the process of encrypting individual files on a storage medium and permitting access to the encrypted data only after proper authentication is offered. Folder encryption is very similar to file encryption, except that it addresses individual folders instead of files.
5.2 Encryption System Designing Methodologies

Recent systems offer encryption at several stages. Encryption is an additional stage: extra functionality provided to users for the security and protection of their important data. It may be of the following kinds.

Application-based Encryptions: Individual files and folders are enciphered on behalf of the user. This is a platform-independent, configuration-independent application that fulfills the user's requirements. Application-based software is very flexible in the selection of files and folders to encrypt or decrypt. However, it leaves all of this work to the user. These are not transparent encryption methodologies, and the secret keys are also handled by the users.

Device-based Encryptions: This category of software provides volume-oriented encryption. It is highly transparent. It sits very close to the secondary storage devices, and basically takes place at the hardware level. It has better performance. However, it is not easy to manage and it is not flexible. Only one key is used by the encryption system to encrypt the complete volume.

FS-based Encryptions: This methodology provides many advantages. Encryption takes place at the file system layer of the OS. These systems are highly transparent, highly flexible in secret key management, and have good access control and better performance. They are very resistant to attacks. A diverse variety of secret keys is used by these file systems.

5.3 Taxonomy of File Systems

There are basically three kinds of file systems: disk-oriented, network-oriented and pseudo-oriented. Disk-oriented file systems cover compact disk read-only memories, floppy diskettes, hard drives and so on. Network-oriented file systems manage network resources. Pseudo-oriented file systems are memory-oriented and do not use disk space. They provide kernel-based information and facilities.
The classification is shown in Figure 5.3, which helps in understanding the text that follows.

[Figure 5.3: The taxonomy of file systems. File systems divide into disk-based, network and pseudo file systems; the figure also shows cryptographic file systems (CFSs: block-based, disk-based, network-based, stackable, application-based), journaling file systems and tracing file systems]

Disk oriented File Systems

File systems of this kind are probably the most common type. They manage the free space on a hard drive partition or a similar device. Many file systems are available that access files from raw disks. Mapping file names to groups of bytes on disk is the usual purpose of all file systems. Examples are FAT, exFAT, HFS, NTFS, HFS+, HPFS, UFS, ext2, ext3, ext4 and ReiserFS. Several subcategories fall under this category, such as flash file systems (FFS), tape file systems (TFS) and database-oriented file systems. A flash file system takes into account the particular abilities, performance and limits of flash memory. Examples are JFFS, JFFS2 and CramFS. A tape file system is designed for magnetic tapes. Magnetic tapes are sequential-access devices, and random access takes much longer on them than on disk devices. This poses many issues for efficient management by a general-purpose file system. LTFS is a tape file system implemented by IBM (International Business Machines). The database-oriented file system is a novel idea in file management. IBM DB2 is a database file system.

Network File Systems

Disk-oriented file systems are restricted to the local files stored on a standalone machine, so there is no concept of exchanging data from one machine to another. Only the individual files are maintained. Network-based file systems, however, operate on a computer network. These file systems permit access to files that reside on a different machine connected to the network. Such file systems usually have a client and a server. The file system behaves as a client of a remote file access protocol, which provides access to the files stored on the servers. A server is a computer that provides services to others (clients), and a client uses the services provided by the servers. This permits the use of disk-based file systems located on different computers over a network. Note that a computer can be both a server and a client in a number of file systems. For instance, AFS, RFS, SFS, NFS, Coda, and file-system-like clients for the File Transfer Protocol come under this category. Like any other file system, they are mounted at mount points beneath the root file system.

Pseudo based File Systems

Pseudo-based file systems, also called special or virtual file systems, do not manage disk space as disk-based file systems do, or as network file systems do indirectly. There are many types, but for our study we discuss only three of them: cryptographic file systems, journaling file systems and tracing file systems. These are explained briefly in the following subsections.

Journaling File Systems

Another type of pseudo file system is the journaling file system.
It provides quicker and more reliable recovery when users shut the system down abruptly; simulated RAID file systems, which are highly resistant to breakdowns; unification of files that are present on different computers on the network; and encrypting file systems, which encrypt all the data to protect the user's confidentiality. Journaling file systems are basically logs of the transactions that are executed on the file system. All the transactions regarding the modifications of the

information nodes or the data about data (metadata) are recorded frequently. The journal is modified before any file system operation takes place and modified once more when the file operation completes. With this methodology, the file system can replay the journal after a system failure. The journal describes, for every file operation, whether it failed or succeeded. This assures that the complete file system structure is preserved if a system failure takes place. It does not guarantee, however, that all the user's data will show the most recent alterations. The journal always places an extra burden on the file system. Journals are stored sequentially and record the metadata alterations. The journal uses fewer resources than the real file operation, which is a set of arbitrary and sequential reads, writes and transfers. The journal is nevertheless additional work, so lower performance is achieved. This leads to a reduction in performance when we migrate from the basic file system to a journal-oriented file system. IBM provided an open source file system named the Enterprise Server File System (ESFS) in the year 2000. It is known as a journaling file system for the Linux user community.

Tracing File Systems

A tracing file system collects a huge quantity of traces. The traces may be very large, so we have to save or parse them in a particular area for further study. Security and debugging are two other uses of tracing file systems. Tracing is helpful for security as well as auditing. Monitoring file system operations may support intrusion detection and damage assessment. We may trace at various levels of granularity.
The level of granularity may be the entire file system, a specific user, a program, or a system or user process. Recently tracing file systems have been widely used in computer forensics research.

Cryptographic File Systems

Cryptographic file systems provide a stackable security layer. The file system encrypts the file data as well as the names of the files and directories residing on disk. Other users, whether unauthorized users or

intruders, cannot easily access or read our files. This is impossible even if they have administrative permissions. Many such file systems are available, for instance CFS, TCFS, CryptFS, EFS, NcryptFS, eCryptfs and StegFS.

Cryptographic File System Types

A variety of methodologies are used for cryptographic file systems. They range from the block level to the application level. Each of these approaches has its merits and demerits and is discussed here.

Block oriented

Block-based encryption systems operate below the file system level, encrypting one disk block at a time. This is advantageous because they do not require knowledge of the file system that resides on top of them, and can even be used for swap partitions or applications that require access to raw partitions. This type of system never discloses information about individual files, such as their size and owner, or the directory structure. Cryptoloop, CGD, GEOM and BestCrypt come under this category.

Disk Oriented Systems

The higher-level abstracted data is encrypted by such systems. These also work at the block level. Such systems access all the individual files and directories, which allows more elaborate authorization. Block-oriented systems are authenticated, and disk-oriented file systems control the complete physical data layout. The amount of information revealed to attackers, such as file sizes and file ownership, can be restricted. All of this is maintained by the file system on the disk. Examples are EFS and StegFS.

Network oriented

Network-based encrypted file systems operate at a higher level of abstraction than disk-based file systems, so they cannot control the on-disk layout of files.
Such systems can work in a layer above the existing or underlying file system, with a high level of portability. But performance and security cannot be achieved with these systems. All requests must pass through the network stack. There is a requirement of the replication of

the data, usually called copies, for better performance. The security of the data is compromised because of the weak basic network protocols. The file systems CFS and TCFS come under this category.

Stackability of the File Systems

Stackability is widely achieved by the available cryptographic file systems, which are a compromise between kernel-based, disk-oriented and network-oriented file systems. Stackable file systems can work on top of any type of file system. They are highly portable. For instance, CryptFS and NcryptFS come under this category. Data is not copied across the boundary between user space and kernel space.

Application-oriented systems

Files can be encrypted with simple user-level applications. For instance, GPG, PGP and crypt are available. All of these can be used on top of the underlying file system. Such solutions are tiresome for users, because they always require manual encryption and decryption of every file. A lot of user interaction is required for the encrypting and decrypting processes. Users commonly make errors, which are costly when important data files are involved. We may lose information permanently if we do not work properly with the file system.

FUSE oriented File Storage Systems

FUSE is a particular kind of file system. In actuality it is not a fully fledged file system but a novel framework for file systems. FUSE is a basic unit at kernel level. It is very helpful in creating user-level file systems. It is basically a combination of the following components.

1. Fundamental kernel module: It is registered with the virtual file system (VFS), which works as an interface to the operating system. All user requests are translated by the VFS.

2. User oriented libraries: The usual name of this library is libfuse. It has many supporting functions. These functions form the basis of the interface to the FUSE protocol.

3. FUSE based mounting function: The program's name is fusermount. All file systems require administrator-level privileges to mount them. The fusermount program is installed on the system as setuid root, so it runs with the full permissions given to the system administrator. A user may create new directories for the FUSE-based file system; all of this is done through fusermount. The new file system runs as a background process of the system, with the permissions of the ordinary user. It translates all the file system requests and forwards them to the kernel module. All communication with the kernel module takes place through file descriptors, which are obtained through /dev/fuse.

5.4 Java File Security System (JFSS) Design Goals

Here the design of the Java File Security System (JFSS) is described. The idea is closely related to Matt Blaze's Cryptographic File System. The main objective of the design is the security of file data. Enciphering and deciphering of file data is done on the demand of the users. It is a convenient file system for users. JFSS is simple in design in principle. It can be mounted at any place on the secondary storage device, on top of the basic file system. The proposed JFSS is designed with the following fundamental requirements:

The proposed system should offer better system performance and extend the existing file system.

It should be independent of the file system.

It must provide better security for a storage device against attacks.
It should be compatible with future technology for separate key management, such as smart cards that store the encryption keys directly in the possession of authorized users.

It should be compatible with the existing file system services, so that encrypted files behave normally, like the other files within the system.

It should be developed as a user-level file system and be convenient for users.

Security

The most fundamental requirement of any file storage security system is that the file data is secured against unauthorized access. Storing complete sensitive files on the device is a security risk if the device is in the physical possession of an adversary. This includes the security of information such as the names of the files and the data stored. However, the data about data, such as the date of creation, the starting addresses, and the information stored in the inode (the information node of the file), is also vital. Users who have suitable privileges to access the stored plaintext data are permitted to access it. For example, a superuser cannot access the secured data: for reasons of confidentiality, the superuser has no such access privileges. The system uses arbitrary symmetric keys to create the encrypted data. It is not possible to guess the secret key. Only users who possess the correct symmetric encryption key can decrypt the encrypted file data. The encryption of the specified file data is done by the users with the help of JFSS, and the keys are transferred to the users' smart cards. They are never saved on the hard disk of the system and are not sent through the s. The data is saved on the secondary storage devices in encrypted form, which ensures confidentiality of the file data. If anybody tries to retrieve it after taking possession of the system, the confidentiality of the file data is maintained because the file data is in encrypted form.

Smart card (SC) saved Encryption keys

Smart cards are basically debit-card-sized plastic cards with an embedded IC, which makes them capable of storing and/or processing data. The card contains a microprocessor. Smart cards differ from magnetic stripe cards in that they can process data on the card, they provide increased security, and they have more storage capacity.
Smart cards are used for storing the enciphering keys. This is the best way to separate the secret key from the corresponding encrypted data, which provides better security. Smart cards are easy to handle. They are used to save private keys. To use the encryption keys, we have to transfer the key data to the computer system that stores the data. After that we can easily convert the data to

the plaintext. To transfer the private keys from the smart card we need a smart card reader. Recent personal computers, however, come with one. Standards for smart cards have been provided by ISO. Smart cards find use in applications such as telecommunications (SIM cards for mobile telephony and pre-paid public telephone cards), multimedia (pay-TV cards) and banking (secure financial service cards). A smart card can be contact or contactless, depending upon its interaction with the external world. The hardware of a smart card consists of a CPU (usually an 8-bit microcontroller), the memory system (ROM, non-volatile memory and a small amount of RAM) and I/O control logic. Figure 5.4 illustrates the architecture of a smart card chip.

[Figure 5.4: The structure of a Smart Card (RSA SecurID 3100 smart card): CPU, ROM, RAM, NVM and I/O control, with RST, CLK, I/O and Vcc contacts]

A low-cost approach to implementing a cryptographic algorithm on a smart card is to realize the algorithm in software targeted at the smart card platform. This process is straightforward if the available smart card operating system and library routines are used, and efficient if done in the assembly language of the microcontroller. Testing and debugging are also easier, with an entire suite of development tools usually available from the smart card vendor for application software development. However, a dramatic improvement in processing time can be achieved by adding an embedded cryptographic core within the smart card hardware fabric. It is possible to embed custom crypto processors with tens of thousands of gates as co-processors to smart card CPUs.

Transparent system

A file system that lacks transparency is always irritating for the ordinary user of the computer system. All the functionality of the cryptographic file system must be transparent. Otherwise the system features will be ignored and even the best cryptographic solution will become useless to users. Fortunately, many of the available cryptographic file systems achieve this to a good degree.

Portability

We have chosen the highly portable language Java for the implementation of our file security system. The system should be more portable across diverse configurations than other file systems, especially kernel-based file systems. CFS is a highly portable network-oriented file system.

On demand computing:

On-demand computing fulfills the need for computing availability at limited hardware and software cost. It is a commercial model in which computer resources are offered on demand and paid for on the basis of resource usage. The file security services should be available to users on demand, which saves the extra burden. This saves a lot of performance overhead, because the user needs file security for specific files, not for all files.

Strong Access Control

The file content and the private keys are saved on separate media: the keys on the smart cards and the file data on the hard disk of the system. Public-key (asymmetric) cryptographic methodologies are also used to control access to the files. The files have strong access control, which results in a more secure file.

Easy to use

The system should be very simple to use for any type of user, so that users can easily adopt it to secure their files and feel comfortable using it. JFSS provides a uniform interface to users, on demand, for file security.

Adaptability

It can easily adapt to the environment without any modification of the underlying file system on which it works.

Reliability

The cryptographic file system should use the available functionality and features. The file should appear normal after the decryption process, without any loss.

Key Managements

Managing the private keys is a vital issue for file system developers. Encryption keys are managed on a per-file basis. Every file has its unique key, which is stored on the smart card.

File Name

File names are not encrypted, so that users can easily understand which keys belong to which files. This is done for the convenience of the users, so that they feel comfortable using the system.

Better performance

Encryption algorithms are computationally intensive, but the overhead should not discourage the user from using the cryptographic file system.

Working Model of Java File Security System

The proposed solution, the Java File Security System (JFSS) using the Rijndael algorithm, is designed to meet the requirements mentioned above. It is designed in user space. The FUSE module is used for the development; it is fully explained in the previous chapter's section 4.7.

[Figure 5.5: Working model of Java File Security System (JFSS) using Rijndael Algorithm. User space: JFSS + libfuse + glibc, with the plain file as input and the encryption key as output to the smart card. Kernel space: FUSE, VFS and the underlying file system, with the encrypted file as output to the secondary storage device]

The FUSE module is directly connected with the user file system and the Virtual File System (VFS), which is also explored in the previous chapter. The VFS handles all file-related operations (read, write, open, close, append, rename, copy etc.) and provides a uniform interface to the existing file systems that come with operating systems, such as FAT and NTFS. Figure 5.5 shows the working model of the Java File Security System (JFSS). JFSS takes one input, a plain file (an easily human-readable file), and produces two outputs: an encrypted file (difficult for human beings to understand) and a file encryption key (FEK, a symmetric key) that goes to the smart card. The encrypted file may be stored on any type of secondary storage device (hard disks, flash drives (pen drives), digital versatile disks (DVDs), compact disks (CDs) etc.). The encrypted data and the encryption keys are stored in different locations for better security.

Architecture of Java File Security System (JFSS):

[Figure 5.6: The architecture of Java File Security System (JFSS). Diagram labels: Application Program; Plain File; Java File Security System (JFSS); Access Controller; Key Manager; Crypt Engine; FUSE; VFS; Private Key; Underlying File System; Encrypted File; Secondary Storage Device; Smart Card.]

The Figure 4.2 shows the complete architecture of the JFSS. It has basically three components:

Key Manager (KM)
Crypt Engine (CE)
Access Controller (AC)

All the components are shown in Figure 5.6 and explained in the next subsections.

Key Manager (KM): The key manager handles the organization, creation, and protection of the keys used in the enciphering procedure.

1. Arbitrarily Generated Keys: All of the created keys should be random. The encryption keys used in the enciphering procedure must not be predictable by attackers. A pseudo-random number generator is a bad tool for creating a key.

2. Sufficient Key Length: The key size varies from 128 bits to 256 bits for the Rijndael algorithm.

After the keys are created, they must be guarded well. The following features must be considered:

1. Authorized Key Accessing
2. Better key store practices.
3. Keys Storage throughout the life of Data: The keys must be stored and identified where they have been used for the lifetime of the data.
4. Key's Integrity: Integrity of keys is mainly significant if integrity checks are not applied.
5. Maintain proper Auditing: Proper logging and auditing should be maintained.

Key Managing Schemes

The main entities in the Java File Security System (JFSS) are independent files as well as users. The user space is the primary driving force for the device, employing every enciphering methodology as well as the main key management system. The SecureRandom class available in the java.security package of the Java language is used to generate the secret key for each file in JFSS.

Crypt Engine (CE): When a file is to be written to disk on demand, the crypt engine accepts two main inputs: the plaintext file from secondary storage and the random symmetric key generated by the Key Manager. It uses the Rijndael algorithm to encrypt the file and produces the encrypted file. Rijndael is a block cipher which works on a block of 16 bytes. Therefore the file size must be checked, and if it is not a multiple of 16, the file is padded to make its size an exact multiple of 16. This padding is done while the file is being written. When the encrypted file is read from the disk, it is first decrypted using the Rijndael algorithm and the file encryption key from the smart card; the padding bytes are then removed and the result is passed to the file security system. The encrypted file is passed to the underlying file system.
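The Key Manager and Crypt Engine steps described above, as an added Java example that is not JFSS's own code. It assumes CBC mode with PKCS#5 padding and an IV stored in front of the ciphertext (the page names neither a mode nor a padding scheme), and the class and method names are hypothetical. With this padding, a file whose size is already a multiple of 16 still gains one full block, which is what lets the read path strip the padding unambiguously.

```java
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

public class PerFileKeyDemo {
    static final int BLOCK = 16;                        // Rijndael/AES block size in bytes
    static final SecureRandom RNG = new SecureRandom(); // cryptographically strong generator

    // Key Manager role: one fresh random file encryption key (FEK) per file.
    // bits may be 128, 192 or 256.
    static SecretKey newFileKey(int bits) throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(bits, RNG);
        return kg.generateKey();
    }

    // Crypt Engine, write path. Returns IV || ciphertext.
    // Assumption: CBC mode with PKCS#5 padding; the page does not name a mode.
    static byte[] encrypt(SecretKey fek, byte[] plain) throws GeneralSecurityException {
        byte[] iv = new byte[BLOCK];
        RNG.nextBytes(iv);                               // new IV for every file
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, fek, new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plain);                    // padding is appended here
        byte[] out = Arrays.copyOf(iv, BLOCK + ct.length);
        System.arraycopy(ct, 0, out, BLOCK, ct.length);
        return out;
    }

    // Crypt Engine, read path. Decrypts and strips the padding bytes.
    static byte[] decrypt(SecretKey fek, byte[] blob) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, fek, new IvParameterSpec(blob, 0, BLOCK));
        return c.doFinal(blob, BLOCK, blob.length - BLOCK);
    }

    // True only if decrypting with this key returns the original bytes.
    static boolean recovers(SecretKey fek, byte[] blob, byte[] expected)
            throws GeneralSecurityException {
        try {
            return Arrays.equals(decrypt(fek, blob), expected);
        } catch (BadPaddingException e) {
            // Usual outcome for a wrong key. The padding check is not an
            // integrity check: a wrong key can occasionally unpad to garbage.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        int[] sizes = {5, 16, 33};   // constructed sample "file" sizes in bytes
        for (int n : sizes) {
            byte[] plain = new byte[n];
            Arrays.fill(plain, (byte) 'A');              // constructed file content
            SecretKey fek = newFileKey(256);             // this file's key
            SecretKey otherFek = newFileKey(256);        // key of some other file
            byte[] blob = encrypt(fek, plain);
            System.out.printf(
                "plain=%d ciphertext=%d ownKey=%b otherKey=%b%n",
                n, blob.length - BLOCK,
                recovers(fek, blob, plain), recovers(otherFek, blob, plain));
        }
    }
}
```

CBC by itself does not detect modification of the ciphertext; an authenticated mode such as AES/GCM/NoPadding makes a wrong key or an altered file fail reliably.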
To summarize, the Crypt Engine encrypts the file data on the fly and passes it to the low-level file system while writing; while reading, it receives the encrypted file and decrypts the file data on the fly.

Access Controller (AC):

The authentication as well as the authorization is controlled by the access controller. Identification is obtained through authentication, and the privileges given to a specific user are granted through authorization of an entity. The access controller is responsible for the creation and management of all access-related information with respect to a file. All the keys are received from or saved in the smart cards.

Implementation Methodology of JFSS

To achieve the stated requirements, the following methodology is used:

o Understanding of the related Existing Technologies
From the literature survey, feasible encrypted file systems are selected as the basis for the secure file system being developed. For the selected file systems, the data structures they use to store data and metadata (the data about data) are identified. From the literature survey, cryptography algorithms and libraries are identified to provide security features for the selected file systems.

o Design of Data structures and Cryptographic Techniques
Several designs are developed from the identified data structures and cryptographic techniques for the file security system. After this, many approaches are identified, and the alternatives and constraints of the study are determined and documented. At last a single design is selected.

o Development and Testing of Prototype
A prototype of the new file system is constructed from the preliminary design. This implementation is tested for any weaknesses by developing and using a test plan. Additional unimplemented requirements are identified from the original requirements set and the weaknesses identified.

o Design, Development and Testing of Java File Security System (JFSS)
A complete design is developed based on the prototype design. The complete design is implemented and tested based on the test plan developed to check the operational prototype.
o Documentation and User Manual development
Complete documentation for the installation and use of the new file system library is created for the users.

Once implemented, the Java File Security System is used to store significant data that needs to be protected, on any media. In JFSS, the smart cards are used to store the file encryption keys. Regardless of the type of file, all files that are to be secured are encrypted entirely, so that they remain secure when stored on the secondary storage system. When a user wishes to save files with the help of JFSS, he/she must have an account on the Java File Security System. After that the user can use the facility of securing files. The user chooses the file to be encrypted and JFSS then generates a file encryption key. The file is encrypted with the Rijndael algorithm and saved to the secondary storage device. The key is also saved on the smart card of the user. Every file encryption key is given a name that is encrypted, and the key in it is also encrypted. All the names of the encrypted files are also encrypted.

At the time of decryption, only the file encryption key related to the file is shown; the other contents of the smart card are hidden. The system asks for the file to be decrypted and asks the user to select the file encryption key saved on the smart card. Only the needed or related key on the smart card is shown, to avoid confusing the users, because the file encryption key names are also encrypted.

We have used the Windows XP operating system to design the functionality of the file security system. The programming language used is the Sun Microsystems Java technology. The design uses a function design form which has the necessary buttons on it.

Figure 5.7: Login display

The login form is used to log in to the file security system. After the user id and password are entered, the user is linked to the security execution program. User registration with the file security system is always required. The registration is done by the program administrator, who alone has permission to create users for the system. He or she gives the user's name as well as the user's password. It is displayed in the figure. After this registration, the user can log in to the system and use its functionality.

The control form with the file encryption, decryption, about and help tabs then appears on the screen. It is shown in Figure 5.8. It has the option to select the file that the user wants to encrypt for security. He or she can select any type of file and click on the encrypt button; after that the encryption key is saved on the smart card, and if that is not available the key is saved in a user-specified location.

Figure 5.8: Encryption tab display

The user may want to decrypt a previously encrypted file in order to use it. He or she then has to make two selections, one for the file and one for the key, specifically the encryption key. The user then gets a message reporting successful or unsuccessful decryption. The success message is shown in the figure.

Figure 5.9: Decryption tab display

We performed tests and evaluation on the proposed file security system for files and directories. For the experiment, the computer system had the latest configuration.

The system has been tested for its functioning. In the first login window the user enters his or her user id and password. Depending on whether these are correct, he or she gets a message that the login was successful or not. In Figure 5.10 the login is a successful one.

Figure 5.10: A successful login window

In the next screenshot the user selects an important file that needs security. The system encrypts the specified file and saves the encryption key to the smart card, which is a separate storage location from the encrypted file. This increases the security of the data. It is shown in the figure.

Figure 5.11: Enciphering process tab display

Figure 5.12: Deciphering process tab display

Figure 5.12 shows the decryption process of the system. It has two file selection buttons: one for the encrypted file that the user is going to decrypt, and another for selecting the key of the specified file, because every file has its own independent key to encrypt or decrypt it.

We have also looked at how a file appears after encryption. The system is so secure that we cannot delete the encrypted file and also cannot change its data, which shows the integrity. The view of the encrypted file is shown in the figure below.

Figure 5.13: Display screen of an encrypted file

CONCLUSION

We have contributed a user-oriented file storage system. We have balanced design goals such as security, performance, convenience and independability of the system.


VICTORIA UNIVERSITY OF WELLINGTON Te Whare Wānanga o te Ūpoko o te Ika a Māui VICTORIA UNIVERSITY OF WELLINGTON Te Whare Wānanga o te Ūpoko o te Ika a Māui School of Engineering and Computer Science Te Kura Mātai Pūkaha, Pūrorohiko PO Box 600 Wellington New Zealand Tel: +64 4 463

More information

PUF Physical Unclonable Functions

PUF Physical Unclonable Functions Physical Unclonable Functions Protecting next-generation Smart Card ICs with SRAM-based s The use of Smart Card ICs has become more widespread, having expanded from historical banking and telecommunication

More information

IoT Security Platform

IoT Security Platform IoT Security Platform 2 Introduction Wars begin when the costs of attack are low, the benefits for a victor are high, and there is an inability to enforce law. The same is true in cyberwars. Today there

More information

Smart Card Technology Capabilities

Smart Card Technology Capabilities Smart Card Technology Capabilities Won J. Jun Giesecke & Devrient (G&D) July 8, 2003 Smart Card Technology Capabilities 1 Table of Contents Smart Card Basics Current Technology Requirements and Standards

More information

EmulexSecure 8Gb/s HBA Architecture Frequently Asked Questions

EmulexSecure 8Gb/s HBA Architecture Frequently Asked Questions EmulexSecure 8Gb/s HBA Architecture Frequently Asked Questions Security and Encryption Overview... 2 1. What is encryption?... 2 2. What is the AES encryption standard?... 2 3. What is key management?...

More information

How Endpoint Encryption Works

How Endpoint Encryption Works WHITE PAPER: HOW ENDPOINT ENCRYPTION WORKS........................................ How Endpoint Encryption Works Who should read this paper Security and IT administrators Content Introduction to Endpoint

More information

User Guide. Laplink Software, Inc. Laplink DiskImage 7 Professional. User Guide. UG-DiskImagePro-EN-7 (REV. 5/2013)

User Guide. Laplink Software, Inc. Laplink DiskImage 7 Professional. User Guide. UG-DiskImagePro-EN-7 (REV. 5/2013) 1 Laplink DiskImage 7 Professional Laplink Software, Inc. Customer Service/Technical Support: Web: http://www.laplink.com/contact E-mail: CustomerService@laplink.com Laplink Software, Inc. 600 108th Ave.

More information

Rights Management Services

Rights Management Services www.css-security.com 425.216.0720 WHITE PAPER Microsoft Windows (RMS) provides authors and owners the ability to control how they use and distribute their digital content when using rights-enabled applications,

More information

Sophos Disk Encryption License migration guide. Product version: 5.61 Document date: June 2012

Sophos Disk Encryption License migration guide. Product version: 5.61 Document date: June 2012 Sophos Disk Encryption License migration guide Product version: 5.61 Document date: June 2012 Contents 1 About this guide...3 2 Add encryption to an existing Sophos security solution...5 3 SDE/SGE 4.x

More information

Check Point FDE integration with Digipass Key devices

Check Point FDE integration with Digipass Key devices INTEGRATION GUIDE Check Point FDE integration with Digipass Key devices 1 VASCO Data Security Disclaimer Disclaimer of Warranties and Limitation of Liabilities All information contained in this document

More information

File System Management

File System Management Lecture 7: Storage Management File System Management Contents Non volatile memory Tape, HDD, SSD Files & File System Interface Directories & their Organization File System Implementation Disk Space Allocation

More information

White Paper: Whole Disk Encryption

White Paper: Whole Disk Encryption How Whole Disk Encryption Works White Paper: Whole Disk Encryption How Whole Disk Encryption Works Contents Introduction to Whole Disk Encryption.....................................................................

More information

ScoMIS Encryption Service

ScoMIS Encryption Service Introduction This guide explains how to install the ScoMIS Encryption Service Software onto a laptop computer. There are three stages to the installation which should be completed in order. The installation

More information

On Benchmarking Popular File Systems

On Benchmarking Popular File Systems On Benchmarking Popular File Systems Matti Vanninen James Z. Wang Department of Computer Science Clemson University, Clemson, SC 2963 Emails: {mvannin, jzwang}@cs.clemson.edu Abstract In recent years,

More information

GoldKey Product Info. Do not leave your Information Assets at risk Read On... Detailed Product Catalogue for GoldKey

GoldKey Product Info. Do not leave your Information Assets at risk Read On... Detailed Product Catalogue for GoldKey GoldKey Product Info Detailed Product Catalogue for GoldKey Do not leave your Information Assets at risk Read On... GoldKey: Reinventing the Security Strategy The Changing Landscape of Data Security With

More information

Global security intelligence. YoUR DAtA UnDeR siege: DeFenD it with encryption. #enterprisesec kaspersky.com/enterprise

Global security intelligence. YoUR DAtA UnDeR siege: DeFenD it with encryption. #enterprisesec kaspersky.com/enterprise Global security intelligence YoUR DAtA UnDeR siege: DeFenD it with encryption #enterprisesec kaspersky.com/enterprise Contents Your Data Under Siege: Defend it with Encryption 3 Steps Taken to Minimise

More information

SecureAge SecureDs Data Breach Prevention Solution

SecureAge SecureDs Data Breach Prevention Solution SecureAge SecureDs Data Breach Prevention Solution In recent years, major cases of data loss and data leaks are reported almost every week. These include high profile cases like US government losing personal

More information

Payment Card Industry (PCI) Policy Manual. Network and Computer Services

Payment Card Industry (PCI) Policy Manual. Network and Computer Services Payment Card Industry (PCI) Policy Manual Network and Computer Services Forward This policy manual outlines acceptable use Black Hills State University (BHSU) or University herein, Information Technology

More information

CS 416: Opera-ng Systems Design

CS 416: Opera-ng Systems Design Question 1 Explain the major difference between a file system that supports journaling (e.g., Linux ext4) versus a log-structured file system (e.g., YAFFS2). Operating Systems 2015 Exam 3 Review Paul Krzyzanowski

More information

HP ProtectTools Embedded Security Guide

HP ProtectTools Embedded Security Guide HP ProtectTools Embedded Security Guide Document Part Number: 364876-001 May 2004 This guide provides instructions for using the software that allows you to configure settings for the HP ProtectTools Embedded

More information

XenData Archive Series Software Technical Overview

XenData Archive Series Software Technical Overview XenData White Paper XenData Archive Series Software Technical Overview Advanced and Video Editions, Version 4.0 December 2006 XenData Archive Series software manages digital assets on data tape and magnetic

More information

Security in Storage and File Systems. Rajeev Thakur Argonne National Laboratory

Security in Storage and File Systems. Rajeev Thakur Argonne National Laboratory Security in Storage and File Systems Rajeev Thakur Argonne National Laboratory Nice Survey Papers Securing Data in Storage: A Review of Current Research Paul Stanton, UIUC http://arxiv.org/ftp/cs/papers/0409/0409034.pdf

More information

Complying with PCI Data Security

Complying with PCI Data Security Complying with PCI Data Security Solution BRIEF Retailers, financial institutions, data processors, and any other vendors that manage credit card holder data today must adhere to strict policies for ensuring

More information

Firmware security features in HP Compaq business notebooks

Firmware security features in HP Compaq business notebooks HP ProtectTools Firmware security features in HP Compaq business notebooks Embedded security overview... 2 Basics of protection... 2 Protecting against unauthorized access user authentication... 3 Pre-boot

More information

Microsoft Identity Lifecycle Manager & Gemalto.NET Solutions. Jan 23 rd, 2007

Microsoft Identity Lifecycle Manager & Gemalto.NET Solutions. Jan 23 rd, 2007 Microsoft Identity Lifecycle Manager & Gemalto.NET Solutions Jan 23 rd, 2007 Microsoft ILM is a comprehensive, integrated, identity and access solution within the Microsoft system architecture. It includes

More information

Lesson Objectives. To provide a grand tour of the major operating systems components To provide coverage of basic computer system organization

Lesson Objectives. To provide a grand tour of the major operating systems components To provide coverage of basic computer system organization Lesson Objectives To provide a grand tour of the major operating systems components To provide coverage of basic computer system organization AE3B33OSD Lesson 1 / Page 2 What is an Operating System? A

More information

ACER ProShield. Table of Contents

ACER ProShield. Table of Contents ACER ProShield Table of Contents Revision History... 3 Legal Notices... 4 Executive Summary... 5 Introduction... 5 Protection against unauthorized access... 6 Why ACER ProShield... 7 ACER ProShield...

More information

Securing Corporate Data and Making Life Easier for the IT Admin Benefits of Pre Boot Network Authentication Technology

Securing Corporate Data and Making Life Easier for the IT Admin Benefits of Pre Boot Network Authentication Technology 20140115 Securing Corporate Data and Making Life Easier for the IT Admin Benefits of Pre Boot Network Authentication Technology TABLE OF CONTENTS What s at risk for your organization? 2 Is your business

More information

Storing Encrypted Plain Text Files Using Google Android

Storing Encrypted Plain Text Files Using Google Android Storing Encrypted Plain Text Files Using Google Android Abstract Jared Hatfield University of Louisville Google Android is an open source operating system that is available on a wide variety of smart phones

More information

Computer Science 4302 Operating Systems. Student Learning Outcomes

Computer Science 4302 Operating Systems. Student Learning Outcomes Computer Science 4302 Operating Systems Student Learning Outcomes 1. The student will learn what operating systems are, what they do, and how they are designed and constructed. The student will be introduced

More information

Do "standard tools" meet your needs when it comes to providing security for mobile PCs and data media?

Do standard tools meet your needs when it comes to providing security for mobile PCs and data media? Product Insight Do "standard tools" meet your needs when it comes to providing security for mobile PCs and data media? Author Version Document Information Utimaco Product Management Device Security 4.30.00

More information