National Data Store 2 crypto-clients - demonstration
Front men: Maciej Brzeźniak, Staszek Jankowski
Supercomputing Dept. of PSNC, www.psnc.pl
Authors: NDS2 team at PSNC and partners (full list of credits at the end of presentation)
Project funded by: NCBiR for 2011-2013 under KMD2 project (no. NR02-0025-10/2011)
Project partners: 10 Polish universities and supercomputing centres

NDS, PLATON & NDS2
NDS (2007-2009): National Data Store
  - Distributed, replicated storage
  - Virtual Filesystem in user space (Linux)
  - Standard user interfaces: SFTP, WebDAV, Web GUI, GridFTP
  - Automatic replication: system-side, sync & async, NFS or GridFTP
PLATON-U4 (2009-2012)
  - Deployment of NDS for academic community
  - 10 sites in Poland
  - Tapes: 12+ PB in 5 sites
  - Disks: 2+ PB in 10 sites
[Diagram: NDS architecture with DB Node, Access Node and Storage Nodes; labels: Metadata DB, Users DB, Accounting & limits DB, Access Methods Servers (SSH, HTTPs, WebDAV...), VFS for data and meta-data, NDS system logic, Replica access methods servers (NFS, GridFTP), FS with data migration (HSM), HSM system (NFS), NAS appliance, User, Replication]
NDS2 = NDS + secure storage & sharing + publishing + versioning + ACLs support + user management de-centralisation

NDS2: a secure NDS
NDS features, limitations & experience => assumptions for NDS2
Access protocols
  NDS: SFTP, WebDAV, GridFTP
  NDS2: SFTP mainly; WebDAV, GridFTP
Data access tools
  NDS: Typical tools: Windows: WinSCP, FileZilla; Linux: sftp, SSHfs, DAVfs; Grids: GridFTP client => Users need more natural access
  NDS2: Project-provided tools: Windows: ndscryptofs4win!; Linux: ndscryptofs4linux!; Grids: GridFTP or VFS for Linux. Typical tools still supported
Backup / archive / sync
  NDS: External tools: virtual file-system like: Windows: Bitkinex, web folders: problems with stability/reliability; Linux: sshfs: OK. Sync/backup tools: Bacula, rsync etc. => Too complicated for end-users!
  NDS2: Integrated into clients! GUI client (B/A), ndsbox (syncing) or external tools. Still, typical tools can be used with VFS
Encryption
  NDS: External tools: some B/A/sync tools support encryption; Boxcryptor etc. => Users need even easier solution!
  NDS2: Integrated into clients! Virtual filesystems, GUI, CLI; appliance and mobile client. Still, you can use external tools
Sharing
  NDS: Possible for single profile/institution => Limitation
  NDS2: Cross-profile/institution sharing; users may decide the scope of sharing

Clients for NDS2 (prototypes)
Windows: CryptoFS 4Windows
  - FS-like access
  - Encryption & digests
  - Storage space visible as the local drive
  - File system-like client (.net); VFS: FUSE-like library; SFTP: paid library for Win; Encryption: .net crypto API
Linux: CryptoFS 4Linux
  - FS-like access
  - Encryption & digests
  - Storage space mounted as the local filesystem
  - SSHFS extended by implementing encryption & digests (C++); VFS: SSHfs/FUSE; SFTP: SSHfs implementation of the client; Encryption: openssl
Workgroups: Appliance
  - FS-like access (CIFS)
  - Local sharing
  - Encryption & digests transparent to users
Any platform: GUI&CLI Java client
  - Browser-like access
  - Drag & drop support
  - Encryption & digests
  - Meta-data, search etc.
  - Common Java library for data access & management: nds2api; GUI/CLI: Java SWT, HSQL, Hibernate; Encryption: BouncyCastle; SFTP: JSCH (sftp)
Mobile platform: Android client
  - Browser-like access
  - Encryption & digests
Connections: LAN (CIFS); WAN (SFTP); Replicated storage (NDS v2)

NDS2 vs others (EncFS, Boxcryptor)
Why Boxcryptor & EncFS could make sense?
  - Boxcryptor (Win, iOS, Android) supports EncFS data format
Why NOT? Another intermediate layer?
  Windows / Linux:
  * BoxCryptor is made with CallBack FS
  * EncFS + SSHFS?
  * Virtual FS for backend storage
  * FUSE issues
Security:
File encryption algorithm / key type
  NDS2: Symmetric (AES 256 CTR)
  Boxcryptor / EncFS: Symmetric (AES 256)
Key usage
  NDS2: Generated per-file
  Boxcryptor / EncFS: Common for all files
File name encryption
  NDS2: Symmetric (AES 256) key derived from user's asymmetric private key
  Boxcryptor / EncFS: Common for data and names
Shared data encryption
  NDS2: Per-directory asymmetric key, encrypted with private user's key or group key
  Boxcryptor / EncFS: Common key for every user, no fine-grained keys management

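The per-file key model from the comparison above, as an added example that is not NDS2 code: each file gets its own AES-256-CTR key and a digest over the ciphertext. The class and method names are hypothetical, and wrapping the file key with RSA-OAEP, using SHA-256 as the digest and a 4096-bit RSA key are assumptions of this example, not details stated in the slides.

```java
import javax.crypto.*;
import javax.crypto.spec.IvParameterSpec;
import java.security.*;
import java.util.Arrays;
// Added illustration (Java 16+, JDK providers only); not NDS2 code.
public class PerFileKeyDemo {
    // Per-file record; keep the digest where the storage server cannot rewrite it.
    record Sealed(byte[] wrappedKey, byte[] iv, byte[] ciphertext, byte[] digest) {}

    static Sealed seal(byte[] plain, PublicKey userPub) throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);                                   // fresh AES-256 key for this file only
        SecretKey fileKey = kg.generateKey();
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);               // random initial counter block
        Cipher aes = Cipher.getInstance("AES/CTR/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, fileKey, new IvParameterSpec(iv));
        byte[] ct = aes.doFinal(plain);
        // Assumption: the file key is wrapped with RSA-OAEP under the user's public key.
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.WRAP_MODE, userPub);
        return new Sealed(rsa.wrap(fileKey), iv, ct, sha256(ct));
    }

    static byte[] open(Sealed s, PrivateKey userPriv) throws GeneralSecurityException {
        // CTR mode gives no integrity, so check the digest before decrypting.
        if (!MessageDigest.isEqual(sha256(s.ciphertext()), s.digest()))
            throw new SecurityException("digest mismatch: ciphertext was altered");
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.UNWRAP_MODE, userPriv);
        Key fileKey = rsa.unwrap(s.wrappedKey(), "AES", Cipher.SECRET_KEY);
        Cipher aes = Cipher.getInstance("AES/CTR/NoPadding");
        aes.init(Cipher.DECRYPT_MODE, fileKey, new IvParameterSpec(s.iv()));
        return aes.doFinal(s.ciphertext());
    }

    static byte[] sha256(byte[] b) throws GeneralSecurityException { return MessageDigest.getInstance("SHA-256").digest(b); }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(4096);                           // assumed key size for this example
        KeyPair user = kpg.generateKeyPair();
        byte[] doc = "constructed sample file".getBytes("UTF-8");
        Sealed a = seal(doc, user.getPublic()), b = seal(doc, user.getPublic());
        System.out.println("same plaintext, same ciphertext? " + Arrays.equals(a.ciphertext(), b.ciphertext()));
        System.out.println("round trip ok? " + Arrays.equals(doc, open(a, user.getPrivate())));
        a.ciphertext()[0] ^= 1;                         // simulate server-side modification
        try { open(a, user.getPrivate()); } catch (SecurityException e) { System.out.println(e.getMessage()); }
    }
}
```

With one key per file, a leaked file key exposes only that file, and two uploads of the same content do not produce matching ciphertext. An unkeyed digest detects tampering only while it is stored out of the storage server's reach; a keyed MAC or an AEAD mode removes that dependency.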
Demo
NDS2: GUI demo (screenshots 1)
NDS2/SFTP server connection details:
  - Server name
  - Server port
Login screen:
  - Login name
  - Private RSA key for authentication
  - Server connection details
  - 4kB-long RSA key pair for data encryption
Needs localisation

NDS2: GUI demo (screenshots 2)
GUI client:
  - supports Drag & Drop
  - builds the upload jobs database if many files are dropped
  - allows monitoring the status of these jobs, pausing/resuming them etc.

NDS2: GUI demo (screenshots 3)
GUI client:
  - Data are encrypted and integrity-controlled in the encrypted directory
  - Remaining data are stored unencrypted
  - Progress bars monitor upload/download status

NDS2: ndscryptofs4windows demo
Login screen:
  - Login name
  - Login certificate containing a private key for authentication
  - Server connection details
  - Certificate containing 4kB-long RSA key pair for data encryption
Remote storage space visible and accessible as a local drive

NDS2: ndscryptofs4linux demo
  - Original directory content (user view)
  - Encrypted directory content (server view)

NDS2: ndscryptofs4linux demo
  - Original file content (user view)
  - Encrypted file content (server view)

NDS2: Android client demo
NDS2: appliance demo
Appliance administration interface:
  - NDS2 (or SFTP server) connection configuration
  - Network settings configuration
  - Internal appliance disks / RAIDs configuration

NDS2: appliance demo
Appliance: end-user experience
  - Data stored in NDS2/SFTP server
  - Accessible through appliance and CIFS protocol
  - Network share defined on appliance
  - Access to data from the end-user workstation
Remote storage space accessible through CIFS and NDS2 appliance

Discussion
NDS2: GUI discussion
FULL NDS2 functionality:
Interactive & reliable data storage and retrieval:
  - Allows interactive storage & retrieval of files
  - Implements upload/download jobs
  - Can work in background
  - Can work with NDS servers but also with SFTP servers
Supports SHARING management:
  - Initialisation and control of sharing
  - SHARE DIRECTORY creation
  - Assigning the directory with the sharing keypair
  - Access control lists management (ACLs)
User-level METADATA support:
  - Annotation, tagging etc.
  - Meta-data based search (free form/structured)
Plans/roadmap:
  - Shell integration for Windows and Linux
  - Tests on the other platforms
  - Synchronization support?
Any platform: GUI&CLI Java client
  - Browser-like access; Drag & drop support; Encryption & digests; Meta-data, search etc.
  - Common Java library for data access & mgmt: nds2api (Java); GUI/CLI: Java SWT, HSQL, Hiber.; Encryption: BouncyCastle; SFTP: JSCH (sftp)
Connections: WAN (SFTP); Replicated storage (NDS v2)

NDS2: cryptographic filesystems
POSIX-like, local drive-like access
Support PART of NDS2 functionality:
  - STORAGE (also with regular SFTP server)
  - SHARING (after it is initiated by using GUI)
  - Limited METADATA access
Natural interface for many users:
  - FS-like behaviour
  - Intelligent caching may further improve experience
  - Work on most popular OSs
Possible next steps?
  - Caching?
  - Other storage backends?
  - Other platforms? (out of scope of NDS2)
Windows: CryptoFS 4Windows
  - FS-like access; Encryption & digests; Storage space visible as the local drive
  - Proprietary file system-like client (.NET); VFS: FUSE-like lib (com); SFTP: lib 4 Win; Encryption:
Linux: CryptoFS 4Linux
  - FS-like access; Encryption & digests; Storage space mounted as the local filesystem
  - SSHFS enriched in encryption & digests (C++); VFS: SSHfs/FUSE; SFTP: SSHfs implementation of the client; Encryption: openssl
Workgroups: Appliance
  - FS-like access (CIFS); Local sharing; Encryption & digests transparent to users
Connections: LAN (CIFS); WAN (SFTP)

NDS2: appliance for workgroups
Use cases:
  - Small institution / workgroup shares data using local NAS appliance
  - Data protected against disaster and intrusion: backup and encryption
The idea:
[Diagram labels: NDS2appliance, LAN, WAN, Local disk space, Data access & sharing (CIFS), SMB/CIFS server, Backup / restore, Users, MGMT interface (web), Remote storage / backup space, Data access + encryption, LDAP / Active Directory server, Appliance admin, Private cloud, Public cloud]

NDS2: appliance for workgroups
Appliance for institutions, possible implementations:
Box for small groups / institutions
  - Small (19,5x70x18,6cm) and silent, green (fits below the desk)
  - CPU with AES-NI support (not a problem these days)
  - 2 x 2,5" HDDs or 2x green SSDs inside (up to ~ 2 TB of RAW internal storage)
  - Must be cheap! e.g. ~600 EUR/box (not more than PC)
Rack server for bigger institutions
  - Rack server: CPUs with AES-NI on board
  - Low voltage! (being green, costs)
  - 4x 3,5" or 8x 2,5" SSD (up to 12 TB of RAW storage)
  - Reasonable costs: ~2500 EUR with 12 TB of capacity
Some fancy hardware for users:
  - Smart cards + readers (ExpressCard or USB)
  - Psychological trick (works for some users)
Virtual machine:
  - E.g. vApp, easy to run on VMware cluster, or another VM image
  - No assumptions on hardware: just needs LUN for local storage and account in NDS2 for backups and syncs

NDS2: Android client
Proof of concept: => Aim: to learn about issues related to mobile client
Challenge 1: User-friendly, intuitive interface: => Core functionality only, simplicity:
  - Data storage and retrieval
  - Android Interface integration: NO sharing, user-level metadata mgmt etc.
Challenge 2: Cryptography vs performance / battery life: => first experience promising:
  - Benchmarks for ARM CPUs promising
  - AES support was planned for ARMv8 architecture
  - Encryption may exhaust battery?
  - Will mobile platform be used for small files only? (PDFs, DOCs, photos etc.)

NDSbox on the way
Addresses Dropbox-like scenarios:
  - Data synchronization among multiple devices
[Diagram labels: NDSbox client application 4 Linux, NDSbox client application, NDSbox client application 4 Android; each marked Sync & Share]

Safe data sharing & publishing
Secure sharing
  - Sharing with other NDS2 users
  - Very high level of security: symm. and asymm. key handling combination (more elaboration elsewhere)
Secure publishing and import/export from/to World
  - Similar to "get file link" on Dropbox
  - Works in both directions
  - It's safer than with Dropbox
[Diagram labels: Trust, Safe key exchange, NO Trust, Data access, Data access & storage, import/export, publication, NDS2 sandbox]

Thank you!

Credits:
PSNC team: Maciej Brzeźniak, {Gracjan, Michał, Staszek, Tomasz} Jankowski, Adam Zawada, Sławomir Zdanowski, Rafał Mikołajczak
Partners: Tomasz Chmiel, Łukasz Kuczyński, Michał Major, Łukasz Redynk, Kamil Guryn, and others