Implementing and Evaluating Security Controls for an Object-Based Storage System

Abstract: This paper presents the implementation and performance evaluation of a real, secure object-based storage system compliant to the T10 OSD standard. In contrast to previous work, our system implements the entire three security methods of the OSD security protocol defined in the standard, namely CAPKEY, CMDRSP and ALLDATA, and an Oakley-based authentication protocol by which the Metadata Server (MDS) and client can be sure of each other's identities. Moreover, our system supports concurrent operations from multip… Show more

“…We prototyped DSFS in the HUST OSD project [14]. The prototype stores global ACLs along with other metadata in a Berkeley database.…”

“…We demonstrate and prove the DSFS concept on an object-based storage system (OBS) and implement a DSFS prototype in the HUST OSD project [14] that complies to the T10 standard [13]. Our implementation requires minimal changes to the current standard, which includes only an extended security attribute page and a collection object required, but enables the standard to support decentralized access control.…”

DSFS: Decentralized security for large parallel file systems

“…We prototyped DSFS in the HUST OSD project [14]. The prototype stores global ACLs along with other metadata in a Berkeley database.…”

“…We demonstrate and prove the DSFS concept on an object-based storage system (OBS) and implement a DSFS prototype in the HUST OSD project [14] that complies to the T10 standard [13]. Our implementation requires minimal changes to the current standard, which includes only an extended security attribute page and a collection object required, but enables the standard to support decentralized access control.…”

DSFS: Decentralized security for large parallel file systems

“…There are already implemented systems using OBS technologies, including the IBM's next generation StorageTank [22], the highly scalable Lustre file system [8] by Cluster File Systems, Inc. (Boston, MA, USA), ActiveScale storage clusters [31] from Panasas, Inc. (Fremont, CA, USA) and so on. There are also implementations based on ANSI T10 object store device (OSD) standard [11,33,40]. However, there is no encrypt-on-disk object store system complied with ANSI T10 OSD standard.…”

“…Along with avoiding re-encryption, the FPGA/ASIC hardware module can provide significant security and performance improvements. The system is improved from [33], which is based on ANSI T10 OSD standard. The main feature of the system is that all data are stored encrypted, it does not need re-encryption when revocation occurs by using FPGA/ASIC hardware module.…”

“…The system is based on the existing system [33], in which the authentication between client and MDS is based on the Oakley key determination protocol [35]. Other authentication protocols such as Kerberos [36] can also be used.…”

Integrating FPGA/ASIC into cryptographic storage systems to avoid re-encryption

BLESS: Object level encryption security for object-based storage system