WO2008147400A1 - Apparatus, methods and computer program products providing improved authentication for operations over an outsourced file system stored by an untrusted unit - Google Patents


Publication number
WO2008147400A1
Authority
WO
WIPO (PCT)
Prior art keywords
digest
file system
proof
tree structure
hash value
Application number
PCT/US2007/024642
Other languages
English (en)
Inventor
Roberto Tamassia
Michael T. Goodrich
Nikolaos Triandopoulos
Charalampos Papamanthou
Original Assignee
Brown University
Application filed by Brown University

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/123 Applying verification of the received information received data contents, e.g. message integrity

Definitions

  • the exemplary embodiments of this invention relate generally to data authentication and, more specifically, relate to authentication for operations over an outsourced file system stored by an untrusted unit.
  • One consideration is that of authenticating an outsourced file system in a setting where data resides at remote storage units of untrusted host machines, outside of any administrative control. It is generally desirable to efficiently (e.g., with logarithmic complexity) verify the integrity of a dynamic file system, namely to verify that its status is consistent with the history of file-system operations ordered by a client, and correctly detect any malicious access or data-retrieval patterns by the server.
  • one goal is to verify the directory hierarchy of the file system, an important task, since, in many cases, the integrity of a file depends not only on its content, but also on its location in the file system. For example, the context of an .htaccess file depends on its location - its
  • One conventional technique is to have the client (which can abstract to an operating system (OS) kernel supporting many users) sign each file system update it makes in the outsourced file system (e.g., using a hashed message authentication code (HMAC) based on a key that it keeps secret from the server).
  • This technique has some drawbacks, however. First, it allows for replay attacks since determining file freshness is difficult with such a system. Second, this technique requires the client to sign every possible path in the directory hierarchy in order to be able to authenticate locations. This last requirement is especially inefficient, for example, when the client performs the directory operation mv that moves a large directory to a new location.
  • Another technique is to assume that the outsourced file system is partially trustworthy or has some tamper-resistant trusted hardware as a part of its architecture (e.g., using trusted computing platforms). Such an assumption involves postulating that the networked file system is itself at least partially trusted, which is not that much different than simply trusting the hosting server in the first place.
  • a method for a client unit to interact with a file system stored by an untrusted server unit includes: storing in a memory accessible by the client unit a digest representative of the file system, wherein a tree structure corresponds to the file system, wherein the digest comprises a cryptographic hash value over the tree structure that includes structural and balancing information for the tree structure; issuing to the untrusted server unit an operation to be performed on the file system; and receiving a result and a proof in response to the operation, wherein the proof comprises information that enables re-computation of the digest by the client unit.
  • an apparatus in another exemplary embodiment of the invention, includes: a memory configured to store a digest representative of a file system, wherein a tree structure corresponds to the file system, wherein the digest comprises a cryptographic hash value over the tree structure that includes structural and balancing information for the tree structure, wherein the file system is stored by an untrusted server unit; a transceiver; and a data processor configured to issue to the untrusted server unit via the transceiver an operation to be performed on the file system, wherein the data processor is further configured to receive via the communication component a result and a proof in response to the operation, wherein the proof comprises information that enables re-computation of the digest by the data processor.
  • a method includes: storing in a memory accessible by an untrusted server unit a file system, wherein a tree structure corresponds to the file system; receiving from a client unit an instruction to perform an operation on the file system; and transmitting to the client unit, in response to the instruction, a result and a proof, wherein the proof comprises information that enables re-computation of a digest by the client unit, wherein the digest comprises a cryptographic hash value over the tree structure that includes structural and balancing information for the tree structure.
  • an apparatus in another exemplary aspect of the invention, includes: a transceiver; and a data processor configured to receive from a client unit via the transceiver an instruction to perform an operation on a file system, wherein the apparatus is configured to access the file system, wherein a tree structure corresponds to the file system, wherein the data processor is further configured to transmit to the client unit via the transceiver, in response to the instruction, a result and a proof, wherein the proof comprises information that enables re-computation of a digest by the client unit, wherein the digest comprises a cryptographic hash value over the tree structure that includes structural and balancing information for the tree structure.
  • FIG. 1 shows a schematic illustration of an exemplary authenticated storage model within which exemplary embodiments of the invention may be utilized
  • FIG. 2(a) depicts an exemplary skip-list hashing scheme for verifying operations on a map data structure
  • FIG. 2(b) illustrates an exemplary consistency proof P for the exemplary skip-list hashing scheme of FIG. 2(a);
  • FIG. 3 (a) shows an exemplary tree structure T corresponding to an exemplary file system;
  • FIG. 3(b) depicts an exemplary tree of paths T corresponding to the exemplary tree structure T shown in FIG. 3(a);
  • FIG. 4 illustrates a simplified block diagram of various exemplary electronic devices that are suitable for use in practicing the exemplary embodiments of this invention
  • FIG. 5 depicts a flowchart illustrating one non-limiting example of a method for practicing the exemplary embodiments of this invention.
  • FIG. 6 depicts a flowchart illustrating another non-limiting example of a method for practicing the exemplary embodiments of this invention.
  • Authenticated Data Storage Systems. Previous and related work on authenticated data storage considers integrity at the file or data block level. Most of the systems provide file integrity using authentication information at the client that is proportional to the size of the file system. The most efficient constructions generally involve the use of Merkle trees over the data blocks of a single file. The SUNDR system provides integrity protection by employing hash-tree schemes and digital signatures. However, it makes heavy use of signatures (e.g., every operation is signed). SUNDR does not assume the existence of a secure module (i.e., client) and operates in a fully-distributed setting, thus it suffers from consistency limitations inherent in this multi-client model. Similarly, the SiRiUS system stores a digital signature for each file.
  • an efficient authentication scheme of large, dynamic data sets using Galois/Counter Mode is described where a constant amount of memory is used.
  • efficient protocols for proving availability of static data in remote untrusted storage units are presented.
  • a recent technique for authenticated network storage proposes to use a Merkle tree as the underlying data structure; however, PKI is used and the hash root is outsourced to an external medium, raising communication as well as security issues.
  • the trusted digest is remotely maintained by the client at the server side, assuming a trusted storage component.
  • authenticated storage is memory checking, where a trusted checker checks the correctness of an untrusted memory, using cryptographic primitives and hashing primitives.
  • the model of authenticated data structures studies cryptographic techniques for authenticating that data structures that reside at untrusted hosts operate reliably with respect to updates performed by the owner of the data and queries issued by the users of the data structure. Techniques are known for authenticating the results of different types of queries, including set-membership queries, SQL queries on databases, geometric queries, and XML queries.
  • authenticated data structures are closely related to the authenticated storage problem, there exist important differences in the models used. Authenticated data structures use a three-party data verification model and the data source stores the entire data set. In contrast, outsourced data authentication (i.e., the authenticated storage problem) uses a two-party model and the data source stores only minimal information about the data, and consequently, data consistency and replay-attack safety are more challenging to meet.
  • the problem of authenticated storage is considered, where one desires to outsource a file-system to an untrusted server and yet ensure the file-system's integrity.
  • New exemplary architectures for authenticated outsourced storage are introduced. Using light-weight cryptographic primitives and efficient data structuring techniques, the exemplary authentication schemes allow a client to verify that the file-system is fully consistent with the history of updates or queries requested by the client. File-system operations are verified in time that is logarithmic in the size of the file-system using optimal storage complexity, constant storage overhead at the client and asymptotically no extra overhead at the server.
  • exemplary schemes described herein additionally verify the file-system directory structure, thus supporting the authentication of complex file-system operations (e.g., directory moves and navigation) and file-system meta-data (e.g., general directory attributes).
  • the exemplary architecture achieves generality by being platform-independent, as well as usability by operating transparently for end-users.
  • Various exemplary embodiments of the invention may be referred to herein as "Athos" (AuTHenticated Outsourced Storage), supporting an authenticated networked file system that allows for efficient verification of, for example, the integrity of contents and locations of files and directories.
  • provably secure protocols are constructed for authenticating file-system operations.
  • the client maintains some minimal cryptographic state (a "digest") that consistently represents the file-system, against which any file-system operation performed by the server can be verified to determine whether it has been executed correctly.
  • an efficient data structuring technique is employed for representing an entire file system in a way that facilitates meeting verification and efficiency goals.
  • Novel, exemplary techniques are presented for achieving consistency and file-system integrity verification: any update or query is validated at the client by having the server provide a succinct corresponding proof (e.g., through an authentication service module that runs in the untrusted memory and is, thus, also untrusted), which comprises, for example, partial data and hashes stored in the file-system data structure.
  • various conventional techniques provide: (a) O(1) client storage, O(n) update complexity and no hierarchy authentication; (b) O(log n) client storage, O(log n) update complexity and no hierarchy authentication; (c) O(n) client storage, O(log n) update complexity and no hierarchy authentication; and/or (d)
  • Athos provides improvements over these techniques by enabling O(1) client storage, O(log n) update complexity and hierarchy authentication for verification purposes.
  • FIG. 1 shows a schematic illustration of an exemplary authenticated data storage model 10 within which exemplary embodiments of the invention may be utilized. Owned by a client C 12 but hosted at a remote untrusted server S 14, a file system FS 16 evolves over time through a series of update and query operations, issued by C 12 and executed by S 14. At all times, C 12 stores a succinct state 20 (e.g., a digest of few bytes) of FS 16 that is consistent with the entire history of operations. Authentication of operations is performed through verification or consistency proofs that are provided to C 12 (along with any answers to the operations provided by FS 16) by an authentication service module 18 that runs in memory independently of FS 16 and is controlled by S 14. A proof is used by C 12 to verify the current operation and consistently update the state (digest). That is, the authentication service module 18 stores additional authentication information 22 about FS 16. The file system may be generated and queried through the series of update and query operations.
  • the client C 12 sends a query x 24 on the FS 16 to the untrusted server S 14.
  • the server S 14 performs the query operation and obtains an answer a 26.
  • the authentication service 18 generates a proof y 28.
  • the answer a 26 and the proof y 28 are sent to the client C 12.
  • the answer a 26 and the proof y 28 are sent together (e.g., in a single message or transmission) from the server S 14 to the client C 12.
  • the query x 24 may be received once by the server S 14, with the server S 14 internally sending the query x 24 to both be processed (i.e., to obtain the answer a 26) and to generate the proof y 28.
  • the specific functionality of the query x 24, the answer a 26 and the proof y 28 are explained in further detail below.
  • an exemplary communication protocol is as follows:
  • Client C keeps state information s and issues a query or update operation o ∈ O to the server S.
  • Server S performs the query or update operation o by accordingly answering the query (i.e., obtaining an answer) or updating the FS to a new version FS', and by running an authentication service (AS), S generates a verification or respectively a consistency proof π (generally referred to herein as a "proof") which is returned to client C, along with the result ρ of the operation; ρ is the corresponding answer if operation o is a query or the
  • This set of operations can be represented as a verify
  • the state s is not updated to state s'.
  • an error message or other indication of the failed verification may be output.
  • the above protocol and pair of algorithms may be considered an authenticated storage scheme.
  • the security requirement such a scheme should satisfy expresses the intuitive property that the verification performed at C is a reliable test for the file system's integrity. Let operate(·, ·) be the algorithm that, given the current file
  • an authenticated storage scheme is time-efficient if the verification time is sub-linear in the file-system size |FS|.
  • An authenticated storage scheme is space-efficient if the state stored by the client C is sub-linear in |FS| or space-optimal if the state is of constant size.
  • In Section 4, an exemplary time-efficient, space-optimal and secure authenticated storage scheme is presented for a rich set of operations on an outsourced file system.
  • a hashing scheme for a certain query type Q describes a systematic method for computing a digest from an underlying data set (e.g., a file system) by hierarchically applying a cryptographic hash function (e.g., that is collision-resistant) over data objects and previously produced hash values.
  • Hashing schemes produce digests satisfying an important property: answers to queries in Q on the data set define sequences of hash values produced by the hashing scheme that can serve as proofs of the answers' correctness, subject to the (correct and authentic) data digest.
  • the inspiration stems from authenticated data structures, where a data structure produced by a trusted source is replicated to an untrusted server for answering users' queries.
  • query verification is possible at/by the users.
  • the exemplary authenticated storage models presented herein can be seen as the model of authenticated data structures, where the source and the user coincide. But the relation stops here, because exemplary models for the invention require that the client stores only a single digest, that protocols satisfy a stronger notion of security, and because there are no known efficient hashing schemes for general file-system operations.
  • Exemplary hashing schemes are discussed that satisfy three important properties: (i) they are specialized for verifying a rich set of file-system operations; (ii) they define the file-system digest so that it not only encodes information that provides proofs for verifying the results of queries, but also encodes information that provides proofs for verifying updates performed in the file system; and (iii) the proof of any operation has size that is logarithmic in the size n of the entire file system and after any update the new digest can be computed with cost logarithmic in n.
  • An exemplary hashing scheme is maintained at the authentication service module (AS) of the server. The following invariant is maintained: the client maintains the correct digest of the current file system (as if it was computed by the client).
  • any query operation can be verified by having the (untrusted) AS provide the client with the corresponding (verification) proof.
  • Any update operation can be verified by designing the hashing scheme to include information that can be used to check the file system's integrity after an update, and by having the AS provide the client with this information as a (consistency) proof for the verification algorithm verify.
  • the verification can be divided, conceptually, into two steps: (1) first, the provided information is itself verified to be authentic subject to the existing state (i.e., consistent digest before the update), and (2) second, the (authenticated) information is used by the client to verify the updated file system (i.e., after the update is performed) and compute the new state (digest), which is now consistent with this update since it is computed using authentic data.
  • the consistency proof is such that the client is able to locally rerun the same update over the hashing scheme and the data structure and thus validate the new, updated state of the file system. Proof Sketch of Security.
  • the exemplary authenticated storage schemes are based on the following general approach.
  • H corresponds to an underlying authenticated data structure ADS
  • H one augments H to a new hashing scheme H, such that H additionally encodes in its (defining) digest the entire structural and balancing information that exists in ADS.
  • $h_v = h(h_{u_1}, \ldots, h_{u_i}, h(b_v, s_v))$
  • $b_v$ and $s_v$ describe all the balancing and, respectively, structural information about node v in the data structure.
  • the query types are set-membership or path property queries using the skip-list and the dynamic-tree data structure, respectively, and the corresponding hashing schemes of Goodrich1 and Goodrich2 (see below), respectively.
  • the consistency proof by the definition of the corresponding augmented hashing scheme H contains all the balancing and structural information that completely characterizes the changes in FS due to the update. Assuming that the state is consistent, the consistency proof coming from an honest server S will be verified, thus also providing verification of the balancing and structural information related to the update.
  • C is able to locally perform the correct update as if C had direct access to the entire, (correct) current file system FS.
  • C is able to correctly and consistently update the state s to s', which is simply the new digest according to H.
  • any query can be securely verified since the underlying hashing scheme is secure.
  • any malicious behavior by S will be rejected by the verification algorithm, assuming that finding collisions is computationally difficult.
  • Each entry of the map is a tuple (k, v), where k is a key and v is the value that corresponds to k; v can be a collection of objects as well.
  • the entries of the map are sorted according to their keys (e.g., by using a comparator).
  • the authenticated map data structure resides in the server. Using a hashing scheme designed over skip-lists, one can define the digest for the authenticated map, computed according to the tree structure of the skip-list (see Figure 2(a) as discussed below).
  • FIG. 2(a) depicts an exemplary skip-list hashing scheme 30 for verifying operations on a map data structure and FIG. 2(b) illustrates an exemplary consistency proof P 50 for the exemplary skip-list hashing scheme 30 of FIG. 2(a).
  • the exemplary skip-list hashing scheme 30 shown in FIG. 2(a) has a number of entries, each one having a tuple (k, v).
  • FIG. 2(a) illustrates the insertion of key 14.
  • the exemplary consistency proof P 50 shown in FIG. 2(b) is returned by S in response to the update operation (i.e., to insert key 14).
  • the proof P 50 contains all the hashing and structural information needed to verify the consistency of P 50 subject to the current digest (i.e., before the update) and to locally perform the update and generate a new digest corresponding to the updated skip list.
  • P contains the two keys, for example, succ(x) and pred(x), that are the successor and predecessor of x in the ordering of the keys.
  • P also contains all the necessary hashing information (e.g., hash values) that allows C to recompute the digest d_0 starting from succ(x) and pred(x) and hashing according to the hashing scheme that is used. Due to the collision-resistance property of the hash function, C can tell if the received path is the correct one. If P is verified, C verifies that key x is not in the directory. Also, C knows the position at which this file should be added.
  • P contains all the necessary structural information that enables C to locally perform the update in the hashing scheme that corresponds to the file insertion, by placing x between succ(x) and pred(x) and computing the new hash values for only those nodes of the skip list that need a new hash. Knowing the new hash values, C can compute the new digest d'_0, which is consistent with the insertion operation.
  • the key insertion (performed by S) can be verified in two steps: (1) first, path P is verified and then (2) it is used to locally perform the update and compute the new digest.
  • Lemma 3.1 There exists an authenticated storage scheme for operations on key-value pairs in a map that is based on an authenticated skip list, with the following expected complexity bounds:
  • the expected update (insertion and removal), query and verification time is O(log n) with high probability.
  • Update time is the time required by S to do the actual update
  • query time is the time S needs to compute the (consistency or verification) proof
  • verification time is the time that C needs in order to process the proof and validate or reject the query or the update. Note that for set-membership queries and updates (e.g., through which one can implement all file system operations) the size of a proof is asymptotically equal to the verification time; therefore, the verification time bounds will indirectly imply the size of the proof.
  • Let T be the tree that corresponds to the file system.
  • Each entry of the map corresponds to a node v of T and has the following format:
  • key(v) is the key of the specific entry, a unique id for each node of the file system (e.g., the i-node of the file system node, obtainable in UNIX by using the stat command);
  • key(parent) is the key that corresponds to the parent node of v in the file system
  • key(sibling) is the key of the node that corresponds to the sibling of v according to the order of their creation (e.g., the first child of a node is considered to be that node that was created most recently). Note that if a node v is the last node of the children list, then this field, for example, may be null;
  • key(backsibling) is the key of the node that corresponds to the sibling just before v according to the order of their creation. Note that if a node v is the first node of the children list, then this field, for example, may be null;
  • key(child) is the key of the node that corresponds to the first child of v in the above described order.
  • each query/update to the file system is mapped to a standard query/update operation in the authenticated map.
  • Theorem 3.2 (Representation with Skip Lists) Assuming the existence of collision-resistant hash functions, there exists a secure and space-optimal authenticated storage scheme that is implemented with skip lists and achieves the following performance, where n is the size of the file-system:
  • Let Π be the path one wants to authenticate.
  • the id key( ⁇ ) of the node ⁇ e.g., this can be done by using the Stat command in UNIX.
  • One issues the query contains(key( ⁇ /t )).
  • the authenticated query takes time O(k log n), where one issues k queries to the skip list.
  • For the operation cd(Π), only the path Π has to be authenticated; hence the bound follows.
  • the path Π is authenticated and it is checked to see if the field file of ⁇ * equals the respective cryptographic hash of what is being read.
  • the operation ls(Π) is basically an authentication of the path Π and then one has to follow sibling relations to check that what is being retrieved from the file system (in some order) by executing ls is equal to the authenticated information that one gets from the skip list. Hence one needs time O((k+t) log n).
  • For the operations mkdir(Π), touch(Π), first the path ⁇ i ⁇ 2 . . . ⁇ i is authenticated.
  • a new id x is created for the new node ⁇ * (e.g., this can be done by actually creating the path in the file system and then calling stat to get the i-node) and then the pointers are updated accordingly. Then the record with key x is inserted, as created above (with the updated pointers). Since only a constant number of pointers are updated, the complexity bound follows. Similarly, for the operations write(Π) and rm(Π), the path Π is authenticated. Let x be the i-node of node ⁇ *.
  • Another exemplary method of representing the file system using a skip list is the following. Instead of storing the i-node number for the key of a node v, one can use as key the name of the path from the root to node v (for example, the key for the file lying in
  • /users/user/pub.txt will be the string "/users/user/pub.txt").
  • T be the (generally unbalanced) tree that represents the file system according to the directory hierarchy, where the topological (left-to-right) ordering of sibling nodes is also the lexicographical ordering of the corresponding files and directories.
  • the leaves of T are either files or empty directories.
  • the data structure is based on dynamic trees.
  • FIG. 3(a) shows an exemplary tree structure T 70 corresponding to the file system.
  • FIG. 3(b) depicts an exemplary tree of paths T 90 corresponding to the exemplary tree structure T 70 shown in FIG. 3(a). Nodes that belong to the dashed paths are duplicated.
  • Dynamic Trees and T. The construction of the dynamic tree data structure from a tree T is briefly described. Tree T is transformed to a tree of paths T as follows. Paths in T are defined by a path partition in the original file-system tree. T is a rooted tree and its edges are classified as being either solid or dashed according to their weight in T (e.g., size of the subtree in T rooted at the lowest node of the edge), such that any internal node has at most one child connected by a solid edge.
  • This edge classification partitions the nodes of the tree into solid paths connected with each other by dashed edges (see FIG. 3(a)). Every internal node v in T has at most one child u connected through a solid edge. If v has other children (through dashed edges), say nodes u_1, . . . , u_k, then the dashed path d(v) of v is a path of length k such that there is a one-to-one correspondence between edges (u_i, v) in T and nodes of d(v) and the ordering is preserved.
  • the tree T of paths is constructed by considering all solid and dashed paths defined for tree T and defining the parent-child relation according to their connectivity in the original tree T.
  • solid paths are the parent paths of the dashed paths they define in T and dashed paths d(v) are the parent paths of the solid paths whose nodes are descendants in T of node v.
  • each path in T is represented as a biased binary tree (weight-balanced tree) using appropriate weights and if these individual trees are appropriately interconnected, then it is possible to obtain a final tree T that is balanced.
  • any two nodes in the original tree T are connected in the final tree T through a path of length logarithmic in |T|.
  • there are efficient algorithms in T for performing structural updates in the original tree; for instance, any subtree in T can change parent in logarithmic time in |T|.
  • the tree T is used as the representation of the file system and also as the structure that will be used as a hashing scheme for defining the digest of the entire file system.
  • This hashing scheme should be appropriately constructed so that it can be used to verify a broad class of query and update operations on the file system.
  • the hashing scheme is used for authentication of path properties in trees. This hashing scheme is defined over trees of the form of the final tree T and has the following important property: given two nodes in the original tree T, the hashing scheme can be used to efficiently authenticate any "property" of the path connecting the nodes in T.
  • This exemplary hashing scheme is extended to authenticate path properties not only for paths in the original tree T (i.e., properties of paths related to the parent-child relation), but also for dashed paths in the intermediate tree T (i.e., properties of paths related to siblings).
  • This extension is performed by including in the hashing scheme information that is associated with the nodes of dashed paths, i.e., information associated with the files and subdirectories of any directory.
  • the exemplary hashing scheme can be augmented to include structural and balancing information related to T: in such a case the hash value of any node in T includes, for example, its sibling rank and weight.
  • each node v of the tree is related with a constant-size set of node attributes {N_1(v), . . . , N_k(v)}.
  • these can be the weight of v or other variables that one desires to relate with the node.
  • the set of these node attributes may be referred to as the node property N(v) of this node.
  • the node property N(v) of a node v to contain at least two attributes: S(v) and C(v).
  • every path p is related with a set of path attributes {P_1(p), . . . , P_k(p)}. As non-limiting examples, these can be the length of a path or other variables that one would like to relate with this path.
  • the set of these path attributes may be referred to as the path property P(p) of this path.
  • Theorem 4.1 (Representation with Dynamic Trees) Assuming the existence of collision-resistant hash functions, there exists a secure, time efficient and space optimal authenticated storage scheme that is implemented with dynamic trees and achieves the following performance, where n is the size of the file-system:
  • the authentication of any path Π is a query of the name of the path, namely a query of the property of the path, which according to Goodrich2 takes time O(log n+k).
  • ls(Π): one queries for the name of the dashed path d(nii) that corresponds to node ⁇ *- (the names of the children of n ⁇ ).
  • the query and verification time is O(log n+t+k).
  • cd(Π): all one has to do is to query for the name of the path from ⁇ i to ⁇ (e.g., query for the attribute S(·)). This has query and verification time O(log n+k).
  • Operation mkdir(Π) corresponds first to a cd operation (to authenticate the path Π) and then to the series of update operations (e.g., newTree(), link()) in the tree. These operations take time O(log n+k), O(1) and O(log n) respectively. Hence, the total time is O(log n+k).
  • operation rmdir(Π) corresponds first to a cd operation and then to the series of update operations (e.g., cut(), destroyTree()) in the tree.
  • the exemplary authentication scheme can provide a verification proof for negative answers by proving the existence of the two neighboring sibling nodes in a dashed path where the error occurs. In essence, this is, again, a path-property of a special type.
  • In Table 2, a comparison of the three presented implementations (local skip lists, global skip lists and dynamic trees) for various file system operations is shown.
  • n is the size of the file system
  • C is the size of the children list
  • T is the subtree rooted on ⁇ *. Note that the dynamic trees clearly outperform skip lists in comparatively "expensive" operations such as mkdir and mv.
  • the client should be able to verify the correctness of the operation and to update the digest of the whole data structure by using the consistency proof sent by the server whenever an update takes place. But how does the client update the digest after an update in the dynamic trees case?
  • the server sends a path P with hash values and other information related to the update.
  • the consistency proof is generally more complex.
  • One exemplary consistency proof contains all the structural and balancing information and all the node and path attributes of the nodes that should be accessed by the update algorithm in order to perform the operation. Note that this information is included in the hashing scheme.
  • the client has all the information that, once authenticated using the current state (digest) is required for locally performing the update and computing the new digest.
  • this consistency proof has logarithmic size: since all the update operations described above take logarithmic time, they cannot visit more than O(log w+
  • the server can send structural and hashing information of size O(log «+
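The digest, proof and consistency-proof exchange described above, as an added example that is not code from the patent. It assumes a plain binary Merkle tree over lexicographically sorted path names in place of the skip list or dynamic tree, SHA-256 as the collision-resistant hash, and covers only a write to an existing file; all class and function names are hypothetical.

```python
import hashlib

def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def leaf_hash(path, content):
    p = path.encode()  # tag 0x00 + length prefix keep (path, content) unambiguous
    return H(b"\x00", len(p).to_bytes(4, "big"), p, content)

def node_hash(left, right):
    return H(b"\x01", left, right)

def make_digest(n, root):
    return H(b"\x02", n.to_bytes(8, "big"), root)  # leaf count hashed in: commits to shape

def fold(leaf, index, n, siblings):
    """Recompute the root from one leaf. The walk is derived from (index, n);
    an unpaired last node of a level is promoted unchanged."""
    node, sibs = leaf, list(siblings)
    while n > 1:
        if index % 2 == 1:
            node = node_hash(sibs.pop(0), node)
        elif index + 1 < n:
            node = node_hash(node, sibs.pop(0))
        index, n = index // 2, (n + 1) // 2
    if sibs:
        raise ValueError("proof carries unused hashes")
    return node

class UntrustedServer:
    def __init__(self, files):
        self.files = dict(files)

    def _levels(self):
        keys = sorted(self.files)  # path names are the keys, in lexicographic order
        level = [leaf_hash(k, self.files[k]) for k in keys]
        levels = [level]
        while len(level) > 1:
            level = [node_hash(level[i], level[i + 1]) if i + 1 < len(level) else level[i]
                     for i in range(0, len(level), 2)]
            levels.append(level)
        return keys, levels

    def digest(self):
        keys, levels = self._levels()
        return make_digest(len(keys), levels[-1][0])

    def read(self, path):
        keys, levels = self._levels()
        index = i = keys.index(path)
        siblings = []
        for level in levels[:-1]:
            sib = i - 1 if i % 2 else i + 1
            if sib < len(level):
                siblings.append(level[sib])
            i //= 2
        return self.files[path], (index, len(keys), siblings)  # result, proof

    def write(self, path, content):
        old, proof = self.read(path)  # result and proof describe the pre-update state
        self.files[path] = content
        return old, proof

class Client:
    def __init__(self, digest):
        self.digest = digest  # the only trusted state: one hash value

    def _proof_digest(self, path, content, proof):
        index, n, siblings = proof
        try:
            if not 0 <= index < n:
                return None
            return make_digest(n, fold(leaf_hash(path, content), index, n, siblings))
        except (IndexError, ValueError):
            return None  # malformed proof

    def verify_read(self, path, content, proof):
        return self._proof_digest(path, content, proof) == self.digest

    def apply_write(self, path, old, new, proof):
        if not self.verify_read(path, old, proof):
            return False  # unauthenticated pre-state: keep the current digest
        self.digest = self._proof_digest(path, new, proof)  # same siblings, new leaf
        return True

FILES = {  # constructed sample file system
    "/users/user/pub.txt": b"public notes", "/users/user/key.txt": b"k1",
    "/users/readme": b"hello", "/etc/motd": b"welcome", "/etc/hosts": b"127.0.0.1",
}

def demo():
    server, path = UntrustedServer(FILES), "/users/user/pub.txt"
    client = Client(server.digest())  # taken while the data was still trusted
    content, proof = server.read(path)
    honest = client.verify_read(path, content, proof)
    forged = client.verify_read(path, b"tampered", proof)
    old, wproof = server.write(path, b"v2")
    updated = client.apply_write(path, old, b"v2", wproof)
    stale = client.verify_read(path, content, proof)  # replay of the pre-update answer
    return honest, forged, updated, client.digest == server.digest(), stale
```

Calling `demo()` returns the outcome of an honest read, a forged read, a verified write, the client/server digest comparison after the write, and a replay of the pre-update answer.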
  • communication assumptions could be made. Briefly consider how the exemplary protocols can be applied in two such restricted multi-user settings, by making a general — and easy to meet in practice — communication assumption. First, if one assumes that different users belong in the same organizational unit and access a remote file system through the same network infrastructure, then the exemplary protocols are applicable to a single designated client, trusted by the users, which serializes all users' operations, verifying each operation locally. For instance, this may be the setting in a networked file system where many users share and operate on files that can be physically stored in remote and untrusted storage units, yet all users' requests are serialized in the system's filer.
  • an exemplary verification client can constitute an add-on module of the hosting operating system kernel that runs in parallel with the system's filer. Also, if one assumes that different users are online from geographically remote - and even mobile - locations but can share a trusted storage of constant size, then the exemplary protocols are applicable by simply having the authentication digest of the file system be stored in this shared storage unit (and by possibly enforcing certain locking mechanisms for achieving concurrency), where verification of operations is performed locally at/by the users.
  • users may share a secure web page or a file that is stored at (e.g., a single, trusted node of) a p2p storage network (e.g., accessed even by an untrusted node of it and using secure p2p searching techniques).
  • Athos can provide to the higher (or hosting) application complete information about the problematic operation and the current state of the file system in terms of its integrity.
  • Athos functionality can characterize the exact location in the file system where integrity was not verified and thus pinpoint which file or directory was maliciously (or accidentally) modified by the untrusted server or by the remote storage devices.
  • Athos can offer persistent authentication capabilities, where file-system operations or queries about past views of the file system can be issued and authenticated. This property of Athos may be significant, since it can be useful for supporting a secure audit of the entire outsourced file system.
  • the exemplary embodiments of the invention generally relate to interactions between a user and an untrusted server.
  • the exemplary embodiments of this invention may be implemented by one or more of the parties involved.
  • the user may comprise an electronic device or a portable electronic device.
  • Such an electronic device may itself comprise at least one data processor, at least one memory, a communication component (e.g., a transceiver), and a user interface comprising a user input (e.g., mouse, keyboard, keypad, joystick, touchscreen, touchpad) and a display device (e.g., display, monitor, screen, touchscreen, liquid crystal display).
  • the user may comprise a software program or a plug-in application attached to another program.
  • the server may comprise a web service running on a distributed collection of computers accessible via the internet.
  • a cryptographic component may be employed.
  • the cryptographic component may be a separate entity (e.g., an integrated circuit, an
  • a system implementing the exemplary embodiments of this invention may comprise a private network (e.g., local area network - LAN), a public network (e.g., a publicly available wireless local area network - WLAN), or the internet.
  • the exemplary embodiments of this invention may be carried out by computer software implemented by a data processor or by hardware, or by a combination of hardware and software.
  • the exemplary embodiments of this invention may be implemented by one or more integrated circuits.
  • FIG. 4 illustrates a simplified block diagram of various exemplary electronic devices that are suitable for use in practicing the exemplary embodiments of this invention.
  • FIG. 4 shows a system 400 having a client 402 and a server 412.
  • the client 402 has a data processor (DP) 404, a memory (MEM) 406 coupled to the DP 404 and a transceiver (TRANS) 408 coupled to the DP 404.
  • the TRANS 408 enables bidirectional communication with the server 412.
  • the MEM 406 stores a digest 410 in accordance with exemplary embodiments of the invention, as further described herein.
  • the client 402 may comprise any suitable electronic device.
  • the server 412 has a data processor (DP) 414, a memory (MEM) 416 coupled to the DP 414 and a transceiver (TRANS) 418 coupled to the DP 414.
  • the TRANS 418 enables bidirectional communication with the client 402.
  • the MEM 416 stores a file system (FS)
  • FS 420 and the AS 422 may be stored in or provided by separate components (e.g., two memories, two circuits, two integrated circuits, two processors).
  • the server 412 may comprise any suitable electronic device.
  • the MEMs 406, 416 may be of any type appropriate to the technical environment and may be implemented using any appropriate data storage technology, such as optical memory devices, magnetic memory devices, semiconductor-based memory devices, fixed memory and removable memory, as non-limiting examples.
  • the DPs 404, 414 may be of any type appropriate to the technical environment, and may encompass one or more of microprocessors, general purpose computers, special purpose computers and processors based on a multi-core architecture, as non-limiting examples.
  • Exemplary embodiments of the invention or various aspects thereof, such as the authentication service, as a non-limiting example, may be implemented as a computer program stored by the respective MEM 406, 416 and executable by the respective DP 404, 414.
  • a method for a client unit to interact with a file system stored by an untrusted server unit comprising: storing in a memory accessible by the client unit a digest representative of the file system, wherein a tree structure corresponds to the file system, wherein the digest comprises a cryptographic hash value over the tree structure that includes structural and balancing information for the tree structure (501); issuing to the untrusted server unit an operation to be performed on the file system (502); and receiving a result and a proof in response to the operation, wherein the proof comprises information that enables re-computation of the digest by the client unit (503).
  • a method as above further comprising: verifying the proof to determine if the proof is authentic, wherein said verification comprises utilizing the proof to compute a proof digest and comparing the computed proof digest with the stored digest to determine a correspondence.
  • the operation comprises a first operation, wherein the steps of issuing, receiving and verifying are performed for a second operation, wherein the second operation is issued only if the proof for the first operation is verified to be authentic.
  • the digest comprises a first digest and the operation comprises an update operation, the method further comprising: in response to determining that the proof is authentic, using the proof to compute a second digest and storing said second digest in place of the first digest, wherein the second digest is representative of an updated file system comprising the file system after the update operation has been performed, wherein said second digest comprises a second cryptographic hash value over the updated file system that includes structural and balancing information for a second tree structure corresponding to said updated file system.
  • the operation comprises a query operation and wherein the result comprises an answer to the query operation.
  • the operation comprises at least one UNIX command, wherein the at least one UNIX command comprises at least one of: cd, read, write, rm, mkdir, touch, ls, rm, rmdir and mv.
  • the tree structure comprises a skip list or a dynamic tree.
  • the tree structure comprises a skip list having a plurality of nodes, wherein each node is identified by a corresponding i-node number.
  • the tree structure comprises a skip list having a plurality of nodes, wherein each node is identified by a corresponding path name.
  • the memory comprises a shared storage unit that is also accessible by at least one other client unit.
  • a storage requirement of the client unit for storing the digest remains substantially the same over time.
  • the cryptographic hash value comprises a collision-resistant cryptographic hash value.
  • the method is implemented by a computer program.
  • the method is implemented by a program storage device readable by a machine, tangibly embodying a program of instructions executable by the machine for performing actions, the actions comprising the steps of performing the method.
  • a program storage device readable by a machine, tangibly embodying a program of instructions executable by the machine for performing actions to interact with a file system stored by an untrusted server unit, the actions comprising: storing in a memory accessible by the client unit a digest representative of the file system, wherein a tree structure corresponds to the file system, wherein the digest comprises a cryptographic hash value over the tree structure that includes structural and balancing information for the tree structure; issuing to the untrusted server unit an operation to be performed on the file system; and receiving a result and a proof in response to the operation, wherein the proof comprises information that enables re-computation of the digest by the client unit.
  • a program storage device as above the actions further comprising: verifying the proof to determine if the proof is authentic, wherein said verification comprises utilizing the proof to compute a proof digest and comparing the computed proof digest with the stored digest to determine a correspondence.
  • a program storage device as in the previous wherein the operation comprises a first operation, wherein the steps of issuing, receiving and verifying are performed for a second operation, wherein the second operation is issued only if the proof for the first operation is verified to be authentic.
  • the actions further comprising: in response to an unsuccessful verification, obtaining information comprising at least one of the operation that led to the unsuccessful verification and a current integrity state of the file system.
  • a program storage device as in any above wherein the operation comprises a query operation and wherein the result comprises an answer to the query operation, the actions further comprising: in response to determining that the proof is authentic, determining that the answer is authentic.
  • the digest comprises a first digest and the operation comprises an update operation, the actions further comprising: in response to determining that the proof is authentic, using the proof to compute a second digest and storing said second digest in place of the first digest, wherein the second digest is representative of an updated file system comprising the file system after the update operation has been performed, wherein said second digest comprises a second cryptographic hash value over the updated file system that includes structural and balancing information for a second tree structure corresponding to said updated file system.
  • a program storage device as in any above wherein the operation comprises a query operation and wherein the result comprises an answer to the query operation.
  • the tree structure comprises a skip list or a dynamic tree.
  • the tree structure comprises a skip list having a plurality of nodes, wherein each node is identified by a corresponding i-node number.
  • a program storage device as in any above wherein the client unit arbitrates communication with the untrusted server unit on behalf of a plurality of users.
  • the memory comprises a shared storage unit that is also accessible by at least one other client unit.
  • a storage requirement of the client unit for storing the digest remains substantially the same over time.
  • the cryptographic hash value comprises a collision-resistant cryptographic hash value.
  • an apparatus comprising: a memory configured to store a digest representative of a file system, wherein a tree structure corresponds to the file system, wherein the digest comprises a cryptographic hash value over the tree structure that includes structural and balancing information for the tree structure, wherein the file system is stored by an untrusted server unit; a transceiver; and a data processor configured to issue to the untrusted server unit via the transceiver an operation to be performed on the file system, wherein the data processor is further configured to receive via the communication component a result and a proof in response to the operation, wherein the proof comprises information that enables re-computation of the digest by the data processor.
  • the data processor is further configured to verify the proof to determine if the proof is authentic, wherein said verification comprises utilizing the proof to compute a proof digest and comparing the computed proof digest with the stored digest to determine a correspondence.
  • the operation comprises a first operation, wherein the steps of issuing, receiving and verifying are performed by the data processor for a second operation, wherein the second operation is issued by the data processor only if the proof for the first operation is verified to be authentic.
  • the data processor is further configured, in response to an unsuccessful verification, to obtain information comprising at least one of the operation that led to the unsuccessful verification and a current integrity state of the file system.
  • an apparatus as in any above wherein the operation comprises a query operation and wherein the result comprises an answer to the query operation, wherein the data processor is further configured, in response to determining that the proof is authentic, to determine that the answer is authentic.
  • the digest comprises a first digest and the operation comprises an update operation
  • the data processor is further configured, in response to determining that the proof is authentic, to use the proof to compute a second digest and to store said second digest in place of the first digest, wherein the second digest is representative of an updated file system comprising the file system after the update operation has been performed, wherein said second digest comprises a second cryptographic hash value over the updated file system that includes structural and balancing information for a second tree structure corresponding to said updated file system.
  • the operation comprises a query operation and wherein the result comprises an answer to the query operation.
  • the digest comprises only the cryptographic hash value.
  • the operation comprises at least one UNIX command, wherein the at least one UNIX command comprises at least one of: cd, read, write, rm, mkdir, touch, ls, rm, rmdir and mv.
  • the tree structure comprises a skip list or a dynamic tree.
  • the tree structure comprises a skip list having a plurality of nodes, wherein each node is identified by a corresponding i-node number.
  • the tree structure comprises a skip list having a plurality of nodes, wherein each node is identified by a corresponding path name.
  • An apparatus as in any above wherein the apparatus arbitrates communication with the untrusted server unit on behalf of a plurality of users.
  • the memory comprises a shared storage unit that is also accessible by at least one other apparatus.
  • a storage requirement of the memory for storing the digest remains substantially the same over time.
  • the cryptographic hash value comprises a collision-resistant cryptographic hash value.
  • the apparatus comprises a client electronic device.
  • an apparatus comprising: means for storing a digest representative of a file system, wherein a tree structure corresponds to the file system, wherein the digest comprises a cryptographic hash value over the tree structure that includes structural and balancing information for the tree structure, wherein the file system is stored by an untrusted server unit; means for communicating; and means for issuing to the untrusted server unit via the means for communicating an operation to be performed on the file system, wherein the means for communicating is further for receiving a result and a proof in response to the operation, wherein the proof comprises information that enables re-computation of the digest by the apparatus.
  • the means for storing comprises a memory
  • the means for communicating comprises a transceiver
  • the means for issuing comprises a data processor.
  • the means for re-computing comprises the data processor.
  • An apparatus as in any above further comprising means for verifying the proof to determine if the proof is authentic, wherein said verification comprises utilizing the proof to compute a proof digest and comparing the computed proof digest with the stored digest to determine a correspondence.
  • the means for verifying comprises the data processor.
  • An apparatus as in any above, wherein the means for obtaining comprises the data processor.
  • an apparatus as in any above wherein the operation comprises a query operation and wherein the result comprises an answer to the query operation, wherein the means for verifying is further for, in response to determining that the proof is authentic, determining that the answer is authentic.
  • the digest comprises a first digest and the operation comprises an update operation
  • the apparatus further comprising: means for, in response to determining that the proof is authentic, using the proof to compute a second digest and means for storing said second digest in place of the first digest, wherein the second digest is representative of an updated file system comprising the file system after the update operation has been performed, wherein said second digest comprises a second cryptographic hash value over the updated file system that includes structural and balancing information for a second tree structure corresponding to said updated file system.
  • the operation comprises a query operation and wherein the result comprises an answer to the query operation.
  • the digest comprises only the cryptographic hash value.
  • the operation comprises at least one UNIX command, wherein the at least one UNIX command comprises at least one of: cd, read, write, rm, mkdir, touch, ls, rm, rmdir and mv.
  • the tree structure comprises a skip list or a dynamic tree.
  • the tree structure comprises a skip list having a plurality of nodes, wherein each node is identified by a corresponding i-node number.
  • the tree structure comprises a skip list having a plurality of nodes, wherein each node is identified by a corresponding path name.
  • An apparatus as in any above wherein the apparatus arbitrates communication with the untrusted server unit on behalf of a plurality of users.
  • the memory comprises a shared storage unit that is also accessible by at least one other apparatus.
  • a storage requirement of the means for storing the digest remains substantially the same over time.
  • the cryptographic hash value comprises a collision-resistant cryptographic hash value.
  • the apparatus comprises a client electronic device.
  • a method comprising: storing in a memory accessible by an untrusted server unit a file system, wherein a tree structure corresponds to the file system (601); receiving from a client unit an instruction to perform an operation on the file system (602); and transmitting to the client unit, in response to the instruction, a result and a proof, wherein the proof comprises information that enables re-computation of a digest by the client unit, wherein the digest comprises a cryptographic hash value over the tree structure that includes structural and balancing information for the tree structure (603).
  • the operation comprises a query operation and wherein the result comprises an answer to the query operation.
  • the operation comprises an update operation and wherein the proof further comprises structural information necessary to perform the update operation.
  • transmission of the proof to the client unit is performed by an authentication service stored in a second memory accessible by the untrusted server unit.
  • the operation comprises at least one UNIX command, wherein the at least one UNIX command comprises at least one of: cd, read, write, rm, mkdir, touch, ls, rm, rmdir and mv.
  • the tree structure comprises a skip list or a dynamic tree.
  • the tree structure comprises a skip list having a plurality of nodes, wherein each node is identified by a corresponding i-node number.
  • a method as in any above, wherein the tree structure comprises a skip list having a plurality of nodes, wherein each node is identified by a corresponding path name.
  • the cryptographic hash value comprises a collision-resistant cryptographic hash value.
  • the method is implemented by a computer program.
  • the method is implemented by a program storage device readable by a machine, tangibly embodying a program of instructions executable by the machine for performing actions, the actions comprising the steps of performing the method.
  • a program storage device readable by a machine, tangibly embodying a program of instructions executable by the machine for performing actions, the actions comprising: storing in a memory accessible by an untrusted server unit a file system, wherein a tree structure corresponds to the file system; receiving from a client unit an instruction to perform an operation on the file system; and transmitting to the client unit, in response to the instruction, a result and a proof, wherein the proof comprises information that enables re-computation of a digest by the client unit, wherein the digest comprises a cryptographic hash value over the tree structure that includes structural and balancing information for the tree structure.
  • the actions further comprising: performing the operation on the stored file system.
  • a program storage device as in any above wherein the operation comprises a query operation and wherein the result comprises an answer to the query operation.
  • a program storage device as in any above wherein the operation comprises an update operation and wherein the proof further comprises structural information necessary to perform the update operation.
  • transmission of the proof to the client unit is performed by an authentication service stored in a second memory accessible by the untrusted server unit.
  • the tree structure comprises a skip list or a dynamic tree.
  • the tree structure comprises a skip list having a plurality of nodes, wherein each node is identified by a corresponding i-node number.
  • a program storage device as in any above wherein the tree structure comprises a skip list having a plurality of nodes, wherein each node is identified by a corresponding path name.
  • an apparatus comprising: a transceiver; and a data processor configured to receive from a client unit via the transceiver an instruction to perform an operation on a file system, wherein the apparatus is configured to access the file system, wherein a tree structure corresponds to the file system, wherein the data processor is further configured to transmit to the client unit via the transceiver, in response to the instruction, a result and a proof, wherein the proof comprises information that enables re-computation of a digest by the client unit, wherein the digest comprises a cryptographic hash value over the tree structure that includes structural and balancing information for the tree structure.
  • the data processor is further configured to perform the operation on the file system.
  • An apparatus as in any above wherein the operation comprises a query operation and wherein the result comprises an answer to the query operation.
  • transmission of the proof to the client unit is performed via an authentication service stored in a second memory accessible by the data processor.
  • the digest comprises only the cryptographic hash value.
  • the operation comprises at least one UNIX command, wherein the at least one UNIX command comprises at least one of: cd, read, write, rm, mkdir, touch, ls, rm, rmdir and mv.
  • the tree structure comprises a skip list or a dynamic tree.
  • the tree structure comprises a skip list having a plurality of nodes, wherein each node is identified by a corresponding i-node number.
  • the tree structure comprises a skip list having a plurality of nodes, wherein each node is identified by a corresponding path name.
  • the cryptographic hash value comprises a collision-resistant cryptographic hash value.
  • the apparatus comprises an untrusted server.
  • an apparatus comprising: means for receiving from a client unit an instruction to perform an operation on a file system, wherein the apparatus is configured to access the file system, wherein a tree structure corresponds to the file system; means for transmitting to the client unit, in response to the instruction, a result and a proof, wherein the proof comprises information that enables re-computation of a digest by the client unit, wherein the digest comprises a cryptographic hash value over the tree structure that includes structural and balancing information for the tree structure.
  • the means for receiving comprises a receiver and the means for transmitting comprises a transmitter.
  • the means for receiving and the means for transmitting comprise a transceiver.
  • An apparatus as in any above further comprising: means for performing the operation on the file system.
  • An apparatus as in the previous, wherein the means for performing comprises a data processor.
  • An apparatus as in any above, wherein the operation comprises a query operation and wherein the result comprises an answer to the query operation.
  • An apparatus as in any above, wherein the operation comprises an update operation and wherein the proof further comprises structural information necessary to perform the update operation.
  • transmission of the proof to the client unit is performed via an authentication service stored in a means for storage accessible by the apparatus.
  • An apparatus as in any above further comprising: means for storing the file system.
  • An apparatus as in the previous, wherein the means for storing comprises a memory.
  • the digest comprises only the cryptographic hash value.
  • the operation comprises at least one UNIX command, wherein the at least one UNIX command comprises at least one of: cd, read, write, rm, mkdir, touch, ls, rm, rmdir and mv.
  • the tree structure comprises a skip list or a dynamic tree.
  • the tree structure comprises a skip list having a plurality of nodes, wherein each node is identified by a corresponding i-node number.
  • the tree structure comprises a skip list having a plurality of nodes, wherein each node is identified by a corresponding path name.
  • the cryptographic hash value comprises a collision-resistant cryptographic hash value.
  • the apparatus comprises an untrusted server.
  • a system comprising: a client unit comprising: a memory configured to store a digest representative of a file system, wherein a tree structure corresponds to the file system, wherein the digest comprises a cryptographic hash value over the tree structure that includes structural and balancing information for the tree structure, wherein the file system is stored by an untrusted server unit; a transceiver; and a data processor configured to issue to the untrusted server unit via the transceiver an operation to be performed on the file system, wherein the data processor is further configured to receive via the communication component a result and a proof in response to the operation, wherein the proof comprises information that enables re-computation of the digest by the data processor; and an untrusted server unit comprising: a transceiver; and a data processor configured to receive from a client unit via the transceiver an instruction to perform an operation on a file system, wherein the apparatus is configured to access the file system, wherein a tree structure corresponds to the file system, where
  • Some exemplary embodiments of the invention provide an efficient way to authenticate an outsourced untrusted file system.
  • skip lists and dynamic trees are applied and an efficient hashing scheme may be used to represent the entire file system with a small, constant size digest. That is, the client maintains a constant size state of the entire file system. This state is an efficient representation both of the contents of the files and the hierarchy of the file system. This allows for applications where low-computing power and/or low-storage devices (e.g., sensors, smartcards, portable storage devices such as flash cards) are used to access an outsourced file system in a secure way.
  • there is no authentication information on the client's side that is proportional to the size of the file system, something that is the case for most previous techniques.
  • the set of query and update operations on the file system can efficiently be authenticated.
  • the client authenticates these operations by receiving the verification or consistency proof from the server.
  • Common and important file system operations, such as cd and ls, can be authenticated in logarithmic time.
  • the exemplary embodiments of the invention are not limited solely to a UNIX system nor the identified UNIX commands, and may be utilized in conjunction with other suitable systems, commands or architectures.
  • any use of the terms "connected," "coupled" or variants thereof should be interpreted to indicate any such connection or coupling, direct or indirect, between the identified elements.
  • one or more intermediate elements may be present between the “coupled” elements.
  • the connection or coupling between the identified elements may be, as non-limiting examples, physical, electrical, magnetic, logical or any suitable combination thereof in accordance with the described exemplary embodiments.
  • the connection or coupling may comprise one or more printed electrical connections, wires, cables or any suitable combination thereof.
  • various exemplary embodiments of the invention can be implemented in different mediums, such as software, hardware, logic, special purpose circuits or any combination thereof.
  • some aspects may be implemented in software which may be run on a computing device, while other aspects may be implemented in hardware.
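
The exchange these embodiments describe (a constant-size digest on the client, a result plus proof from the untrusted server, and digest re-computation for both queries and updates), as an added example that is not code from the patent. It substitutes a plain binary hash tree keyed by path name for the skip list or dynamic tree, so it carries no balancing information; `UntrustedServer`, `recompute`, `client_read`, `client_write` and the choice of SHA-256 are assumptions.

```python
import hashlib

SAMPLE = {"/bin/ls": b"ELF", "/etc/motd": b"hi", "/home/a/notes": b"v1", "/tmp/x": b"", "/var/y": b"z"}  # constructed

def H(*parts):
    h = hashlib.sha256()  # assumption: SHA-256 as the collision-resistant hash
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)  # length prefix keeps the encoding unambiguous
    return h.digest()

class UntrustedServer:  # hypothetical stand-in for the server unit
    def __init__(self, files):
        self.files = dict(files)

    def levels(self):  # hash tree over files sorted by path name, leaves first
        out = [[H(b"leaf", p.encode(), self.files[p]) for p in sorted(self.files)]]
        while len(out[-1]) > 1:
            out.append([H(b"node", *out[-1][i:i + 2]) for i in range(0, len(out[-1]), 2)])
        return out

    def digest(self):
        return self.levels()[-1][0]

    def read(self, path):  # returns (result, proof)
        idx, proof = sorted(self.files).index(path), []
        for level in self.levels()[:-1]:
            sib = idx ^ 1  # sibling position; absent when the node has a single child
            side = "-" if sib >= len(level) else ("L" if sib < idx else "R")
            proof.append((side, level[sib] if side != "-" else b""))
            idx //= 2
        return self.files[path], proof

def recompute(path, data, proof):  # client side: the digest implied by result + proof
    h = H(b"leaf", path.encode(), data)
    for side, sib in proof:
        pair = (h,) if side == "-" else (sib, h) if side == "L" else (h, sib)
        h = H(b"node", *pair)
    return h

def client_read(server, digest, path):
    data, proof = server.read(path)
    if recompute(path, data, proof) != digest:
        raise ValueError("proof does not reproduce the stored digest")
    return data, proof

def client_write(server, digest, path, new_data):
    _, proof = client_read(server, digest, path)  # authenticate the old state first
    server.files[path] = new_data                 # stands in for sending the update
    return recompute(path, new_data, proof)       # new digest, computed by the client alone
```

The client never stores more than the 32-byte digest: a read is accepted only if the proof hashes back to it, and after a write the same sibling hashes yield the new digest without trusting the server's own value.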

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Signal Processing (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

According to one exemplary embodiment, the invention concerns a client that maintains a minimal cryptographic state ("digest") that consistently represents an outsourced file system, against which file system operations performed by the untrusted server can be verified to determine whether they were executed correctly. As one non-limiting example, a method for a client unit to interact with a file system stored by an untrusted server unit comprises: storing, in a memory accessible to the client unit, a digest representing the file system, wherein a tree structure corresponds to the file system and the digest comprises a cryptographic hash value over the tree structure that includes structural and balancing information for the tree structure (501); transmitting to the untrusted server unit an operation to be performed on the file system (502); and receiving a result and a proof in response to the operation, wherein the proof comprises information that enables re-computation of the digest by the client unit (503).
PCT/US2007/024642 2006-11-30 2007-11-30 Apparatus, methods and computer program products providing improved authentication for operations on an outsourced file system stored by an untrusted unit WO2008147400A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US86179406P 2006-11-30 2006-11-30
US60/861,794 2006-11-30

Publications (1)

Publication Number Publication Date
WO2008147400A1 true WO2008147400A1 (fr) 2008-12-04

Family

ID=40075406

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2007/024642 WO2008147400A1 (fr) 2006-11-30 2007-11-30 Apparatus, methods and computer program products providing improved authentication for operations on an outsourced file system stored by an untrusted unit

Country Status (1)

Country Link
WO (1) WO2008147400A1 (fr)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8594329B2 (en) 2010-12-17 2013-11-26 Microsoft Corporation Non-interactive verifiable, delegated computation
GB2529246A (en) * 2014-08-15 2016-02-17 Ibm Method for securing integrity and consistency of a cloud storage service with efficient client operations
WO2018005403A1 (fr) * 2016-06-30 2018-01-04 Microsoft Technology Licensing, Llc Controlling verification of key-value stores
EP4244750A4 (fr) * 2022-07-01 2024-03-13 Space And Time Labs Inc Methods for verifying database query results and devices thereof
US12001582B2 (en) 2023-12-04 2024-06-04 Space And Time Labs, Inc. Methods for verifying vector database query results and devices thereof

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030088783A1 (en) * 2001-11-06 2003-05-08 Dipierro Massimo Systems, methods and devices for secure computing
US20040243816A1 (en) * 2003-05-30 2004-12-02 International Business Machines Corporation Querying encrypted data in a relational database system
US20040250113A1 (en) * 2003-04-16 2004-12-09 Silicon Graphics, Inc. Clustered filesystem for mix of trusted and untrusted nodes
US20050091261A1 (en) * 2003-10-02 2005-04-28 Agency For Science, Technology And Research Method for incremental authentication of documents

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8594329B2 (en) 2010-12-17 2013-11-26 Microsoft Corporation Non-interactive verifiable, delegated computation
GB2529246A (en) * 2014-08-15 2016-02-17 Ibm Method for securing integrity and consistency of a cloud storage service with efficient client operations
US9589153B2 (en) 2014-08-15 2017-03-07 International Business Machines Corporation Securing integrity and consistency of a cloud storage service with efficient client operations
WO2018005403A1 (fr) * 2016-06-30 2018-01-04 Microsoft Technology Licensing, Llc Controlling verification of key-value stores
US10396991B2 (en) 2016-06-30 2019-08-27 Microsoft Technology Licensing, Llc Controlling verification of key-value stores
EP4244750A4 (fr) * 2022-07-01 2024-03-13 Space And Time Labs Inc Methods for verifying database query results and devices thereof
US12001582B2 (en) 2023-12-04 2024-06-04 Space And Time Labs, Inc. Methods for verifying vector database query results and devices thereof

Similar Documents

Publication Publication Date Title
Xu et al. Slimchain: Scaling blockchain transactions through off-chain storage and parallel processing
Xu et al. vchain: Enabling verifiable boolean range queries over blockchain databases
CN110915166B (zh) Blockchain
US8726034B2 (en) Cryptographic accumulators for authenticated hash tables
US7974221B2 (en) Efficient content authentication in peer-to-peer networks
Papamanthou et al. Time and space efficient algorithms for two-party authenticated data structures
EP3837652B1 (fr) Distributed blockchain data storage under an account model
Hu et al. Spatial query integrity with voronoi neighbors
JP2021533448A (ja) System and method for supporting SQL-based rich queries in a Hyperledger Fabric blockchain
CA2731954C (fr) Apparatus, methods and computer program products providing dynamic provable data possession
Goodrich et al. Athos: Efficient authentication of outsourced file systems
Zheng et al. Efficient query integrity for outsourced dynamic databases
Li et al. Integrity-verifiable conjunctive keyword searchable encryption in cloud storage
Esiner et al. Flexdpdp: Flexlist-based optimized dynamic provable data possession
Papadopoulos et al. Practical authenticated pattern matching with optimal proof size
Goodrich et al. Efficient verification of web-content searching through authenticated web crawlers
US9015790B2 (en) Integrating sudo rules with entities represented in an LDAP directory
Fernando et al. SciBlock: A blockchain-based tamper-proof non-repudiable storage for scientific workflow provenance
Hong et al. Gridb: scaling blockchain database via sharding and off-chain cross-shard mechanism
Zhang et al. Integrity authentication for SQL query evaluation on outsourced databases: A survey
Heitzmann et al. Efficient integrity checking of untrusted network storage
WO2008147400A1 (fr) Apparatus, methods and computer program products providing improved authentication for operations on an outsourced file system stored by an untrusted unit
Tamassia et al. Efficient content authentication in peer-to-peer networks
Zhang et al. CorrectMR: Authentication of distributed SQL execution on MapReduce
Tang et al. Reputation audit in multi-cloud storage through integrity verification and data dynamics

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 07875045

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 07875045

Country of ref document: EP

Kind code of ref document: A1