This paper presents a security scheme for network-attached storage based on NFSv4 frame. One novel aspect of our system is that it enhances NFSv4 to guarantee the security of storage. Another novel feature is that we develop new user authentication mechanism which outperforms Kerberos. It uses HMAC and the symmetric cryptography to provide the integrity and privacy of transmitted data. The system includes three essential procedures: authenticating user, establishing security context and exchanging data. Our scheme can protect data from tampering, eavesdropping and replaying attacks, and it ensures that the data stored on the device is copy-resistant and encrypted. In spite of this level of security, the scheme does not impose much performance overhead. Our experiments show that large sequential reads or writes with security impose performance expense by 10-20%, which is much less than some other security systems.


File System User Authentication Mutual Authentication Message Authentication Code Authentication Server 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Reed, B.C., Chron, E.G., Burns, R.C., Long, D.D.E.: Authenticating network-attached storage. IEEE Micro. 20(1), 49–57 (2000)CrossRefGoogle Scholar
  2. 2.
    Haddon, B.K.: Security in Storage Management The Standards Question. In: Proc. of 18th IEEE Symposium on Mass Storage Systems (2001)Google Scholar
  3. 3.
    Xie, C., Jin, H., Wu, S., Li, S., Wang, Z.: Access Control of Global Distributed Storage System. In: Das, G., Gulati, V.P. (eds.) CIT 2004. LNCS, vol. 3356, pp. 369–374. Springer, Heidelberg (2004)Google Scholar
  4. 4.
    Mazires, D., Shasha, D.: Don’t trust your file server. In: Proceedings of the 8th Workshop on Hot Topics in operating Systems (HotOS VIII), Schloss Elmau, Germany, pp. 99–104 (May 2001)Google Scholar
  5. 5.
    Mazires, D., Kaminsky, M., Kaashoek, M.F., Witchel, E.: Separating key management from file system security. In: Proceedings of the 17th ACM Symposium on Operating Systems Principles, pp. 124–139 (December 1999)Google Scholar
  6. 6.
    Miller, E.L., Freeman, W.E., Long, D.D.E., Reed, B.C.: Strong secutity for network attached storage. In: Proceedings of the 1st ACM Conference on File and Storage technologies (FAST), Monterey, CA, pp. 1–13 (Janaury 2002)Google Scholar
  7. 7.
    Zhu, Y., Hu, Y.: SNARE: A Strong Security Scheme for Network-Attached Storage. In: Processings of 22nd International Symposium on Reliable Distributed Systems, October 06-08 (2003)Google Scholar
  8. 8.
    Gibson, G.A., Nagle, D.F., Amiri, J.B.K., Chang, F.W., Gobioff, H., Hardin, C., Riedel, E., Rochberg, D., Zelenka, J.: A Cost-effective, High-bandwidth Storage Architecture. In: Proceedings of the 8th Conference on Architectural Support for Programming Languages and Operating Systems, San Jose, CA (October 1998)Google Scholar
  9. 9.
    Cattaneo, G., Catuogno, L., Sorbo, A.D., Persiano, P.: The Design and Implementation of a Transparent Cryptographic File System for Unix. In: Proceedings of the Freenix Track: 2001 USENIX Annual Technical Conference, Boston, MA, pp. 199–212 (June 2001)Google Scholar
  10. 10.
    Gobioff, H.: Security for a High Performance Commodity Storage Subsystem. PhD thesis, Carnegie Mellon University (1999)Google Scholar
  11. 11.
    Krawczyk, H., Bellare, M., Canetti, R.: HMAC: Keyed-hashing for Message Authentication. Request for Comment (RFC) 2104. Internet Engineering Task Force (IETF) (Febraury 1997)Google Scholar
  12. 12.
    Steiner, J.G., Neuman, B.C., Schiller, J.: Kerberos: An Authentication Service for Open Network Systems. In: Proceedings of the Winter 1988 USENIX Technical Conference, Dallas, TX (Febraury 1988)Google Scholar
  13. 13.
    Howard, J.H., Kazar, M.L., Menees, S.G., Nichols, D.A., Satyanarayanan, M., Sidebotham, R.N., West, M.J.: Scale and Performance in a Distributed File System. ACM Transactions on Computer Systems (Febraury 1988)Google Scholar
  14. 14.
    Hughes, J.: Security in storage. In: Proc. of 19th IEEE Symposium on Mass Storage Systems (2002)Google Scholar
  15. 15.
    Kohl, J., Neuman, C.: The Kerberos Network Authentication Service(V5). Request for Comment (RFC) 1510 (September 1993)Google Scholar
  16. 16.
    Linn, J.: Generic Security Service Application Program Interface Version 2, Update 1, Request for Comment (RFC) 2743 (January 2000)Google Scholar
  17. 17.
    Bellare, M., Canetti, R., Krawczyk, H.: Message Authentication Using Hash Functions -The HMAC Construction. In: RSA Laboratories CryptoBytes, Spring, vol. 2(1) (1996)Google Scholar
  18. 18.
    Blaze, M.: A cryptographic file system for unix. In: Proceedings of the first ACM Conference on Computer and Communication Security, Fairfax, VA, pp. 9–15 (November 1993)Google Scholar
  19. 19.
    Spasojevic, M., Satyanarayanan, M.: An Empirical Study of a Wide-area Distributed File System. ACM Transactions on Computer Systems 14(2), 200–222 (1996)CrossRefGoogle Scholar
  20. 20.
    Sun, W., Shu, J., Zheng, W.: Storage Virtualization System with Load Balancing for SAN. In: GCC Workshops 2004, vol. 254 (2004)Google Scholar
  21. 21.
    Li, B., Shu, J.-w., Zheng, W.: Design and optimization of an iSCSI system. In: Jin, H., Pan, Y., Xiao, N., Sun, J. (eds.) GCC 2004. LNCS, vol. 3252, pp. 262–269. Springer, Heidelberg (2004)Google Scholar
  22. 22.
    Shepler, S., Callaghan, B., Robinson, D., Thurlow, R., Beame, C., Eisler, M., Noveck, D.: NFS Version 4 Protocol. Request for Comment (RFC) 3010, Internet Engineering Task Force (IETF) (December 2001)Google Scholar
  23. 23.
    Shepler, S., Callaghan, B., Robinson, D., Thurlow, R., Beame, C., Eisler, M., Noveck, D.: Network File System (NFS) version 4 Protocol. Request for Comment (RFC) 3530, Internet Engineering Task Force (IETF) (April 2003)Google Scholar
  24. 24.
    Anderson, T.E., Dahlin, M.D., Neefe, J.M., Patterson, D.A., Roselli, D.S., Wang, R.Y.: Serverless Network File Systems. ACM Transactions on Computer Systems (Febraury 1996)Google Scholar
  25. 25.
    Freeman, W., Miller, E.: Design for a Decentralized Security System for Network Attached Storage. In: Proc. of 17th IEEE Symposium on Mass Storage Systems (2000)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Xiangguo Li
    • 1
  • JianHua Yang
    • 1
  • Zhaohui Wu
    • 1
  1. 1.Computer Science and Engineering College of Zhejiang UniversityHangZhouChina

Personalised recommendations