5.5 Implementation
5.5.3 Protocol Messages
In order to implement the protocol discussed in this thesis, several messages are exchanged between the workstation and the file server when a user logs on to a workstation. All such messages between the workstation and the file server kernel, in either direction, are routed through transcryptd. The messages are prefixed with a TransCrypt header, which contains the packet type and the length of the message (Figure 5.6). In addition, all messages going to or coming from the file server kernel have a kernel header prefixed to the message. The kernel header comprises a ‘pid’ identifier, which ensures that the corresponding reply packet reaches the waiting thread within the kernel [30]; a ‘direction’ field, which indicates whether the message is part of the initial authentication protocol or related to token decryption operations during file access; and a ‘client-address’ field, which carries the address of the user workstation.
are handled by the transcryptd itself.
Figure 5.6: Protocol Headers
5.5.3.1 Message Formats
Various messages that are sent by the file server are described in brief here.
1. Packet type: TCPT_PKS_REG
This packet starts TransCrypt’s user authentication protocol and is sent by the workstation when the user logs in. The field uid ws denotes the UID of the user at the workstation. After receiving this message, transcryptd at the file server retrieves the Global uid (i.e. the certificate name) and maps it to the local uid within the file server using the certtab file at the file server. Transcryptd then forwards the packet to the file server kernel, replacing the Global uid with the local uid. All other parameters are left for the kernel to interpret, as explained earlier. The format of the packet is shown below.
Kernel Header | TransCrypt Header: TCPT_PKS_REG | Global uid len | Global uid | SCURI len | SCURI | uid ws
2. Packet type: TCPT_FS_USR_CHAL
When the file server kernel receives a PKS registration packet (TCPT_PKS_REG), it starts the mutual authentication between the FS kernel and the user. This packet carries the challenge and the key material in the data field, as shown below.
Kernel Header | TransCrypt Header: TCPT_FS_USR_CHAL | $E_{P_u}(r_{fs} \mid k_{fs})$
3. Packet type: TCPT_WS_FS_CHAL
This message is part of the standard three-way mutual authentication protocol between the file server kernel and the user. The message, as shown below, carries the response to the challenge from the file server and the challenge from the smart card, as well as the key material from the workstation.
Kernel Header | TransCrypt Header: TCPT_WS_FS_CHAL | $E_{P_u}(r_{fs} \mid r_{ws} \mid k_{ws})$
4. Packet type: TCPT_WS_FS_CRED
This message completes the authentication between the file server and the user. If successful, the user’s PKS location will be stored in a hash table in the kernel. The message, as shown below, carries the credentials for the workstation, supplied by the workstation, and tokens will be sent by the file server only to the registered PKS.
Kernel Header | TransCrypt Header: TCPT_WS_FS_CRED | $E_{P_u}(r_{ws} \mid SID)$
5. Packet type: WS_USR_LOGOUT
When a user logs out of a workstation, the login program sends this optional message, as shown below, to the file server kernel. After receiving this packet, transcryptd retrieves the Global uid and maps it to the local uid using the certtab file at the file server. It then forwards the message to the kernel after replacing the Global uid with the local uid. The kernel then removes the user's entry from the hash table to recover memory, if an entry for the user is present. The entry may also be removed by the kernel when it has not been used for a long duration, simulating a logout.
Kernel Header | TransCrypt Header: TCPT_USR_LOGOUT | Global uid len |
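The TCPT_PKS_REG layout in item 1 carries two length-prefixed fields (Global uid, SCURI), so a receiver has to check each length against the bytes that actually arrived before using it. The following C parser is an added example, not code from the thesis or from TransCrypt; the field widths, byte order, packet-type value, identifier names and sample bytes are assumptions, and the kernel header is left out.

```c
#include <stdint.h>
#include <string.h>
/* Assumptions (not in the thesis): big-endian fields, 2-byte packet type,
 * 4-byte length, 2-byte "len" fields, 4-byte uid ws, type value 1. */
#define TCPT_PKS_REG 1u
#define TC_HDR_LEN   6u

struct pks_reg {
    const uint8_t *global_uid, *scuri;
    uint16_t global_uid_len, scuri_len; uint32_t uid_ws;
};

static uint32_t rd(const uint8_t *p, int n)   /* big-endian read of n bytes */
{ uint32_t v = 0; while (n--) v = (v << 8) | *p++; return v; }

/* Reads one "len | bytes" field; fails if len runs past the remaining body. */
static int take(const uint8_t **p, size_t *left, const uint8_t **f, uint16_t *flen)
{
    if (*left < 2) return -1;
    *flen = (uint16_t)rd(*p, 2); *p += 2; *left -= 2;
    if (*left < *flen) return -1;
    *f = *p; *p += *flen; *left -= *flen;
    return 0;
}

/* Returns 0 on success, -1 when any length disagrees with the bytes received. */
int parse_pks_reg(const uint8_t *buf, size_t n, struct pks_reg *out)
{
    if (n < TC_HDR_LEN || rd(buf, 2) != TCPT_PKS_REG) return -1;
    size_t left = rd(buf + 2, 4);
    if (left != n - TC_HDR_LEN) return -1;        /* header length must match */
    const uint8_t *p = buf + TC_HDR_LEN;
    if (take(&p, &left, &out->global_uid, &out->global_uid_len)) return -1;
    if (take(&p, &left, &out->scuri, &out->scuri_len)) return -1;
    if (out->global_uid_len == 0 || left != 4) return -1;  /* only uid ws remains */
    out->uid_ws = rd(p, 4);
    return 0;
}

/* Constructed sample: Global uid "alice", placeholder SCURI "scuri-x", uid ws 1000. */
static const uint8_t SAMPLE[] = "\x00\x01\x00\x00\x00\x14\x00\x05" "alice"
                                "\x00\x07" "scuri-x" "\x00\x00\x03\xe8";
/* Parses SAMPLE with byte `off` (0..25) set to `v`; returns uid ws, or -1 if rejected. */
long parse_with(size_t off, uint8_t v)
{
    uint8_t m[sizeof SAMPLE - 1]; struct pks_reg r;
    memcpy(m, SAMPLE, sizeof m); m[off] = v;
    return parse_pks_reg(m, sizeof m, &r) ? -1 : (long)r.uid_ws;
}
```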
Chapter 6
Performance Evaluation
The success of a security solution depends on its impact on the standard operations of the system. We carried out performance analysis of the secure network file system developed using TransCrypt. This chapter discusses the results of the performance analysis activities.
Tests were conducted to obtain timing measurements of the create and setfacl system calls in our TransCrypt implementation. In order to study the impact of the cryptographic solution using TransCrypt, performance results were compared with the standard NFS remote file access methods.
6.1 Experimental Setup
All tests are performed on two Intel Core 2 Duo E4400 dual core CPUs, running at 2 GHz with 2 MB L2 cache and 2 GB of RAM. To prevent process migration during testing (which affects the results) one core of each processor is disabled. Separate partitions formatted with ext3 filesystem with block size of 4096 bytes are used to perform the tests. The operations are conducted on the Linux Kernel version 2.6.26. Benchmark scripts are written to perform these tests.
The time taken to perform each of the following operations is measured.
• Create : The corresponding test measures the time taken to create a file on a file server from a workstation. This shows the effect of token creation for the file.
• Setfacl : The corresponding test measures the time taken to create a named user entry in a remote file’s ACL from a workstation. This shows the effect of token acquisition and token creation (i.e. decryption with PKS and creation with another user’s public key).
Measurements were taken 10 times for create and setfacl commands and the mean of the readings was taken. Each operation is performed on 1000 files for each test because these operations complete quickly on a single file.