Difference between revisions of "Secure Internet Filesystem/Conclusion"
Revision as of 22:42, 15 April 2007
Diploma thesis
Requirements
Neither of these protocols, NFS and SMB, fulfills the requirements for a distributed file system over the Internet. What is needed is an encrypted connection between server and client with a key length of at least 128 bits, followed by authentication of the user to the server for this connection.
Furthermore, the connection has to be based on TCP instead of UDP, and only one well-defined port may be used, in order to make life easier for firewall administrators. All connections must be initiated from the client to the server; the server itself never opens a connection to the client.
The connection has to be persistent across file system operations, which means that a connection is initiated at the beginning and this is the only connection established. Neither should each operation open a new connection and close it after the operation is done, nor should there be more than one connection per mounted share and user. This implies that data and commands have to be transferred over the same TCP/IP tunnel.
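One way to carry commands and data over a single persistent stream, as an added example that is not taken from the thesis: each message is a length-prefixed frame tagged with a type and a request id, and the receiver reassembles frames from arbitrary TCP read sizes while bounding the payload length. The frame layout, the names encode_frame, FrameDecoder and demo, and the sample command text are all assumptions made for illustration.

```python
import struct

# Hypothetical frame layout (an assumption, not the thesis protocol):
#   4-byte big-endian payload length | 1-byte type | 4-byte request id | payload
HEADER = struct.Struct(">IBI")
CMD, DATA = 1, 2
MAX_PAYLOAD = 64 * 1024  # bound per-frame memory use on the receiver


def encode_frame(ftype, request_id, payload=b""):
    if ftype not in (CMD, DATA):
        raise ValueError("unknown frame type")
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload too large; split into several DATA frames")
    return HEADER.pack(len(payload), ftype, request_id) + payload


class FrameDecoder:
    """Incremental decoder: feed it whatever recv() returned, get whole frames."""

    def __init__(self):
        self._buf = bytearray()

    def feed(self, chunk):
        self._buf += chunk
        frames = []
        while len(self._buf) >= HEADER.size:
            length, ftype, request_id = HEADER.unpack_from(self._buf)
            # Reject on the header alone: a peer must not make us buffer 4 GiB.
            if length > MAX_PAYLOAD or ftype not in (CMD, DATA):
                raise ValueError("malformed frame header")
            end = HEADER.size + length
            if len(self._buf) < end:
                break  # payload not complete yet, wait for more bytes
            frames.append((ftype, request_id, bytes(self._buf[HEADER.size:end])))
            del self._buf[:end]
        return frames


def demo():
    # Constructed sample: a command interleaved with data of another request.
    stream = (encode_frame(CMD, 7, b"READ /etc/motd 0 4096")
              + encode_frame(DATA, 6, b"block of an earlier transfer")
              + encode_frame(DATA, 7, b"hello\n"))
    dec, out = FrameDecoder(), []
    for i in range(0, len(stream), 5):  # deliver in 5-byte pieces, like short reads
        out.extend(dec.feed(stream[i:i + 5]))
    return out
```

The request id is what lets a reply's data frames be matched to their command when several operations are in flight on the one connection.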
The server is responsible for access control. The user who wants to access files on the server authenticates at the beginning, and the resulting server process then has only the rights of this particular user on the server's file system.
Used software
To save time, I will build on a package called "OpenSSH", which provides part of the functionality I need. It consists of a client and a server and was originally intended as a secure remote shell, but it can be extended by modules for other protocols. What I need from OpenSSH is that it provides encrypted and authenticated channels over which data can be transmitted securely.
Contents of the diploma thesis
- Performance analysis and drawbacks of my solution
- Define an appropriate communication protocol
- Write a server module which understands this protocol
- Write a file system driver for the Linux kernel