Authenticating Network-Attached Storage

0272-1732/00/$10.00  2000 IEEE The need to access anything from anywhere has increased the role of distributed file servers in computing. Distributed file systems provide local file system semantics for access to remote storage. This allows network clients to incorporate the remote storage into their local file system. File semantics are well understood by users and applications, making distributed file servers a convenient tool in developing distributed applications. As the role played by distributed file systems expands, problems with their design become increasingly evident. Faster clients, high-bandwidth connections, and larger drive capacities increase the demand on file servers. Although it would seem that the I/O capacity of the system storage devices would limit network file server performance, in actuality, file servers frequently are CPU bound. Riedel and Gibson discovered that, even with low overall CPU utilization, burst loads were sufficiently intense to overuse the server. In addition to the performance problems of distributed network file systems, security also presents a problem. Applications that rely on distributed file systems should not be compromised by security weaknesses of the file systems on which they are built. Local file systems have a single kernel that restricts access to file data, but because a distributed file system involves multiple servers and clients, it cannot rely on a single kernel to restrict access. The security risk is even greater since the network that connects servers and clients may also pose a threat. The authenticated network-attached disks we present address these problems by providing an architecture based on one-way hash functions that make available mutual authentication of the network disks and the clients. This architecture obviates the need for more performance-intensive authentication methods such as public-key encryption and Kerberos, but does not preclude their use. The authentication protocol used by the network storage is very simple and flexible, and allows keys to be created and managed using existing authentication systems.