A virtual, unlimited in size, and secure file system embedded in a smart card
Carry secured yottaoctets and more on the go

I. Chahid, S. Chaumette, R. Laplace, D. Dubernet, C. Masci, V. Prince
LaBRI, Université Bordeaux 1
Contact author:
[email protected]

With the convergence of technologies and the increasing number of mobile terminals, users will be more and more willing to access their files from everywhere. There should thus be: (1) a way to have a virtual, globally accessible location to store data; (2) a way to carry an entry point to this virtual system on the go; (3) a trust system to make this storage secure. This is what we achieve in the FSOnCard project by providing a virtual secure File System On Card. The resulting system is virtually unlimited in size, accessible from everywhere, and secure. You can carry it in a smart card in your pocket while on the go.

The project relies on two main things: the Fuse framework and a smart card. The basic principle is to let a Java Card encrypt and decrypt the contents of files transparently for the user. The resulting ciphered files are stored either on a local file system or at a remote location, in which case they can be accessed from anywhere provided the smart card is available.

Fuse[1] (File system in User Space) is composed of a kernel module and a user space library that together make it possible to implement a file system in user space. Provided the Fuse kernel module is available in your Linux kernel, you do not need to be a privileged user either to use it or to develop an application that uses its features (the only constraint is to be a member of the Linux fuse user group). It works as follows. A node of the file system is installed as a Fuse entry point (in some sense, a virtual Fuse system is mounted at this point). Thereafter, every IO-related system call that addresses a part of the mounted file system is trapped by Fuse and redirected to a user-supplied function. For instance, if you open a file using the standard Posix open system call, the call is caught by Fuse and directed to a user-supplied (and user space) open function. The subsequent reads are redirected as well (see figure 1). There is no need to modify any application to use this feature. The rerouting of the calls is done by the Linux kernel when it detects that the file system entry is a Fuse object. It thus becomes possible to implement a file-system-like interface to anything.
Figure 1. Fuse mode of operation
We use this feature to redirect IO calls to a module that interacts with a smart card, more precisely a Java Card[2]. This smart card is in charge of: (1) maintaining a table that describes a virtual file system (i.e. it handles the creation and deletion of directories and files: the mknode, rmnode, open and remove system calls); (2) ciphering and deciphering (we use 3DES[3]) the data that are passed to it (the read and write system calls). By doing so, the contents of the files are ciphered by the card before being written to the disk by our module (this is achieved by eventually calling the real kernel IO operations, or our FTP module when the file is stored on a remote machine, see below) and deciphered before being given back to the user.
Figure 2. FSOnCard usage scenario
Figure 2 illustrates the way it works. A virtual file system stored in a smart card (fake_root) is mounted using Fuse on a standard file system entry (/root/virtual). When a file is copied into the virtual file system entry point (/root/virtual/), it is first ciphered and thereafter copied into a physical location (/root/local_src/). This is achieved as described in figure 1 and is totally transparent for the user. We have developed an FTP module that makes it possible to store the ciphered files on a remote server. In this case the 'directory' entries stored in the card contain a reference to the corresponding FTP server. The files stored remotely thus become accessible from any location.
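The data path of figure 2, together with the property claimed in the security discussion (only ciphered data ever reaches the disk or the server, and nothing can be deciphered once the card is removed), as an added example written for this page; it is not FSOnCard's own code. The Card class stands in for the Java Card (it keeps the key and the virtual file table and never exports the key), FsOnCardModule plays the role of the user-space handlers that Fuse calls, and the remote server is a dictionary standing in for the FTP module. Because the Python standard library has no 3DES, the card ciphers with an HMAC-SHA-256 counter-mode keystream instead; the class and function names, the 24-byte key, the per-file nonce stored in front of the ciphertext and the server name ftp.example.org are all assumptions of this example.

```python
import hashlib
import hmac
import os
import secrets
import tempfile

NONCE_LEN = 16  # per-file nonce stored in front of the ciphertext (assumption)


class Card:
    """Stand-in for the Java Card: holds the key and the virtual file table."""

    def __init__(self, key: bytes):
        self._key = key   # never leaves the card object
        self.table = {}   # virtual path -> (location, reference)

    def mknode(self, vpath, location, reference):
        self.table[vpath] = (location, reference)

    def rmnode(self, vpath):
        return self.table.pop(vpath)

    def _keystream(self, nonce, length):
        # HMAC-SHA-256 in counter mode, standing in for the card's 3DES
        out = bytearray()
        block = 0
        while len(out) < length:
            msg = nonce + block.to_bytes(8, "big")
            out += hmac.new(self._key, msg, hashlib.sha256).digest()
            block += 1
        return bytes(out[:length])

    def cipher(self, nonce, data):
        """Counter mode: the same XOR ciphers and deciphers."""
        return bytes(a ^ b for a, b in zip(data, self._keystream(nonce, len(data))))


class FsOnCardModule:
    """The user-space handlers Fuse would call; the module never sees the key."""

    def __init__(self, card, ftp_servers=None):
        self.card = card                   # set to None once the card is removed
        self.ftp_servers = ftp_servers if ftp_servers is not None else {}

    def _require_card(self):
        if self.card is None:
            raise PermissionError("smart card not present: cannot cipher or decipher")
        return self.card

    def _put(self, location, reference, name, blob):
        if location == "local":            # reference is a directory such as /root/local_src
            with open(os.path.join(reference, name), "wb") as f:
                f.write(blob)
        elif location == "ftp":            # reference is a server name; a dict stands in
            self.ftp_servers.setdefault(reference, {})[name] = blob
        else:
            raise ValueError("unknown storage location: " + location)

    def _get(self, location, reference, name):
        if location == "local":
            with open(os.path.join(reference, name), "rb") as f:
                return f.read()
        return self.ftp_servers[reference][name]

    def write(self, vpath, data, location, reference):
        card = self._require_card()
        nonce = secrets.token_bytes(NONCE_LEN)
        blob = nonce + card.cipher(nonce, data)       # ciphered before leaving the module
        card.mknode(vpath, location, reference)       # the table records where the blob went
        self._put(location, reference, os.path.basename(vpath), blob)
        return len(data)

    def read(self, vpath):
        card = self._require_card()
        location, reference = card.table[vpath]
        blob = self._get(location, reference, os.path.basename(vpath))
        return card.cipher(blob[:NONCE_LEN], blob[NONCE_LEN:])

    def remove(self, vpath):
        location, reference = self._require_card().rmnode(vpath)
        name = os.path.basename(vpath)
        if location == "local":
            os.remove(os.path.join(reference, name))
        else:
            del self.ftp_servers[reference][name]


def run_scenario():
    """One local and one remote round trip; returns what each party can observe."""
    local_src = tempfile.mkdtemp()                    # plays the part of /root/local_src
    module = FsOnCardModule(Card(secrets.token_bytes(24)))   # constructed 3DES-sized key
    secret = b"quarterly figures, do not leak"        # constructed plaintext
    module.write("/root/virtual/report.txt", secret, "local", local_src)
    module.write("/root/virtual/notes.txt", secret, "ftp", "ftp.example.org")
    with open(os.path.join(local_src, "report.txt"), "rb") as f:
        on_disk = f.read()
    result = {
        "plaintext": secret,
        "on_disk": on_disk,
        "on_server": module.ftp_servers["ftp.example.org"]["notes.txt"],
        "read_local": module.read("/root/virtual/report.txt"),
        "read_remote": module.read("/root/virtual/notes.txt"),
    }
    module.card = None                                # the card is pulled out
    try:
        module.read("/root/virtual/report.txt")
        result["without_card"] = "deciphered"
    except PermissionError:
        result["without_card"] = "refused"
    return result
```

The stand-in cipher, like the 3DES the paper's card uses, provides confidentiality only: a blob altered on the disk or on the server still deciphers to something, so the backing store has to be treated as untrusted for integrity as well as for secrecy, which is in line with the paper's own caveat that nothing is guaranteed once the local computer is corrupted.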
In terms of security, we cannot guarantee anything if the local computer gets corrupted. What we guarantee is that once a file has been copied or moved to the virtual file system using FSOnCard, and the card has been removed, nobody is ever able to decipher it. Only the ciphered version of the file is stored on some disk.

The application has been run on a number of examples. The limited bandwidth of the cards we have been using did not make it possible to achieve very efficient results with large files. Nevertheless, smart cards with a larger bandwidth exist and would lead to better results. There are also a number of solutions that combine the security provided by smart cards with the efficiency of the PC they are connected to (see for instance High-Bandwidth Encryption with Low-Bandwidth Smartcards[5]).

The system is designed so that new transfer protocols to store data at a remote location can easily be added. We intend to develop additional modules based on HTTP or other transfer protocols. In the future, we also intend to adapt this system to mobile phones embedding smart cards with the Security and Trust Services API for J2ME (SATSA), i.e. JSR 177[4], rather than a more classical smart card. By doing so, users will not even have to care about an additional card.

References
[1] Fuse: http://fuse.sourceforge.net/
[2] Zhiqun Chen. Java Card Technology for Smart Cards: Architecture and Programmer's Guide. Prentice Hall PTR.
[3] Bruce Schneier. Applied Cryptography. Wiley, 2nd edition.
[4] JSR 177: Security and Trust Services API for J2ME. http://jcp.org/en/jsr/detail?id=177
[5] Matt Blaze. High-Bandwidth Encryption with Low-Bandwidth Smartcards. In Proceedings of Fast Software Encryption, pages 33-40, 1996.