You are here

A Secure Directory Service based on Exclusive Encryption

TitleA Secure Directory Service based on Exclusive Encryption
Publication TypeConference Paper
Year of Publication2002
AuthorsDouceur, JR, Adya, A, Benaloh, J, Bolosky, WJ, Yuval, G
Conference NameACSAC'02 - Proceedings of the 18th Annual Computer Security Applications Conference
Date Published12/2003
PublisherIEEE Computer Society
Conference LocationSan Diego, CA, USA
ISBN Number0-7695-1828-1
Keywordsdirectory service, encryption, exclusive encryption, Windows

We describe the design of a Windows file-system directory service that ensures the persistence, integrity, privacy, syntactic legality, and case-insensitive uniqueness of the names it indexes. Byzantine state replication provides persistence and integrity, and encryption imparts privacy. To enforce Windows' baroque name syntax - including restrictions on allowable characters, on the terminal character, and on several specific names - we develop a cryptographic process, called "exclusive encryption," that inherently excludes syntactically illegal names and that enables the exclusion of case-insensitively duplicate names without access to their plaintext. This process excludes entire names by mapping the set of allowed strings to the set of all strings, excludes certain characters through an amended prefix encoding, excludes terminal characters through varying the prefix coding by character index, and supports case-insensitive comparison of names by extracting and encrypting case information separately. We also address the issues of hiding name-length information and access-authorization information, and we report a newly discovered problem with enforcing case-insensitive uniqueness for Unicode names.