

An important advantage of the access mechanism we present is scalability. This is because we do not maintain user access rights on the DisCFS server. In fact, the server does not even have the concept of a "user" in the traditional operating system sense; it merely processes requests from keys that can supply a valid trust chain to one of the keys contained in the default policy of the server.

This design decision has two implications: (a) users must supply (sometimes long) chains of credentials, and (b) the server's trust state remains constant irrespective of the number of potential users. Caching alleviates some of the processing overhead associated with the long trust chains.
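The following added example (not DisCFS code) illustrates the model described above: the server stores only its policy key, each request carries its own credential chain, and a bounded cache skips repeated signature checks. The tuple credential format, the toy RSA keys, and all function names are assumptions made for illustration; DisCFS itself uses KeyNote credentials.

```python
import hashlib
from functools import lru_cache

# Toy textbook RSA over small Mersenne primes: an insecure stand-in for
# KeyNote's public-key signatures, used only so the example runs offline.
def make_key(p, q, e=65537):
    n = p * q
    return (n, e), pow(e, -1, (p - 1) * (q - 1))  # (public key, private exponent)

def digest(authorizer, licensee):
    data = repr((authorizer, licensee)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % authorizer[0]

def delegate(authorizer_pub, authorizer_priv, licensee_pub):
    """Credential: the authorizer's key signs a delegation to the licensee's key."""
    sig = pow(digest(authorizer_pub, licensee_pub), authorizer_priv, authorizer_pub[0])
    return (authorizer_pub, licensee_pub, sig)

@lru_cache(maxsize=1024)  # bounded: cached results do not grow with the user set
def verify(cred):
    (n, e), licensee, sig = cred
    return pow(sig, e, n) == digest((n, e), licensee)

def authorized(policy_keys, requester, chain):
    """True if chain links some policy key to requester and every link verifies."""
    holder = None  # key the chain has reached so far
    for cred in chain:
        authorizer, licensee, _ = cred
        rooted = authorizer in policy_keys if holder is None else authorizer == holder
        if not rooted or not verify(cred):
            return False
        holder = licensee
    return holder == requester if chain else requester in policy_keys

def demo():
    # Constructed sample keys; the server's whole trust state is `policy`.
    admin, admin_d = make_key(2**31 - 1, 2**61 - 1)
    alice, alice_d = make_key(2**19 - 1, 2**31 - 1)
    bob, _ = make_key(2**17 - 1, 2**19 - 1)
    chain = [delegate(admin, admin_d, alice), delegate(alice, alice_d, bob)]
    policy = frozenset({admin})
    return [authorized(policy, bob, chain),       # valid chain admin -> alice -> bob
            authorized(policy, bob, chain),       # same chain again: served from cache
            authorized(policy, alice, chain),     # chain does not end at the requester
            authorized(policy, bob, chain[1:])]   # chain not rooted in a policy key

if __name__ == "__main__":
    print(demo(), verify.cache_info())
```

Adding more users changes only the chains that clients present; the `policy` set on the server stays the same size.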

Keeping servers uncontaminated by user information allows data set partitioning and replication across systems even in separate administrative domains. The disk capacity of the server must be proportional to the amount of information it contains, and its connection to the Internet should be appropriate for the actual traffic it experiences, not the user set or the number of policies that must be enforced.

Although the number of potential users is irrelevant, the number of actual users that connect to the server to access information is important, because the access control operations they initiate load the server. It is clear that a KeyNote-based access control mechanism places greater load on the processing resources of the server; however, this can be addressed in two ways: (a) by using hardware acceleration for the cryptographic operations, and (b) by replicating or partitioning datasets across servers, thus spreading the load over many access points.

Stefan Miltchev