Abstract
Almost all cryptographic storage systems need re-encryption when revoking users. These systems differ from each other only in the timing of re-encryption. As re-encryption is an expensive operation, avoiding it is significant. To avoid re-encryption in cryptographic storage systems, this paper integrates a field programmable gate array (FPGA) and application-specific integrated circuit (ASIC) hardware module into an encrypt-on-disk object store system, so that the private key never leaves the hardware module and the object key exists in plaintext only inside the hardware module. No one knows the private key or the object key, so revoking users only requires modifying the access control list (ACL) to delete the privileges of those users. To facilitate file sharing and key management, groups are adopted. In the system, almost all computationally expensive cryptographic operations are performed by the FPGA/ASIC hardware module. Once a creator revokes some users, objects do not need re-encryption. How to use the ACL and the FPGA/ASIC hardware module to authenticate and authorise is also described, and the procedure of object store and the distribution of metadata are detailed. Finally, an encrypt-on-disk object store prototype system is implemented using FPGA in a software solution, with tested and effective performance.
Acknowledgements
This work was supported by the National Basic Research Program of China (973 Program) under Grant No. 2004CB318201, the Program for New Century Excellent Talents in University NCET-04-0693 and NCET-06-0650, Wuhan Project 20061002031 and 200750730307 and the National Science Foundation of China Nos 60503059 and 60603048.