Tahoe-LAFS: The Least-Authority File System


Tahoe-LAFS is a distributed storage system, started in 2006 as a robust back end for a personal-backup company named AllMyData (long since defunct). Before shutting down, the company open sourced the code, and now a community of hackers improves and maintains the project. The system allows you to upload data from your computer into a network of servers called a “grid,” and then retrieve your data from the grid later. In addition to providing a backup (e.g., in case your laptop hard drive fails), it offers flexible ways to share specific files or directories with other users on the same grid. In this way, it behaves somewhat like a “network drive” (SMB or NFS), or a file-transfer protocol (FTP or HTTP).

Tahoe’s special feature is “provider-independent security.” All files are encrypted and cryptographically hashed locally, before leaving your computer. The storage servers never get to see the plaintext (because of the encryption), nor can they make undetected changes (because of the hashes). In addition, the ciphertext is erasure coded into redundant shares, and uploaded to multiple independent servers. This means your data can survive the loss of a few servers, to improve durability and availability.

As a result, you can pick storage servers purely on the basis of their performance, cost, and uptime, without also needing to rely upon them for security. Most other network drives are entirely vulnerable to the servers: an attacker who compromises the hosting provider gets to see or modify your data, or delete it entirely. Tahoe’s confidentiality and integrity are entirely independent of the storage providers, and the availability is improved too.
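The pipeline just described (encrypt locally, hash, erasure code into shares, and on download verify every share against the hashes before trusting any server) can be shown end to end in a few dozen lines. The following is an added example written for this page, not Tahoe-LAFS’s own code: Tahoe encrypts with AES-CTR and erasure codes with the zfec Reed-Solomon library, whereas this sketch uses a SHA-256 keystream as a stand-in cipher (the standard library has no AES) and writes out a small systematic k-of-n Reed-Solomon code over GF(2^8) by hand. The “filecap” here is a plain dict holding the key, the encoding parameters and a hash per share, a simplification of the base32 capability strings covered below; the function names (`upload`, `download`, `encode_shares`, `decode_shares`, `keystream_xor`, `demo`) and the sample scenario are this example’s own.

```python
import hashlib

# GF(2^8) with reducing polynomial 0x11d (x^8+x^4+x^3+x^2+1): log/antilog tables for fast multiply.
EXP = [0] * 512
LOG = [0] * 256
_v = 1
for _i in range(255):
    EXP[_i] = _v
    LOG[_v] = _i
    _v <<= 1
    if _v & 0x100:
        _v ^= 0x11D
for _i in range(255, 512):
    EXP[_i] = EXP[_i - 255]

def gf_mul(a, b):
    return 0 if a == 0 or b == 0 else EXP[LOG[a] + LOG[b]]

def gf_div(a, b):
    if b == 0:
        raise ZeroDivisionError("GF(256) division by zero")
    return 0 if a == 0 else EXP[(LOG[a] - LOG[b]) % 255]

def interpolate(points, x):
    """Lagrange: value at x of the unique degree < len(points) polynomial through the points."""
    acc = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = gf_mul(num, x ^ xj)    # subtraction is XOR in GF(2^8)
                den = gf_mul(den, xi ^ xj)
        acc ^= gf_mul(yi, gf_div(num, den))
    return acc

def encode_shares(data, k, n):
    """Systematic k-of-n Reed-Solomon: per k-byte chunk, share i holds P(i), so shares 0..k-1 are the data."""
    assert 1 <= k <= n <= 256, "need 1 <= k <= n <= 256"
    padded = data + b"\0" * (-len(data) % k)
    shares = [bytearray() for _ in range(n)]
    for off in range(0, len(padded), k):
        chunk = padded[off:off + k]
        points = [(i, chunk[i]) for i in range(k)]
        for sid in range(n):
            shares[sid].append(chunk[sid] if sid < k else interpolate(points, sid))
    return [bytes(s) for s in shares]

def decode_shares(have, k, length):
    """Rebuild the data from any k (share_id, share_bytes) pairs; extra pairs are ignored."""
    have = list(have)[:k]
    if len(have) < k:
        raise ValueError(f"only {len(have)} shares, need {k}")
    out = bytearray()
    for pos in range(len(have[0][1])):
        points = [(sid, s[pos]) for sid, s in have]
        out.extend(interpolate(points, i) for i in range(k))
    return bytes(out[:length])

def keystream_xor(key, data):
    """CTR-style stream cipher with SHA-256 as the PRF: a stand-in for AES-CTR, not Tahoe's cipher."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ s for b, s in zip(data[off:off + 32], block))
    return bytes(out)

def upload(plaintext, key, k=3, n=10):
    """Client side: encrypt, erasure code, hash each share. The 'filecap' is a dict here (simplified)."""
    ciphertext = keystream_xor(key, plaintext)
    shares = encode_shares(ciphertext, k, n)
    cap = {"key": key, "k": k, "n": n, "length": len(plaintext),
           "share_hashes": [hashlib.sha256(s).hexdigest() for s in shares]}
    return cap, dict(enumerate(shares))

def download(cap, served):
    """Client side: keep only shares whose hash matches the cap, then decode and decrypt."""
    good = [(sid, s) for sid, s in served.items()
            if 0 <= sid < cap["n"] and hashlib.sha256(s).hexdigest() == cap["share_hashes"][sid]]
    if len(good) < cap["k"]:
        raise ValueError(f"only {len(good)} intact shares, need {cap['k']}")
    return keystream_xor(cap["key"], decode_shares(good, cap["k"], cap["length"]))

def demo():
    """Constructed scenario: 3-of-10 upload, seven servers vanish, then a survivor corrupts its share."""
    plaintext = b"provider-independent security: the servers never see this"
    key = hashlib.sha256(b"constructed demo key").digest()[:16]
    cap, shares = upload(plaintext, key, k=3, n=10)
    survivors = {sid: shares[sid] for sid in (1, 4, 9)}            # seven of ten servers gone
    after_loss = download(cap, survivors)
    tampered = {**survivors, 4: bytes([shares[4][0] ^ 1]) + shares[4][1:]}  # server 4 flips a bit
    try:
        download(cap, tampered)                                     # two intact shares: not enough
        too_few = None
    except ValueError as err:
        too_few = str(err)
    tampered[7] = shares[7]                                         # an honest fourth server answers
    after_tamper = download(cap, tampered)
    return plaintext, after_loss, too_few, after_tamper
```

The scenario in `demo()` is the security property in miniature: with the default-style 3-of-10 encoding any three intact shares rebuild the file, so seven servers can disappear; a server that alters its share is caught by the hash carried in the cap rather than by any trust placed in that server, and its share is simply dropped in favour of an honest one. Note that the servers only ever hold `shares`, which are erasure-coded ciphertext, and never the key that lives in the cap.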


© Mark Williams, Cory Benfield, Brian Warner, Moshe Zadka, Dustin Mitchell, Kevin Samuel, Pierre Tardy 2019 M. Williams et al., Expert Twisted, https://doi.org/10.1007/978-1-4842-3742-7_6

Chapter 6

Tahoe-LAFS: The Least-Authority File System

How Tahoe-LAFS Works

A Tahoe “grid” consists of one or more Introducers, some Servers, and some Clients.

  • Clients know how to upload and download data.
  • Servers hold the encrypted shares.
  • Introducers help Clients and Servers find and connect to each other.

The three node types communicate using a special protocol named “Foolscap,” which is descended from Twisted’s “Perspective Broker,” but with added security and flexibility.

Tahoe uses “capability strings” to identify and access all files and directories. These are random-looking chunks of base32 data that contain the encryption key, integrity-protecting hashes, and share-location information. We abbreviate these as “filecaps” when they refer to a file, or “dircaps” for directories.

Figure 6-1.  Tahoe-LAFS Grid Diagram


(The examples in this chapter are shortened for readability, but filecaps are normally about 100 characters long.) They sometimes come in multiple flavors: a “writecap” gives whoever knows it the ability to change a file, whereas a “read