NASD Capabilities



    A capability is a token given by the file manager to a client; the client presents it to a drive to convince the drive that a request has been authorized. In NASD, a capability consists of the capability arguments and a capability key. The capability arguments are:

    • Drive name: Enables the receiving drive to explicitly check that it is the drive for which the capability is intended.
    • Partition: Specifies which partition on the drive the capability refers to.
    • Object: Specifies which object the capability refers to.
    • Region: Specifies the byte range within the object to which the capability refers. The range may exceed the currently allocated storage of the object, thereby enabling the client to extend the length of the file through use of the capability.
    • Access rights: A list of access rights granted to the bearer of the capability.
    • Expiration: The expiration time for the capability. This prevents a given capability key from being used for longer than a specified lifetime. Additionally, the expiration lets the file manager know that capabilities will no longer be useful after the specified time period, which avoids explicit revocation action.
    • Minimum protection requirement: The file manager specifies the security precautions the client must take when using this capability. This allows the file manager to require that the client protect the privacy or integrity of all drive requests, and to have non-compliant requests rejected by the drive.
      A partition has a minimum set of protection options, specified by the partition manager. All capabilities accessing this partition must require at least the partition's minimum. If the drive does not require at least integrity of the arguments, an adversary can always generate forged capabilities with no protection.
    • Audit identifier: The audit identifier is used by the file manager to embed audit information (such as user id) in a capability. This information is not understood by the drive but could be used in any on-drive audit trails.
    • Key identifier: Specifies whether the red or the black key should be used to verify this capability.

    The capability key is MessageDigest_ActiveKey(capability arguments, access control version): a message digest over the capability arguments and the access control version, keyed with the active key.

    The active key is either the red or the black key (determined by the file manager). The client does not know the value of either the red or the black key, so the client (and an adversary) is unable to generate a capability with arbitrary contents. The drive does know the value of the red and the black key, so it is able to repeat the MessageDigest and regenerate the capability key.

    The access control version number is a version counter on the access control information of an object. Its primary use is to allow the file manager to explicitly revoke all outstanding capabilities on that object by incrementing it, since every capability key was computed over the old version. We expect this to happen infrequently, such as when the access control permissions on an object change to become more restrictive.
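    The issue-and-verify cycle described above, as an added example that is not NASD's own code: the file manager computes the capability key as a keyed digest (HMAC-SHA256 stands in for the page's MessageDigest, an assumption), and the drive recomputes it with the current access control version after checking drive name, expiration and the minimum protection requirement. Protection levels, key names and all sample values are constructed.

```python
import hmac, hashlib, json

NONE, INTEGRITY, PRIVACY = 0, 1, 2  # constructed protection levels, weakest to strongest

def capability_key(active_key, args, acl_version):
    """Keyed digest over the capability arguments and the access control version.
    HMAC-SHA256 is an assumption standing in for the page's MessageDigest."""
    msg = json.dumps(args, sort_keys=True).encode() + b"|" + str(acl_version).encode()
    return hmac.new(active_key, msg, hashlib.sha256).digest()

class Drive:
    def __init__(self, name, red_key, black_key):
        self.name, self.keys = name, {"red": red_key, "black": black_key}
        self.partitions = {}  # partition -> {"min_protection": level, "acl_version": {object: n}}

    def check(self, args, cap_key, now, request_protection):
        """Return None if the request is authorized, otherwise the reason it was rejected."""
        if args["drive"] != self.name:
            return "wrong drive"
        part = self.partitions.get(args["partition"])
        if part is None:
            return "unknown partition"
        if now >= args["expiration"]:
            return "expired"
        # capability must demand at least the partition minimum; request must meet the capability
        if args["min_protection"] < part["min_protection"] or request_protection < args["min_protection"]:
            return "insufficient protection"
        acl_version = part["acl_version"].get(args["object"], 0)
        expected = capability_key(self.keys[args["key_id"]], args, acl_version)
        if not hmac.compare_digest(expected, cap_key):  # constant-time compare
            return "bad capability key"
        return None

def scenario():
    drive = Drive("drive-7", red_key=b"constructed-red-key", black_key=b"constructed-black-key")
    drive.partitions[1] = {"min_protection": INTEGRITY, "acl_version": {42: 3}}
    args = {"drive": "drive-7", "partition": 1, "object": 42, "region": [0, 65536],
            "rights": ["read"], "expiration": 1000, "min_protection": INTEGRITY,
            "audit": "uid=1001", "key_id": "red"}
    key = capability_key(b"constructed-red-key", args, acl_version=3)  # file manager issues it
    ok = drive.check(args, key, now=500, request_protection=INTEGRITY)
    # client cannot widen its own rights: any change to the arguments breaks the digest
    forged = drive.check(dict(args, rights=["read", "write"]), key, now=500, request_protection=INTEGRITY)
    expired = drive.check(args, key, now=1000, request_protection=INTEGRITY)
    weak = drive.check(args, key, now=500, request_protection=NONE)
    drive.partitions[1]["acl_version"][42] = 4  # file manager revokes all outstanding capabilities
    revoked = drive.check(args, key, now=500, request_protection=INTEGRITY)
    return ok, forged, expired, weak, revoked
```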



    © 2008.
    Last updated 11 November, 2004