1. Field of the Invention
The present invention relates generally to an improved data processing system, and in particular to a computer implemented method, data processing system, and computer program product for providing transparent aware data transformation at the file system level to enable efficient encryption and integrity validation of network files.
2. Description of the Related Art
Most data processing systems contain sensitive data and sensitive operations that need to be protected. Secure data communication is essential in a wide range of businesses, including, but not limited to, banking, e-commerce, on-line stock trading, business-to-business transactions, and so forth. With the spread of networks and connectivity to the Internet, proper handling of confidential information has become increasingly important to prevent accidental interception of confidential information by an unauthorized recipient. Companies typically have policies in place as to designations and handling of confidential information. For example, encryption of all files containing confidential information may be required for transfer of files outside of a company's network or outside of selected computers.
Cryptography plays a pivotal role in various solutions offered for meeting challenges of confidentiality and security. Cryptography comprises a family of technologies. Two of these technologies are encryption and decryption. Encryption is a process of encoding data to prevent unauthorized access, especially during transmission of the data. Encryption uses a key that is required for decoding. Encryption ensures privacy by transforming data into a form that cannot be decrypted without the encryption key. Decryption is the reverse of encryption. Decryption uses the encryption key to transform encrypted data back into the original form.
One encryption scheme is Secure Sockets Layer (SSL). This standard is a widely used security protocol on the Internet. SSL ensures sensitive files are protected when transferred between a server and a client using a technique called “public key cryptography”. With public key encryption, an asymmetric scheme is employed that uses a pair of keys for encryption. Public key cryptography involves providing each person a pair of keys, a public key and a secret key. The public key is typically published, while the secret key is kept secret. The public key encrypts the data and the corresponding secret key decrypts the data.
The secret key is the other key used in public key encryption. The user typically keeps the secret key secret and uses it to encrypt digital signatures and decrypt received messages. Types of public key encryption include Rivest-Shamir-Adleman (RSA) encryption, which is a public key encryption algorithm on which programs, such as the Pretty Good Privacy (PGP) encryption program, are based. Another encryption technology is Diffie-Hellman (DH) encryption, which is a commonly used key exchange protocol.
Encryption is also used for protecting files while they are in storage. For example, a user may wish to encrypt files on a hard disk to prevent an intruder or other unauthorized person from reading or accessing the files. Thus, encryption may transform data into a form undecipherable by anyone without a secret decryption key.
In this manner, encryption allows for secure communication over an insecure channel. However, the traditional techniques for encrypting and decrypting data over an insecure network connection before and after the data transfer using IP Security (IPSec) or Secure Sockets Layer (SSL) connections are computationally expensive. Since it may be expensive to alter existing client file system implementations, it is often feasible to stack an encryption file system or filter driver over an existing Network File System (NFS), Common Internet File System (CIFS), or General Parallel File System (GPFS) client. Encryption file systems allow for encrypting entire file systems or subsets of file systems. Since encryption file systems, such as Cryptographic File System (CFS) and eCryptfs, store the files in encrypted form on disk, it is not necessary to re-encrypt the files before transferring them to a server. In fact, for some cryptographic ciphers, encrypting data twice with the same cipher and the same key may weaken the level of security provided by the encryption.
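The double-encryption caveat above can be seen with any cipher that XORs a keystream into the data. The following is an added example, not part of the original text: it uses a toy SHA-256 counter keystream constructed here for illustration, and all function names are hypothetical. When a transport layer reuses the storage layer's key and nonce, the second pass cancels the first and the plaintext goes on the wire.

```python
import hashlib


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream (constructed for illustration, not a
    vetted cipher): SHA-256(key || nonce || counter), block after block."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt by XORing the keystream into the data.
    The same call performs both directions."""
    ks = keystream(key, nonce, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def store_then_send(plaintext: bytes, storage_key: bytes,
                    transport_key: bytes, nonce: bytes):
    """Model a stacked encryption file system (first pass, data at rest)
    followed by a transport layer that encrypts again (second pass).
    Returns (bytes on disk, bytes on the wire)."""
    at_rest = xor_cipher(storage_key, nonce, plaintext)
    on_wire = xor_cipher(transport_key, nonce, at_rest)
    return at_rest, on_wire


# Constructed sample values.
PLAINTEXT = b"account=4711;balance=1200.00;owner=example"
KEY_A = b"storage-layer-key-(sample)"
KEY_B = b"transport-layer-key-(sample)"
NONCE = b"file-0001"

if __name__ == "__main__":
    # Same cipher, same key, same nonce: the two passes cancel out.
    at_rest, on_wire = store_then_send(PLAINTEXT, KEY_A, KEY_A, NONCE)
    print("same key   -> wire equals plaintext:", on_wire == PLAINTEXT)

    # Independent keys: the wire data stays encrypted.
    at_rest, on_wire = store_then_send(PLAINTEXT, KEY_A, KEY_B, NONCE)
    print("other key  -> wire equals plaintext:", on_wire == PLAINTEXT)
```
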
However, there are four key problems to address in stacking an encryption layer on top of existing network file systems. A first problem is serializing access across multiple client implementations of the cryptographic file system layer working on the same inode. A second problem is making the server decide, based on the user and client type, whether to encrypt all traffic containing decrypted file data or not to encrypt network file system traffic containing encrypted file data. A third problem is maintaining a consistent view of the key store (and the associated universally unique identifiers (UUIDs)) on the client and server. A fourth problem is having the cryptographic file system detect and use a more optimal performance configuration, such as read and write block sizes, when transferring data over a network file system.