Integrating FPGA/ASIC into cryptographic storage systems to avoid re-encryption

摘要

Almost all cryptographic storage systems need re-encryption when revoking users. These systems differ from each other only in the timing of re-encryption. As re-encryption is an expensive operation, it is significant to avoid re-encryption. To avoid re-encryption in cryptographic storage systems, field programmable gate array (FPGA) and application-specific integrated circuit (ASIC) hardware module have been integrated into encrypt-on-disk object store system in this paper, letting private key never leave the hardware module and object key existing only in hardware module in plaintext. Anyone who does not know private or object key, so when revoking usersjust needs to modify access control list (ACL) to delete the privileges of the users. To facilitate file sharing and key management, a group is adopted. In the system, almost all computationally expensive cryptographic operations are through FPGA/ASIC hardware module. Once a creator revokes some users, objects do not need re-encryption. How to use ACL and FPGA/ASIC hardware module to authenticate and authorise is also described. And the procedure of object store and the distribution of metadata are detailed. Finally, an encrypt-on-disk object store prototype system is implemented using FPGA in software solution with tested and effective performance.