Decentralized Authentication Mechanisms for Object-based Storage Devices

Network-attached object-based storage separates data-path from control-path and enables direct interaction between clients and the storage devices. Clients interact with the file manager only to acquire the meta-data information and some cryptographic primitives, for example, access keys. Most of the current schemes rely on a centralized file manager to support these activities. This paper presents security mechanisms for decentralized authentication for object-based storage. The schemes are novel in several ways. First of all, they reduce the load on the file manager and free the system from central point of failure and denial of service attacks. We exploit Role-based Access Control (RBAC) to provide scalability and design authentication schemes that efficiently utilize RBAC. In most of the cases, the client needs to acquire only one access key from the file manager, which can be used by the client to further derive role-keys for the roles that he/she is permitted to play within an organization. Further, the number of cryptographic keys required for the purpose of authentication in these schemes is less as compared to the existing schemes. Finally, we also present two simple schemes that enable the clients to access objects stored on any device on the network using a single identity key.