To date, researchers have developed two schemes for trustworthy migration of records between compliance storage servers; both of these schemes rely on secure coprocessors (SCPUs). In the scheme proposed in [41], the SCPU of the original storage server (SCPU_1) should be provided assurances that the migration target environment (SCPU_2) is trustworthy and endorsed by the relevant regulatory authority (RA).

To achieve this, the migration process is initiated by (i) the system operator retrieving a migration certificate (MC) from the RA. The MC is in effect a signature on a message containing the timestamped identities of SCPU_1 and SCPU_2. Upon migration, (ii) the MC is presented to SCPU_1 (and possibly SCPU_2), who authenticates the signature of the RA. If this succeeds, SCPU_1 is ready to (iii) mutually authenticate and perform a key exchange with SCPU_2, using their internally stored key pairs and certificates. SCPU_2 will need backwards-compatible authentication capabilities, as the default authentication mechanisms of SCPU_2 may be unknown to SCPU_1. This backwards compatibility is relatively easy to achieve as long as the participating certificate authorities (i.e., SCPU manufacturer or delegates thereof) still exist and have not been compromised yet. A cross-certification chain can be set up between the old and the new certification authority root certificates. Once (iii) succeeds, SCPU_1 will be ready and willing to transfer a description of the state of the compliance records and index contents on a secure channel provided by an agreed-upon symmetric key (e.g., using a Diffie-Hellman variant). After the state information has been migrated, the actual records and index contents can be transferred by the main CPUs, without SCPU involvement.
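The migration-certificate check and key agreement of steps (i)-(iii), as an added Python model that is not code from [41] or this text. It assumes: the RA's public-key signature is stood in for by an HMAC under a key the SCPUs hold for the RA, the Diffie-Hellman group is a constructed toy parameter, an assumed freshness window MC_MAX_AGE, and the mutual SCPU certificate authentication and cross-certification step is not modelled.

```python
import hashlib
import hmac
import json
import secrets

# Constructed toy DH group (assumption): far too small for real use; SCPUs would use a standard group.
DH_P = 2**127 - 1
DH_G = 5
MC_MAX_AGE = 3600  # assumed policy: seconds after issue for which an MC is accepted

def ra_issue_mc(ra_key: bytes, src_id: str, dst_id: str, now: int) -> dict:
    """Step (i): the RA signs the timestamped identities of SCPU_1 and SCPU_2. The signature is
    modelled as an HMAC under a key the SCPUs hold for the RA (the scheme uses a public-key signature)."""
    body = {"src": src_id, "dst": dst_id, "issued": now}
    msg = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(ra_key, msg, hashlib.sha256).hexdigest()}

def scpu_verify_mc(ra_key: bytes, mc: dict, my_id: str, peer_id: str, now: int) -> bool:
    """Step (ii): authenticate the RA signature, then check that the MC names this SCPU as source
    and the intended peer as target, and that it is neither stale nor post-dated."""
    msg = json.dumps(mc["body"], sort_keys=True).encode()
    if not hmac.compare_digest(hmac.new(ra_key, msg, hashlib.sha256).hexdigest(), mc["sig"]):
        return False
    b = mc["body"]
    return b["src"] == my_id and b["dst"] == peer_id and 0 <= now - b["issued"] <= MC_MAX_AGE

class SCPU:
    """Minimal stand-in for a secure coprocessor holding a Diffie-Hellman key pair."""
    def __init__(self, ident: str):
        self.ident = ident
        self._priv = secrets.randbelow(DH_P - 2) + 1
        self.pub = pow(DH_G, self._priv, DH_P)

    def channel_key(self, peer_pub: int, transcript: bytes) -> bytes:
        # Step (iii): agreed symmetric key, bound to the MC and both public values
        shared = pow(peer_pub, self._priv, DH_P).to_bytes(16, "big")
        return hashlib.sha256(shared + transcript).digest()

def migrate_state(ra_key: bytes, src: SCPU, dst: SCPU, mc: dict, state: bytes, now: int):
    """Steps (ii)-(iii) end to end: the state description as accepted by SCPU_2, or None on refusal."""
    if not scpu_verify_mc(ra_key, mc, src.ident, dst.ident, now):
        return None
    transcript = (json.dumps(mc["body"], sort_keys=True).encode()
                  + src.pub.to_bytes(16, "big") + dst.pub.to_bytes(16, "big"))
    k_src = src.channel_key(dst.pub, transcript)  # SCPU_1's view of the channel key
    k_dst = dst.channel_key(src.pub, transcript)  # SCPU_2's view; equal if the exchange ran honestly
    # Secure channel modelled as authentication only: SCPU_1 tags the state, SCPU_2 verifies it
    tag = hmac.new(k_src, state, hashlib.sha256).digest()
    return state if hmac.compare_digest(hmac.new(k_dst, state, hashlib.sha256).digest(), tag) else None
```

An MC that names a different target SCPU, has expired, or carries a bad RA signature makes SCPU_1 refuse before any key material is exchanged.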
The scheme proposed in [22] supports the migration of files through multiple servers while maintaining integrity guarantees. In this scheme, files and directories can be rearranged or omitted during the migration, based on corporate policies. The approach relies on the existence of a trusted third party, such as a storage system vendor, who records the public keys associated with the sequence of storage servers purchased by an organization.

The migration process is divided into three phases:

In phase 1, the party in charge of migration prepares a plan for the migration. The log of this plan includes the policies governing the migration and, in compact form, a representation of the list of files and directories to be migrated, the planned file and directory omissions, and the planned directory restructurings.

In phase 2, the current storage server generates certificates that attest to the current state of the directory tree and file contents, and adds them to the log. The scheme assumes that the server will generate the certificates correctly, either because it is part of the trusted computing base or because it contains trusted hardware that is capable of perusing directories and creating certificates. In either case, these certificates can be generated reasonably quickly.