Fast and secure distributed read-only file system

Internet users increasingly rely on publicly available data for everything from software installation to investment decisions. Unfortunately, the vast majority of public content on the Internet comes with no integrity or authenticity guarantees. This paper presents the self-certifying read-only file system, a content distribution system providing secure, scalable access to public, read-only data. The read-only file system makes the security of published content independent from that of the distribution infrastructure. In a secure area (perhaps off-line), a publisher creates a digitally signed database out of a file system's contents. The publisher then replicates the database on untrusted content-distribution servers, allowing for high availability. The read-only file system avoids performing any cryptographic operations on servers and keeps the overhead of cryptography low on clients, allowing servers to scale to a large number of clients. Measurements of an implementation show that an individual server running on a 550-Mhz Pentium III with FreeBSD can support 1,012 connections per second and 300 concurrent clients compiling a large software package. Categories and Subject Descriptors: D.4.3 [Operating Systems]: File System Management--Distributed file systems; D.4.6 [Operating Systems]: Security and Protection--Authentication; D.4.7 [Operating Systems]: Organization and Design--Distributed systems General Terms: Design, Management, Performance, Security Additional Key Words and Phrases: File systems, read-only, security