Security for Mobile Computing Environments

This work is in an early stage of development.

Rumor provides a rich platform for file replication among mobile hosts, but mobility also introduces new security threats to the sharing community. In particular, communication among mobile machines often must cross inherently insecure wide area and wireless networks, so the need for authenticated and encrypted data transport is greater.

Also, mobile computers will lead to users sharing data with more people and more widely varied people than ever before. For example, two people meeting at a conference may decide to share files based on a common discovered interest. Data will be increasingly shared with people and machines that are far away and not well known. Therefore, a host in the mobile sharing environment should never completely trust the other party.

Portable computers are convenient in many ways. Unfortunately, one of those conveniences, their very portability, also makes them easy to steal. We can expect to see far more stolen (and thus completely compromised) machines. This fact, together with the more limited trust users will have in their partners, suggests that data sharing policies should limit the damage a compromised host can do as far as possible. For example, a host should not be given the privilege to modify shared data unless its role in the sharing requires that privilege. Similarly, every propagation of updates should be logged and traceable.

Our initial design for secure file sharing in this type of user model can be briefly described as follows: Pretty Good Privacy (PGP) will be modified to serve as a library that can be integrated with Rumor to provide all necessary encryption and authentication functionality. Since encryption and authentication typically have significant performance costs, users of the system will be able to select the level of security they need.

At the highest level available, each site will store a database that maps every file to the list of privileged participants who hold authorization to update it. In addition, a trusted server is needed to function as a repository that keeps the versions of updates and the master copy of the database. Before a local site accepts updates propagated from a remote site, the remote site must obtain a signature from the trusted repository by sending its version of the update there. The remote site then attaches its own signature alongside the repository's and sends out the data. The local site accepts the data only if the repository's signature verifies, showing that the version was registered with the repository, and the remote site's signature identifies a participant that the database lists as authorized to update that file.
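The exchange described above, as an added example that is not part of the Rumor or Travler code. It models the three parties (remote site, trusted repository, local site) and the two checks the local site performs. Assumptions not in the original: HMAC tags with per-party keys stand in for the PGP signatures so the example runs on the Python standard library alone (a party's verification key is therefore the same secret it signs with, where PGP would use a public key), the repository consults the master database before signing, and the names `Repository`, `Site`, `canonical` and the sample sites and file are invented for illustration.

```python
import hashlib
import hmac
import json

# Assumption: HMAC tags stand in for the PGP signatures of the design so the
# example runs on the standard library alone. With PGP the "keyring" passed to
# the local site would hold public keys instead of the signers' secrets.
def sign(key: bytes, message: bytes) -> str:
    return hmac.new(key, message, hashlib.sha256).hexdigest()

def verify(key: bytes, message: bytes, tag: str) -> bool:
    return hmac.compare_digest(sign(key, message), tag)

def digest_of(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()

def canonical(site: str, filename: str, digest: str) -> bytes:
    """The exact bytes both signatures cover: who is updating which file to what."""
    return json.dumps({"site": site, "file": filename, "digest": digest},
                      sort_keys=True).encode()

class Repository:
    """Trusted server: master copy of the authorization database, log of update versions."""
    def __init__(self, key: bytes, authorized: dict):
        self.key = key
        self.authorized = authorized   # file -> set of sites allowed to update it
        self.log = []                  # every certified version, for traceability

    def certify(self, site: str, filename: str, content: bytes):
        """Sign (site, file, digest) if the master database allows the update, else refuse.
        Checking here is an added hardening; the page only has the local site check."""
        if site not in self.authorized.get(filename, set()):
            return None
        digest = digest_of(content)
        self.log.append((filename, site, digest))
        return sign(self.key, canonical(site, filename, digest))

class Site:
    def __init__(self, name: str, key: bytes, repo_key: bytes, authorized: dict):
        self.name, self.key, self.repo_key = name, key, repo_key
        self.authorized = authorized   # this site's copy of the database
        self.files = {}

    def publish(self, repo: Repository, filename: str, content: bytes):
        """Remote side: obtain the repository's signature, attach our own, send both."""
        repo_sig = repo.certify(self.name, filename, content)
        if repo_sig is None:
            return None
        msg = canonical(self.name, filename, digest_of(content))
        return {"site": self.name, "file": filename, "content": content,
                "repo_sig": repo_sig, "site_sig": sign(self.key, msg)}

    def accept(self, update: dict, keyring: dict) -> bool:
        """Local side: store the data only if the repository certified exactly this
        version, the sender really signed it, and the sender is authorized for the file."""
        msg = canonical(update["site"], update["file"], digest_of(update["content"]))
        if not verify(self.repo_key, msg, update["repo_sig"]):
            return False               # not certified by the trusted repository
        sender_key = keyring.get(update["site"])
        if sender_key is None or not verify(sender_key, msg, update["site_sig"]):
            return False               # not really from the claimed site
        if update["site"] not in self.authorized.get(update["file"], set()):
            return False               # sender lacks update privilege in our database
        self.files[update["file"]] = update["content"]
        return True

def run_demo() -> dict:
    # Constructed sample data: two sites, one shared file, only alice may update it.
    repo_key, alice_key, bob_key = b"repo-secret", b"alice-secret", b"bob-secret"
    db = {"notes.txt": {"alice"}}
    repo = Repository(repo_key, db)
    alice = Site("alice", alice_key, repo_key, db)
    bob = Site("bob", bob_key, repo_key, db)
    keyring = {"alice": alice_key, "bob": bob_key}
    results = {}

    good = alice.publish(repo, "notes.txt", b"v1 of the shared notes")
    results["authorized_accepted"] = bob.accept(good, keyring)

    # bob is not listed for the file, so the repository refuses to certify his update.
    results["unauthorized_refused"] = bob.publish(repo, "notes.txt", b"bob's edit") is None

    # Content altered in transit: the digest changes, so the repository signature fails.
    tampered = dict(good, content=b"v1 of the shared notes, with a backdoor")
    results["tampered_rejected"] = not bob.accept(tampered, keyring)

    # bob, holding only his own key, forges a message in alice's name; neither
    # the repository's nor alice's signature can be produced, so it is rejected.
    forged_msg = canonical("alice", "notes.txt", digest_of(b"forged"))
    forged = {"site": "alice", "file": "notes.txt", "content": b"forged",
              "repo_sig": sign(bob_key, forged_msg), "site_sig": sign(bob_key, forged_msg)}
    results["forged_rejected"] = not bob.accept(forged, keyring)

    results["log_entries"] = len(repo.log)   # only the certified version is logged
    return results

if __name__ == "__main__":
    print(run_demo())
```

Both signatures cover the same canonical (site, file, digest) triple, so a stolen or compromised host cannot replay a repository signature over different content, and the repository's log records which site submitted each version, which is the traceability the design asks for.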

This work will have some relation to the Truffles research project jointly performed by UCLA and Trusted Information Systems.
