Integrated Computer-Aided Engineering 21 (2014) 3–18 3

DOI 10.3233/ICA-130444
IOS Press

Information dependability in distributed

systems: The dependable distributed storage
system
Salvatore Distefanoa,∗ and Antonio Puliafitob
a
Dipartimento di Elettronica, Informazione e Bioingegneria, Politecnico di Milano, Milano, Italy
b
Dipartimento di Ingegneria, Università di Messina, Messina, Italy

Abstract. In distributed infrastructures data are usually scattered among different nodes and thus accessible by several users. It is
therefore necessary to provide mechanisms and tools for managing the information, ensuring the access exclusively to authorized
users avoiding malicious ones. Furthermore, satisfactory performance and adequate fault tolerance have to be provided while
addressing information confidentiality, availability and integrity issues. In this paper we face the problem of data dependability
in distributed system, proposing a redundant lightweight cryptography algorithm combining symmetric and asymmetric cryptog-
raphy approaches. The proposed algorithm, named dependable distributed storage system (D2 S2 ), has been implemented on top
of the Grid gLite middleware file access and replica management libraries, as a file system service with cryptography capability,
redundancy management and POSIX interface. To demonstrate the effectiveness and the applicability of the D2 S2 gLite imple-
mentation, performance and reliability of its operations have been evaluated and compared to those of existing solutions. The tests
have been performed on real applications to provide a complete overview of the D2 S2 implementation. The results thus obtained
demonstrate the effectiveness of the D2 S2 implementation also compared to existing solutions and former implementations.

Keywords: Dependability, information security, performance, reliability, distributed system, grid

1. Introduction terfaces for aggregating, managing and interconnect-

Information and Communication Technology (ICT)
moves towards network-distributed computing paradi-
gms. From clusters to data-centers built on multi-
core systems, such a trend aims at aggregating dis-
tributed resources accessed through the Internet. Peer
to peer systems exploit overlay networks in order to
connect peers, volunteer computing adopts a client-
server approach to aggregate volunteer contributors,
Grids adopt resource brokers (or workload manage-
ment systems) for managing the resources and the in-
coming job requests, Clouds implement specific in-
∗ Corresponding author: Salvatore Distefano, Dipartimento di
Elettronica, Informazione e Bioingegneria, Politecnico di Milano,
Piazza L. Da Vinci 32, 20133 Milano, Italy. E-mail: salvatore.
ing (physical and virtual) resources according to a
service computing paradigm, as a service. All such
mechanisms and tools allow to aggregate from thou-
sands (Grid, Cloud) to millions (P2P, volunteer com-
puting) resources into large scale distributed systems.
Even though the final goal of these paradigms differs,
ranging from business-commercial applications (Grid,
Cloud) to scientific-academic-free of charge contexts
(Grid, volunteer computing) and to file/resource shar-
ing (P2P, volunteer computing), there are problems and
issues common to all of them.
Among them dependability often assumes strategic
importance. Indeed, in order to implement distributed
computing goals it is mandatory to consider depend-
ability aspects such as reliability and security. Espe-
cially in the information management: data have to be
promptly available from different locations, ensuring

[email protected]. reliability and security in accesses. A possible solution

ISSN 1069-2509/14/$27.50 
c 2014 – IOS Press and the author(s). All rights reserved
4 S. Distefano and A. Puliafito / Information dependability in distributed systems: The dependable distributed storage system
is to replicate and disseminate data among nodes. But
sharing information in distributed multi-user environ-
ments triggers problems of security concerning data
confidentiality and integrity.
Some of the middleware implementing the above re-
ferred paradigms usually provide data and resources
management’s capabilities such as indexing and replica
management, ensuring security on accessing services
and on communicating data, but they often lack of data
protection from direct malicious accesses, at system
level. In other words, the fact that data are dissemi-
nated and stored in remote nodes, directly accessible
from their administrators, constitutes one of the main
risks for data security in such environments, known as
insider abuse/attack. It is therefore mandatory to in-
troduce adequate data protection mechanisms, which
deny data intelligibility to unauthorized users, also if
they are (local) system administrators.
The focus this paper is therefore on information re-
liability and security of distributed systems identified
and characterized hereinafter as information depend-
ability. Specifically, the main contribution of this work
is to provide a mechanism to store data in distributed
systems, overcoming the above discussed problems
and issues concerning data dependability. In terms of
reliability, the design and implementation of a specific
data redundancy management mechanism is required
to achieve such goal. In terms of security, it is neces-
sary to develop an algorithm that provides the highest
data protection, ensuring confidentiality and integrity.
To this extent, all the work proposed in literature is
mainly based on symmetric cryptography. Most of the
adopted solutions implement key splitting algorithms.
The underlying idea of the key splitting approach is
that at least a subset of the systems (key servers) over
which the keys are distributed has to be trustworthy.
However this approach is weak from three points of
views: security, since often it is not possible to ad-
equately secure the list of servers with key parts, in
fact the system administrators can always access the
key parts and it is really hard to achieve trustworthy
on remote and distributed nodes for users; reliability/
availability, since keys and consequently data can be
unavailable if one or more of the key servers, depend-
ing on the fault tolerance policy implemented, cannot
be accessed; performance, since there is an initial over-
head to rebuild a key, depending on the number of parts
in which the key is split. A possible solution for im-
proving the reliability/availability of key splitting algo-
rithms is to replicate the key servers, but this contrasts
with security challenges.
The solution we propose to store data in a distributed
environment taking into account dependability require-
ments is to combine both the symmetric and the asym-
metric cryptography with a data redundancy algorithm
into the dependable distributed storage system (D2 S2 ).
D2 S2 has been implemented on top of the gLite mid-
dleware in order to demonstrate the feasibility of the
approach, exploiting libraries and API provided by the
specific middleware. Interesting and remarkable con-
tributions of the implementation are the organization
of data in an encrypted file system, the protection of
both data/files and file system structure, the introduc-
tion of the capability of file rewriting in the gLite stor-
age systems and the use of a cache to improve the D2 S2
operation performance.
Moreover, the D2 S2 gLite implementation has been
evaluated considering both single I/O operations and
possible applications, investigating its performance
and reliability against existing solutions and former
implementations. In particular we demonstrated the ef-
fectiveness of our implementation through real appli-
cations, by which we evaluated the impact of cache on
the system performance and reliability.
This paper extends previous work [8,9] mainly
broadening the scope to reliability issues, thus turn-
ing into the wider dependability context to provide
further investigation on the impact of dependability
on the overall storage system. Furthermore, the refer-
ence architecture of D2 S2 is here specified identify-
ing functionalities and modules of both its Client and
Server, also providing and discussing new evaluation
results obtained by testing the resulting implementa-
tion through real applications and against the former
implementations.
The reminder of the paper is organized as follows:
Section 2 provides an overview of the state of the art of
information dependability in distributed environments.
In Section 3 we describe the main algorithms of the
proposed technique, while Section 4 deals with its im-
plementation into the gLite Grid middleware. Then, in
Section 5, the results obtained by evaluating our im-
plementation are presented. A discussion on the pro-
posed solution, final remarks and possible future work
are provided in Section 6.
2. Related work
Several work in literature addressed problems and
issues related to reliable, available and secure storage
systems, but few of them consider both aspects to-
 S. Distefano and A. Puliafito / Information dependability in distributed systems: The dependable distributed storage system
gether. Focusing on both reliability and security the
perspective slightly changes, since choices and algo-
rithms can be affected by multi-objective, combined
constraints.
In this context, an interesting solution has been de-
veloped in [28]. It implements a distributed storage
system (Oasis+) entirely deployed in-memory using
the distributed shared memory approach, operating as
a backbone service in a computing cluster. The Oa-
sis+ storage system implements an interesting solu-
tion from the reliability perspective in a small cluster
context, but it does not take into account security as-
pects. Both dependability (in terms of reliability, avail-
ability and fault tolerance) and security are instead ad-
dressed in [10], which proposes a solution based on
intrusion tolerance, i.e. the fragmentation-redundancy-
scattering, that can be scalable to large pervasive sys-
tems. A drawback of the technique is the high over-
head in term of messages required for managing the in-
formation security, since higher security standards im-
ply higher fragmentation that, on the other hand, af-
fects the performance of data operations. Another in-
teresting work on the topic is proposed in [26], based
on a dependable distributed storage system named Ca-
gra. It is optimized for 3D rendering and implements
an interesting fault tolerance mechanism through re-
dundancy, based on a consistent hashing algorithm to
manage and locate data that unfortunately do not en-
sure key data coherency thus limiting its applicability
to large datasets.
The most important and effective way for achieving
data reliability and fault tolerance is redundancy, con-
sisting of replicating information and disseminating re-
dundant data onto the system. In distributed system, re-
liability can be implemented both locally at the single
node of the system and globally considering the sys-
tem as a whole. Several techniques have been devel-
oped and implemented at local level, among others the
redundant array of independent disks (RAID) technol-
ogy is the most effective and widely used. The problem
of local reliability can be thus considered as solved, but
it is still open at a global level. Several attempts have
been implemented in such direction. For example, [23,
24] proposes a middleware system that features spe-
cific enhancements designed to support the develop-
ment and assessment of highly dependable service-
oriented systems and applications named CROWN-C.
Fault tolerance issues have been faced at higher service
layer by implementing a specific fault tolerant Grid
service. Reliability and data redundancy also are dealt
with in [4,10,12,27], mainly adopting data catalogue
5
and replica services specifically conceived for redun-
dant data management.
On the other hand, the problem of a secure storage
has been mainly faced in literature as definition of ac-
cess rights [14], in particular addressing problems of
data sharing, whilst the coding of data is demanded
to the user, since no automatic mechanism to access
a secure storage space in a transparent way has been
defined. In such context, several solutions propose to
encrypt data in order to achieve information secu-
rity [5,6,19,20,22]. Symmetric encryption techniques
are mainly adopted, moving the problem towards the
symmetric key hiding in order to protect data from ma-
licious users, external attacks and insider abuses.
The most effective way to achieve data security is
encryption, based on the cryptography theory. Cryp-
tography algorithms are grouped into two main classes:
symmetric (also known as conventional or secret
key) [30] and asymmetric (public key) [18]. Asym-
metric ciphers are much slower, even if more secure,
than symmetric ones. An interesting technique com-
bining the high security of asymmetric cryptography
algorithms with the efficiency of the symmetric ap-
proach is PGP (Pretty Good Privacy) [11]. PGP en-
crypts data through symmetric cryptography and then
applies an asymmetric cryptography algorithm to se-
cure the symmetric key. GNU has developed a PGP-
like algorithm in the open source project GPG (GNU
Privacy Guard) [31].
Different solutions adopting cryptography to se-
cure information in distributed computing environ-
ment have been conceived [3,6,7,11,13,16,17,19–21,
31]. In [19], the authors propose a technique for se-
curing data disseminated in a distributed environment
based on symmetric cryptography. The key security is
entrusted to a unique keystore server that stores it, to
which all the data access requests must be notified in
order to decrypt the data. This algorithm implements
a spatial security policy: the security lies in physically
hiding and securing the keystore server, and the access
to the keystore is physically restricted and monitored in
order to protect from malicious users, external attacks
and insider abuses.
Shamir in [20] studied in depth the problem of data
access in distributed environments, proposing a so-
lution based on symmetric keys. The secret sharing
scheme splits the (AES) symmetric key in n parts,
which can be recomposed if and only if at least k  n
parts are available (k/n threshold scheme). Moreover,
in order to prevent unauthorized accesses, the symmet-
ric key is stored in different key-servers. In this way,
6 S. Distefano and A. Puliafito / Information dependability in distributed systems: The dependable distributed storage system
the system is both resistant to attacks and reliable since
n − k + 1 key-servers have to be compromised or have
to fail in order to make the key unavailable and conse-
quently data inaccessible. Brunie et al. have specified a
similar technique in [6], decomposing the (AES) sym-
metric key in n trunks that can be rebuilt only if all the
n parts are available.
The solutions above discussed are based on symmet-
ric cryptography. Most of them implement key split-
ting algorithms. The underlying idea of the key split-
ting approach is that at least a subset of the nodes (key
servers) over which the keys are distributed has to be
trustworthy. This approach well addresses data-sharing
and reliability/availability issues but it is weak from the
security point of view, since the list of servers with key
parts has to be adequately secured, also from system
administrators that can always access the keys. This
is a serious problem to adequately address in an alter-
native way, in fact, even though higher security could
be achieved by increasing the fragmentation into key
parts and consequently of keystores (anyway vulnera-
ble to insider abuses), this should have a heavy impact
on performance.
This fact has been also demonstrated in [17,29]
evaluating and comparing different dependable storage
system solutions in distributed environments. More
specifically, [29] proposes a model and evaluation
metrics used in the analysis of 4 schemes: replica-
tion with shared keys (through key server), replica-
tion with lockboxes (mixing symmetric and asymmet-
ric encryption), and two variants adopting the local
key approach, threshold secret sharing with local en-
cryption and short secret sharing. Experimental mea-
sures demonstrate that the replication with lockboxes
and private keys’ scheme ensures the greatest security,
while all the schemes provide similar level of reliabil-
ity/availability. The best performance in retrieving data
is provided by the short secret sharing scheme.
Thus, in order to achieve the highest security also
preventing insider abuses the use of private keys and
asymmetric encryption is required, possibly taking into
account also performance requirements.
3. The proposed solution
The main goal of this work is to achieve data re-
liability and security in distributed systems specifi-
cally conceived for providing users with access to
their storage accounts. To this purpose, data reliabil-
ity/availability, confidentiality and integrity must be
pursued avoiding both outsider and, in particular, in-
sider attacks: no one except the user/owner can access
data, including system administrators.
In such scenario two main actors can be identified:
the final user (or also customer) and the storage sys-
tem administrator (or provider). The former accesses
the storage system through a specific Client that sends
the user request to the storage system through the net-
work in a client-server fashion. On the other hand, the
Server (that could be a Web-Grid service) processes
the incoming requests returning the corresponding
results/data. As discussed above the system should en-
sure data reliability/availability and reliability preserv-
ing from both outsider and insider abuses.
Data reliability can be achieved by introducing re-
dundancy. Storage systems are usually implemented
as redundant, starting from very robust and reliable
RAID configurations. This adequately covers internal-
isolated faults. In order to face common failure modes
and causes it is necessary to adequately replicate data
by splitting and distributing them among different stor-
age systems physically independent. The main prob-
lem to face is therefore related to the replica manage-
ment since it is necessary to ensure data consistency. In
order to achieve data security, the best solution is the
cryptography. As discussed above, till now, the most
successful approach adopted for solving the problem
is the symmetric cryptography due to its performance
against the asymmetric one. A problem of symmetric
encryption is the symmetric key (DataKey) securing-
hiding as in the Kerckhoffs’ principle [15].
On the other hand, a whole asymmetric cryptogra-
phy algorithm has a heavy impact on data access times,
since this requires greater computational resources and
therefore is slower than the symmetric algorithms. This
usually does not allow encrypting large amounts of
data in acceptable time for users, considerably slowing
down the overall system’s performance. Thus, it be-
comes necessary to implement a solution representing
a trade-off between security and performance require-
ments. The only condition to satisfy is that no other
than the owner of data can access the private key, that
is the only exclusive way to decrypt data encrypted by
the coupling public key. In other words we assume that
the private key is securely stored in a trust location (for
example a physical token such as a smartcard device).
As above introduced, the most successful approach
for addressing the key-security problem is to split the
key (DataKey) among different KeyServers. The main
drawback of such approach is the total failure of the
protection mechanism in case a malicious user obtains
 S. Distefano and A. Puliafito / Information dependability in distributed systems: The dependable distributed storage system
(a) (b)
Fig. 1. Modular architecture of D2 S2 client (a) and server (b).
the key. This technique does not protect the owner of
data from who has (legally or illegally) the privileges
of administrator, since administrators can access to all
the key components/splits. For this reason we retain it
is necessary to use a more effective solution.
An adequate one could be to implement a two-stage
encryption algorithm: at the first stage data are en-
crypted by exploiting the faster symmetric encryption,
while at the second stage the symmetric DataKey used
for encrypting data is in its turn encrypted through an
asymmetric encryption technique, solution adopted in
D2 S2 as detailed in the following.
3.1. Static view: Architecture
As shown in Fig. 1 the D2 S2 system is com-
posed of two main parts connected through the net-
work, the storage system and the client, following
the client/server architecture. In the following we pro-
vide modular-layered architectures of D2 S2 server and
client, where modules at the same layer directly inter-
acting and cooperating, providing functionalities to the
upper layers.
3.1.1. Server
According to the considerations made above and
starting from the assumption of reliable storage nodes
implementing some specific RAID technology, in or-
der to implement a high reliable storage system it is
necessary to use redundant storage nodes. Different
possible options are available as redundant data man-
agement policies: replication, advanced coding algo-
rithms, parity, etc. The main drawback of redundant
storage nodes is the necessity of coordination through
a management system that distributes data according
to a specific redundancy policy.
Figure 1(a) shows the architecture implementing the
D2 S2 server. Three main components are identified:
– Identity manager: Manages the user account (ac-
counting), authentication, authorization, roles,
and privileges/permissions within or across the
storage system, with the goal of increasing secu-
rity and performance, ensuring privacy, while de-
creasing cost and downtime.
7
– Replica manager: Manages data replica imple-
menting specific data redundancy policies, index-
ing replicas and keeping track of where portions
of the data set can be found.
– Interface: Implements the storage system inter-
face to end-users. It mainly receives the user re-
quests and forwards them to the specific module
for processing. The service has to be network pro-
vided, thus specific protocols have to be adopted.
3.1.2. Client
Four main modules are identified for the D2 S2
Client in Fig. 1(b): the loader, the encrypter/decrypter,
the store and replica manager and the interface with the
remote storage system. They implements the following
functionalities:
– Loader: The module that loads data from the re-
mote storage system. It initially loads the DataKey
and the data index-map from the remote storage
system. Thus it manages each remote data load-
ing/read.
– Encrypter/decrypter: Encrypts and decrypts data
to/from the storage system. It uses the keys (both
the asymmetric and the symmetric ones) provided
by the loader.
– Store and replica manager (SRM): Manages the
data storage operation. It therefore implements
functionalities and provides primitives for writing
data into the remote storage system. For perfor-
mance issues data loaded from the storage sys-
tems can be also locally buffered (cached).
– Interface: It implements the interface to the stor-
age system. It forwards all the requests incoming
from the lower level modules to the storage sys-
tem through the network, adopting adequate pro-
tocols.
All such modules need to interact in order to ade-
quately perform the required functions. Moreover, ad-
equate tricks and countermeasures have to be adopted
in order to protect decrypted data (in clear) from mali-
cious accesses.
3.2. Dynamic view: Algorithms
Once identified and described the D2 S2 main func-
tionalities and the corresponding modules, it is neces-
sary to deal with their interactions, detailing how they
have to collaborate for performing their intended func-
tions. To this purpose we can start roughly assigning
reliability/availability commitments to the D2 S2 server
side, while security issues are mainly in charge of the
D2 S2 client.
8 S. Distefano and A. Puliafito / Information dependability in distributed systems: The dependable distributed storage system
Fig. 2. D2 S2 Client-Server interaction workflow.
The server replica manager handles redundancy ap-
plying some specific policies. Such management sys-
tem has to be highly reliable, more than the underly-
ing storage subsystem usually based on RAID config-
urations. Thus, it should be as much decentralized as
possible, in order to provide adequate guarantees.
With regards to security, the proposed solution com-
bines both symmetric and asymmetric cryptography
into a hierarchical approach, applied in the client
side. An authorized user, authenticated by his/her own
asymmetric keys through the client, contacts the stor-
age system where his/her data are located. Data in the
storage system are encrypted by a symmetric cryptog-
raphy algorithm whose DataKey K is also stored in the
storage, in its turn encrypted by the user/owner pub-
lic key (KPUB), obtaining the encrypted KPUB (K). In
this way, only the user that has the matching private
key KPRIV can decrypt the DataKey and therefore the
encrypted data. KPUB(K) is stored together the data to
allow the owner to access data from any node of the in-
frastructure. He/she only needs the smartcard contain-
ing the private key.
In order to implement data sharing, K is replicated
into as many copies as the users authorized to access
data, then saved into the storage system. In this way a
copy of DataKey encrypted by the ith authorized user
i i
public key KPUB (KPUB (K)) must be stored into the
storage system in order the user can access the data.
It is important to remark that, in the proposed algo-
rithm, the decryption is exclusively performed into the
authorized users’ node where the asymmetric keys are
hosted, and the decrypted symmetric key, the data and
Fig. 3. Client initialization algorithm.
Fig. 4. Data sharing algorithm.
all the other information concerning these latter have to
be secured and preserved from unauthorized accesses,
as discussed above. In this way the highest layer of se-
curity is achieved and ensured: data and keys are al-
ways encrypted both in the remote storage system and
in transfers, while they are in clear only in the trust
user host, which implements mechanisms for securing
them.
The algorithm related to the D2 S2 Client-Server in-
teractions can be better decomposed into the four sub-
activities identified in Fig. 2: initialization, data shar-
ing, data I/0 and finalize, detailed in the following sub-
sections through activity diagrams which swim-lines
are associated to the D2 S2 modules identified in Fig. 1.
Since all the interactions are managed by the inter-
faces, for the sake of clarity in diagramming we omit
to highlight specific activities on interfaces.
3.2.1. Initialization
The first phase of the system is devoted to the initial
setting of the environment, as described by the activ-
ity diagram of Fig. 3. Once a user logs into the sys-
tem trough the Client, the algorithm requests to the
 S. Distefano and A. Puliafito / Information dependability in distributed systems: The dependable distributed storage system 9

Client: Client: Server: Client: Client:SRM Server: Client:SRM Server:

Loader Decrypter Replica Man. Encrypter Replica Replica Man.
Encrypt(Data,K) Man.
Request(Data) Retrieve(K(Data))
Send(OPReq) Recv(OPReq)
Send(K(Data)) Recv(K(Data))
Recv(K(Data)) Send(K(Data)) R=Process(OPReq)
[NO] [OK]
R=Store(K(Data))
Decrypt(K(Data),K)
Recv(R) Send(R)
Recv(R) Send(R)
Error(Read)

(a) (b) (c)

Fig. 5. Read (a) write (b) and generic operation (c) algorithms.

Client:SRM Server: the DataKey does not exist the storage system has to
Replica Man. be initialized. Thus a new DataKey K is generated
by the Client, then encrypted and sent to the Server
Send(ENDREQ) Recv(ENDREQ)
replica manager, that replicates it and stores the copies
Recv(R)
as shown in Fig. 3.
R=CheckStatus

[NO]
Send(R)
[OK]
FlushMem(User)
Logout(User)
Fig. 6. Termination algorithm.
remote storage system the symmetric DataKey K en-
crypted by the public key of the user KPUB. The Client
Loader therefore forwards the request to the storage
system that first verifies the identity of the user through
the Server ID manager and then, in case it is autho-
rized, forwards the requests to the replica manager. If
the storage system has been already initialized, a spe-
cific query returns the set of storage elements hosting
the encrypted DataKey KPUB(K). The replica manager
has to retrieve KPUB(K) from one of the storage el-
ements: in order to achieve fault tolerance, the corre-
sponding algorithm starts by querying the first storage
element and, in case of faults, iterates by querying the
other storage elements until the data are retrieved or all
the storage elements have been queried without suc-
cess. The data thus retrieved, or a Null value in case of
unsuccessful queries or an error code in case of unau-
thorized user, are then forwarded to the Client. In case
of success, this latter has to decrypt KPUB (K) by using
the user private key KPRIV (K) and stores the decrypted
DataKey K in a safe memory location.
Otherwise, if the user is not recognized by the sys-
tem the algorithm terminates with error, while in case
3.2.2. Data sharing
In order to access a specific data set, the generic
jth user needs the copy of the DataKey K used to en-
crypt such data. This implies that the storage system
has to store a copy of K encrypted by the user public
j j
key KPUB , and so KPUB (K). If the jth user has cre-
j
ated the data set, KPUB(K) is automatically stored into
the storage system at the initialization phase, as dis-
cussed above. Otherwise it is necessary that another
authorized user, the ith one, creates a copy of K, en-
crypts that by the jth user public key, thus obtaining
j
KPUB (K), and stores this latter into the storage system
as specified in the activity diagram of Fig. 4. After that,
the ith user has access to the data set.
3.2.3. I/O
The data stored in the storage system are organized
according to a specific structure, i.e. a file system tree.
Data are therefore split into blocks and files that are
logically distributed in a folder of the tree. They are
managed and accessed by using well-known I/O prim-
itives (open, close, read, write, unlink, access, chmod,
closedir, create, lseek, lstat, mkdir, opendir, read-dir,
rename, rmdir, stat and unlink). In Fig. 5, the algo-
rithms implementing read, write and the other generic
operations are represented. In particular the read algo-
rithm of Fig. 5(a) implies the decryption of data re-
ceived from the remote storage system, while the write
algorithm of Fig. 5(b) requires the encryption of data
before they are sent to the storage system Server. A
generic operation is just a command or a signal sent by
the Client to the Server, as shown in Fig. 5(c).
10 S. Distefano and A. Puliafito / Information dependability in distributed systems: The dependable distributed storage system
UI Storage
gLite D2S2
FILE INDEX
D 2S 2 System
Unswappable Mem
LFC SE
SE SE
UI
GFAL
(a)
Fig. 7. D2 S2 implementation schema (a) and file system (b).
3.2.4. Finalize
The termination algorithm is described in the activ-
ity diagram of Fig. 6. Before a user leaves the system,
it is necessary to remove the symmetric DataKey and
the other information from the Client node memory.
But, since a user could still have one or more data I/O
pending operations, it is necessary to check the status
of such operations on the storage system. The Server
replica manager thus receives and processes such re-
quest, asking to all the storage elements hosting the
data for their status. Then, according to the results of
such inquiry the user decides whether to close the cur-
rent session or to wait for the completion of some op-
eration.
4. The grid implementation
The dependable storage system architecturally and
logically described in Section 2, has been implemented
as a service of the gLite Grid middleware [32]. More
specifically, the D2 S2 implementation has been inte-
grated in the gLite middleware, which provides li-
braries and services supporting storage (the Grid file
access libraries or GFAL [33]) and data management
(LCG File Catalog or LFC). In order to ensure security
it is necessary that the dependable storage service is
available in interactive mode both on the D2 S2 Client
node (user interface or UI in Grid-gLite) and in the
D2 S2 Server side (implementing a distributed storage
system on top of storage elements or SE) in order to
perform data management and encryption-decryption
operations.
The D2 S2 reliability/availability mechanisms stron-
gly base on the gLite LFC providing services that
implement an enhanced file catalog, with adequate
replica management facilities. With regards to secu-
rity, we adopt well-known and effective standards,
the AES [30] symmetric encryption algorithm and the
RSA asymmetric cryptography [18] based on the X-
509 certification mechanism of the public key infras-
FILE GUID SFN(K(BLK[1]))
(K(BLK[1]))
D2S2FI GUID SFN(K(BLK[n]))
SE
SFN(K(BLK[1])) SFN(K(BLK[1]))
(K(BLK[n])) SFN(K(GDS2FI))
GUID SFN(KPUB
FILE K(D2S2FI)
SFN(K(BLK[n])) (K)) SFN(K(BLK[n]))
BLOCKS GUID(KPUB(K)) SFN(K(D2S2FI)) SE SFN(K(D2S2FI)) SE
CACHE
LFC
SFN(KPUB(K)) SFN(KPUB(K))
D2S2FBC
(b)
tructure (PKI) [25]. This introduces the necessity, as
discussed above, of an initialization phase in which the
environment is configured (DataKey and indexes load-
ing) and a termination phase to finalize it.
4.1. The grid storage system
The schema mapping the logical D2 S2 architecture
of Fig. 1 into the gLite middleware according to the
requirements and specifications above described is de-
picted in Fig. 7(a). D2 S2 is implemented as a layer
working on top of GFAL, providing a dependable
file service with security/cryptography capability by
means of POSIX interface.
The D2 S2 storage service creates a virtual file sys-
tem structuring data in files, directories and subdirec-
tories without any restrictions on levels and number
of files per directory. Since we build this architecture
on top of GFAL, in D2 S2 all data objects are seen as
files stored on the SE, accessible by users through the
GFAL interface (LFN, . . . SRM, grid user ID GUID,
etc.). One of the most interesting capability of such im-
plementation is the file modification and/or rewriting,
operation not implemented by the GFAL library. GFAL
only allows to create/write new files, without any pos-
sibilities of modifying those after creation.
A D2 S2 file can be entirely stored in the SE in one
chunk with variable length or it can be split into two
or more blocks with fixed, user defined length, spec-
ified in the D2 S2 setup configuration, as reported in
Fig. 7(b). To avoid conflicts among file names, we uni-
vocally identify each chunk or block of data file by
a GUID identifier. The file index shown in Fig. 7(b)
(D2S2FI), maps a file to the corresponding blocks.
Such file index is encrypted through the symmetric
DataKey and is kept in UI unswappable memory lo-
cations. In this way the user operates on a virtual file
system whose logic structure usually does not corre-
spond with its physical structure. The main goal of
file indexing is the optimization of the file I/O opera-
tions, since it reduces the data access time. Moreover,
 S. Distefano and A. Puliafito / Information dependability in distributed systems: The dependable distributed storage system
since the D2 S2 file rewriting and modification has to
be implemented through GFAL primitives, these oper-
ations are performed by deleting the file and rewriting
its modified version; splitting a D2 S2 file into several
chunks/blocks files in the SE is the only feasible way
to achieve the rewriting goal.
The file system is created at D2 S2 initialization.
Each file and block is encrypted through the symmetric
DataKey, encrypted, in turn by the user public key, and
both are stored together.
The reliability of the D2 S2 storage system is del-
egated to LFC. This latter implements a reliable
replica management system that indexes and replicates
the blocks univocally identified by the corresponding
GUIDs, storing the copies, characterized by site file
names (SFN), into the selected SE (specified in the
D2 S2 setting parameters). This also allows exploiting
all the features provided by LFC, that itself implements
a whole file system with POSIX interface and access
control list management. Moreover, in order to ensure
the highest level of information security, it is necessary
to also encrypt the file system structure.
Another strength point of D2 S2 is the possibility
of optimizing the performance of I/O operations. In-
deed D2 S2 implements a local cache of encrypted
blocks/chunks (D2S2FBC), locally managed in the
UI unswappable memory in order to avoid unautho-
rized or malicious accesses. All the operations involv-
ing blocks/chunks already loaded in the UI cache are
performed locally, by directly varying such blocks/
chunks. When a file is closed, the blocks stored in
cache are updated through LFC into the SEs. A specific
D2 S2 primitive (d2s2_flush) has been specified to
force the flushing of data from the UI cache to the stor-
age. This could have a significant impact on storage op-
eration performance reducing the number of accesses
to the remote storage system, especially in read opera-
tions.
Indeed, write operations trigger problems of cache
coherence and therefore require adequate mechanisms
for their management. In the current implementation a
relaxed consistency protocol is applied, allowing hav-
ing different copies of the same data on local caches.
The relaxation model adopted is relaxing all program
orders, more specifically implementing a weak order-
ing [1] where the data synchronization is up to the pro-
grammer through explicit invocation of a specific syn-
chronization operations.
4.2. D2 S2 API and commands
D2 S2 implements a POSIX.1 interface ensuring
high usability both from shell, through the command
11
Table 1
D2 S2 primitive headers
D2 S2 Primitives
int d2s2_access(const char *, int)
int d2s2_chmod(const char *, mode_t)
int d2s2_close(int)
int d2s2_closedir(DIR *)
int d2s2_create(const char *, mode_t)
int d2s2_errmsg(char *, int, const char *)
int d2s2_finalize(char *)
int d2s2_flush(char *)
int d2s2_init(char *, char *)
off_t d2s2_lseek(int, off t, int)
int d2s2_lstat(const char *, struct stat *)
int d2s2_mkdir(const char *, mode_t)
int d2s2_open(const char *, int, mode t)
DIR *d2s2_opendir(const char *)
ssize t d2s2_read(int, void *, size_t)
struct dirent *d2s2_readdir(DIR *)
int d2s2_rename(const char*, const char*)
int d2s2_rmdir(const char *)
int d2s2_share(const char *, struct stat *)
int d2s2_stat(const char *, struct stat *)
int d2s2_unlink(const char *)
ssize_t d2s2_write(int, const void *, size_t)
set, and from programming environments, due to the
D2 S2 API. In such a way, the access to a file of the
virtual encrypted file system is similar to the access to
a local file and the mechanisms, apart from the access
time latency, is totally hidden to the final user. D2 S2
specifies the same library function set of GFAL, com-
posed of 22 primitives reported in Table 1. D2 S2 func-
tions are prefixed by “d2s2_*” while the gLite-LCG
one by “lcg_*” and the GFAL one by “gfal_*”.
But, as discussed in Section 2, D2 S2 requires the ini-
tialization and the termination phases, therefore spe-
cific functions (d2s2_finalize, d2s2_flush,
d2s2_init, d2s2_share) are defined to this pur-
pose. In the following we specify the D2 S2 primitives
starting from the same phases characterization adopted
above.
4.2.1. Initialization.
The initialization phase is mandatory in D2 S2 . In
this phase the library context is initialized with the user
preferences set on environment variables: D2S2DK
(GUID of the DataKey block), D2S2FI (GUID of the
file index block), D2S2PUBKEY (user’s public key
used to encrypt), D2S2PRVKEY (user’s private key
used to encrypt).
A user needing to access the D2 S2 has to invoke the
d2s2_init function in order to read the symmetric
DataKey K encrypted by the user public key KPUB
from the Grid storage. As shown in Fig. 8 first and
successive accesses are distinguished into two cases.
12 S. Distefano and A. Puliafito / Information dependability in distributed systems: The dependable distributed storage system
(a)
(b)
Fig. 8. d2s2_init implementation of the first (a) and following (b) D2 S2 initializations.
In the first initialization phase, d2s2_init generates
the symmetric key K as a sequence of random num-
bers obtained by invoking an OPENSSL ad-hoc func-
tion. In the following accesses d2s2_init loads K
and the file index D2S2FI from the storage elements.
The algorithms in both cases are similar: first the Client
on the UI checks for the presence of the encrypted key
KPUB (K) in the LFC by invoking a lcg_lr primitive
specifying the GUID of the DataKey block; then, in
case it does not exist, a new key is created, encrypted
and sent to the storage system (Fig. 8(a)), that creates
and stores it in the SE closest to the UI (by implicitly
invoking a gfal_write from the UI to the selected
SE) through lcg_cr, and finally replicates the en-
crypted DataKey into the SE through lcg_rep; oth-
erwise, if the Datakey exists, this and the file index are
loaded in the UI by two consecutive gfal_read op-
erations (Fig. 8(b)). KPUB (K) is therefore decrypted
by the user private key and placed into an unswappable
memory location of the UI to avoid malicious accesses.
4.2.2. Data sharing
D2 S2 data sharing is implemented by the d2s2_sh
are primitive. A user i that wants to share the data
stored into an SE with a generic jth user in the same
virtual organization has to access the X509 PKI certifi-
cate of user j. The d2s2_share algorithm therefore
j
extracts the user j public key of (KPUB ) and then cre-
j
ates a new copy of the DataKey K encrypted by KPUB . The d2s2_write is an operation entirely per-
As shown in Fig. 9, d2s2_share then stores the new
j
encrypted DataKey KPUB (K) into the SE by invoking
a gfal_write operation. Thus, the jth user can have
access to the data through d2s2_init.
4.2.3. I/O
D2 S2 data I/O operations are implemented through
I/O POSIX primitives such as: open, read/write and
close. Files are always encrypted in memory; the en-
cryption is performed at runtime. To improve the D2 S2
performance and the usability of its library the ac-
cessed files’ chunks are locally buffered into a cache
in the UI until the corresponding files are closed. At
file closing, the UI cache is synchronized with the
Grid storage systems (LFC and SE) by invoking a
d2s2_flush.
More specifically, as pictorially described in Fig. 10,
the gds2_read reads the blocks set BLK1 corre-
sponding to the selected part of the file. Some of
such blocks could be already loaded and stored on the
cache D2S2FBC. The blocks not present in the cache,
identified by the set BLK2 ⊆ BLK1, are firstly lo-
cated by inquiring the LCG through a lcg_lr in-
vocation and therefore loaded from the SE by an ex-
plicit gfal_read call. This data, with that loaded
from cache, are placed in the output buffer, and the file
blocks cache is updated with the data just loaded from
the SE. The sets BLK1 and BLK2 correspond to the
vectors BLK1[] and BLK2[] of Fig. 10.
formed by the Client locally, as shown in Fig. 11. The
 S. Distefano and A. Puliafito / Information dependability in distributed systems: The dependable distributed storage system
Fig. 9. d2s2_share primitive implementation.
Fig. 10. d2s2_read implementation on gLite.
Fig. 11. d2s2_write implementation on gLite.
data blocks to modify are temporarily saved into the
file blocks cache. When the file is closed, renamed,
moved, deleted, the flush of the cache is forced, or the
gLite D2 S2 session is terminated, the data in cache are
synchronized with the corresponding one catalogued
by LFC and stored into the SEs.
d2s2_<op> is a generic data I/O operation mapped
into the corresponding LFC/GFAL operation lcg/
gfal_<op>. When a d2s2_<op> modifies the file
system structure (delete, rename, move, mkdir, etc.) it
is necessary to update the file index and all its replica
stored in the SEs by rewriting the such file index, in-
voking a LFC lcg_del followed by a lcg_cr and
consequently lcg_rep as depicted in Fig. 12.
13
4.2.4. Finalize
The main goal of the termination operation is to
synchronize Client and Server and in particular the
data modified by the final user in the UI cache, to
be updated to the Grid storage system. This is per-
formed by the d2s2_finalize function by invok-
ing d2s2_flush. The gLite implementations of such
primitives are shown in Fig. 13. With specific regards
to the latter, d2s2_flush synchronizes a specific file
or part of it by firstly identifying all the corresponding
dirty blocks (DBLK[]), and then writing them to the
storage system. Since gLite libraries do not allow any
modification of files, the write operation has to delete
the original stored blocks (by performing a lcg_del
erasing all the copies stored in the SEs) and thus stores
the new blocks (lcg_cr) then replicated by LFC
(lcg_rep) as in Fig. 13(a). d2s2_finalize has
to just synchronize the whole cache D2S2FBC and the
index D2S2FI invoking two times d2s2_flush as
shown in Fig. 13(b).
5. Evaluating the implementation
The D2 S2 gLite implementation has been evaluated
through several experiments and measurements. Ac-
cording to the classification done in [29] the technique
14 S. Distefano and A. Puliafito / Information dependability in distributed systems: The dependable distributed storage system

Fig. 12. d2s2_<op> implementation on gLite.

(a)

(b)

Fig. 13. implementation of d2s2_flush (a) and d2s2_finalize (b) D2 S2 primitives on gLite.

here implemented can be classified as replication with
lockboxes, which ensures the highest level of secu-
rity (1). Thus, we have addressed our investigation on
evaluating the impact, in terms of performance, of en-
suring the highest security (Section 5.1). Then, in Sec-
tion 5.2 we have evaluated the performance and relia-
bility of D2 S2 on real applications, also comparing it
against the former Grid secure storage system (GS3 )
implementation.
5.1. Functional tests
In order to assess the performance of D2 S2 13 ex-
periments consisting in invoking the main D2 S2 op-
erations (read, write, and delete) varying the file size
from 256 Bytes (28 B) and doubling it up to 1 GBytes
(220 B) have been performed. The results thus obtained
have been compared against the LOCAL, GFAL and
encrypted GFAL file system primitive results. In the
experiments we have measured the invocation response
time Tr , i.e. the time elapsed from launching the oper-
ation till the reply is received.
More specifically we have performed the same mea-
surements of [8], where we evaluated GS3 at the basis
of the D2 S2 gLite implementation. Thus, in the exper-
iments we have disabled the cache in order to effec-
tively evaluate the actual operation response time, al-
ways operating on new files. In order to provide useful
measures, we have repeated each test 10000 times, cal-
culating the average value of the results thus obtained.
One of the aims of the experiments on D2 S2 is the
comparison against the GS3 implementation, in order
 S. Distefano and A. Puliafito / Information dependability in distributed systems: The dependable distributed storage system 15

to understand the impact on performance of data re-

dundancy and corresponding LFC management. Fur-
thermore, in the D2 S2 we consider a wider range of
data size than in GS3 (1 GB vs 128 MB) in order to
provide effective information about the performance of
big data transfers on the system as, for example, those
related to virtual machine migration.
Figure 14 shows the results obtained by the exper-
iments on the read, write and delete operations. All
the curves in the graph follow a similar trend since
they mainly implement data transfers, which Tr can be
roughly approximated by the formula:
(a)
Size
Tr = Lat +
Bw
where Lat is the latency, the constant time to access
the disk/network, Bw is the bandwidth, the maximum
data transfer rate, and Size is the amount of data to be
transferred.
According to this formula, the resulting curves are
characterized by an initial zone where the response
time is almost constant since Lat  Size/Bw, followed
by a zone in which Size/Bw becomes predominant pro-
ducing a quick rise. Since a delete operation just sends
a command to the server, the amount of data exchanged
by client and server does not depend on the amount of (b)
data to delete, i.e. Size is constant, and accordingly the
Tr is almost constant as shown by the corresponding
diagram of Fig. 14(c).
With specific regards to the read operation, the re-
sults of the D2 S2 shown in Fig. 14(a) are compara-
ble to the GFAL and E-GFAL ones. This is due to the
fact that D2 S2 read operations do not have to update
the file index, and therefore they only have one GFAL
open/access operation, as in GFAL and E-GFAL. How-
ever, the gap between D2 S2 and GFAL performance
increases with the dataset size. This may involve prob-
lems in the management of huge datasets, especially in
government systems with very high and bursty work-
load. However, D2 S2 allows providing adequate guar- (c)
antees on information security, overperforming the
Fig. 14. D2 S2 read (a), write (b) and delete (c) performance.
simple encryption implementation E-GFAL. If no se-
curity requirements are specified the GFAL storage
system can be used providing better performance than two consecutive write operations have to be performed.
D2 S2 . However, the presence of the file index table allows im-
The results obtained by the write operation tests are plementing the file modification/rewriting capability.
shown in Fig. 14(b) and highlight that D2 S2 is consid- Analogously, in Fig. 14(c) we can observe a great
erably slower than GFAL, E-GFAL and LOCAL calls. gap between the D2 S2 performance and the others:
This is due to the fact that, each time a D2 S2 write op- a D2 S2 delete operation requires updating the remote
eration is performed, it is also necessary to update the storage system file index after removing a file. This
file index stored into the storage element, and therefore requires further GFAL file open and write operations
16 S. Distefano and A. Puliafito / Information dependability in distributed systems: The dependable distributed storage system

Table 2
thus increasing the overall elaboration time. D2 S2 primitive headers
With regards to the GS3 implementation, it is possi-
Tr (sec) Reliability
ble to observe that D2 S2 provides better performance
File system Gcc SQL SQL SQL
than the former. This is probably due to the impact of
insert update delete
data redundancy that allows optimizing data transfer to Local 0.019 0.006 0.007 0.008 1
and from the SE through LFC. GS3 12.535 15.248 12.347 11.123 0.999525
Another interesting information that can be obtained D2 S2 no cache 47.528 21.423 19.357 18.947 0.999875
by the diagrams concerns big data transfers in D2 S2 : to D2 S 2 10.733 12.662 10.287 9.709 0.999975
read a file of 1 GB 100 sec. are required, while 180 sec.
for writing it, approximately. This means that, for ex- D2 S2 , demonstrating its effectiveness. With regards to
ample, a virtual machine (status or difference) migra- the reliability, a long-term test has been performed in
tion in D2 S2 can be actually performed in a reasonable order to adequately evaluate our implementation. More
time ensuring the highest level of security achievable. specifically we have performed 10000 invocations per
operation, in total 40000 tests on each implementation.
5.2. Application tests Among the N = 40000 operations performed we have
collected the number of successful invocations S, thus
To evaluate the D2 S2 behavior we then select two identifying the reliability R as:
I/O bound applications: Gcc (GNU C compiler) and
S
DB-SQLite (on-file data base). In the former case, the R=
compilation of a 10 KB source file located on the re- N
mote storage system through Gcc has been considered. In this way we have obtained the results showed in
The other analysis has instead measured the response the rightmost column of Table 2, by which we can ap-
time of insert, update and delete queries on a remote preciate the impact of the redundancy management on
SQLite DB. Both the performance and the reliability D2 S2 . Indeed, the reliability measure corresponding to
of such operations have been investigated, comparing GS3 is significantly lower than the D2 S2 ones. Fur-
the full D2 S2 implementation against a modified D2 S2 thermore, also in this case the impact of the cache on
version in which the cache has been disabled, against D2 S2 reliability is highlighted by the experiments. In
the former GS3 implementation and also against lo- fact, the system experienced just 1 failure in the cache-
cal file system operations. This allows evaluating the enabled D2 S2 implementation (N − S = 1), while
impact of redundancy management on the D2 S2 com- 5 failures affected the same implementation without
pared to the preliminary GS3 implementation. More- cache and 19 failures have been experienced for the
over, we have also evaluated the cache impact on D2 S2 , cache-enabled GS3 implementation. From the data col-
even if in a particular case characterized by specific lected it is not possible to understand the cause of such
conditions as detailed above. failures, but very likely the network is the first cause
The same testbed of the previous analysis has been of failure. Such effect in particular affects the GS3 im-
used for the tests, each repeated 10000 times. The re- plementation since it does not provide any redundant
sults thus obtained are shown in Table 2. source for retrieving the requested data. In fact, a 4-
In terms of performance we can observe that the GS3 nine reliability is achieved by D2 S2 against a 3-nine
implementation is slower than the D2 S2 one, thus con- reliability by GS3 .
firming the positive impact of redundancy/LFC man- This is also confirmed by the results shown in Ta-
agement on the implementation. Furthermore, with re- ble 2, where no failures are experienced by using the
gards to the cache, the results show that the request re- local file system.
sponse time of the D2 S2 operations without consider-
ing the cache is almost the double of that with cache,
in case of SQLite operations, while it is 4 times greater 6. Conclusions
than the cache one in the case of Gcc compilation. Al-
though, as already discussed, this strongly depends on In this work we proposed the dependable distributed
the application data locality in processing (Gcc com- storage system, a reliable and secure (encrypted) stor-
pilation has greater data locality than SQLite DB ap- age system.
plications), the results allow us to definitely state that Reliability in D2 S2 is achieved by data redundancy
the cache has a significant impact on performance in at different level: RAID policies are implemented in
 S. Distefano and A. Puliafito / Information dependability in distributed systems: The dependable distributed storage system
order to improve internal reliability, while physical
redundancy and adequate replica management is re-
quired to prevent common causes of failures.
With regards to security, the algorithm is based
on the idea of combining symmetric and asymmetric
cryptography following a two-step approach. The sym-
metric cryptography is directly applied to data, while
the DataKey is (asymmetric) encrypted by the user
public key. Decryption and encryption are performed
in the user node, and both the key and the data are
managed by avoiding malicious accesses. In this way
owner(s) can exclusively access their data. In order to
share such data with other users it is necessary to store
in the storage system copies of the DataKey encrypted
by the users private keys.
The D2 S2 algorithm has been implemented into the
gLite middleware as a dependable file system on top of
LFC and GFAL libraries. This choice allows protecting
both data/files and also their structure, the whole file
system, achieving reliability through LFC capabilities.
This implementation has been evaluated in terms of
both performance and reliability by mainly consider-
ing read, write and delete operations, providing satis-
factory results also in case of real applications (GCC,
SQLite).
Further development and future work on D2 S2 will
mainly focus on its implementation and adaptation to
Cloud computing, dealing with optimization on perfor-
mance and reliability in order to provide a valid sup-
port for big data management, a strategic challenge in
the current ICT scenario.
References
[1] S.V. Adve and K. Gharachorloo, Shared memory consistency
models: A tutorial, Computer 29(12) (December 1996), 66–
76. doi: 10.1109/2.546611.
[2] R. Ball, J. Grant, J. So, V. Spurrett and R. De Lemos, De-
pendable and secure distributed storage system for ad hoc
networks, in: Proceedings of the 6th International Confer-
ence on Ad-hoc, Mobile and Wireless Networks (ADHOC-
NOW’07), E. Kranakis and J. Opatrny, eds, Springer-Verlag,
(2007), 142–152.
[3] Z. Bankovic, J.M. Moya, A. Araujo, D. Fraga, J.C. Vallejo
and J.M. de Goy, Distributed intrusion detection system for
wireless sensor networks based on a reputation system cou-
pled with kernel self-organizing maps, Integrated Computer-
Aided Engineering 17(2) (2010), 87–102.
[4] G. Belalem and Y. Slimani, A hybrid approach to replica man-
agement in data grids, Int J Web Grid Serv 3(1) (2007), 2–18.
[5] C. Blanchet, R. Mollon and G. Deleage, Building an en-
crypted file system on the egee grid: Application to protein
sequence analysis, in: ARES’06: Proceedings of the First In-
ternational Conference on Availability, Reliability and Secu-
rity, Washington, DC, USA: IEEE Computer Society, (2006),
965–973.
17
[6] L. Brunie, L. Seitz and J.-M. Pierson, Key management for
encrypted data storage in distributed systems, in: IEEE Secu-
rity in Storage Workshop, Washington DC, IEEE Computer
Society, USA, (October 2003), 20–30.
[7] A. Chakrabarti, Grid computing security, Springer-Verlag,
New York, Inc., Secaucus, NJ, USA, 2007.
[8] V.D. Cunsolo, S. Distefano, A. Puliafito and M. Scarpa, GS3:
A grid storage system with security features, J Grid Comput
8(3) (2010), 391–418.
[9] S. Distefano and A. Puliafito, Achieving distributed system
information security, Seventh International Conference on
Computational Intelligence and Security (2011), 526–530.
[10] L. Guy, P. Kunszt, E. Laure, H. Stockinger and K. Stockinger,
Replica management in data grids, Global Grid Forum In-
formational Document, GGF5, Tech Rep (2002).
[11] S. Garfinkel, PGP: Pretty good privacy, O-Reilly Media
(November 1994).
[12] B. Han, S. Yang and X. Yu, Greplica: A web-based data grid
replica management system, in: Semantics, Knowledge and
Grid, SKG’05 First International Conference on (November
2005), 114.
[13] K. Hwang, Y.K. Kwok, S. Song, M. Cai, Y. Chen, Y. Chen,
R. Zhou and Lou: Gridsec: Trusted grid computing with se-
curity binding and self-defense against network worms and
ddos attacks, in: International Workshop on Grid Computing
Security and Resource Management (GSRM’05) (2005), 187–
195.
[14] L. Junrang, W. Zhaohui, Y. Jianhua and X. Mingwang, A
secure model for network-attached storage on the grid, in:
SCC’04: Proceedings of the 2004 IEEE International Confer-
ence on Services Computing, Washington, DC, USA: IEEE
Computer Society (2004), 604–608.
[15] A. Kerckhoffs, La cryptographie militaire, Journal des Sci-
ences Militaires IX (1883), 5–83.
[16] Y. Lim, H.M. Kim, S. Kang and T. Kim, Vehicle-to-grid com-
munication system for electric vehicle charging, Integrated
Computer-Aided Engineering 19(1) (2012), 57–65.
[17] N. Looker and J. Xu, Dependability assessment of grid
middleware, in: DSN’07: Proceedings of the 37th Annual
IEEE/IFIP International Conference on Dependable Systems
and Networks, Washington, DC, USA: IEEE Computer Soci-
ety, (2007), 125–130.
[18] R.L. Rivest, A. Shamir and L.M. Adelman, A method for ob-
taining digital signatures and public-key cryptosystems, Com-
mun ACM 21(2) (1978), 120–126.
[19] D. Scardaci and G. Scuderi, A secure storage service for the
glite middleware, in: International Symposium on Informa-
tion Assurance and Security, Los Alamitos, CA, USA: IEEE
Computer Society, (2007), 261–266.
[20] A. Shamir, How to share a secret, Commun ACM 22(11)
(1979), 612–613.
[21] Z. Sun, J. Shen and J. Yong, A novel approach to data dedu-
plication over the engineering-oriented cloud systems, Inte-
grated Computer-Aided Engineering 20(1) (2013), 45–57.
[22] D. Thain and M. Livny, Parrot: Transparent user-level mid-
dleware for data-intensive computing, Scalable Computing:
Practice and Experience 6(3) (2005), 9–18.
[23] P. Townend, N. Looker, D. Zhang, J. Xu, J. Li, L. Zhong and J.
Huai, Crown-c: A high-assurance service-oriented grid mid-
dleware system, in: HASE’07: Proceedings of the 10th IEEE
High Assurance Systems Engineering Symposium, (2007).
[24] P. Townend and J. Xu, Dependability in grids, IEEE Dis-
tributed Systems Online 6(12) (2005), 1–7.
[25] S. Tuecke, V. Welch, D. Engert, L. Pearlman and M. Thomp-
18 S. Distefano and A. Puliafito / Information dependability in distributed systems: The dependable distributed storage system

son, Internet x.509 public key infrastructure (pki) proxy cer-
tificate profile, RFC 3820 (Proposed Standard), jun 2004.
Available: http://www.ietf.org/rfc/rfc3820.txt Accessed May
2013.
[26] K. Ueno and S. Furuhashi, Cagra dependable distributed stor-
age system for 3D computer graphics rendering, in: Pro-
ceedings of the 2009 Software Technologies for Future De-
pendable Distributed Systems (STFSSD ’09 IEEE Computer
Society, Washington, DC, USA, 179–183. DOI=10.1109/
STFSSD.2009.19
[27] S. Vazhkudai, S. Tuecke and I. Foster, Replica selection in
the globus data grid, in: CCGRID’01: Proceedings of the 1st
International Symposium on Cluster Computing and the Grid,
Washington, DC, USA: IEEE Computer Society (2001), 106.
[28] D. Watson, Y. Luo and B.D. Fleisch, The Oasis+ dependable
distributed storage system, Proceedings of the 2000 Pacific
Rim International Symposium on Dependable Computing Los
Angeles, CA, (Dec 2000), 18–19.
[29] L. Xiao, Y. Ye, I.L. Yen and F. Bastani, evaluation and com-
parisons of dependable distributed storage designs for clouds,
high-assurance systems engineering (HASE), IEEE 12th Int
Symposium on (2010), 152–161. doi: 10.1109/HASE.2010.
22.
[30] Federal information processing standard publication 197.
2001.
[31] GPG – GNU Privacy Guard – Documentation Sources.
GnuPG.org. [Online]. Available: http://www.gnupg.org/
documentation/.
[32] gLite middleware website, http://glite.cern.ch, Accessed May
2013.
[33] gLite Middleware technical committee, the grid file access-
GFAL C API description. CERN, Geneve, http://
griddeployment.web.cern.ch/griddeployment/gis/GFAL/
GFALindex.html. Accessed May 2013.
Copyright of Integrated Computer-Aided Engineering is the property of IOS Press and its
content may not be copied or emailed to multiple sites or posted to a listserv without the
copyright holder's express written permission. However, users may print, download, or email
articles for individual use.