Improving the Security of KMS on a Cloud Platform Using Trusted Hardware
Perustieteiden korkeakoulu | Master's thesis
Unless otherwise stated, all rights belong to the author. You may download, display and print this publication for Your own personal use. Commercial use is prohibited.
Digital Media Technology
Master's Programme in ICT Innovation
AbstractFor the past few years, the demand for cloud computing has increased rapidly. Users outsource data processing and storage of their private data to cloud systems. As the IoT industry is booming, cloud computing not only addresses the hardware and software restrictions of individual devices but also provides flexibility in resource allocation. According to the advantages, cloud computing plays an important role in the technology industry. However, the risk of data leakage and sensitive data exposed has raised when users outsource their data to a third party. Currently, most cryptography based security techniques pay attention to the secret while in the application, at rest or in transit. With respect to the insider attacks, the sensitive data is in danger to be attacked by compromised devices without being noticed. In order to prevent insider threats, Hardware Security Module (HSM) provides a secure cryptographic solution to protect the data in an isolated space. However, compared with a software-based solution, it is costly and lacks the scalability. According to that, in this thesis, we apply a software-based technology, such as Intel Software Guard Extensions (Intel SGX) technology, to tackle the insider and outside threats towards the system. The main idea of the research in this thesis is to utilize the Intel SGX technology in a key management service (KMS) in the cloud system to protect the sensitive data. The sensitive data inside the KMS is only processed within SGX enclaves, and implementing corresponding encryption functions within enclaves is also part of the thesis. In addition, the thesis analyses the performance implications of this solution. Moreover, we deploy the KMS with Intel SGX technology in a Kubernetes Cluster environment, in order to accomplish the high availability of the cloud system.
Thesis advisorKjällman, Jimmy
Intel software Guard extension, kubernetes, hardware security module, key management service, advanced encryption standard