Improving the Security of KMS on a Cloud Platform Using Trusted Hardware

Perustieteiden korkeakoulu (School of Science) | Master's thesis
Digital Media Technology
Degree programme
Master's Programme in ICT Innovation
For the past few years, the demand for cloud computing has increased rapidly. Users outsource data processing and storage of their private data to cloud systems. As the IoT industry is booming, cloud computing not only addresses the hardware and software restrictions of individual devices but also provides flexibility in resource allocation. Given these advantages, cloud computing plays an important role in the technology industry. However, the risk of data leakage and exposure of sensitive data has risen as users outsource their data to a third party. Currently, most cryptography-based security techniques focus on protecting the secret while it is in the application, at rest or in transit. With respect to insider attacks, sensitive data is at risk of being attacked by compromised devices without being noticed. In order to prevent insider threats, a Hardware Security Module (HSM) provides a secure cryptographic solution that protects the data in an isolated space. However, compared with a software-based solution, it is costly and lacks scalability. Therefore, in this thesis, we apply a software-based technology, such as Intel Software Guard Extensions (Intel SGX) technology, to tackle the insider and outside threats towards the system. The main idea of the research in this thesis is to utilize the Intel SGX technology in a key management service (KMS) in the cloud system to protect the sensitive data. The sensitive data inside the KMS is only processed within SGX enclaves, and implementing the corresponding encryption functions within enclaves is also part of the thesis. In addition, the thesis analyses the performance implications of this solution. Moreover, we deploy the KMS with Intel SGX technology in a Kubernetes cluster environment in order to achieve high availability of the cloud system.
Hirvisalo, Vesa
Thesis advisor
Kjällman, Jimmy
Intel Software Guard Extensions, Kubernetes, hardware security module, key management service, Advanced Encryption Standard