Improving the Security of KMS on a Cloud Platform Using Trusted Hardware

Thumbnail Image

Files

master_Kuan_Shan_2018.pdf (5.15 MB)

URL

Journal Title

Journal ISSN

Volume Title

Perustieteiden korkeakoulu | Master's thesis
Unless otherwise stated, all rights belong to the author. You may download, display and print this publication for Your own personal use. Commercial use is prohibited.

Authors

Date

2018-12-10

Department

Major/Subject

Digital Media Technology

Mcode

SCI3024

Degree programme

Master's Programme in ICT Innovation

Language

en

Pages

74

Series

Abstract

For the past few years, the demand for cloud computing has increased rapidly. Users outsource data processing and storage of their private data to cloud systems. As the IoT industry is booming, cloud computing not only addresses the hardware and software restrictions of individual devices but also provides flexibility in resource allocation. According to the advantages, cloud computing plays an important role in the technology industry. However, the risk of data leakage and sensitive data exposed has raised when users outsource their data to a third party. Currently, most cryptography based security techniques pay attention to the secret while in the application, at rest or in transit. With respect to the insider attacks, the sensitive data is in danger to be attacked by compromised devices without being noticed. In order to prevent insider threats, Hardware Security Module (HSM) provides a secure cryptographic solution to protect the data in an isolated space. However, compared with a software-based solution, it is costly and lacks the scalability. According to that, in this thesis, we apply a software-based technology, such as Intel Software Guard Extensions (Intel SGX) technology, to tackle the insider and outside threats towards the system. The main idea of the research in this thesis is to utilize the Intel SGX technology in a key management service (KMS) in the cloud system to protect the sensitive data. The sensitive data inside the KMS is only processed within SGX enclaves, and implementing corresponding encryption functions within enclaves is also part of the thesis. In addition, the thesis analyses the performance implications of this solution. Moreover, we deploy the KMS with Intel SGX technology in a Kubernetes Cluster environment, in order to accomplish the high availability of the cloud system.

Description

Supervisor

Hirvisalo, Vesa

Thesis advisor

Kjällman, Jimmy

Keywords

Intel software Guard extension, kubernetes, hardware security module, key management service, advanced encryption standard

Other note

Citation

Permanent link to this item

https://urn.fi/URN:NBN:fi:aalto-201812146512

Collections

[dipl] Perustieteiden korkeakoulu / SCI