International Conference on Security, Privacy, and Applied Cryptography Engineering

Security, Privacy, and Applied Cryptography Engineering pp 269-288 | Cite as

Architecture Considerations for Massively Parallel Hardware Security Platform

Building a Workhorse for Cryptography as a Service
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9354)

Abstract

Cryptography as a service (CaaS) provides means for executing sensitive cryptographic operations when the primary computing platform does not offer the required level of trust and security. Instead of executing operations like document signing directly by an application running in untrusted environment, the operation keys are only present in trusted environment used by CaaS. Once the operation keys are put in place, the applications use a CaaS interface to obtain results of sensitive operations - document signatures - executed by CaaS. A typical scenario is the use of virtual computing platform in the cloud. Use of CaaS reduces impact of the potential compromise of this virtual platform and simplifies subsequent recovery. The attacker will not learn the value of sensitive keys (e.g., signing keys) and is only able to use the keys for a limited time. The CaaS is enabling technology for a large number of use cases where security is important. The concept of scalable and universally available CaaS has also far-reaching usability, security, legal, and economics consequences of cloud use. In this position paper, we focus on requirements for building a CaaS platform – what are the options and challenges to build hardware and software components for CaaS suitable for usage scenarios with different load patterns and user requirements. We propose a suitable architecture for CaaS that can be shared by a large number of concurrent users, i.e., providing access to a large number of cryptographic keys. We also provide practical results from our prototype implementation.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    CryptLib++ project, http://www.cryptlib.com/ (July 12, 2015)
  2. 2.
    OpenSSL project, https://openssl.org (July 12, 2015)
  3. 3.
    NVIDIAs next generation CUDA compute architecture: Fermi. NVIDIA (2009)Google Scholar
  4. 4.
    Amazon AWS. CloudHSM, https://aws.amazon.com/cloudhsm/ (July 12, 2015)
  5. 5.
    Bleikertz, S., Bugiel, S., Ideler, H., Nürnberger, S., Sadeghi, A.-R.: Client-Controlled Cryptography-as-a-Service in the Cloud. In: Jacobson, M., Locasto, M., Mohassel, P., Safavi-Naini, R. (eds.) ACNS 2013. LNCS, vol. 7954, pp. 19–36. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  6. 6.
    Chow, R., Golle, P., Jakobsson, M., Shi, E., Staddon, J., Masuoka, R., Molina, J.: Controlling data in the Cloud: Outsourcing computation without outsourcing control. In: ACM Workshop on Cloud Computing Security (CCSW 2009), pp. 85–90. ACM (2009)Google Scholar
  7. 7.
    Doroz, Y., Ozturk, E., Sunar, B.: Accelerating fully homomorphic encryption in hardware. IEEE Transactions on Computers 64(6), 1509–1521 (2015)MathSciNetMATHGoogle Scholar
  8. 8.
    Focardi, R., Luccio, F.L., Steel, G.: An introduction to security API analysis. In: Aldini, A., Gorrieri, R. (eds.) FOSAD 2011. LNCS, vol. 6858, pp. 35–65. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  9. 9.
    Initiative for open authentication (OATH), http://www.openauthentication.org/ (July 12, 2015)
  10. 10.
    Gentry, C.: Fully homomorphic encryption using ideal lattices. In: 41st ACM Symposium on Theory of Computing (STOC), pp. 169–178. ACM (2009)Google Scholar
  11. 11.
    Jang, K., Han, S., Han, S., Moon, S., Park, K.: SSLSshader: cheap SSL acceleration with commodity processors. In: 8th USENIX Conference on Networked Systems and Implementation, NSDI 2011. USENIX Association (2011)Google Scholar
  12. 12.
    Kumar, S., Paar, C., Pelzl, J., Pfeiffer, G., Schimmler, M.: Breaking ciphers with COPACOBANA –a cost-optimized parallel code breaker. In: Goubin, L., Matsui, M. (eds.) CHES 2006. LNCS, vol. 4249, pp. 101–118. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  13. 13.
    Lepoint, T., Naehrig, M.: A comparison of the homomorphic encryption schemes FV and YASHE. In: Pointcheval, D., Vergnaud, D. (eds.) AFRICACRYPT. LNCS, vol. 8469, pp. 318–335. Springer, Heidelberg (2014)CrossRefGoogle Scholar
  14. 14.
    M’Raihi, D., Bellare, M., Hoornaert, F., Naccache, D., Ranen, O.: HOTP: An HMAC-based one-time password algorithm. In: RFC 4226. IETF (2005)Google Scholar
  15. 15.
    OpenVZ. VirtualHSM project, https://openvz.org/virtual_hsm (July 12, 2015)
  16. 16.
    Rankl, W., Effing, W.: Smart Card Handbook. Wiley (2004) ISBN 9780470856680Google Scholar
  17. 17.
    Robinson, P.: Cryptography as a service. In: RSAConference Europe 2013 (2013)Google Scholar
  18. 18.
    Švenda, P.: JCAlgTester project, http://www.fi.muni.cz/~xsvenda/jcsupport.html (July 12, 2015)

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. 1.Enigma BridgeCambridgeGreat Britain
  2. 2.Faculty of InformaticsMasaryk UniversityBrnoCzech Republic

Personalised recommendations