Client-controlled Cryptography-as-a-Service in the Cloud

Sören Bleikertz, Sven Bugiel, Hugo Ideler, Stefan Nürnberger, Ahmad-Reza Sadeghi

In: Proceedings of the 11th International Conference on Applied Cryptography and Network Security (ACNS 2013), June 25-28, 2013, Banff, Alberta, Canada. Lecture Notes in Computer Science (LNCS), Springer, 2013.


Today, a serious concern about cloud computing is the protection of clients' data and computations against attacks from outsiders as well as from the cloud provider itself. Moreover, cloud clients are rather limited in implementing, deploying, and controlling their own security solutions in the cloud. The provider theoretically has access to keys stored in dormant images, and deploying keys at run-time is infeasible because running VM instances cannot be authenticated. In this paper, we present a security architecture that allows for establishing secure client-controlled Cryptography-as-a-Service (CaaS) in the cloud. Our CaaS enables clients to be in control of the provisioning and usage of their credentials and cryptographic primitives: they can securely provision keys or even implement their own private virtual security module (e.g., a vHSM or SmartCard). All of a client's cryptographic operations run in a protected, client-specific secure execution domain. This is achieved by modifying the Xen hypervisor and leveraging standard Trusted Computing technology. Moreover, our solution is legacy-compatible, since it installs a transparent cryptographic layer for the storage and network I/O of a VM. We reduced the privileged hypercalls necessary for administration by 79%. We evaluated the effectiveness and efficiency of our design, which results in an acceptable performance overhead.

Deutsches Forschungszentrum für Künstliche Intelligenz
German Research Center for Artificial Intelligence