Keys in the Clouds: Auditable Multi-device Access to Cryptographic Credentials

04/23/2018
by   Arseny Kurnikov, et al.
0

Personal cryptographic keys are the foundation of many secure services, but storing these keys securely is a challenge, especially if they are used from multiple devices. Storing keys in a centralized location, like an Internet-accessible server, raises serious security concerns (e.g. server compromise). Hardware-based Trusted Execution Environments (TEEs) are a well-known solution for protecting sensitive data in untrusted environments, and are now becoming available on commodity server platforms. Although the idea of protecting keys using a server-side TEE is straight-forward, in this paper we validate this approach and show that it enables new desirable functionality. We describe the design, implementation, and evaluation of a TEE-based Cloud Key Store (CKS), an online service for securely generating, storing, and using personal cryptographic keys. Using remote attestation, users receive strong assurance about the behaviour of the CKS, and can authenticate themselves using passwords while avoiding typical risks of password-based authentication like password theft or phishing. In addition, this design allows users to i) define policy-based access controls for keys; ii) delegate keys to other CKS users for a specified time and/or a limited number of uses; and iii) audit all key usages via a secure audit log. We have implemented a proof of concept CKS using Intel SGX and integrated this into GnuPG on Linux and OpenKeychain on Android. Our CKS implementation performs approximately 6,000 signature operations per second on a single desktop PC. The latency is in the same order of magnitude as using locally-stored keys, and 20x faster than smart cards.

READ FULL TEXT

page 1

page 2

page 3

page 4

research
09/10/2018

Tandem: Securing Keys by Using a Central Server While Preserving Privacy

Users' devices, e.g., smartphones or laptops, are typically incapable of...
research
10/21/2022

SCL: A Secure Concurrency Layer For Paranoid Stateful Lambdas

We propose a federated Function-as-a-Service (FaaS) execution model that...
research
04/20/2022

Exploring Widevine for Fun and Profit

For years, Digital Right Management (DRM) systems have been used as the ...
research
10/01/2021

Enhancing Cold Wallet Security with Native Multi-Signature schemes in Centralized Exchanges

Currently, one of the most widely used protocols to secure cryptocurrenc...
research
11/23/2022

Privacy-Preserving Application-to-Application Authentication Using Dynamic Runtime Behaviors

Application authentication is typically performed using some form of sec...
research
07/15/2019

Anonymous and confidential file sharing over untrusted clouds

Using public cloud services for storing and sharing confidential data re...
research
06/19/2018

Formal verification of the YubiKey and YubiHSM APIs in Maude-NPA

In this paper, we perform an automated analysis of two devices developed...

Please sign up or login with your details

Forgot password? Click here to reset