Secure Bootstrap of the Trust Anchor Network for Sealed Cloud Systems

Supervisor(s): Dr. Hubert Jäger, Martin Striegel
Status: finished
Topic: Others
Author: Jaro Fietz
Submission: 2019-07-15
Type of Thesis: Master's thesis
Thesis topic in co-operation with the Fraunhofer Institute for Applied and Integrated Security AISEC, Garching


The Sealed Cloud technology enables secure server-side encryption and handling of confidential data. The provider of a Sealed Cloud-based system should not be able to gain any access to the data handled by services within the Sealed Cloud, a property called provider-proofness. Currently, however, the provider is still required to be a trusted third party, both because key generation is handled by an employee and because of the code review mechanism currently deployed; both are integral to provider-proofness but can be error-prone.

In this thesis, we overcome these limitations by proposing the Trust Anchor Network, together with a means to bootstrap it, and evaluate its security with respect to an internal attacker. The Trust Anchor Network is a network of high-security servers that generate and handle a set of cryptographic keys autonomously, without human interaction. Other services can use those keys at runtime, but no person can gain direct or indirect access to them and thereby compromise the system. Instead, the keys are split during the bootstrap process using a (t, n)-threshold secret sharing scheme, involving a number of people that can be varied for any given security level. These so-called trustees constitute the root of trust. Trustees can be chosen from different, possibly competing, companies to minimize the risk of a sufficiently large malicious coalition.
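As an added illustration of the bootstrap step described above (example code, not from the thesis), a minimal Shamir (t, n)-threshold secret sharing in Python: a freshly generated key is split into n trustee shares, any t of which reconstruct it, while t-1 shares do not. The field prime, share indices and parameters t=3, n=5 are my assumptions; the thesis's actual scheme parameters are not given on this page.

```python
import secrets

# Assumed field: the Mersenne prime 2^521 - 1 is large enough to hold a 256-bit
# key as a single field element. Not a parameter taken from the thesis.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (coefficients lowest degree first) at x mod PRIME."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret, t, n):
    """Split an integer secret into n shares such that any t reconstruct it.

    The secret is the constant term of a random degree-(t-1) polynomial f;
    trustee i receives the point (i, f(i)). Fewer than t points are consistent
    with every possible constant term, so they reveal nothing about the key.
    """
    if not 1 <= t <= n or not 0 <= secret < PRIME:
        raise ValueError("need 1 <= t <= n and 0 <= secret < PRIME")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(t - 1)]
    return [(i, _eval_poly(coeffs, i)) for i in range(1, n + 1)]


def reconstruct_secret(shares):
    """Recover f(0) from the given shares by Lagrange interpolation at x = 0."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share indices")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def bootstrap_demo(t=3, n=5):
    """Generate a 256-bit key, split it among n trustees, and compare outcomes."""
    key = secrets.randbits(256)          # generated by the server, never shown to a person
    shares = split_secret(key, t, n)     # one share per trustee
    recovered = reconstruct_secret(shares[:t])      # a quorum of t trustees
    partial = reconstruct_secret(shares[:t - 1])    # one trustee short: unrelated value
    return key, recovered, partial
```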

We further propose a mechanism for enforced code review with auto-update functionality, which streamlines the code review process.
In our security analysis, we show that an implementation of the Sealed Cloud using the Trust Anchor Network achieves full provider-proofness.