Abstract
Hardware security modules can be used to encapsulate simple security services that bind security functions such as decryption with authorisation and authentication. Such hardware-secured services provide a functional root of trust that can be placed within the context of a wider IT solution, hence enabling strong separations of control and duty.
This paper describes an approach to using such hardware-encapsulated services to create virtual trust domains within a deployed solution. This trust domain is defined by the hardware protection regime, the service code and the policies under which it is managed. An example is given, showing how a TLS session within a web service environment can be protected and how this service can extend the secure communications into the backend systems.
Copyright information
© 2003 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Baldwin, A., Shiu, S. (2003). Hardware Encapsulation of Security Services. In: Snekkenes, E., Gollmann, D. (eds) Computer Security – ESORICS 2003. ESORICS 2003. Lecture Notes in Computer Science, vol 2808. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-39650-5_12
DOI: https://doi.org/10.1007/978-3-540-39650-5_12
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-20300-1
Online ISBN: 978-3-540-39650-5
eBook Packages: Springer Book Archive