Research article. DOI: 10.1145/3342559.3365335

Toward scaling hardware security module for emerging cloud services

Published: 27 October 2019

Abstract

The hardware security module (HSM) has been used as a root of trust for various key management services. At the same time, rapid innovation in emerging industries, such as container-based microservices, accelerates demands for scaling security services. However, current on-premises HSMs are limited in their ability to meet such demands due to their restricted scalability and high price of deployment. This paper presents ScaleTrust, a framework for scaling security services by utilizing HSMs with an SGX-based key management service (KMS) in a collaborative, yet secure manner. Based on a hierarchical model, we design a cryptographic workload distribution between HSMs and KMS enclaves to achieve both the elasticity of cloud software and the hardware-based security of HSM appliances. We demonstrate practical implications of ScaleTrust using two case studies that require secure cryptographic operations with low latency and high scalability.

    Published In

    SysTEX '19: Proceedings of the 4th Workshop on System Software for Trusted Execution
    October 2019
    42 pages
    ISBN:9781450368889
    DOI:10.1145/3342559

    Publisher

    Association for Computing Machinery

    New York, NY, United States


    Qualifiers

    • Research-article

    Funding Sources

    • Korea government (MOTIE & DAPA) award

    Conference

    SOSP '19

    Cited By

    • (2025) Hardware Security in Evolving FinTech Landscape. Fifth International Conference on Computing and Network Communications, pp. 425-438. DOI: 10.1007/978-981-97-4540-1_31. Online publication date: 6-Feb-2025
    • (2024) HSM4SSL: Leveraging HSMs for Enhanced Intra-Domain Security. Future Internet 16:5 (148). DOI: 10.3390/fi16050148. Online publication date: 26-Apr-2024
    • (2024) Pragmatic Analysis of Key Management for Cryptocurrency Custodians. 2024 IEEE International Conference on Blockchain and Cryptocurrency (ICBC), pp. 747-765. DOI: 10.1109/ICBC59979.2024.10634356. Online publication date: 27-May-2024
    • (2024) Cloud storage cost: a taxonomy and survey. World Wide Web 27:4. DOI: 10.1007/s11280-024-01273-4. Online publication date: 24-May-2024
    • (2023) Blockchain-Based Services Implemented in a Microservices Architecture Using a Trusted Platform Module Applied to Electric Vehicle Charging Stations. Energies 16:11 (4285). DOI: 10.3390/en16114285. Online publication date: 24-May-2023
    • (2023) Scalable and Secure Virtualization of HSM With ScaleTrust. IEEE/ACM Transactions on Networking 31:4, pp. 1595-1610. DOI: 10.1109/TNET.2022.3220427. Online publication date: Aug-2023
    • (2023) Still Computers Networking is Less Secure Than It should be, Causes and Solution. 2023 International Symposium on Networks, Computers and Communications (ISNCC), pp. 1-8. DOI: 10.1109/ISNCC58260.2023.10323980. Online publication date: 23-Oct-2023
    • (2023) A comprehensive survey of cryptography key management systems. Journal of Information Security and Applications 78 (103607). DOI: 10.1016/j.jisa.2023.103607. Online publication date: Nov-2023
    • (2022) Systematic analysis of software development in cloud computing perceptions. Journal of Software: Evolution and Process. DOI: 10.1002/smr.2485. Online publication date: 29-Jun-2022
