390 research outputs found
Virtual HSM: Building a Hardware-backed Dependable Cryptographic Store
Cloud computing is being used by almost everyone, from regular consumers to IT
specialists, as it is a way to have high availability, geo-replication, and resource elasticity
with pay-as-you-go charging models. Another benefit is the minimal management effort
and maintenance expenses for its users.
However, security is still pointed out as the main reason hindering the full adoption
of cloud services. Consumers lose ownership of their data as soon as it goes to the cloud;
therefore, they have to rely on cloud provider’s security assumptions and Service Level
Agreements regarding privacy and integrity guarantees for their data.
Hardware Security Modules (HSMs) are dedicated cryptographic processors, typically
used in secure cloud applications, that are designed specifically for the protection of
cryptographic keys in all steps of their life cycles. They are physical devices with tamperproof
resistance, but rather expensive. There have been some attempts to virtualize
HSMs. Virtual solutions can reduce their cost, but without much success, as performance is
incomparable and security guarantees are hard to achieve in software implementations.
In this dissertation, we aim at developing a virtualized HSM supported by modern
attestation-based trusted hardware in commodity CPUs to ensure privacy and reliability,
which are the main requirements of an HSM. High availability will also be achieved
through techniques such as cloud-of-clouds replication on top of those nodes. Therefore,
virtual HSMs, on the cloud, backed with trusted hardware, seem increasingly promising
as security, attestation, and high availability will be guaranteed by our solution, and it
would be much cheaper and as reliable as having physical HSMs.
Hardware based cryptography: technological advances for applications in Colombia using embedded systems
Totally independent systems that offer a sufficient security scheme have become a necessity in Colombia because of the proliferation of IoT-type and similar systems. In general, stand-alone systems must be totally independent and distributed to offer users a solution to this need. This work offers the analysis and comparison of two security schemes, of the digital signature and/or hardware security module (HSM) type and its variations, implemented in software on microcontroller-type embedded platforms, and shows the strategy used to provide information protection. In addition, it analyzes how each implementation was executed, on which devices, and with which metrics of interest. In the first application, the cryptography schemes were built using in-depth programming that describes the algorithms in the C++ language; in the second implementation, the use of the dedicated hardware available on the microcontroller-type embedded platform is detailed. In both cases, solutions with an acceptable throughput were generated, comparable to and in the same style as those built on a PC or similar hardware. In addition, an exhaustive review of this type of solution in the country and region was made, in order to have a reference for the possible use of this type of application.
Settlement in modern network-based payment infrastructures – description and prototype of the E-Settlement model
Payment systems are undergoing rapid and fundamental changes stimulated largely by technological progress, especially distributed network technology and real-time processing. Internet and e-commerce will have a major impact on payment systems in the future. User demands and competition will speed up developments. Payment systems will move from conventions that were originally paper-based to truly network-based solutions. This paper presents a solution – E-Settlement – for improving interbank settlement systems. It is based on a decentralised approach to be fully integrated with the banks’ payment systems. The basic idea is that central bank money, the settlement cover, is transferred as an encrypted digital stamp as part of the interbank payment message. The future payment systems would in this model operate close to the Internet/e-mail concept by sending payment messages directly from the sending bank’s account/payment server to the system of the receiving bank with immediate final interbank settlement without intervening centralised processing. Payment systems would become more efficient and faster and the overall structure would become straightforward. The E-Settlement and network-based system concept could be applied with major benefits for correspondent banking, ACH and RTGS processing environments. In order to assess this novel idea, the Bank of Finland built a prototype of the E-Settlement model. It consists of a group of emulated banks sending payments to each other via a TCP/IP network under the control of a central bank as the liquidity provider and an administration site monitoring the system security. This paper contains an introduction to network-based payment systems and E-Settlement, the specifications of the E-Settlement model and the description, results and experiences of the actual E-Settlement prototype.
Keywords: network-based payment systems; settlement systems; interbank settlement; payment system integration
Implementation of practical and secure methods for storage of cryptographic keys in applications
Integrated master's dissertation in Informatics Engineering
Encryption has been essential to protect modern systems and services. It became the security foundation of
databases, payment systems, cloud services, and others. Cryptography enabled the creation and validation of
digital signatures, where the protection of the private key is very important to prevent false signatures. Cryptocurrencies rely on this mechanism.
Crypto wallets hold private keys used to sign transactions and prove ownership of a digital asset. These have
to keep the private key secure, but accessible to its owner, as it may be needed frequently. With the increasing
number of decentralized web applications that interact with a blockchain, this subject has become more prevalent,
as they usually require frequent signatures from the user.
The mass adoption of cryptocurrencies by non-technical users urged the creation of crypto wallets that are
secure but prioritize usability. Some of these are hosted services that store the private keys in their servers
and others are non-hosted, where the user is responsible for storing it. When implemented as a browser plugin,
these wallets allow the user to seamlessly interact with a web application. The rise of cloud technology brought
forth multi-signature on the cloud, by combining different cloud services owned by the user. These give the user
control of his private key and are less vulnerable to cyber attacks.
In this work, we present a comprehensive analysis of existing crypto wallet approaches in usability and
security to understand the existing problems. The next step was to propose multiple possible solutions to those
problems and produce their implementations. These take advantage of previously studied multi-cloud technology
and are used to attempt to improve usability and security. To evaluate the proposed solutions and to compare
them to the existing ones, we have developed a framework that consisted of various objective tests based on
previous work, which have the goal of evaluating security and usability.
Finally, the proposed and existing solutions were compared using the proposed framework.
Encryption has been fundamental to protecting modern services and systems, becoming essential to
protect databases, payment systems, cloud services, and others. Cryptography enabled the
creation and validation of digital signatures, where protecting the private key is very important to prevent
false signatures. Cryptocurrencies depend on this mechanism.
Digital wallets contain private keys that are used to sign transactions and prove possession of
a digital artifact. They keep the private key secure and accessible to its owner, as it may
be needed frequently. With the growing number of decentralized web applications that interact
with blockchains, this subject has gained relevance, as these may require frequent signatures from
the user.
The mass adoption of cryptocurrencies by non-technical users led to the need to create digital wallets
that are secure but prioritize usability. Some of these wallets are classified as hosted services,
which store the private keys on their servers, and others as non-hosted, where the user is
responsible for storing them. When implemented as a browser plugin, these wallets allow the user
to interact fluidly with a web application. The rise of cloud technology enabled the emergence
of multi-signature on the cloud, through the combination of different cloud services already owned by the
user. These give the user full control of their private key and are less vulnerable to cyberattacks.
In this work, a comprehensive analysis of the usability and security of the various types of digital
wallets is carried out, to understand their existing problems. The next step was to propose several possible solutions to the
problems found and also to implement them. These use previously studied work
on multi-cloud technology and are intended to improve usability and security. To
evaluate the proposed solutions and compare them with existing products, we developed a framework
to test security and usability with various objective tests, based on previously studied work.
In the end, the proposed and existing solutions were compared using the proposed framework.
Resource Storage Management Model for Ensuring Quality of Service in the Cloud Archive Systems
Nowadays, service providers offer a lot of IT services in the public or private cloud. The client can buy various kinds of services like SaaS, PaaS, etc. Backup as a Service (BaaS) was recently introduced as a variety of SaaS. At the moment, several different BaaSes are available for archiving data in the cloud, but they provide only a basic level of service quality. In the paper we propose a model which ensures QoS for BaaS and some methods for management of storage resources aimed at achieving the required SLA. This model introduces a set of parameters responsible for the SLA level, which can be offered on the basic or a higher level of quality. The storage systems (typically HSM), which are distributed between several Data Centres, are built based on disk arrays, VTLs, and tape libraries. The RSMM model does not assume bandwidth reservation or control, but is rather focused on the management of storage resources.
Secure secondary utilization system of genomic data using quantum secure cloud
Successful development of a fast and secure genome analysis system using a quantum secure cloud: achieving information-theoretically secure, high-speed processing that was previously impossible. Kyoto University press release. 2022-11-24.
Secure storage and secondary use of individual human genome data is increasingly important for genome research and personalized medicine. Currently, it is necessary to store the whole genome sequencing information (FASTQ data), which enables detection of de novo mutations and structural variations in the analysis of hereditary diseases and cancer. Furthermore, bioinformatics tools to analyze FASTQ data are frequently updated to improve the precision and recall of detected variants. However, existing methods for secure secondary use of data, such as multi-party computation or homomorphic encryption, can handle only a limited set of algorithms and usually require huge computational resources. Here, we developed a high-performance one-stop system for large-scale genome data analysis with secure secondary use of the data by the data owner and multiple users with different levels of data access control. Our quantum secure cloud system is a distributed secure genomic data analysis system (DSGD) with a “trusted server” built on a quantum secure cloud, the information-theoretically secure Tokyo QKD Network. The trusted server will be capable of deploying and running a variety of sequencing analysis hardware, such as GPUs and FPGAs, as well as CPU-based software. We demonstrated that DSGD achieved comparable throughput with and without encryption on the trusted server. Therefore, our system is ready to be installed at research institutes and hospitals that make diagnoses based on whole genome sequencing on a daily basis.
Block-level De-duplication with Encrypted Data
Deduplication is a storage saving technique which has been adopted by many cloud storage providers such as Dropbox. The simple principle of deduplication is that duplicate data uploaded by different users are stored only once. Unfortunately, deduplication is not compatible with encryption. As a scheme that allows deduplication of encrypted data segments, we propose ClouDedup, a secure and efficient storage service which guarantees block-level deduplication and data confidentiality at the same time. ClouDedup strengthens convergent encryption by employing a component that implements an additional encryption operation and an access control mechanism. We also propose to introduce an additional component which is in charge of providing a key management system for data blocks together with the actual deduplication operation. We show that the overhead introduced by these new components is minimal and does not impact the overall storage and computational costs.
Hardware Security Module Cryptosystem Using Petri Net
An embedded system is a combination of hardware and software designed to perform specific functions. It consists of SoCs (systems on chip) that it relies on to do its computing work. A key feature of an embedded system is that it consumes less power and its components occupy less space on the IC (integrated circuit); thus, the use of SoCs. Embedded system manufacturers get these SoCs from third-party companies to reduce their time to market. That would increase the possibility of the systems being compromised. In this paper, we present a novel approach to securing such critical systems. For that, we made a Hardware Security Module (HSM), which consists of a secure SoC with an encrypt/decrypt engine that uses a Petri net for algorithm modulation to secure data flow. We ensure that the system uses genuine firmware and that data is secured, since we use encrypt/decrypt algorithms only known to manufacturers.
- …