On Aug 2, 2009, at 4:00 PM, Arshad Noor wrote:
Jerry Leichter wrote:
How
does a server, built on stock technology, keep secrets that it can
use to authenticate with other servers after an unattended reboot?
Without tamper-resistant hardware that controls access to keys,
anything the software can get at at boot, an attacker who steals a
copy of a backup, say - can also get at.
Almost every e-commerce site (that needs to be PCI-DSS compliant) I've
worked with in the last few years, insists on having unattended
reboots.
I penned a recent blog about this fact at
http://www.cryptoclarity.com/CryptoClarityLLC/Welcome/Entries/2009/7/23_Encrypted_Storage_and_Key_Management_for_the_cloud.html
or
http://tinyurl.com/klkrvu
It discusses this fact and how it can be mitigated. Specifically, how
wrapped keys can be escrowed, and used to boot a machine in, what I
consider, a significantly more secure manner. Given that you can never
guarantee a cloud provider can not tamper with you machine while
running, this post describes the problem, a set of goals and one
possible solution.
Encrypted Kernels are requirement. Geoff Arnold
http://speakingofclouds.com/
suggested that an AMI that can boot an encrypted AMI may solve the
issue. A harder, but possible solution would be to change the AMI's
Grub loader without changing AWS's infrastructure. Anyone interested
on working on a prototype :-)
Jim
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
