
Lund University Publications


On the Suitability of Using SGX for Secure Key Storage in the Cloud

Brorsson, Joakim; Nikbakht Bideh, Pegah; Nilsson, Alexander and Hell, Martin (2020) 17th International Conference on Trust, Privacy and Security in Digital Business, TrustBus2020, vol. 12395, pp. 32-47
Abstract
This paper addresses the need for secure storage in virtualized services in the cloud. To this purpose, we evaluate the security properties of Intel's Software Guard Extensions (SGX) technology, which provides hardware protection for general applications, for securing virtual Hardware Security Modules (vHSM). In order for the analysis to be comparable with analyses of physical HSMs, the evaluation proceeds from the FIPS 140-3 standard, the successor to FIPS 140-2, which is commonly used to assess security properties of HSMs.

Our contribution is twofold. First, we provide a detailed security evaluation of vHSMs using the FIPS 140-3 standard. Second, after concluding that the standard is designed for stand-alone rather than virtual systems, we propose a supplementary threat model, which considers threats from different actors separately. This model allows for different levels of trust in actors with different capabilities and can thus be used to assess which parts of FIPS 140-3 should be considered for a specific attacker.

Using FIPS 140-3 in combination with the threat model, we find that SGX enclaves provide sufficient protection against a large part of the potential actors in the cloud. Thus, depending on the threat model, SGX can be a helpful tool for providing secure storage for virtualized services.
author
Brorsson, Joakim; Nikbakht Bideh, Pegah; Nilsson, Alexander and Hell, Martin
publishing date
2020
type
Chapter in Book/Report/Conference proceeding
publication status
published
keywords
SGX, FIPS, Trusted Computing, Enclaves, HSM
host publication
Lecture Notes in Computer Science
volume
12395
pages
32 - 47
publisher
Springer Science and Business Media B.V.
conference name
17th International Conference on Trust, Privacy and Security in Digital Business, TrustBus2020
conference location
Bratislava, Slovakia
conference dates
2020-09-14 - 2020-09-17
external identifiers
  • scopus:85091599686
ISBN
978-303058985-1
DOI
10.1007/978-3-030-58986-8_3
project
Secure software updates for the smart city
Side channels on software implementations of post-quantum cryptographic algorithms
language
English
LU publication?
yes
id
7c36e888-1510-4884-b44f-6fdb0018cbe1
date added to LUP
2020-06-09 10:13:34
date last changed
2022-04-18 22:54:10
@inproceedings{7c36e888-1510-4884-b44f-6fdb0018cbe1,
  abstract     = {{This paper addresses the need for secure storage in virtualized services in the cloud. To this purpose, we evaluate the security properties of Intel's Software Guard Extensions (SGX) technology, which provides hardware protection for general applications, for securing virtual Hardware Security Modules (vHSM). In order for the analysis to be comparable with analyses of physical HSMs, the evaluation proceeds from the FIPS 140-3 standard, the successor to FIPS 140-2, which is commonly used to assess security properties of HSMs.

Our contribution is twofold. First, we provide a detailed security evaluation of vHSMs using the FIPS 140-3 standard. Second, after concluding that the standard is designed for stand-alone rather than virtual systems, we propose a supplementary threat model, which considers threats from different actors separately. This model allows for different levels of trust in actors with different capabilities and can thus be used to assess which parts of FIPS 140-3 should be considered for a specific attacker.

Using FIPS 140-3 in combination with the threat model, we find that SGX enclaves provide sufficient protection against a large part of the potential actors in the cloud. Thus, depending on the threat model, SGX can be a helpful tool for providing secure storage for virtualized services.}},
  author       = {{Brorsson, Joakim and Nikbakht Bideh, Pegah and Nilsson, Alexander and Hell, Martin}},
  booktitle    = {{Lecture Notes in Computer Science}},
  isbn         = {{978-303058985-1}},
  keywords     = {{SGX; FIPS; Trusted Computing; Enclaves; HSM}},
  language     = {{eng}},
  pages        = {{32--47}},
  publisher    = {{Springer Science and Business Media B.V.}},
  title        = {{On the Suitability of Using SGX for Secure Key Storage in the Cloud}},
  url          = {{https://lup.lub.lu.se/search/files/80413111/TrustBus2020_paper_11_1_.pdf}},
  doi          = {{10.1007/978-3-030-58986-8_3}},
  volume       = {{12395}},
  year         = {{2020}},
}