Marshall W. Bern, Howard J. Karloff, et al.
Theoretical Computer Science
Migrating systems onto virtualized environments, such as cloud platforms, is becoming a business imperative. Such platforms offer the promise of higher resilience combined with a relatively low cost of ownership. The platforms also involve a number of challenges that hinder their adoption, and a primary concern involves security. These security concerns stem in part from vulnerabilities that underlying virtualization functionality introduces, such as the ability to capture and replay the execution state of a virtualized machine. In systems where security is paramount, HSMs (hardware security modules) are often used. HSMs provide a tamper-resistant environment for storing sensitive cryptographic material and for executing cryptographic operations using this material. HSMs may appear to be important components for enhancing the security of virtual environments; however, current implementations are not well suited for this purpose. In this paper, we describe a typical HSM solution stack based on the de facto industry standard called PKCS #11 (Public Key Cryptography Standard # 11). We explain the challenges introduced by virtualized platforms and show why the typical architectures based on PKCS #11 are not suitable for such environments. Finally, we describe an alternative IBM HSM solution called EP11 (Enterprise PKCS #11) and show how it addresses many of these challenges.
Marshall W. Bern, Howard J. Karloff, et al.
Theoretical Computer Science
Michael Ray, Yves C. Martin
Proceedings of SPIE - The International Society for Optical Engineering
Liqun Chen, Matthias Enzmann, et al.
FC 2005
Eric Price, David P. Woodruff
FOCS 2011