[144675] in cryptography@c2.net mail archive
Re: Unattended reboots
daemon@ATHENA.MIT.EDU (james hughes)
Mon Aug 3 16:55:04 2009
Cc: James Hughes <hughejp@mac.com>, Jerry Leichter <leichter@lrw.com>,
Cryptography <cryptography@metzdowd.com>, Geoff Arnold <geoff@geoffarnold.com>
From: james hughes <hughejp@mac.com>
To: Arshad Noor <arshad.noor@strongauth.com>
In-reply-to: <4A761A9D.6080106@strongauth.com>
Date: Sun, 02 Aug 2009 23:29:25 -0700
On Aug 2, 2009, at 4:00 PM, Arshad Noor wrote:
> Jerry Leichter wrote:
>> How
>> does a server, built on stock technology, keep secrets that it can
>> use to authenticate with other servers after an unattended reboot?
>> Without tamper-resistant hardware that controls access to keys,
>> anything the software can get at at boot, an attacker who steals a
>> copy of a backup, say - can also get at.
>
> Almost every e-commerce site (that needs to be PCI-DSS compliant) I've
> worked with in the last few years, insists on having unattended
> reboots.
I penned a recent blog about this fact at
http://www.cryptoclarity.com/CryptoClarityLLC/Welcome/Entries/2009/7/23_Encrypted_Storage_and_Key_Management_for_the_cloud.html
or
http://tinyurl.com/klkrvu
It discusses this fact and how it can be mitigated. Specifically, how
wrapped keys can be escrowed, and used to boot a machine in, what I
consider, a significantly more secure manner. Given that you can never
guarantee a cloud provider cannot tamper with your machine while
running, this post describes the problem, a set of goals and one
possible solution.
Encrypted kernels are a requirement. Geoff Arnold
http://speakingofclouds.com/
suggested that an AMI that can boot an encrypted AMI may solve the
issue. A harder, but possible solution would be to change the AMI's
Grub loader without changing AWS's infrastructure. Anyone interested
in working on a prototype? :-)
Jim
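The wrapped-key escrow idea above, as an added worked example (this is not code from the CryptoClarity post or from any project the thread mentions; the escrow interface, the instance identifiers and the secret config are all constructed for the illustration). The machine's disk holds only ciphertext plus a data-encryption key (DEK) wrapped under a key-encryption key (KEK) that lives only inside the escrow service; at boot the machine hands the wrapped blob to the escrow and gets the DEK back. The wrap is bound to the instance identity through associated data, so a backup restored onto a different (even enrolled) instance, a tampered blob, or a revoked instance all fail. The AEAD here is a stdlib-only stand-in (HMAC-SHA256 counter-mode keystream plus an HMAC-SHA256 tag, encrypt-then-MAC); in practice you would use AES-GCM or AES-KW from a real crypto library.

```python
"""Wrapped-key escrow for unattended reboot. Illustrative example; the escrow
API, instance IDs and secret config are assumptions, not anything from the post."""
import hashlib
import hmac
import secrets
from typing import Optional

NONCE_LEN = 16
TAG_LEN = 32

# Constructed sample secret that the machine must have after an unattended boot.
SECRET_CONFIG = b"db_user=app\ndb_password=hunter2\n"


def _subkeys(key: bytes):
    """Derive independent encryption and MAC keys from one 32-byte key."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (stand-in for AES-CTR)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Encrypt-then-MAC. Returns nonce || ciphertext || tag; the tag covers aad too."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Verify the tag (constant-time) before decrypting; raise on any mismatch."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class EscrowService:
    """Holds the KEK and never hands it out; releases DEKs only to enrolled instances.
    The enrollment check stands in for whatever instance-identity proof you use."""

    def __init__(self):
        self._kek = secrets.token_bytes(32)
        self._enrolled = set()
        self.audit = []  # every unwrap attempt, successful or not

    def enroll(self, instance_id: str):
        self._enrolled.add(instance_id)

    def revoke(self, instance_id: str):
        self._enrolled.discard(instance_id)

    def wrap(self, instance_id: str, dek: bytes) -> bytes:
        # Binding the instance ID as associated data means the same blob cannot be
        # unwrapped on behalf of any other instance, enrolled or not.
        return seal(self._kek, dek, aad=instance_id.encode())

    def unwrap(self, instance_id: str, wrapped: bytes) -> bytes:
        self.audit.append(instance_id)
        if instance_id not in self._enrolled:
            raise PermissionError(f"{instance_id} is not enrolled")
        return open_(self._kek, wrapped, aad=instance_id.encode())


def provision(escrow: EscrowService, instance_id: str, secret_config: bytes) -> dict:
    """One-time setup: fresh DEK, encrypt the secrets, keep only the wrapped DEK on disk."""
    dek = secrets.token_bytes(32)
    return {"encrypted_config": seal(dek, secret_config),
            "wrapped_dek": escrow.wrap(instance_id, dek)}


def try_boot(escrow: EscrowService, instance_id: str, disk: dict) -> Optional[bytes]:
    """Unattended boot: ask the escrow for the DEK, then decrypt. None on any failure."""
    try:
        dek = escrow.unwrap(instance_id, disk["wrapped_dek"])
        return open_(dek, disk["encrypted_config"])
    except (ValueError, PermissionError):
        return None


def run_scenario() -> dict:
    """Legitimate boot, then the three failure cases a stolen backup runs into."""
    escrow = EscrowService()
    escrow.enroll("i-0abc")
    disk = provision(escrow, "i-0abc", SECRET_CONFIG)
    results = {"legit_boot": try_boot(escrow, "i-0abc", disk)}
    escrow.enroll("i-attacker")  # attacker restores the backup onto their own instance
    results["restored_elsewhere"] = try_boot(escrow, "i-attacker", disk)
    tampered = dict(disk, wrapped_dek=bytes([disk["wrapped_dek"][0] ^ 1]) + disk["wrapped_dek"][1:])
    results["tampered_blob"] = try_boot(escrow, "i-0abc", tampered)
    escrow.revoke("i-0abc")  # compromise suspected: stop releasing the key
    results["after_revoke"] = try_boot(escrow, "i-0abc", disk)
    results["audit"] = list(escrow.audit)
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value!r}")
```

The point the thread is circling is visible in `run_scenario()`: the disk image (and any backup of it) contains nothing an attacker can decrypt on their own, and the escrow's audit log plus `revoke()` give the operator a choke point that a plain on-disk key never offers. What this does not solve, as the message says, is a provider that tampers with the running machine after the DEK has been released into memory.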
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com