View
0
Download
0
Category
Preview:
Citation preview
ControlYourCloud:BYOKisGood,
ButnotGoodEnough
May18th,2017,ICMC’2017,Arlington,VA,CA©Cryptomathic,2017
AboutCryptomathic• Inbusinessfor30+years• Aso2warecompany,whichusesHSMsandHardwareSecurityPeripheralsExtensively.• AtechnologyproviderofCryptographicKeyManagementSystems
• Sweetspotinhelpingaugmenthybridarchitectures• WerelyongoodandsoundHardwareSecurityProducts
BYOK• BYOK=BringYourOwnKey• Itsuggestsaone-waymechanism:
• FromtheperspecOveofaCloudCompuOngProvider:YourKey,intomyCloud.• Theword“key”tendstobegenerallyunderstoodinaverybroadsense
• SymmetricKeys• GeneralPurposeEncrypOon/DecrypOonKeys• MasterDerivaOonKeys(especiallyusedinfinancialservice)
• AsymmetricKey(Pairs)• -andcorrespondingcerOficates.
• However,inthecontextofCloudServiceProviders,itappearstohavebeenassignedamorelimitedmeaningforgeneralpurposecryptoonly–atleastiniOally.
CloudServiceProviders(CSPs)Offering• ThreemajorcloudserviceprovidersalloffersomeformofCryptographicServices• AmazonAWS• Microso]Azure• GoogleCloudPla^orm
• Themainpurposesappeartobe• PromoOngdirectintegraOonwiththeirownservices• throughofferingexternalAPIsandcapabiliOes.
• AllthreeoffersomeformofKeyManagementServiceandcryptographicAPIs.
KeyManagementServicesoffered(re.BYOK)
• HSM• ThalesnShieldHSM
• Crypto• AES128or256andRSAkeys
• BYOKProtocol/Format• basedonThalescommands
AmazonAWS GoogleCloudPla^ormMicroso]Azure
• HSM• GemaltoLunaSAHSM
• Crypto• AES128and256keysonly
• BYOKProtocol/Format• PKCS#1towrapakey
• HSM• Nonecurrently
• Crypto• AES256keysonly
• BYOKProtocol/Format• RSA-OAEPencryptedkey
Data-at-restEncrypOonandAPIfuncOonality
• Data-restEncrypRon• AES128or256• +rightsmanagementpolicy
• CryptoservicesandAPIs• Encrypt/decrypt• SignandVerify• Wrap/unwrap
AmazonAWS GoogleCloudPla^ormMicroso]Azure
• Data-at-restencrypRon• AES-GCM128or256
• CryptoservicesandAPIs• encrypt/decryptonlywithAES-GCM
• basedonGemaltoHSM
• Data-at-restencrypRon• AES-GCM256
• CryptoservicesandAPIs• encrypt/decryptonlywithAES-GCM
BYOK–animportanttool(butnottheonlyone)• BYOKhelpsyougetyourowngeneratedkeyintotheCloud
• -ratherthanhavingtheCSPgenerateoneforyouonyourbehalf.• TheCloudServiceProvider“willhandleitforyou”–butthereisnocommonexportfacility• Thus,ifyouneedacopy,besuretosaveonebeforesubmigngit!
• BYOKhas(slightly)differentmeaningsintheeyesoftheCSP• BesureyouunderstandthelimitaOonsofwhatisavailable• AlsounderstandyourresponsibiliOes,i.e.
• DoyoureallywanttomanageyourencrypOonkeyinaspreadsheet?• Probably,youalsohavemanyothertypesofkeysyouneedtomanage
EnterMYOK™-ManageYourOwnKey(s)• Inmanagingyourownkeys,itisimpliedthat
• Youcanworkwithyourkeyssecurely• Youcanprovisionkeystowheretheyareneeded• Youareabletomanagethelife-cycleofkeysyoumanage
• GeneraOon,Import,Export• Backup,Restore• Update,Roll-back,Recover• CerOfy,RecerOfyandRevoke
• Ideally,youneedtobeabletodothisinawaythatismeaningfultoyourbusiness• Acentralsystem,available(toyou)andunderyoursolecommand.
MYOKsoluOons–anexampleCentralizedKeyManagementSystemreplacingandunifyingpoorly-designed,proprietaryandmanualkeymanagementinterfacesofexisRngproductsandHSMs
üû
AdvancedKeyLifecycleManagement• Morethanjustkeys• Name• Algorithmandlength• Exportsegngs
• KCVlength• Intendedrecipients• Formats
• Thebiggerpicture• KeyUsageLogs• Lifecyclestatus• Customdata
TypicallyEncounteredKeyFormats(otherthanBYOK)• AtallaKeyBlock/Variant
• File-basedformat.ApplicaOonkeysonly.
• CryptogramunderZMKP• Exporttoafileencryptedbyapublickey.
• PINpad• ExportasXORsharesonaPINpad.Symmetrickeysonly.
• PKCS#8Cryptogram• ExportasanencryptedPKCS#8file.Asymmetrickeysonly.
• StandardCryptogram• Exportasanencryptedkeyfile.Symmetrickeysonly.
• SubjectPublicKeyInfo• Exportofpublickeys.
• TR-31• CompaOblewithe.g.ThalesPaymentsHSMs
• IBMCCA• ForIBMHSMs(withcontrolvector)
SoundArchitecture• Client/serverdesign• Aservicewhichcanrunfromyourlabs(whetherowndatacenterordessktop)• DBMS,HSM(FIPS140-2,L3)
• AdministratorsconnectfromWindowsclient• SmartcardbasedauthenOcaOonforalloperaOons(FIPS140-2,L3)• PINpadsforreadingcardsandimporOng/exporOng/prinOngkeyshares
Thankyoumao.Landrock@cryptomathic.com
MYOKisatrademarkofCryptomathic
Recommended