Abstract
Managing encryption keys in cloud computing is a very challenging task, especially where the model is shared and entirely controlled by the cloud providers. Hardware Security Module (HSM) solutions have turned out to be an efficient approach for delivering cloud key management services. Unfortunately, the HSM approach has shown some shortcomings related to key migration when it comes to widespread cloud deployment. Recent systems based on homomorphic encryption and multiparty computation suffer from security issues or heavy overhead costs inherent to the underlying cryptographic techniques. In this paper, we introduce a new software cloud key management system based on a dedicated (t, n) verifiable secret sharing protocol that tolerates up to t Byzantine adversaries. The proposed design meets the requirements of the BYOK (Bring Your Own Keys) model and of multi-cloud deployment, both of which are gaining traction among the biggest cloud industry players. Because our verifiable secret sharing protocol reduces the opening phase of the VSS protocols known in the literature by a factor of t, the proposed design offers promising performance. We also provide a formal model of our construction and a proof of security. Finally, we implement a prototype of our design and give some experimental results on its performance, along with some optimizations that make it efficient enough to be deployed in real-world applications.
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Hedabou, M. (2021). Cloud Key Management Based on Verifiable Secret Sharing. In: Yang, M., Chen, C., Liu, Y. (eds) Network and System Security. NSS 2021. Lecture Notes in Computer Science, vol 13041. Springer, Cham. https://doi.org/10.1007/978-3-030-92708-0_18
DOI: https://doi.org/10.1007/978-3-030-92708-0_18
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-92707-3
Online ISBN: 978-3-030-92708-0
eBook Packages: Computer Science (R0)