Hardware Encapsulation of Security Services

Hardware security modules can be used to encapsulate simple security services that bind security functions, such as decryption, with authorisation and authentication. Such hardware-secured services provide a functional root of trust that can be placed within the context of a wider IT solution, hence enabling strong separations of control and duty. This paper describes an approach to using such hardware-encapsulated services to create virtual trust domains within a deployed solution. Each trust domain is defined by the hardware protection regime, the service code and the policies under which it is managed. An example is given, showing how a TLS session within a web service environment can be protected and how this service can extend the secure communications into the backend systems.
