Accession Number : AD1033603

Title :   Bootstrapping and Maintaining Trust in the Cloud

Descriptive Note : Technical Report


Personal Author(s) : Schear,Nabil ; Moyer,Thomas M ; Cable,Patrick II T ; Rudd,Robert ; Richard,Bryan

Full Text :

Report Date : 01 Dec 2016

Pagination or Media Count : 12

Abstract : Today's infrastructure as a service (IaaS) cloud environments rely upon full trust in the provider to secure applications and data. Cloud providers do not offer the ability to create hardware-rooted cryptographic identities for IaaS cloud resources or sucient information to verify the integrity of systems. Trusted computing protocols and hardware like the TPM have long promised a solution to this problem. However, these technologies have not seen broad adoption because of their complexity of implementation, low performance, and lack of compatibility with virtualized environments. In this paper we introduce a scalable trusted cloud key management system called key lime. Our system provides an end-to-end solution for both bootstrapping hardware rooted cryptographic identities for IaaS nodes and for system integrity monitoring of those nodes via periodic attestation. We can support these functions in both bare-metal and virtualized IaaS environments using a virtual TPM. key lime provides a clean interface that allows higher level security services like disk/network encryption or conguration management to leverage trusted computing without themselves being trusted computing aware. We show that our bootstrapping protocol adds about 2 seconds latency to IaaS node instantiation, we can detect system integrity violations in as little as 110ms, and that keylime can

Descriptors :   computing system architectures , firmware , identities , infrastructure , protocols , virtualization , cloud computing , configuration management , computer programming , virtual machines , operating systems

Subject Categories : Computer Systems

Distribution Statement : APPROVED FOR PUBLIC RELEASE