Unattended reboots
james hughes
hughejp at mac.com
Mon Aug 3 02:29:25 EDT 2009
On Aug 2, 2009, at 4:00 PM, Arshad Noor wrote:
> Jerry Leichter wrote:
>> How does a server, built on stock technology, keep secrets that it can
>> use to authenticate with other servers after an unattended reboot?
>> Without tamper-resistant hardware that controls access to keys,
>> anything the software can get at at boot, an attacker who steals a
>> copy of a backup, say - can also get at.
>
> Almost every e-commerce site (that needs to be PCI-DSS compliant) I've
> worked with in the last few years, insists on having unattended
> reboots.
I penned a recent blog about this fact at
http://www.cryptoclarity.com/CryptoClarityLLC/Welcome/Entries/2009/7/23_Encrypted_Storage_and_Key_Management_for_the_cloud.html
or
http://tinyurl.com/klkrvu
It discusses this fact and how it can be mitigated. Specifically, how
wrapped keys can be escrowed, and used to boot a machine in, what I
consider, a significantly more secure manner. Given that you can never
guarantee a cloud provider cannot tamper with your machine while
running, this post describes the problem, a set of goals and one
possible solution.
Encrypted kernels are a requirement. Geoff Arnold
http://speakingofclouds.com/
suggested that an AMI that can boot an encrypted AMI may solve the
issue. A harder, but possible solution would be to change the AMI's
Grub loader without changing AWS's infrastructure. Anyone interested
in working on a prototype :-)
Jim
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com