[Cryptography] Hyper-V claims to protect tenant secrets ??

Jerry Leichter leichter at lrw.com
Fri Oct 2 21:46:33 EDT 2015


> It would appear that whichever cloud service utilizes this Microsoft technology has *literally* handed over the (encryption) keys to their kingdom to Microsoft, and the cloud service provider no longer *owns* and/or *controls* 'their'  cloud machines in any real sense.  This cloud service provider is merely providing real estate & electricity for his zombie Microsoftbot machines.
I don't understand this statement.  *Microsoft* supplies cloud services.

> The acid test: can the cloud service provider -- no matter where located -- keep Microsoft from handing over cloud customer data to Microsoft itself or anyone that Microsoft designates -- e.g., FBI/NSA/GCHQ ?  No.
Why?

I guess you're assuming that you have to use a Microsoft-managed KDC.  Yes, if Microsoft manages your KDC, *and* that management gives it the ability to extract keys from the KDC, then Microsoft can give those keys to anyone who is in a position to demand them.  But (a) I see nothing in the design that says Microsoft even has to manage the KDC; (b) "managing" in the sense of making sure the thing keeps running does not give the manager of a properly designed KDC access to the keys it stores.

> The cloud customer, on the other hand, will trust this cloud service to the same extent that they trust Microsoft today.  For some customers, trusting Microsoft may be better than trusting cloud service provider A**z*n, but they still have to trust Microsoft.  In particular, both the cloud service provider and the cloud service customer must *trust Microsoft*, even for running non-Microsoft (e.g., Linux) code, because Microsoft has locked down the boot sequence on these machines.
Yes, the whole theory of "trusted boot" relies on trusting a chain of software.  No matter how you run your MS software, you have to trust some of the stuff they wrote.  Or you have to verify it.  Same as you have to trust the hardware and firmware Intel wrote into the chips, and tons of other software in all kinds of peripherals.  Welcome to reality.

I just don't understand the antipathy and paranoia here.  This is an effort to greatly reduce the available attack surface of machines in the cloud, bringing them quite close to the best you could reasonably hope to achieve with careful design and management of physical hardware you own and control.  It's a much higher level of assurance than all but the best managed systems can achieve.

Frankly, if you want to protect yourself from a serious attack by the three-letter agencies ... you'd better start off with a budget comparable to theirs.  Good luck with that.
                                                        -- Jerry