control your cloud: byok is good, · • pkcs#1 to wrap a key • ... • wrap/unwrap amazon aws...
TRANSCRIPT
![Page 1: Control Your Cloud: BYOK is Good, · • PKCS#1 to wrap a key • ... • Wrap/unwrap Amazon AWS Google Cloud Plaorm Microso] Azure • Data-at-rest encrypon • AES-GCM 128 or 256](https://reader035.vdocuments.us/reader035/viewer/2022081406/5f16d72e965b2e6fc46fe241/html5/thumbnails/1.jpg)
ControlYourCloud:BYOKisGood,
ButnotGoodEnough
May18th,2017,ICMC’2017,Arlington,VA,CA©Cryptomathic,2017
![Page 2: Control Your Cloud: BYOK is Good, · • PKCS#1 to wrap a key • ... • Wrap/unwrap Amazon AWS Google Cloud Plaorm Microso] Azure • Data-at-rest encrypon • AES-GCM 128 or 256](https://reader035.vdocuments.us/reader035/viewer/2022081406/5f16d72e965b2e6fc46fe241/html5/thumbnails/2.jpg)
AboutCryptomathic• Inbusinessfor30+years• Aso2warecompany,whichusesHSMsandHardwareSecurityPeripheralsExtensively.• AtechnologyproviderofCryptographicKeyManagementSystems
• Sweetspotinhelpingaugmenthybridarchitectures• WerelyongoodandsoundHardwareSecurityProducts
![Page 3: Control Your Cloud: BYOK is Good, · • PKCS#1 to wrap a key • ... • Wrap/unwrap Amazon AWS Google Cloud Plaorm Microso] Azure • Data-at-rest encrypon • AES-GCM 128 or 256](https://reader035.vdocuments.us/reader035/viewer/2022081406/5f16d72e965b2e6fc46fe241/html5/thumbnails/3.jpg)
BYOK• BYOK=BringYourOwnKey• Itsuggestsaone-waymechanism:
• FromtheperspecOveofaCloudCompuOngProvider:YourKey,intomyCloud.• Theword“key”tendstobegenerallyunderstoodinaverybroadsense
• SymmetricKeys• GeneralPurposeEncrypOon/DecrypOonKeys• MasterDerivaOonKeys(especiallyusedinfinancialservice)
• AsymmetricKey(Pairs)• -andcorrespondingcerOficates.
• However,inthecontextofCloudServiceProviders,itappearstohavebeenassignedamorelimitedmeaningforgeneralpurposecryptoonly–atleastiniOally.
![Page 4: Control Your Cloud: BYOK is Good, · • PKCS#1 to wrap a key • ... • Wrap/unwrap Amazon AWS Google Cloud Plaorm Microso] Azure • Data-at-rest encrypon • AES-GCM 128 or 256](https://reader035.vdocuments.us/reader035/viewer/2022081406/5f16d72e965b2e6fc46fe241/html5/thumbnails/4.jpg)
CloudServiceProviders(CSPs)Offering• ThreemajorcloudserviceprovidersalloffersomeformofCryptographicServices• AmazonAWS• Microso]Azure• GoogleCloudPla^orm
• Themainpurposesappeartobe• PromoOngdirectintegraOonwiththeirownservices• throughofferingexternalAPIsandcapabiliOes.
• AllthreeoffersomeformofKeyManagementServiceandcryptographicAPIs.
![Page 5: Control Your Cloud: BYOK is Good, · • PKCS#1 to wrap a key • ... • Wrap/unwrap Amazon AWS Google Cloud Plaorm Microso] Azure • Data-at-rest encrypon • AES-GCM 128 or 256](https://reader035.vdocuments.us/reader035/viewer/2022081406/5f16d72e965b2e6fc46fe241/html5/thumbnails/5.jpg)
KeyManagementServicesoffered(re.BYOK)
• HSM• ThalesnShieldHSM
• Crypto• AES128or256andRSAkeys
• BYOKProtocol/Format• basedonThalescommands
AmazonAWS GoogleCloudPla^ormMicroso]Azure
• HSM• GemaltoLunaSAHSM
• Crypto• AES128and256keysonly
• BYOKProtocol/Format• PKCS#1towrapakey
• HSM• Nonecurrently
• Crypto• AES256keysonly
• BYOKProtocol/Format• RSA-OAEPencryptedkey
![Page 6: Control Your Cloud: BYOK is Good, · • PKCS#1 to wrap a key • ... • Wrap/unwrap Amazon AWS Google Cloud Plaorm Microso] Azure • Data-at-rest encrypon • AES-GCM 128 or 256](https://reader035.vdocuments.us/reader035/viewer/2022081406/5f16d72e965b2e6fc46fe241/html5/thumbnails/6.jpg)
Data-at-restEncrypOonandAPIfuncOonality
• Data-restEncrypRon• AES128or256• +rightsmanagementpolicy
• CryptoservicesandAPIs• Encrypt/decrypt• SignandVerify• Wrap/unwrap
AmazonAWS GoogleCloudPla^ormMicroso]Azure
• Data-at-restencrypRon• AES-GCM128or256
• CryptoservicesandAPIs• encrypt/decryptonlywithAES-GCM
• basedonGemaltoHSM
• Data-at-restencrypRon• AES-GCM256
• CryptoservicesandAPIs• encrypt/decryptonlywithAES-GCM
![Page 7: Control Your Cloud: BYOK is Good, · • PKCS#1 to wrap a key • ... • Wrap/unwrap Amazon AWS Google Cloud Plaorm Microso] Azure • Data-at-rest encrypon • AES-GCM 128 or 256](https://reader035.vdocuments.us/reader035/viewer/2022081406/5f16d72e965b2e6fc46fe241/html5/thumbnails/7.jpg)
BYOK–animportanttool(butnottheonlyone)• BYOKhelpsyougetyourowngeneratedkeyintotheCloud
• -ratherthanhavingtheCSPgenerateoneforyouonyourbehalf.• TheCloudServiceProvider“willhandleitforyou”–butthereisnocommonexportfacility• Thus,ifyouneedacopy,besuretosaveonebeforesubmigngit!
• BYOKhas(slightly)differentmeaningsintheeyesoftheCSP• BesureyouunderstandthelimitaOonsofwhatisavailable• AlsounderstandyourresponsibiliOes,i.e.
• DoyoureallywanttomanageyourencrypOonkeyinaspreadsheet?• Probably,youalsohavemanyothertypesofkeysyouneedtomanage
![Page 8: Control Your Cloud: BYOK is Good, · • PKCS#1 to wrap a key • ... • Wrap/unwrap Amazon AWS Google Cloud Plaorm Microso] Azure • Data-at-rest encrypon • AES-GCM 128 or 256](https://reader035.vdocuments.us/reader035/viewer/2022081406/5f16d72e965b2e6fc46fe241/html5/thumbnails/8.jpg)
EnterMYOK™-ManageYourOwnKey(s)• Inmanagingyourownkeys,itisimpliedthat
• Youcanworkwithyourkeyssecurely• Youcanprovisionkeystowheretheyareneeded• Youareabletomanagethelife-cycleofkeysyoumanage
• GeneraOon,Import,Export• Backup,Restore• Update,Roll-back,Recover• CerOfy,RecerOfyandRevoke
• Ideally,youneedtobeabletodothisinawaythatismeaningfultoyourbusiness• Acentralsystem,available(toyou)andunderyoursolecommand.
![Page 9: Control Your Cloud: BYOK is Good, · • PKCS#1 to wrap a key • ... • Wrap/unwrap Amazon AWS Google Cloud Plaorm Microso] Azure • Data-at-rest encrypon • AES-GCM 128 or 256](https://reader035.vdocuments.us/reader035/viewer/2022081406/5f16d72e965b2e6fc46fe241/html5/thumbnails/9.jpg)
MYOKsoluOons–anexampleCentralizedKeyManagementSystemreplacingandunifyingpoorly-designed,proprietaryandmanualkeymanagementinterfacesofexisRngproductsandHSMs
üû
![Page 10: Control Your Cloud: BYOK is Good, · • PKCS#1 to wrap a key • ... • Wrap/unwrap Amazon AWS Google Cloud Plaorm Microso] Azure • Data-at-rest encrypon • AES-GCM 128 or 256](https://reader035.vdocuments.us/reader035/viewer/2022081406/5f16d72e965b2e6fc46fe241/html5/thumbnails/10.jpg)
AdvancedKeyLifecycleManagement• Morethanjustkeys• Name• Algorithmandlength• Exportsegngs
• KCVlength• Intendedrecipients• Formats
• Thebiggerpicture• KeyUsageLogs• Lifecyclestatus• Customdata
![Page 11: Control Your Cloud: BYOK is Good, · • PKCS#1 to wrap a key • ... • Wrap/unwrap Amazon AWS Google Cloud Plaorm Microso] Azure • Data-at-rest encrypon • AES-GCM 128 or 256](https://reader035.vdocuments.us/reader035/viewer/2022081406/5f16d72e965b2e6fc46fe241/html5/thumbnails/11.jpg)
TypicallyEncounteredKeyFormats(otherthanBYOK)• AtallaKeyBlock/Variant
• File-basedformat.ApplicaOonkeysonly.
• CryptogramunderZMKP• Exporttoafileencryptedbyapublickey.
• PINpad• ExportasXORsharesonaPINpad.Symmetrickeysonly.
• PKCS#8Cryptogram• ExportasanencryptedPKCS#8file.Asymmetrickeysonly.
• StandardCryptogram• Exportasanencryptedkeyfile.Symmetrickeysonly.
• SubjectPublicKeyInfo• Exportofpublickeys.
• TR-31• CompaOblewithe.g.ThalesPaymentsHSMs
• IBMCCA• ForIBMHSMs(withcontrolvector)
![Page 12: Control Your Cloud: BYOK is Good, · • PKCS#1 to wrap a key • ... • Wrap/unwrap Amazon AWS Google Cloud Plaorm Microso] Azure • Data-at-rest encrypon • AES-GCM 128 or 256](https://reader035.vdocuments.us/reader035/viewer/2022081406/5f16d72e965b2e6fc46fe241/html5/thumbnails/12.jpg)
SoundArchitecture• Client/serverdesign• Aservicewhichcanrunfromyourlabs(whetherowndatacenterordessktop)• DBMS,HSM(FIPS140-2,L3)
• AdministratorsconnectfromWindowsclient• SmartcardbasedauthenOcaOonforalloperaOons(FIPS140-2,L3)• PINpadsforreadingcardsandimporOng/exporOng/prinOngkeyshares
![Page 13: Control Your Cloud: BYOK is Good, · • PKCS#1 to wrap a key • ... • Wrap/unwrap Amazon AWS Google Cloud Plaorm Microso] Azure • Data-at-rest encrypon • AES-GCM 128 or 256](https://reader035.vdocuments.us/reader035/viewer/2022081406/5f16d72e965b2e6fc46fe241/html5/thumbnails/13.jpg)