SHEMP: Secure Hardware Enhanced MyProxy
نویسندگان
چکیده
While PKI applications differ in how they use keys, all applications share one assumption: users have keypairs. In previous work, we established that desktop keystores are not safe places to store private keys, because the TCB is too large. These keystores are also immobile, difficult to use, and make it impossible for relying parties to make reasonable trust judgments. Since we would like to use desktops as PKI clients and cannot realistically expect to redesign the entire desktop, this paper presents a system that works within the confines of modern desktops to shrink the TCB needed for PKI applications. Our system (called Secure Hardware Enhanced MyProxy (SHEMP)) shrinks the TCB in space and allows the TCB’s size to vary over time and over various application sensitivity levels, thus making desktops usable for PKI.
منابع مشابه
Secure Hardware Enhanced MyProxy
Traditionally, users either put their key on some sort of hardware device such as a smart card or USB token, or they place it directly on the hard disk such as in a browser or system keystore. Most modern operating systems (such as Windows and Mac OSX) include a keystore and a set of Cryptographic Service Providers (CSPs) which use the key. In fact, many cross-platform software systems, such as...
متن کاملThe MyProxy online credential repository
The MyProxy online credential repository has been used by the grid computing community for over four years for managing security credentials in the grid public key infrastructure. MyProxy improves usability by giving users access to their credentials over the network using password authentication, allowing users to delegate their credentials via web browser interfaces to the grid, and supportin...
متن کاملAn Online Credential Repository for the Grid: MyProxy
Grid Portals, based on standard Web technologies, are increasingly used to provide user interfaces for Computational and Data Grids. However, such Grid Portals do not integrate cleanly with existing Grid security systems such as the Grid Security Infrastructure (GSI), due to lack of delegation capabilities in Web security mechanisms. We solve this problem using an online credentials repository ...
متن کاملA Mediated RSA-based End Entity Certificates Revocation Mechanism with Secure Concerned in Grid
The End Entity Certificates (EECs) revocation mechanism in Grid Security Infrastructure (GSI) adopts Certificate Revocation List (CRL) currently. However, CRL is an inefficient mechanism with drawbacks of “time granularity problem” and unmanageable sizes. This paper presents a new EECs revocation mechanism MEECRM (Mediated RSA-based End Entity Certificates Revocation Mechanism) to eliminate “ke...
متن کاملSimplifying Public Key Credential Management Through Online Certificate Authorities and PAM
The secure management of X509 certificates in heterogeneous computing environments has proven to be problematic for users and administrators working with Grid deployments. We present an architecture based on short lived X509 credentials issued by a MyProxy server functioning as an Online Certificate Authority, on the basis of initial user authentication via PAM (Pluggable Authentication Modules...
متن کامل