Shan Jiang, Sean Smith, Kazuhiro Minami
Too often, 'security of Web transactions' reduces to 'encryption of the channel'---and neglects to address what happens at the server on the other end. This oversight forces clients to trust the good intentions and competence of the server operator---but gives clients no basis for that trust. In this paper, we apply secure coprocessing and cryptography to solve this real problem in Web technology. We present a vision: using secure coprocessors to establish trusted co-servers at Web servers and moving sensitive computations inside these co-servers; we present a prototype implementation of this vision that scales to realistic workloads; and we validate this approach by building a simple E-voting application on top of our prototype.
By showing the real potential of COTS secure coprocessing technology to establish trusted islands of computation in hostile environments---such as at web servers with risk of insider attack---this work also helps demonstrate that 'secure hardware' can be more than synonym for 'cryptographic accelerator.'
Keywords: secure coprocessors, SSL, insider attack, e-commerce
Read Paper (in PDF)