Securing the Financial Cloud (SFC)

Funding body Bundesministerium für Bildung und Forschung (BMBF)
Initiative Funding of research initiatives on secure cloud computing www.bmbf.de/foerderungen/18899.php
Project management agency VDI/VDE
Grant number 16KIS0062
Start 1.3.2014
End 27.2.2017
Partners Wincor Nixdorf
  acheleos
  arvato Bertelsmann
  utimaco
  escrypt
  janz IT
  Universität Paderborn

Project Goals

The SFC project aims at transferring highly sensitive financial services into the cloud, and implementing a prototype of a cloud architecture for such financial services. Achieving this goal requires an interdisciplinary approach represented by SFC's subprojects:

Cryptographic technologies

Identifying and analyzing relevant cryptographic primitives for the use in a financial cloud is a key aspect of this subproject. Based on the analysis, existing cryptographic schemes will be adapted and new schemes will be developed to match the requirements imposed by the financial cloud.

Optimized realization

This subproject aims at providing highly optimized hardware (e.g. FPGA) implementations of the cryptographic schemes resulting from the previously described subproject. These implementations will be subject to extensive analyses of their resistance against side-channel attacks.

Security architecture

The financial cloud offers a highly complex infrastructure for financial services. Accordingly, special mechanisms and procedures demand high levels of security. This subproject focuses on how to specify security requirements, in particular with attribute-based cryptography in mind. Attribute-based cryptography is considered a key technology for the financial cloud. In addition to technological approaches to security, the socio-technical nature of the financial cloud requires consideration of human users, and thus, manual security processes.

Software architecture

The architecture for cloud infrastructure for financial services requires integration of the cloud solutions with standards and mechanisms, which have been established for decades in the financial sector. This integration is an important challenge that must be solved in order to achieve security and efficiency for the financial cloud.

"Codes and Cryptography"'s contribution to SFC

An important aspect of a secure cloud architecture for financial services is access control for sensitive data. In this project, attribute-based cryptography is the technology of choice to realize access control, allowing for cryptographic enforcement of access structures based on attributes and policies. In contrast to classical approaches, with attribute-based encryption every user holds only one key and data needs to be encrypted only once, while only users authorized to access the specific data can do so. This reduces the overhead in memory and key management and removes the need for an authority that grants access to data based on access control lists, which, in turn, simplifies the processes required to achieve and maintain security.

In this project, the task of research group "Codes and Cryptography" is to develop efficient attribute-based schemes for the financial cloud and to analyze the security of such schemes. Besides efficiency and security, integration of higher level security processes is an important aspect of our work.

Cryptographic keys for the financial cloud need strong protection. For this task, special purpose hardware, like smart cards and hardware security modules (HSM), is used. Another aspect of our work is to identify bilinear pairings, as required by attribute-based schemes, to be implemented to efficiently run on such special purpose hardware.

Like other cloud systems, the financial cloud and its underlying infrastructure are subject to a potentially hostile environment. This opens up the system to side-channel attacks, i.e. leakage of information on cryptographic keys based on the time or energy consumption of concrete implementations of cryptographic schemes. Identifying side-channels is a challenging task as it requires consideration of combinations of hardware and software. We will identify side-channels of the aforementioned hardware implementations of bilinear pairings. Based on our findings, we will develop software countermeasures to prevent side-channel attacks.

Publications

A Practical Second-Order Fault Attack against a Real-World Pairing Implementation
J. Blömer, R. Gomes da Silva, P. Günther, J. Krämer, J.-P. Seifert, in: Proceedings of Fault Tolerance and Diagnosis in Cryptography (FDTC), 2014, pp. 123–136.
Attributbasierte Verschlüsselung mittels Gittermethoden - Mathematische Grundlagen, Verfahren und Sicherheitsbeweise
K. Kohn, Attributbasierte Verschlüsselung mittels Gittermethoden - Mathematische Grundlagen, Verfahren und Sicherheitsbeweise, Universität Paderborn, 2013.
Attribute-Based Encryption as a Service for Access Control in Large-Scale Organizations
J. Blömer, P. Günther, V. Krummel, N. Löken, in: Foundations and Practice of Security, Springer International Publishing, Cham, 2017, pp. 3–17.
Attribute-basierte Verschlüsselung
P. Schleiter, Attribute-basierte Verschlüsselung, Universität Paderborn, 2012.
Elektromagnetische Seitenkanalangriffe auf paarungsbasierte Kryptographie
B. Gerken, Elektromagnetische Seitenkanalangriffe auf paarungsbasierte Kryptographie, Universität Paderborn, 2015.
Evaluation of Pairing Optimization for Embedded Platforms
M. Sosniak, Evaluation of Pairing Optimization for Embedded Platforms, Universität Paderborn, 2015.
Fault attacks in pairing-based cryptography
G. Liske, Fault Attacks in Pairing-Based Cryptography, Universität Paderborn, 2011.
Fujisaki-Okamoto Transformation
J. Lippert, Fujisaki-Okamoto Transformation, Universität Paderborn, 2014.
Hiding software components using functional encryption
J. Jochheim, Hiding Software Components Using Functional Encryption, Universität Paderborn, 2014.
Implementing Cryptographic Pairings on Accumulator Based Smart Card Architectures
P. Günther, V. Krummel, in: Mathematical Aspects of Computer and Information Sciences, Springer International Publishing, Cham, 2016, pp. 151–165.
Searchable Encryption with Access Control
N. Löken, in: Proceedings of the 12th International Conference on Availability, Reliability and Security - ARES ’17, ACM Press, 2017.
Seitenkanalresistenz paarungsbasierter Kryptographie
O. Otte, Seitenkanalresistenz paarungsbasierter Kryptographie, Universität Paderborn, 2013.
Singular Curve Point Decompression Attack
J. Blömer, P. Günther, in: 2015 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), IEEE, 2016.
Tampering attacks in pairing-based cryptography
J. Blömer, P. Günther, G. Liske, in: Proceedings of Fault Tolerance and Diagnosis in Cryptography (FDTC), 2014, pp. 1–7.
Verteilte Erstellung und Aktualisierung von Schlüsselservern in identitätsbasierten Verschlüsselungssystemen
A. Tezer, Verteilte Erstellung und Aktualisierung von Schlüsselservern in identitätsbasierten Verschlüsselungssystemen, Universität Paderborn, 2013.