Limited Use Cryptographic Tokens in Securing Ephemeral Cloud Servers

Gautam Kumar, Brent Lagesse


Many enterprises and consumers today are dependent on services deployed on Infrastructure as a Service (IaaS) cloud providers. Such cloud deployments can have hundreds of virtual servers running. Each virtual server needs to have access to sensitive information such as database passwords and API keys. In such as scenario, verifying that a large number of servers have not been compromised is an arduous task. In this paper we propose an architecture which limits the extent to which an attacker can exploit a compromised server in a large scale cloud deployment. To achieve such a limitation we propose the use of hash chains as an authentication mechanism for virtual server with a Central Trusted Authority (CTA) acting as a proxy to sensitive resources. This architecture shifts the requirement of security validation from hundreds of public facing servers to a few servers without public interfaces which comprise the CTA. Since hash chains offer an inherent limitation in their use, our architecture leans towards using ephemeral virtual servers, thus also providing a moving target defence.


  1. Aksari, Y. and Artuner, H. (2009). Active authentication by mouse movements. In Computer and Information Sciences, 2009. ISCIS 2009. 24th International Symposium on, pages 571-574. IEEE.
  2. Basiri, A., Behnam, N., Rooij, R. d., Hochstein, L., Kosewski, L., Reynolds, J., and Rosenthal, C. (2016). Chaos Engineering. IEEE Software, 33(3):35-41.
  3. Bilge, L. and Dumitras, T. (2012). Before we knew it: an empirical study of zero-day attacks in the real world. In Proceedings of the 2012 ACM conference on Computer and communications security, pages 833-844. ACM.
  4. Chalkias, K. and Stephanides, G. (2006). Timed release cryptography from bilinear pairings using hash chains. In Communications and Multimedia Security, pages 130-140. Springer.
  5. Chen, R., Reznichenko, A., Francis, P., and Gehrke, J. (2012). Towards statistical queries over distributed private user data. In Presented as part of the 9th USENIX Symposium on Networked Systems Design and Implementation (NSDI 12), pages 169-182.
  6. Dunlop, M., Groat, S., Urbanski, W., Marchany, R., and Tront, J. (2011). MT6d: A Moving Target IPv6 Defense. In 2011 - MILCOM 2011 Military Communications Conference, pages 1321-1326.
  7. Evans, D., Nguyen-Tuong, A., and Knight, J. (2011). Effectiveness of Moving Target Defenses. In Jajodia, S., Ghosh, A. K., Swarup, V., Wang, C., and Wang, X. S., editors, Moving Target Defense, number 54 in Advances in Information Security, pages 29-48. Springer New York. DOI: 10.1007/978-1-4614-0977-9 2.
  8. Green, M., MacFarland, D. C., Smestad, D. R., and Shue, C. A. (2015). Characterizing Network-Based Moving Target Defenses. In Proceedings of the Second ACM Workshop on Moving Target Defense, MTD 7815, pages 31-35, New York, NY, USA. ACM.
  9. Harms, R. and Yamartino, M. (2010). The economics of the cloud. Microsoft whitepaper, Microsoft Corporation.
  10. Kampanakis, P., Perros, H., and Beyene, T. (2014). SDNbased solutions for Moving Target Defense network protection. In World of Wireless, Mobile and Multimedia Networks (WoWMoM), 2014 IEEE 15th International Symposium on a, pages 1-6.
  11. Lamport, L. (1981). Password authentication with insecure communication. Communications of the ACM, 24(11):770-772.
  12. Li, F., Clarke, N., Papadaki, M., and Dowland, P. (2014). Active authentication for mobile devices utilising behaviour profiling. International journal of information security, 13(3):229-244.
  13. Libert, B. and Vergnaud, D. (2008). Tracing Malicious Proxies in Proxy Re-encryption. In Galbraith, S. D. and Paterson, K. G., editors, Pairing-Based Cryptography Pairing 2008, number 5209 in Lecture Notes in Computer Science, pages 332-353. Springer Berlin Heidelberg. DOI: 10.1007/978-3-540-85538-5 22.
  14. lyft (2015). Confidant: Your secret keeper. A library to store and retrive senstive configuration within a central trusted authority encrypted at rest using Amazon KMS.
  15. McCune, J. M., Parno, B. J., Perrig, A., Reiter, M. K., and Isozaki, H. (2008). Flicker: An execution infrastructure for TCB minimization. In ACM SIGOPS Operating Systems Review, volume 42, pages 315-328. ACM.
  16. Panwar, A., Patidar, R., and Koshta, V. (2011). Layered security approach in cloud. In 3rd International Conference on Advances in Recent Technologies in Communication and Computing (ARTCom 2011), pages 214- 218.
  17. Parno, B., McCune, J. M., and Perrig, A. (2010). Bootstrapping trust in commodity computers. In 2010 IEEE Symposium on Security and Privacy, pages 414-429. IEEE.
  18. Randles, M., Lamb, D., and Taleb-Bendiab, A. (2010). A Comparative Study into Distributed Load Balancing Algorithms for Cloud Computing. In 2010 IEEE 24th International Conference on Advanced Information Networking and Applications Workshops (WAINA), pages 551-556.
  19. Risk Based and Security (2014). An Executives Guide to 2013 Data Breach Trends. Presentation, Risk Based Security.
  20. Rogaway, P. and Shrimpton, T. (2004). Cryptographic Hash-Function Basics: Definitions, Implications, and Separations for Preimage Resistance, SecondPreimage Resistance, and Collision Resistance. In Roy, B. and Meier, W., editors, Fast Software Encryption, number 3017 in Lecture Notes in Computer Science, pages 371-388. Springer Berlin Heidelberg. DOI: 10.1007/978-3-540-25937-4 24.
  21. Vaquero, L. M., Rodero-Merino, L., and Buyya, R. (2011).
  22. Dynamically Scaling Applications in the Cloud. SIGCOMM Comput. Commun. Rev., 41(1):45-52.
  23. Wichers, D. (2014). OWASP Top-10 2013. OWASP Foundation, February.
  24. Yi, X. and Wang, W. (2012). The Cloud Access Control Based on Dynamic Feedback and Merkle Hash Tree. In 2012 Fifth International Symposium on Computational Intelligence and Design (ISCID), volume 1, pages 217-221.
  25. Yiu, M. L., Lo, E., and Yung, D. (2011). Authentication of moving kNN queries. In 2011 IEEE 27th International Conference on Data Engineering, pages 565- 576. IEEE.

Paper Citation

in Harvard Style

Kumar G. and Lagesse B. (2017). Limited Use Cryptographic Tokens in Securing Ephemeral Cloud Servers . In Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-209-7, pages 447-454. DOI: 10.5220/0006208704470454

in Bibtex Style

author={Gautam Kumar and Brent Lagesse},
title={Limited Use Cryptographic Tokens in Securing Ephemeral Cloud Servers},
booktitle={Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,},

in EndNote Style

JO - Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,
TI - Limited Use Cryptographic Tokens in Securing Ephemeral Cloud Servers
SN - 978-989-758-209-7
AU - Kumar G.
AU - Lagesse B.
PY - 2017
SP - 447
EP - 454
DO - 10.5220/0006208704470454