Blog |Follow Nick on Twitter| About
 

I've had an idea, whether it's a good one or not is yet to be seen; one of the big issues to cloud application and servers is encryption key management, there is a simple chicken n egg issue, if the secret key is on the server/application then it's a vector to be attacked if the key isn't then usability issues exist.

My idea is a CA / DH kinda thing, what if the actual key used for encryption was derived from the cloud it's self, the basic premise is adding an extra layer to be compromised in order for an attacker to decypt the data.

Using RedHat's new OpenShift service I've knocked up a demo -> secretkey-linickx.rhcloud.com. ~~The demo is over HTTP (not HTTPS) so~~ You wouldn't use the demo in production probably because you do not trust me but I've pushed the code to github -> github.com/linickx/secretkey for users/dev/people/someone to take a copy and have a play.

Comments welcome, Pull requests preferred!

2011-07-26 UPDATE: Openshift has SSL termination, HTTPS does work, however as seen in my commit log the PHP cannot detect it as the SSL is being handled by a proxy.

 

 
Nick Bettison ©