Data In Transit Protection With Exclusive Control Of Keys And Certificates Across Heterogeneous Distributed Computing Environments
- 26 Jun 2023
As a part of the Quantum-Safe Cloud and Systems group at IBM Research, Zurich, I work on applied security focusing on key/secrets management, PKI, HSMs and securing applications against threats from a quantum computer. Hands-on with contributions to IBM Cloud Key Protect, Hyper Protect Crypto Service, Secrets Manager and IBM Kubernetes Service.
Enabled Quantum Safe (Q-Safe) support in different frameworks and components. Specifically, Q-Safe TLS in Postgres, Java-based Netty, Java gRPC, Envoy, a full implementation of a Q-Safe service mesh for OpenShift clusters, and a Q-Safe PKI implementation in HashiCorp Vault.
Led the design and implementation of a private PKI with different crypto backends for IBM Cloud Secrets Manager with support for HPCS, Thales and Marvell HSMs.
Led the design and implementation of certificate life cycle management using the ACME protocol with asynchronous issuance and automated renewal.
Co-led the implementation and delivered TLS handshake termination using Hyper Protect Crypto Service (HPCS). TLS establishment is transparently intercepted by a custom implementation of an OpenSSL engine that forwards signature requests to the HSM holding the private key, enabling TLS termination without the risk of exposing long-term private keys.
Co-led the design and led the implementation of a performant and scalable middleware for Hardware Security Modules (HSMs). These additions increased the throughput for key operations by 3x to 10x, and latency by a factor of 50.
Contributed to the enablement of the first Hyper Protect Crypto Service (HPCS) demo at THINK-2018, and was the key enabling factor to ramp the HPCS product offering in IBM Cloud.
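The interception pattern described above, as an added Go example that is not the page's or IBM's code: Go's crypto.Signer interface plays the role of the OpenSSL engine, so the TLS stack hands the CertificateVerify digest to a signer object and never touches the private key. The in-process hsmSigner, the example.test name and the in-memory net.Pipe are constructed stand-ins for the HSM and the network.

```go
package main
import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"io"
	"math/big"
	"net"
	"time"
)
// hsmSigner stands in for the HSM-backed engine: the key is generated and kept here only
// (constructed for the example; a real HSM never exports it); TLS sees only Public and Sign.
type hsmSigner struct {
	priv  *ecdsa.PrivateKey
	Calls int // signature requests forwarded by the TLS stack
}
func (h *hsmSigner) Public() crypto.PublicKey { return &h.priv.PublicKey }
func (h *hsmSigner) Sign(r io.Reader, digest []byte, _ crypto.SignerOpts) ([]byte, error) {
	h.Calls++ // in production this call is the round trip to the HSM
	return ecdsa.SignASN1(r, h.priv, digest)
}
func check(err error) { if err != nil { panic(err) } }
// Handshake terminates one TLS 1.3 handshake over an in-memory pipe with the server key held only by hsmSigner.
func Handshake() int {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	h := &hsmSigner{priv: key}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example.test"},
		DNSNames: []string{"example.test"}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, h.Public(), h) // self-signed through the signer
	check(err)
	leaf, err := x509.ParseCertificate(der); check(err)
	pool := x509.NewCertPool(); pool.AddCert(leaf) // client trusts exactly this certificate
	h.Calls = 0 // count handshake signatures only, not the certificate signing above
	c, s := net.Pipe()
	srv := tls.Server(s, &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: h}},
		MinVersion: tls.VersionTLS13, SessionTicketsDisabled: true})
	cli := tls.Client(c, &tls.Config{RootCAs: pool, ServerName: "example.test", MinVersion: tls.VersionTLS13})
	errc := make(chan error, 1)
	go func() { errc <- srv.Handshake() }()
	check(cli.Handshake())
	check(<-errc)
	return h.Calls // exactly one: the server's CertificateVerify signature
}
```

The returned count of 1 shows that a full handshake needs a single signature from the key holder, which is the only operation an HSM-backed deployment has to expose.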