Design and Implementation of the Ephemerizer System

Abstract: This thesis describes the system design and implementation of the secure Ephemerizer System that was first introduced by Radia Perlman in 2005. The system is designed to enable users to keep data for a finite period of time before making the data unrecoverable by destroying the keys with which the data was encrypted. The task of the Ephemerizer System service is to create, advertise, and destroy keys required for the Ephemerizer System's functionalities. We designed the Ephemerizer System Service's security by placing the sensitive key management modules into a Trusted Computing Base (TCB). Our compartmentalized approach distributes security requirements at different sensitivity levels into different protection domains. In our approach, we implement the trusted protection domain (our TCB) on a tamper-resistant Javacard. We placed the key storage database into the partly trusted protection domain to improve scalability and availability of the Ephemerizer System. The partly trusted protection domain requires memory isolation and other security mechanisms provided by the underlying operating system. We implemented several mechanisms on the TCB, such as the signature engine, cryptographic modules, the on-card expiration validator, and on-card time verification. We make the Ephemerizer System available to users as a web service and expose it though a uniform API. This approach enables the seamless integration of the Ephemerizer System into business processes on heterogeneous platforms.