SECURING SECRETS WITH HYBRID ENCRYPTION AND DIGITAL SIGNATURE SCHEME IN KUBERNETES
Main Author: | |
---|---|
Format: | Final Project |
Language: | Indonesia |
Online Access: | https://digilib.itb.ac.id/gdl/view/74110 |
Institution: | Institut Teknologi Bandung |
Summary: Kubernetes is well known for solving the complexity of managing container-based applications. As that problem is solved, however, the security complexity increases, especially in Kubernetes secret management. Poor secret management can lead to secret leaks with potentially fatal consequences; from 2018 to 2021 there were several cases of secret leaks in Kubernetes.

To overcome these problems, a solution is proposed based on the problem analysis conducted. The problem involves the confidentiality and integrity of secret storage and usage in Kubernetes. The solution to the confidentiality problem is to encrypt secrets at rest using a hybrid encryption scheme with the RSA-OAEP and AES-GCM algorithms. This solution is chosen because the current symmetric encryption capability of Kubernetes is considered not to solve the existing problems. The solution to the integrity problem is a digital signature scheme using the RSA algorithm, because Kubernetes has no integrity assurance mechanism for secrets. The solution also includes a logging mechanism for secret-related operations. It is implemented as additional Kubernetes components named Kube-Encryptor and Kube-Decryptor.

The implemented solution went through a series of tests and evaluations. The test results show that the solution successfully performs secret encryption, decryption, signing, verification, and logging of the related operations. The evaluation results show that the solution solves the existing problems, and the proposed design is successfully integrated with the other components of the final capstone project. However, residual risk identification shows that some problems remain that were not identified in the problem and solution analysis. At the end of this final project, several suggestions are given for further development of the application, including resolving the residual risks.