STYX: A Hierarchical Key Management System Oriented to Elastic Content Delivery Networks on Public Clouds
IEEE Transactions on Dependable and Secure Computing (IF 7.0), Pub Date: 2019-01-01, DOI: 10.1109/tdsc.2019.2918278
XiaoKang Hu , Jian Li , ChangZheng Wei , WeiGang Li , Xin Zeng , Ping Yu , Haibing Guan

Hosting content delivery networks (CDNs) on clouds has the potential to improve performance, as resources and caches can be placed closer to subscribers. However, avoiding data leakage on an untrusted public cloud is critical, especially for sensitive data such as the SSL private key. The popular Keyless SSL solution allows content owners to retain on-premise custody of SSL private keys on their own key servers, but it is likely to cause a performance bottleneck and to impede the elasticity of CDNs. This paper describes a novel key management system, named STYX, for transmitting trusted data over untrusted channels and storing it on untrusted platforms. STYX accomplishes secure key provisioning for CDN scale-out, and the key is securely protected, with full revocation rights, for CDN scale-in. STYX is implemented as a three-phase hierarchical key management scheme that leverages Intel Software Guard Extensions (SGX) and QuickAssist Technology (QAT). Furthermore, STYX supports CDN services by integrating Nginx as the SSL termination proxy and the popular Redis/Memcached/Apache as backend caching engines. The performance evaluation shows that STYX significantly outperforms native HTTPS servers on the CDN node thanks to QAT acceleration, providing up to a 5x improvement in throughput and a 50% reduction in latency.

Updated: 2019-01-01