Leveraging Intel SGX to Create a Nondisclosure Cryptographic library

TL;DR

This paper presents a secure cryptographic library leveraging Intel SGX enclaves to protect cryptographic keys and computations, enhancing confidentiality and integrity for online services.

Contribution

It introduces a novel approach to implement cryptographic operations within SGX enclaves, maintaining a small TCB and securely handling keys.

Findings

Keys are securely stored inside enclaves

Cryptographic operations are performed within protected regions

Open source implementation available at GitHub

Abstract

Enforcing integrity and confidentiality of users' application code and data is a challenging mission that any software developer working on an online production grade service is facing. Since cryptology is not a widely understood subject, people on the cutting edge of research and industry are always seeking for new technologies to naturally expand the security of their programs and systems. Intel Software Guard Extension (Intel SGX) is an Intel technology for developers who are looking to protect their software binaries from plausible attacks using hardware instructions. The Intel SGX puts sensitive code and data into CPU-hardened protected regions called enclaves. In this project we leverage the Intel SGX to produce a secure cryptographic library which keeps the generated keys inside an enclave restricting use and dissemination of confidential cryptographic keys. Using enclaves to store the keys we maintain a small Trusted Computing Base (TCB) where we also perform computation on temporary buffers to and from untrusted application code. As a proof of concept, we implemented hashes and symmetric encryption algorithms inside the enclave where we stored hashes, Initialization Vectors (IVs) and random keys and open sourced the code (https://github.com/hmofrad/CryptoEnclave).