Integrating Remote Attestation with Transport Layer Security
Thomas Knauth, Michael Steiner, Somnath Chakrabarti, Li Lei, Cedric Xing, Mona Vij

TL;DR
This paper presents a method to integrate Intel SGX remote attestation into standard TLS connections without modifying existing protocols, enhancing secure communication in untrusted environments.
Contribution
It introduces a seamless integration of remote attestation with TLS, enabling attested secure channels without changing the TLS protocol or modifying existing protocol implementations.
Findings
Prototype implementations for OpenSSL, wolfSSL, and mbedTLS
Successful integration of remote attestation into TLS setup
No changes needed for existing TLS protocol implementations
Abstract
Intel(R) Software Guard Extensions (Intel(R) SGX) is a promising technology to securely process information in otherwise untrusted environments. An important aspect of Intel SGX is the ability to perform remote attestation to assess the endpoint's trustworthiness. Ultimately, remote attestation will result in an attested secure channel to provision secrets to the enclave. We seamlessly combine Intel SGX remote attestation with the establishment of a standard Transport Layer Security (TLS) connection. Remote attestation is performed during the connection setup. To achieve this, we neither change the TLS protocol, nor do we modify existing protocol implementations. We have prototype implementations for three widely used open-source TLS libraries: OpenSSL, wolfSSL and mbedTLS. We describe the requirements, design and implementation details to seamlessly bind attested TLS endpoints to…
Taxonomy
Topics: Security and Verification in Computing · Cloud Data Security Solutions · Advanced Malware Detection Techniques
