Blindfold: Keeping Private Keys in PKIs and CDNs out of Sight
Hisham Galal, Mohammad Mannan, Amr Youssef

TL;DR
Blindfold leverages trusted execution environments to securely generate and manage private keys in PKI and CDN setups, preventing exposure to malicious actors and untrusted software, thus enhancing security without significant performance loss.
Contribution
This paper introduces Blindfold, a novel system that protects private keys in HTTPS/TLS infrastructures using trusted execution environments, addressing a critical security gap in CDN-integrated PKI.
Findings
Blindfold slightly outperforms SoftHSM in key generation by 1%.
Blindfold's certificate issuance performance is within 0.01% of SoftHSM.
Prototype implementation demonstrates practical feasibility and efficiency.
Abstract
Public key infrastructure (PKI) is a certificate-based technology that helps in authenticating systems' identities. HTTPS/TLS relies mainly on PKI to minimize fraud over the Internet. Nowadays, websites utilize CDNs to improve user experience, performance, and resilience against cyber attacks. However, combining HTTPS/TLS with CDNs has raised new security challenges. In any PKI system, keeping private keys private is of utmost importance. However, it has become the norm for CDN-powered websites to violate that fundamental assumption. Several solutions have been proposed to make HTTPS CDN-friendly. However, protection of private keys from the very instance of generation, and how they can be made secure against exposure by malicious (CDN) administrators and malware, remain unexplored. We utilize trusted execution environments to protect private keys by never exposing them to human operators…
