WO2020078534A1 - Node and method for secure server communication - Google Patents

Node and method for secure server communication Download PDF

Info

Publication number
WO2020078534A1
WO2020078534A1 PCT/EP2018/078148 EP2018078148W WO2020078534A1 WO 2020078534 A1 WO2020078534 A1 WO 2020078534A1 EP 2018078148 W EP2018078148 W EP 2018078148W WO 2020078534 A1 WO2020078534 A1 WO 2020078534A1
Authority
WO
WIPO (PCT)
Prior art keywords
node
enclave
certificate
public key
client
Prior art date
Application number
PCT/EP2018/078148
Other languages
French (fr)
Inventor
Dan Touitou
Naor SHLOMO
Avigail Oron
Original Assignee
Huawei Technologies Co., Ltd.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co., Ltd. filed Critical Huawei Technologies Co., Ltd.
Priority to CN201880098755.6A priority Critical patent/CN113261252B/en
Priority to PCT/EP2018/078148 priority patent/WO2020078534A1/en
Priority to EP18786776.7A priority patent/EP3857838A1/en
Publication of WO2020078534A1 publication Critical patent/WO2020078534A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • H04L63/126Applying verification of the received information the source of the received data

Definitions

  • the present invention relates to the communications field, and to a node and a method for securely communicating with a server in a network.
  • TEE Trusted Execution Environment
  • SGX Software Guard Extensions
  • AMD AMD’s Secure Memory Encryption
  • SME Secure Memory Encryption
  • Attestation - the protected application has the ability to prove to a third party it is communicating with its identity, i.e. that it is indeed a specific program running in the TEE.
  • SGX performs attestation by using a dedicated protocol through which the protected code, the enclave, generates a signed report.
  • This report usually contains a hash of a public key and can be verified e.g. by InteEs Enhanced Privacy ID (EPID) system.
  • EPID Enhanced Privacy ID
  • the enclave may send the signed report and the public key to the third party, which will verify the report authenticity, checks that the hash of the public key is equivalent to the hash included in the report and then uses that public key to generate a shared secret based channel with the enclave.
  • Transport Layer Security Currently the standard way for clients to securely communicate with a server based on HTTPS-technology is via the cryptographic protocol named Transport Layer Security (TLS).
  • TLS Transport Layer Security
  • the server provides the client with an x.509 certificate.
  • the certificate contains a public key and a subject name and its authenticity is proved by a Certificate Authority signature.
  • the client and the server Upon reception and verification of the certificate the client and the server generate a shared secret that will be used for the continuation of the session.
  • the TEE attestation is not standard and cannot be utilized directly by an HTTPS-client. According to SGX-specifications, the way to fill this gap is to provide the enclave with a private key of a signed certificate, in other words the expectation is that the administrator securely connects with the enclave and after attestation protocol provides the enclave with a signed certificate and the certificate’s private key.
  • TEE attestation is performed by using a dedicated protocol through which the protected code, the enclave, generates a signed report.
  • This report usually contains a hash of a public key and can be verified by Intel EPID system.
  • Intel EPID system is not supported by standard clients which expect to get an x.509 certificate.
  • the present invention aims to allow a client to access a trusted service in a network without adding functionality to either the client TLS stack or the browser.
  • the present invention has the object to provide a new type of network node acting as a new certificate authority, whose signature attests that a public key provided to it belongs to a specific enclave.
  • a further object is to provide the new certificate authority as a new layer of attestation to existing network nodes operating as a certificate authorities.
  • the aim is to provide a trust certificate authority (TCA), which enforces a protocol through which the TCA attests to a client the authenticity of a specific enclave that belongs to a specific domain name.
  • TCA trust certificate authority
  • a first aspect of the present invention provides a node for allowing a client node to access a trusted service provided by another node in a network, configured to sign a certificate to certify the ownership of a public key, wherein the public key is owned by an enclave of a trusted execution environment, TEE, in the another node and a code to be executed for providing the trusted service to the client node is protected in the enclave; and make the signed certificate available to the client node.
  • This node executes the necessary measures instead of a client node to prove that a public key belongs to a specific enclave and not a potentially malicious man-in-the-middle.
  • the format of the certificate comprises an additional protocol layer on top of the attestation protocol according to the X.509 standard.
  • a client node does not need to be modified, because the client node receives a certificate according to the X.509 standard.
  • a second aspect of the present invention provides a system for allowing a client to access a trusted service provided by another node in a network, comprising a node according to the first aspect; another node, whereby the another node comprises a trusted execution environment, TEE, wherein a code to be executed for providing the trusted service to the client node and data is protected in the enclave; an administrator node of the another node; and an attestation authority node.
  • TEE trusted execution environment
  • the administrator node is configured to connect to the enclave, verify the authenticity of the enclave, and provide the enclave with a private key of the certificate of the another node;
  • the enclave is configured to generate a random public key and create a signed report containing a hash of the public key, connect to the node and demonstrate to the node that the enclave belongs to the another node by using the private key of the another node, and provide the node with the signed report;
  • the node is further configured to verify the authenticity of the signed report by using an enhanced privacy ID, EPID, algorithm in an attestation authority node; and sign the certificate with a named subject, wherein the named subject comprises the enclave’s hash value.
  • This implementation form of a system for allowing a client to access a trusted service provided by another node in a network employs four nodes or entities, namely the node, another node, an administrator node and an attestation authority node, to ensure that an unmodified client node based on the HTTPS -standard may access a trusted service provided by another node in a safe manner, since the authenticity of the trusted service is assured by the interaction of the four node resulting in a certificate signed by the node and provided to a client node.
  • a third aspect of the present invention provides a method for allowing a client to access a trusted service provided by another node in a network, comprising the steps of signing, by a node, a certificate to certify the ownership of a public key, whereby the public key is owned by an enclave of a trusted execution environment, TEE, in the another node and a code to be executed for providing the trusted service to the client node and data is protected in the enclave; and making the signed certificate available to the client node.
  • TEE trusted execution environment
  • the method further comprises the steps of connecting, by an administrator of the another node, to the enclave; verifying, by the administrator, the authenticity of the enclave; providing, by the administrator, the enclave with a private key of the certificate of the another node; generating, by the enclave, a random public key and creating a signed report containing a hash of the public key;
  • the step of signing, by the node, the certificate to certify the ownership of a public key comprises signing the certificate with a named subject, wherein the named subject comprises the enclave’s hash value.
  • the creating of a signed report containing a hash of the private key is carried out via a quoting enclave.
  • a forth aspect of the present invention provides a computer program product comprising program code for controlling a node according to the first or second aspect, or for performing, when implemented on a processor, a method according to the third aspect.
  • Fig. 1 shows a node according to an embodiment of the present invention.
  • Fig. 2 shows a system according to an embodiment of the present invention.
  • Fig. 3 shows a method according to an embodiment of the present invention.
  • Fig. 4 shows another method according to an embodiment of the present invention.
  • Fig. 1 shows a node 100 according to an embodiment of the present invention.
  • the node 100 is suitable for allowing a client node to access a trusted service provided by another node in a network and comprises two units.
  • the first unit 101 is configured to sign a certificate to certify the ownership of a public key, wherein the public key is owned by an enclave of a trusted execution environment, TEE, in the another node and a code to be executed for providing the trusted service to the client node is protected in the enclave.
  • the second unit 102 is configured to make the signed certificate available to the client node.
  • the certificate may be a certificate, which an enclave running in the another node provides to the node's first unit 101 to demonstrate that it is an authentic part of a web domain (e.g. example.com) which a client node wants to securely access without risking to expose sensitive data to a man-in-the-middle purporting to be the trusted service.
  • a web domain e.g. example.com
  • the first unit 101 of the node 100 acting as a new trusted certificate authority is configured to provide a signature to the certificate proving to the client node that a public key, which the client intends to use to generate a shared secret based channel with the enclave of another node providing a trusted service, is indeed from the specific enclave and not from an impostor.
  • Fig. 2 shows a system 200 according to an embodiment of the present invention.
  • the system comprises four nodes in a network, which may be employed to allow a client node (not shown) to access a trusted service provided by an (SGX, SME) enclave running in another node 203: an attestation authority node 201, a trusted certification authority (TCA) 202, which has been referred to as the node 100 in Fig. 1, an TEE enclave running in the another node 203 and an administrator node 204, which administrates the another node 203.
  • TCA trusted certification authority
  • the above introduced nodes may be configured to cooperate in the following way to allow a client to access a trusted service without adding functionality to either the client TLS stack or Browser. It is assumed that the enclave, to which the client intends to reveal sensitive data, is part of a web domain (e.g. example.com):
  • An administrator node“Admin” or 204 of a web domain providing services to web clients is configured to connect to one of potentially a plurality of enclaves, which are entities designed to ensure integrity of data and proving to appropriately configured clients their identity and to verify the authenticity of the particular enclave, meaning that it is member of a“family” of enclaves or nodes which belong to a domain and are authorized to provide services by the administrator.
  • the administrator node 204 may provide it with an according certificate of the web domain, wherein the certificate comprises a (secret) private key of the administrator 204.
  • the specific enclave 203 is configured to generate a random public key and to create via a quoting enclave a signed report containing a hash of the public key according to SGX specifications.
  • the enclave 203 is further configured to connect to the TCA 202, to demonstrate that it belongs to the particular web domain by using the web domain certificate, which it has received from the administrator 204 and to provide the TCA 202 with the signed report.
  • the TCA 202 is configured to verify the authenticity of the signed report according to Intel 's Enhanced Privacy ID (EPID) algorithm.
  • EPID Enhanced Privacy ID
  • the TCA 202 is further configured to sign the certificate with a subject name, which comprises the enclave’s hash value of the public key, when the signed report has been verified by the TCA 202.
  • the subject name may comprise a URL composed of the enclave’s hash value of the public key and the web domain (e.g. enclavehash.example.com).
  • the signed certificate now provides proof to a client node that the public key from the enclave has indeed been issued by the same enclave.
  • Fig. 3 shows a method 300 for allowing a client to access a trusted service provided by another node in a network according to an embodiment of the present invention, wherein the method comprises the steps of signing 301, by a node, a certificate to certify the ownership of a public key, whereby the public key is owned by an enclave of a trusted execution environment, TEE, in the another node and a code to be executed for providing the trusted service to the client node and data is protected in the enclave; and making 302, by the node, the signed certificate available to the client node.
  • TEE trusted execution environment
  • Fig. 4 shows a method 400 for allowing a client to access a trusted service provided by another node in a network according to another embodiment of the present invention, wherein the method 300 further comprises the steps of connecting 401, by an administrator of the another node, to the enclave; verifying, by the administrator, the authenticity of the enclave; providing, by the administrator, the enclave with a private key of the certificate of the another node; generating 402, by the enclave, a random public key and creating a signed report containing a hash of the public key; connecting 403, by the enclave, to the node and demonstrating to the node that the enclave belongs to the another node by using the private key of the another node; providing 404, by the enclave, the node with the signed report; verifying 405, by the node, the authenticity of the signed report by using an enhanced privacy ID, EPID, algorithm in an attestation authority node; and wherein the step of signing 301, by the no

Abstract

The present invention provides a node (100) which is suitable for allowing a client node to access a trusted service provided by another node in a network and comprises two units. The first unit (101) is configured to sign a certificate to certify the ownership of a public key, wherein the public key is owned by an enclave of a trusted execution environment, TEE, in the another node and a code to be executed for providing the trusted service to the client node is protected in the enclave. The second unit (102) is configured to make the signed certificate available to the client node. The certificate may be a certificate, which an enclave running in the another node provides to the node´s first unit (101) to demonstrate that it is an authentic part of a web domain (e.g. example.com) which a client node wants to securely access without risking to expose sensitive data to a man-in-the-middle purporting to be the trusted service.

Description

NODE AND METHOD FOR SECURE SERVER COMMUNICATION
TECHNICAL FIELD The present invention relates to the communications field, and to a node and a method for securely communicating with a server in a network.
BACKGROUND
A Trusted Execution Environment, TEE, such as InteEs Software Guard Extensions, SGX, technology or AMD’s Secure Memory Encryption, SME, is a secure area inside a main processor that ensures that an application running in it has the following properties:
1. Code immutability - logic of the protected application cannot be altered
2. Data confidentiality - application data cannot be accessed
3. Attestation - the protected application has the ability to prove to a third party it is communicating with its identity, i.e. that it is indeed a specific program running in the TEE.
SGX performs attestation by using a dedicated protocol through which the protected code, the enclave, generates a signed report. This report usually contains a hash of a public key and can be verified e.g. by InteEs Enhanced Privacy ID (EPID) system. In order to communicate with a third party the enclave may send the signed report and the public key to the third party, which will verify the report authenticity, checks that the hash of the public key is equivalent to the hash included in the report and then uses that public key to generate a shared secret based channel with the enclave.
Currently the standard way for clients to securely communicate with a server based on HTTPS-technology is via the cryptographic protocol named Transport Layer Security (TLS). During a TLS session establishment the server provides the client with an x.509 certificate. The certificate contains a public key and a subject name and its authenticity is proved by a Certificate Authority signature. Upon reception and verification of the certificate the client and the server generate a shared secret that will be used for the continuation of the session.
As we can see, the TEE attestation is not standard and cannot be utilized directly by an HTTPS-client. According to SGX-specifications, the way to fill this gap is to provide the enclave with a private key of a signed certificate, in other words the expectation is that the administrator securely connects with the enclave and after attestation protocol provides the enclave with a signed certificate and the certificate’s private key.
However, this approach is not viable for applications aiming to provide full trust to the customers, because a user wanting to provide his sensitive data to the application cannot differentiate between the enclave and some man-in-the-middle-layer that got the private key from the administrator.
If it is intended to use the TEE technology instead of the above described TLS scheme, the user faces a problem. TEE attestation is performed by using a dedicated protocol through which the protected code, the enclave, generates a signed report. This report usually contains a hash of a public key and can be verified by Intel EPID system. However, this protocol is not supported by standard clients which expect to get an x.509 certificate.
Two ideas attempting to solve this problem have been published:
1) Extension for X.509 certificate (Knaught and alt.) - According to this solution in prior art an enclave adds to the certificate an extension containing a proof that the public key was generated by the enclave. This proof (an EPID signed report) is concatenated with the certificate as an x.509 extension. The main drawback of this approach is that it requires not only to changes the client's TLS stack to support this extension, but also to update it whenever a change in the attestation protocol is made.
2) Add-on for client’s browser (Krawiecka and Alt.) - According to this solution in prior art functionality of the browser is extended enabling it to verify the quote from the enclave and build a trusted channel with it. As well as in solution 1) changes are required on the client side and those changes are required, whenever the enclave attestation protocol is updated. SUMMARY
In view of the above-mentioned problems and disadvantages, the present invention aims to allow a client to access a trusted service in a network without adding functionality to either the client TLS stack or the browser. In particular, the present invention has the object to provide a new type of network node acting as a new certificate authority, whose signature attests that a public key provided to it belongs to a specific enclave. A further object is to provide the new certificate authority as a new layer of attestation to existing network nodes operating as a certificate authorities. Thus, the aim is to provide a trust certificate authority (TCA), which enforces a protocol through which the TCA attests to a client the authenticity of a specific enclave that belongs to a specific domain name.
The object of the present invention is achieved by the solution provided in the enclosed independent claims. Advantageous implementations of the present invention are further defined in the dependent claims.
A first aspect of the present invention provides a node for allowing a client node to access a trusted service provided by another node in a network, configured to sign a certificate to certify the ownership of a public key, wherein the public key is owned by an enclave of a trusted execution environment, TEE, in the another node and a code to be executed for providing the trusted service to the client node is protected in the enclave; and make the signed certificate available to the client node. This node executes the necessary measures instead of a client node to prove that a public key belongs to a specific enclave and not a potentially malicious man-in-the-middle.
In an implementation form of the first aspect, the format of the certificate comprises an additional protocol layer on top of the attestation protocol according to the X.509 standard.
Due to adding an additional protocol layer on top of the attestation protocol according to the X.509 standard instead of extending the X.509 standard, a client node does not need to be modified, because the client node receives a certificate according to the X.509 standard.
A second aspect of the present invention provides a system for allowing a client to access a trusted service provided by another node in a network, comprising a node according to the first aspect; another node, whereby the another node comprises a trusted execution environment, TEE, wherein a code to be executed for providing the trusted service to the client node and data is protected in the enclave; an administrator node of the another node; and an attestation authority node.
In an implementation form of the second aspect, the administrator node is configured to connect to the enclave, verify the authenticity of the enclave, and provide the enclave with a private key of the certificate of the another node; the enclave is configured to generate a random public key and create a signed report containing a hash of the public key, connect to the node and demonstrate to the node that the enclave belongs to the another node by using the private key of the another node, and provide the node with the signed report; and the node is further configured to verify the authenticity of the signed report by using an enhanced privacy ID, EPID, algorithm in an attestation authority node; and sign the certificate with a named subject, wherein the named subject comprises the enclave’s hash value.
This implementation form of a system for allowing a client to access a trusted service provided by another node in a network employs four nodes or entities, namely the node, another node, an administrator node and an attestation authority node, to ensure that an unmodified client node based on the HTTPS -standard may access a trusted service provided by another node in a safe manner, since the authenticity of the trusted service is assured by the interaction of the four node resulting in a certificate signed by the node and provided to a client node.
A third aspect of the present invention provides a method for allowing a client to access a trusted service provided by another node in a network, comprising the steps of signing, by a node, a certificate to certify the ownership of a public key, whereby the public key is owned by an enclave of a trusted execution environment, TEE, in the another node and a code to be executed for providing the trusted service to the client node and data is protected in the enclave; and making the signed certificate available to the client node.
In an implementation form of the third aspect, the method further comprises the steps of connecting, by an administrator of the another node, to the enclave; verifying, by the administrator, the authenticity of the enclave; providing, by the administrator, the enclave with a private key of the certificate of the another node; generating, by the enclave, a random public key and creating a signed report containing a hash of the public key;
connecting, by the enclave, to the node and demonstrating to the node that the enclave belongs to the another node by using the private key of the another node; providing, by the enclave, the node with the signed report; verifying, by the node, the authenticity of the signed report by using an enhanced privacy ID, EPID, algorithm in an attestation authority node; and wherein the step of signing, by the node, the certificate to certify the ownership of a public key comprises signing the certificate with a named subject, wherein the named subject comprises the enclave’s hash value.
In an implementation form of the third aspect, the creating of a signed report containing a hash of the private key is carried out via a quoting enclave.
A forth aspect of the present invention provides a computer program product comprising program code for controlling a node according to the first or second aspect, or for performing, when implemented on a processor, a method according to the third aspect.
It has to be noted that all devices, elements, units and means described in the present application could be implemented in the software or hardware elements or any kind of combination thereof. All steps which are performed by the various entities described in the present application as well as the functionalities described to be performed by the various entities are intended to mean that the respective entity is adapted to or configured to perform the respective steps and functionalities. Even if, in the following description of specific embodiments, a specific functionality or step to be performed by external entities is not reflected in the description of a specific detailed element of that entity which performs that specific step or functionality, it should be clear for a skilled person that these methods and functionalities can be implemented in respective software or hardware elements, or any kind of combination thereof.
BRIEF DESCRIPTION OF DRAWINGS
The above described aspects and implementation forms of the present invention will be explained in the following description of specific embodiments in relation to the enclosed drawings, in which
Fig. 1 shows a node according to an embodiment of the present invention.
Fig. 2 shows a system according to an embodiment of the present invention.
Fig. 3 shows a method according to an embodiment of the present invention. Fig. 4 shows another method according to an embodiment of the present invention.
DETAILED DESCRIPTION OF EMBODIMENTS
Fig. 1 shows a node 100 according to an embodiment of the present invention. The node 100 is suitable for allowing a client node to access a trusted service provided by another node in a network and comprises two units. The first unit 101 is configured to sign a certificate to certify the ownership of a public key, wherein the public key is owned by an enclave of a trusted execution environment, TEE, in the another node and a code to be executed for providing the trusted service to the client node is protected in the enclave. The second unit 102 is configured to make the signed certificate available to the client node. The certificate may be a certificate, which an enclave running in the another node provides to the node's first unit 101 to demonstrate that it is an authentic part of a web domain (e.g. example.com) which a client node wants to securely access without risking to expose sensitive data to a man-in-the-middle purporting to be the trusted service.
However, since a certificate, possibly containing a private key from an administrator of the trusted service, could have been stolen by an imposter of a trusted service, a client node needs proof that the issuer of the certificate is indeed the specific enclave which the client node wants to access. To this end, the first unit 101 of the node 100 acting as a new trusted certificate authority is configured to provide a signature to the certificate proving to the client node that a public key, which the client intends to use to generate a shared secret based channel with the enclave of another node providing a trusted service, is indeed from the specific enclave and not from an impostor.
Fig. 2 shows a system 200 according to an embodiment of the present invention. The system comprises four nodes in a network, which may be employed to allow a client node (not shown) to access a trusted service provided by an (SGX, SME) enclave running in another node 203: an attestation authority node 201, a trusted certification authority (TCA) 202, which has been referred to as the node 100 in Fig. 1, an TEE enclave running in the another node 203 and an administrator node 204, which administrates the another node 203.
In an embodiment the above introduced nodes may be configured to cooperate in the following way to allow a client to access a trusted service without adding functionality to either the client TLS stack or Browser. It is assumed that the enclave, to which the client intends to reveal sensitive data, is part of a web domain (e.g. example.com):
An administrator node“Admin” or 204 of a web domain providing services to web clients is configured to connect to one of potentially a plurality of enclaves, which are entities designed to ensure integrity of data and proving to appropriately configured clients their identity and to verify the authenticity of the particular enclave, meaning that it is member of a“family” of enclaves or nodes which belong to a domain and are authorized to provide services by the administrator. Once the“membership” of the specific enclave 203 to the family is confirmed by the administrator (node), the administrator node 204 may provide it with an according certificate of the web domain, wherein the certificate comprises a (secret) private key of the administrator 204. The specific enclave 203 is configured to generate a random public key and to create via a quoting enclave a signed report containing a hash of the public key according to SGX specifications. The enclave 203 is further configured to connect to the TCA 202, to demonstrate that it belongs to the particular web domain by using the web domain certificate, which it has received from the administrator 204 and to provide the TCA 202 with the signed report. The TCA 202 is configured to verify the authenticity of the signed report according to Intel 's Enhanced Privacy ID (EPID) algorithm. The TCA 202 is further configured to sign the certificate with a subject name, which comprises the enclave’s hash value of the public key, when the signed report has been verified by the TCA 202. In further embodiment, the subject name may comprise a URL composed of the enclave’s hash value of the public key and the web domain (e.g. enclavehash.example.com). The signed certificate now provides proof to a client node that the public key from the enclave has indeed been issued by the same enclave.
Fig. 3 shows a method 300 for allowing a client to access a trusted service provided by another node in a network according to an embodiment of the present invention, wherein the method comprises the steps of signing 301, by a node, a certificate to certify the ownership of a public key, whereby the public key is owned by an enclave of a trusted execution environment, TEE, in the another node and a code to be executed for providing the trusted service to the client node and data is protected in the enclave; and making 302, by the node, the signed certificate available to the client node.
Fig. 4 shows a method 400 for allowing a client to access a trusted service provided by another node in a network according to another embodiment of the present invention, wherein the method 300 further comprises the steps of connecting 401, by an administrator of the another node, to the enclave; verifying, by the administrator, the authenticity of the enclave; providing, by the administrator, the enclave with a private key of the certificate of the another node; generating 402, by the enclave, a random public key and creating a signed report containing a hash of the public key; connecting 403, by the enclave, to the node and demonstrating to the node that the enclave belongs to the another node by using the private key of the another node; providing 404, by the enclave, the node with the signed report; verifying 405, by the node, the authenticity of the signed report by using an enhanced privacy ID, EPID, algorithm in an attestation authority node; and wherein the step of signing 301, by the node, the certificate to certify the ownership of a public key comprises signing 406 the certificate with a named subject, wherein the named subject comprises the enclave’s hash value of its public key.
The present invention has been described in conjunction with various embodiments as examples as well as implementations. However, other variations can be understood and effected by those persons skilled in the art and practicing the claimed invention, from the studies of the drawings, this disclosure and the independent claims. In the claims as well as in the description the word“comprising” does not exclude other elements or steps and the indefinite article“a” or“an” does not exclude a plurality. A single element or other unit may fulfill the functions of several entities or items recited in the claims. The mere fact that certain measures are recited in the mutual different dependent claims does not indicate that a combination of these measures cannot be used in an advantageous implementation.

Claims

Claims
1. Node (100) for allowing a client node to access a trusted service provided by another node in a network, configured to:
sign (101) a certificate to certify the ownership of a public key,
wherein the public key is owned by an enclave of a trusted execution environment, TEE, in the another node and a code to be executed for providing the trusted service to the client node is protected in the enclave, and
make (102) the signed certificate available to the client node.
2. Node according to claim 1, wherein the format of the certificate comprises an additional protocol layer on top of the attestation protocol according to the X.509 standard.
3. System (200) for allowing a client to access a trusted service provided by another node in a network, comprising:
the node (202) according to claims 1 or 2;
another node (203), whereby the another node comprises a trusted execution environment, TEE, wherein a code to be executed for providing the trusted service to the client node and data is protected in the enclave;
an administrator node (204) of the another node; and
an attestation authority node (201).
4. System according to claim 3, wherein
the administrator node (204) is configured to:
connect to the enclave,
verify the authenticity of the enclave, and
provide the enclave with a private key of the certificate of the another node; the another node (203) is configured to:
generate a random public key and create a signed report containing a hash of the public key,
connect to the node and demonstrate to the node that the enclave belongs to the another node by using the private key of the another node, and
provide the node with the signed report; and the node (202) is further configured to:
verify the authenticity of the signed report by using an enhanced privacy ID, EPID, algorithm in the attestation authority node (201); and
sign the certificate with a named subject, wherein the named subject comprises the enclave’s hash value.
5. Method (300) for allowing a client to access a trusted service provided by another node in a network, comprising the steps of:
Signing (301), by a node, a certificate to certify the ownership of a public key, whereby the public key is owned by an enclave of a trusted execution environment, TEE, in the another node and a code to be executed for providing the trusted service to the client node and data is protected in the enclave; and
making (302), by the node, the signed certificate available to the client node.
6. Method (400) according to claim 5, comprising the further steps of:
Connecting (401), by an administrator of the another node, to the enclave;
verifying, by the administrator, the authenticity of the enclave;
providing, by the administrator, the enclave with a private key of the certificate of the another node;
generating (402), by the enclave, a random public key and creating a signed report containing a hash of the public key;
connecting (403), by the enclave, to the node and demonstrating to the node that the enclave belongs to the another node by using the private key of the another node; providing (404), by the enclave, the node with the signed report;
verifying (405), by the node, the authenticity of the signed report by using an enhanced privacy ID, EPID, algorithm in an attestation authority node; and
wherein the step of signing, by the node, the certificate to certify the ownership of a public key comprises signing (406) the certificate with a named subject, wherein the named subject comprises the enclave’s hash value.
7. Method according to claim 6, wherein the creating of a signed report containing a hash of the private key is carried out via a quoting enclave.
8. Computer program product comprising program code for controlling a node according to one of the claims 1 to 4, or for performing, when implemented on a processor, a method according to claims 5 to 7.
PCT/EP2018/078148 2018-10-16 2018-10-16 Node and method for secure server communication WO2020078534A1 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
CN201880098755.6A CN113261252B (en) 2018-10-16 2018-10-16 Node and method for secure server communication
PCT/EP2018/078148 WO2020078534A1 (en) 2018-10-16 2018-10-16 Node and method for secure server communication
EP18786776.7A EP3857838A1 (en) 2018-10-16 2018-10-16 Node and method for secure server communication

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/EP2018/078148 WO2020078534A1 (en) 2018-10-16 2018-10-16 Node and method for secure server communication

Publications (1)

Publication Number Publication Date
WO2020078534A1 true WO2020078534A1 (en) 2020-04-23

Family

ID=63862169

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2018/078148 WO2020078534A1 (en) 2018-10-16 2018-10-16 Node and method for secure server communication

Country Status (3)

Country Link
EP (1) EP3857838A1 (en)
CN (1) CN113261252B (en)
WO (1) WO2020078534A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2622355A (en) * 2022-09-06 2024-03-20 The Blockhouse Tech Limited Enclave architecture

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117097487B (en) * 2023-10-19 2024-01-26 翼方健数(北京)信息科技有限公司 Remote authentication method, system and medium for simplifying trusted execution environment by using digital certificate authentication
CN117235693B (en) * 2023-11-14 2024-02-02 杭州安恒信息技术股份有限公司 Trusted authentication and secure channel establishment method of trusted execution environment

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180096137A1 (en) * 2016-10-01 2018-04-05 Intel Corporation Using a second device to enroll a secure application enclave

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6898710B1 (en) * 2000-06-09 2005-05-24 Northop Grumman Corporation System and method for secure legacy enclaves in a public key infrastructure
CN102594558B (en) * 2012-01-19 2014-08-06 东北大学 Anonymous digital certificate system and verification method of trustable computing environment
US9553730B2 (en) * 2013-06-02 2017-01-24 Microsoft Technology Licensing, Llc Certificating authority trust evaluation
DE102018101307A1 (en) * 2017-02-22 2018-08-23 Intel Corporation SGX enclave remote authentication techniques
CN107463838B (en) * 2017-08-14 2019-10-18 广州大学 Method for safety monitoring, device, system and storage medium based on SGX

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180096137A1 (en) * 2016-10-01 2018-04-05 Intel Corporation Using a second device to enroll a secure application enclave

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
THOMAS KNAUTH: "Integrating Remote Attestation with Transport Layer Security", 17 January 2018 (2018-01-17), XP055525709, Retrieved from the Internet <URL:https://arxiv.org/ftp/arxiv/papers/1801/1801.05863.pdf> [retrieved on 20181121] *

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2622355A (en) * 2022-09-06 2024-03-20 The Blockhouse Tech Limited Enclave architecture

Also Published As

Publication number Publication date
CN113261252A (en) 2021-08-13
EP3857838A1 (en) 2021-08-04
CN113261252B (en) 2022-07-12

Similar Documents

Publication Publication Date Title
US8667269B2 (en) Efficient, secure, cloud-based identity services
US7757275B2 (en) One time password integration with Kerberos
Jeong et al. Integrated OTP-based user authentication scheme using smart cards in home networks
US20110179478A1 (en) Method for secure transmission of sensitive data utilizing network communications and for one time passcode and multi-factor authentication
JP2011515961A (en) Authentication storage method and authentication storage system for client side certificate authentication information
US10263782B2 (en) Soft-token authentication system
Chalaemwongwan et al. A practical national digital ID framework on blockchain (NIDBC)
ES2665887T3 (en) Secure data system
CN113261252B (en) Node and method for secure server communication
Alzuwaini et al. An Efficient Mechanism to Prevent the Phishing Attacks.
KR20090054774A (en) Method of integrated security management in distribution network
Riad et al. A blockchain-based key-revocation access control for open banking
KR100984275B1 (en) Method for generating secure key using certificateless public key in insecure communication channel
KR100970552B1 (en) Method for generating secure key using certificateless public key
Binu et al. A mobile based remote user authentication scheme without verifier table for cloud based services
Jesudoss et al. Enhanced certificate-based authentication for distributed environment
Jesudoss et al. Enhanced Kerberos authentication for distributed environment
Sudha et al. A survey on different authentication schemes in cloud computing environment
Gamlo et al. Mobile cloud computing: security analysis
CN110557365A (en) Safe single sign-on method based on message authentication code
Jang System Access Control Technique for Secure Cloud Computing
Mashima et al. User-centric identity management architecture using credential-holding identity agents
ALnwihel et al. A Novel Cloud Authentication Framework
US20240012933A1 (en) Integration of identity access management infrastructure with zero-knowledge services
Zhu et al. Research on data security access model of cloud computing platform

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18786776

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

ENP Entry into the national phase

Ref document number: 2018786776

Country of ref document: EP

Effective date: 20210426