WO2025210341A1 - Secure moving of secret data from an enclave to another enclave - Google Patents
- Publication number: WO2025210341A1 (PCT/GB2025/050667)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- secret data
- enclave
- administrator
- encryption key
- encrypted secret
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H04L9/0825—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
- H04L9/083—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
- H04L9/0894—Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
- H04L9/0897—Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage involving additional devices, e.g. trusted platform module [TPM], smartcard or USB
- G06F21/602—Providing cryptographic facilities or services
- G06F21/606—Protecting data by securing the transmission between two devices or processes
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
- G06F11/1402—Saving, restoring, recovering or retrying
- G06F11/2023—Failover techniques
Definitions
- This invention relates to a system for securely storing secret data and methods of operating the same.
- an enclave is a hardware-protected, private region of memory within which confidential data can be stored and within which software can be stored and securely executed.
- the enclave is isolated from other regions of memory, including those regions of memory storing an operating system or other application software.
- Incoming data may be decrypted and processed within the enclave.
- Certain secret data, such as a cryptographic private key, is conventionally stored only within a particular enclave in order to maintain the data’s confidentiality. If the enclave becomes unavailable, e.g. due to hardware failure, then the secret data stored in the enclave is lost. The lifetime of the secret data is therefore tied to the lifetime of the enclave in which it is stored, and to the lifetime of the computing device hosting the enclave.
- Some mechanisms exist for allowing secret data to persist across a restart of an enclave e.g. Intel SGX Sealing.
- the secret data remains bound to the particular processor that is operating the enclave. This means that, if the processor is rendered inoperable (e.g. due to hardware failure), then the secret data is lost.
- the lifetime of the secret data is still limited by the lifetime of the enclave or computing device in which it is stored.
- Embodiments of the present invention seek to provide an improved method and system for securely storing secret data.
- secret data stored in a first enclave
- secret data may be transferred securely to a second enclave by first being backed-up to an administrator system, using the first procedure, and then subsequently being restored to the second enclave, using the second procedure.
- the first procedure may be performed as a backup procedure (optionally in combination with one or more further steps).
- the second procedure may be performed as a restore procedure (optionally in combination with one or more further steps).
- the secret data is encrypted within the first enclave using an administrator encryption key before the encrypted secret data is output from the first enclave and sent to the administrator system.
- the administrator system may be a trusted system, and has access to an administrator decryption key with which the encrypted secret data can be decrypted.
- the administrator system may receive the destination encryption key from the second enclave before, during, or after the first procedure. Moreover, the administrator system need not decrypt the encrypted secret data or re-encrypt the secret data immediately after receiving the destination encryption key. The administrator system may decrypt the encrypted secret data or re-encrypt the secret data in response to receiving an initiation signal (e.g. indicating that the first enclave and/or the first computing device is unavailable).
- the first computing device, hosting the first enclave is preferably different from the second computing device, hosting the second enclave.
- the first computing device and/or the second computing device comprises a respective processor configured to provide a respective trusted execution environment (TEE), e.g. using Intel SGX, or AMD SEV, or Arm TrustZone.
- TEE is preferably configured to implement the respective enclave of the first computing device or the second computing device.
- Each of the first computing device, the second computing device and the administrator system may comprise a respective processor and a memory storing software for execution by the processor, wherein the software comprises instructions which, when executed by the processor, cause the processor to perform any of the method steps disclosed herein. At least some of the software instructions may be for execution within an enclave of the respective device or system.
- the administrator encryption key is preferably different from the destination encryption key.
- the administrator decryption key is preferably different from the destination decryption key.
- the method comprises generating the destination encryption key (and, optionally, the destination decryption key).
- the destination encryption key is preferably generated in the second enclave.
- a plurality of administrator decryption keys is required in order for the administrator system to decrypt the encrypted secret data.
- each of the plurality of administrator decryption keys corresponds to a respective administrator encryption key of a plurality of administrator encryption keys.
- each of the plurality of administrator encryption keys is used to encrypt the secret data in the first enclave.
- the secret data may be encrypted in the first enclave using a secret sharing algorithm, e.g. Shamir’s secret sharing algorithm.
- the plurality of administrator encryption keys (e.g. and the plurality of administrator decryption keys) are preferably different to one another.
- the first computing device is configured to encrypt periodically the secret data stored in the first enclave. This may generate a plurality of versions of encrypted secret data.
- Each version of encrypted secret data may be output from the first enclave and sent to the administrator system.
- each version of encrypted secret data is output from the first enclave and sent to the repository.
- the repository may be configured to store only the most recent version of the encrypted secret data.
- the repository is preferably configured to store a plurality of versions (e.g. each version) of the encrypted secret data.
- the administrator system may receive each version of the encrypted secret data from the repository, or may receive only a subset of the versions of encrypted secret data (e.g. the most recent version of the encrypted secret data at the time).
- Each version of encrypted secret data may be timestamped.
- the secret data can be securely backed up. This can help to ensure that a recent version of the secret data is available for storing in the second enclave, and can also allow previous versions of the secret data to be stored in the second enclave, as necessary. This may be helpful in the event that it is determined that the secret data stored in the second enclave has become corrupted, for example.
- the method comprises detecting that the first enclave is unavailable.
- the method comprises, in response to detecting that the first enclave is unavailable, performing the second procedure.
- the method may comprise, in response to detecting that the first enclave is unavailable, the administrator system decrypting the encrypted secret data using an administrator decryption key.
- the method may comprise, in response to detecting that the first enclave is unavailable, the administrator system re-encrypting the secret data using the destination encryption key.
- the administrator system (e.g. one or more or all of the administrator devices) is preferably configured to retrieve, from the cryptographic engine, some or all of the decrypted secret data.
- the administrator system (e.g., one or more of the administrator devices) is preferably configured to provide the destination encryption key to the cryptographic engine.
- each of the one or more administrator devices is configured to receive, from the second enclave, a respective copy of the destination encryption key.
- each of the one or more administrator devices is configured to receive, from the second enclave, a respective portion of the destination encryption key.
- the administrator system (e.g. one of the administrator devices) is preferably configured to generate the destination encryption key from one or more of the portions of the destination encryption key.
- the portions of the destination encryption key may be shares of the destination encryption key obtained using a secret sharing algorithm, e.g. Shamir’s secret sharing algorithm.
- the administrator system comprises an air-gapped device (i.e. a device not connected to any network, or not to any public network such as the Internet).
- the air-gapped device preferably comprises the cryptographic engine.
- the air-gapped device is preferably air-gapped from the network of the first and second computing devices and the administrator devices. This may help to reduce the vulnerability of the cryptographic engine to attacks that could compromise the confidentiality of the secret data.
- the secret data and/or the administrator decryption key(s) and/or the destination encryption key is preferably communicated to the air-gapped device by a non-network channel (e.g. by the movement of a physical storage medium).
- each of the plurality of administrator computing devices has access to the cryptographic engine.
- the method comprises outputting the first attestation report from the first enclave.
- the first attestation report may be sent to the administrator system (e.g. via the repository) together with the encrypted secret data, e.g. in a backup package.
- the administrator system may receive the first attestation report (e.g. from the repository) together with the encrypted secret data, e.g. the administrator system may receive the backup package.
- the method further comprises the administrator system validating the first attestation report.
- the administrator system validates the first attestation report before sending the re-encrypted secret data to the second enclave, e.g. before re-encrypting the secret data using the destination encryption key, e.g. before decrypting the encrypted secret data.
- the method further comprises generating a second attestation report for the destination encryption key.
- the second attestation report may be generated within the second enclave. It may attest software stored for execution within the second enclave.
- the second attestation report preferably associates the destination encryption key with an identity (e.g. a public key) of the second enclave.
- the second attestation report may associate the destination encryption key with a public key of the second enclave.
- the second attestation report may comprise a certificate signed by the public key of the second enclave.
- the method comprises outputting the second attestation report from the first enclave.
- the second attestation report may be sent (e.g. to the repository and/or the administrator system) together with the destination encryption key, e.g. in a restore package.
- the administrator system may receive the second attestation report (e.g. from the repository) together with the destination encryption key.
- the administrator system may receive the restore package.
- the method further comprises the administrator system validating the second attestation report.
- the administrator system validates the second attestation report before sending the re-encrypted secret data to the second enclave, e.g. before re-encrypting the secret data using the destination encryption key, e.g. before decrypting the encrypted secret data.
- if validation of the first attestation report or the second attestation report fails, the method is aborted.
- the administrator system may validate the first attestation report and/or the second attestation report using the air-gapped device. Validating the first attestation report and/or the second attestation report may help to maintain the integrity of the encrypted secret data and/or the destination encryption key, as it may be verified that the encrypted secret data and/or the destination encryption key has been provided by an expected trustworthy source, rather than by a potentially hostile unknown party.
- the method further comprises the administrator system determining whether the secret data differs from an earlier version of secret data.
- the method comprises the administrator system comparing the secret data with the earlier version of secret data.
- the method may comprise the administrator system, in response to determining that the secret data differs from the earlier version of secret data, aborting the re-encryption of the secret data or the provision of the re-encrypted secret data to the second enclave. This can help to prevent secret data that is expected to be unchanged, e.g. a cryptographic key or a password, being stored in the second enclave in a modified, e.g. corrupted, state, which can help to maintain the integrity of the secret data.
- the method comprises the administrator system sending the re-encrypted data to the second enclave directly.
- the administrator system may send the re-encrypted data to the second enclave indirectly, i.e. via a further component of the system.
- the administrator system may send the re-encrypted data to the repository.
- the re-encrypted data may be sent to the second enclave from the repository.
- Figure 1 is a schematic diagram of a computing system in accordance with an embodiment of the present invention.
- Figure 2 is a flow diagram showing a method for securely moving secret data from the first enclave of the system of Figure 1 to the second enclave in accordance with an embodiment of the present invention.
- Figure 3 is a schematic diagram of a computing system in accordance with a further embodiment of the present invention.
- Figure 1 is a schematic of a system 2 in accordance with an embodiment of the present invention.
- the system 2 includes a first computing device 4 and a second computing device 6, respectively comprising a first enclave 8 and a second enclave 10.
- Each enclave 8, 10 is a protected private region of memory that is operated by a respective trusted execution environment (TEE), e.g. implementing Intel Software Guard Extensions (SGX) or Advanced Micro Devices Secure Encrypted Virtualization (AMD SEV) or Arm TrustZone.
- the second computing device 6 is configured to generate and store a ‘destination’ encryption cryptographic key 14a within the second enclave 10 during a ‘restore’ procedure, as will be described in more detail below.
- In a first step S102, during operation of the first enclave 8, the secret data X stored within the first enclave 8 is periodically backed up by being encrypted and transmitted to the server 22 via the network for storage in the database 20 as part of a backup procedure.
- an encrypted backup of the secret data X may be transmitted to the database 20 every ten minutes, although it could be more or less frequent, or may be irregular (e.g. being initiated by a human operator) rather than periodic.
- the secret data X is encrypted using both the first and second administrator encryption cryptographic keys 12a, 12b to generate encrypted secret data X̂. Any suitable encryption mechanism may be used to encrypt the secret data X using both keys 12a, 12b.
- the first computing device 4 generates an attestation report 24 that links the encrypted secret data X̂ to a public key of the first enclave 8, and then, in a second step S104, sends a “backup package” 26, comprising the attestation report 24 and the encrypted secret data X̂, to the server 22 for storage in the database 20.
- the database 20 stores this latest version of the encrypted secret data X̂, as well as one or more previous versions of encrypted secret data.
- the attestation report 24 may uniquely link the encrypted secret data X̂ to the first enclave 8 and/or to a CPU of the first computing device 4 in a way that can be remotely attested.
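The second attestation report and the administrator's validation of it (the items above on generating the report for the destination encryption key, validating it before re-encryption, and aborting otherwise), as an added example in Go that is not the patent's code. It replaces a platform attestation report with a plain Ed25519 signature by an enclave identity key the administrator already trusts; that substitution, the `RestorePackage` type, its field names, the function names and the sample keys are assumptions of the example. The property kept is the one the page asks for: the administrator accepts a destination encryption key only when an expected enclave has bound it to its identity, and aborts otherwise.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// RestorePackage models the page's "restore package": the destination
// encryption key plus a report binding it to the second enclave's identity.
// The report here is a plain Ed25519 signature by an enclave identity key that
// the administrator already trusts (an assumption of this example); a real
// platform report such as an SGX quote would also carry the enclave
// measurement and be checked against the platform vendor's signing chain.
type RestorePackage struct {
	DestinationEncryptionKey []byte
	EnclaveIdentity          ed25519.PublicKey
	Report                   []byte // signature over DestinationEncryptionKey
}

// BuildRestorePackage runs inside the second enclave; the identity private key
// never leaves it, only the package does.
func BuildRestorePackage(identity ed25519.PrivateKey, destEncKey []byte) RestorePackage {
	return RestorePackage{
		DestinationEncryptionKey: destEncKey,
		EnclaveIdentity:          identity.Public().(ed25519.PublicKey),
		Report:                   ed25519.Sign(identity, destEncKey),
	}
}

// ValidateRestorePackage is the administrator-side check that runs before any
// decryption or re-encryption. It fails closed: an identity outside the
// expected set, or a report that does not cover the presented key, aborts.
func ValidateRestorePackage(pkg RestorePackage, expected []ed25519.PublicKey) error {
	known := false
	for _, id := range expected {
		if id.Equal(pkg.EnclaveIdentity) {
			known = true
			break
		}
	}
	if !known {
		return errors.New("abort: destination enclave is not an expected source")
	}
	if !ed25519.Verify(pkg.EnclaveIdentity, pkg.DestinationEncryptionKey, pkg.Report) {
		return errors.New("abort: report does not bind this key to the enclave")
	}
	return nil
}

func main() {
	enclavePub, enclavePriv, _ := ed25519.GenerateKey(rand.Reader)
	pkg := BuildRestorePackage(enclavePriv, []byte("constructed sample: destination public key bytes"))
	fmt.Println(ValidateRestorePackage(pkg, []ed25519.PublicKey{enclavePub})) // <nil>
	// The same report presented with a substituted key must be rejected.
	pkg.DestinationEncryptionKey = []byte("constructed sample: substituted key bytes")
	fmt.Println(ValidateRestorePackage(pkg, []ed25519.PublicKey{enclavePub}))
}
```

The expected set of enclave identities is what the page calls the "expected trustworthy source"; in a deployment it would be populated from a verified first attestation or from an out-of-band registration, not from the package itself.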
Abstract
A method for securely moving secret data from a first enclave (8; 108) to a second enclave (10) comprises a first procedure and a second procedure. The first procedure includes, within the first enclave (8; 108), encrypting secret data using an administrator encryption key (12a; 112) and sending the encrypted secret data to an administrator system. The administrator system decrypts the encrypted secret data using an administrator decryption key (12b; 113) corresponding to the administrator encryption key (12a; 112), and re-encrypts the secret data using a destination encryption key (14a) received from the second enclave (10). The second procedure includes the administrator system sending the re-encrypted secret data to the second enclave (10) and, within the second enclave (10), decrypting the re-encrypted secret data using a destination decryption key (14b) corresponding to the destination encryption key (14a), and storing the secret data in the second enclave (10).
Description
Secure Data Storage
TECHNICAL FIELD
This invention relates to a system for securely storing secret data and methods of operating the same.
BACKGROUND
In a computer system, an enclave is a hardware-protected, private region of memory within which confidential data can be stored and within which software can be stored and securely executed. The enclave is isolated from other regions of memory, including those regions of memory storing an operating system or other application software. In order to avoid leakage of confidential data, all sensitive data crossing the boundary into and out of the enclave must be encrypted. Incoming data may be decrypted and processed within the enclave.
Enclaves may be provided by trusted execution environments (TEEs) such as Intel’s Software Guard Extensions (Intel SGX) or Advanced Micro Devices’ Secure Encrypted Virtualization (AMD SEV).
Certain secret data, such as a cryptographic private key, is conventionally stored only within a particular enclave in order to maintain the data’s confidentiality. If the enclave becomes unavailable, e.g. due to hardware failure, then the secret data stored in the enclave is lost. The lifetime of the secret data is therefore tied to the lifetime of the enclave in which it is stored, and to the lifetime of the computing device hosting the enclave.
Some mechanisms exist for allowing secret data to persist across a restart of an enclave (e.g. Intel SGX Sealing). However, in such cases, the secret data remains bound to the particular processor that is operating the enclave. This means that, if the processor is rendered inoperable (e.g. due to hardware failure), then the secret data is lost. Thus, the lifetime of the secret data is still limited by the lifetime of the enclave or computing device in which it is stored.
Embodiments of the present invention seek to provide an improved method and system for securely storing secret data.
SUMMARY OF THE INVENTION
From a first aspect, the invention provides a method for securely moving secret data from a first enclave to a second enclave, the method comprising: as a first procedure, i) within a first enclave, encrypting secret data stored in the first enclave using an administrator encryption key to create encrypted secret data; and ii) outputting the encrypted secret data from the first enclave and sending the encrypted secret data to an administrator system; the method further comprising: the administrator system receiving a destination encryption key from a second enclave; and the administrator system decrypting the encrypted secret data using an administrator decryption key, corresponding to the administrator encryption key, and re-encrypting the secret data using the destination encryption key to create re-encrypted secret data; and the method further comprising: as a second procedure, i) the administrator system sending the re-encrypted secret data to the second enclave; and ii) within the second enclave, decrypting the re-encrypted secret data using a destination decryption key, corresponding to the destination encryption key, and storing the secret data in the second enclave.
When viewed from a further aspect, the invention provides a system for securely storing secret data, the system comprising: a first computing device hosting a first enclave storing secret data; a second computing device hosting a second enclave; and an administrator system; wherein: the first computing device is configured, within the first enclave, to encrypt the secret data using an administrator encryption key to create encrypted secret data; the first computing device is configured to output the encrypted secret data from the first enclave and to send the encrypted secret data to the administrator system; the administrator system is configured to: receive a destination encryption key from the second enclave; decrypt the encrypted secret data using an administrator decryption key, corresponding to the administrator encryption key; re-encrypt the secret data using the destination encryption key; and send the re-encrypted secret data to the second enclave; the second computing device is configured, within the second enclave, to decrypt the re-encrypted secret data using a destination decryption key, corresponding to the destination encryption key; and the second computing device is configured to store the secret data in the second enclave.
Thus it will be seen that, in accordance with embodiments of the invention, secret data, stored in a first enclave, may be transferred securely to a second enclave by first being backed-up to an administrator system, using the first procedure, and then subsequently being restored to the second enclave, using the second procedure. The first procedure may be performed as a backup procedure (optionally in combination with one or more further steps). The second procedure may be performed as a restore procedure (optionally in combination with one or more further steps). During the backup procedure, the secret data is encrypted within the first enclave using an administrator encryption key before the encrypted secret data is output from the first enclave and sent to the administrator system. The administrator system may be a trusted system, and has access to an administrator decryption key with which the encrypted secret data can be decrypted.
During the restore procedure, the administrator system receives, from a second enclave, a destination encryption key. Immediately or at a later time, the administrator system re-encrypts the decrypted secret data using the destination encryption key and sends the re-encrypted secret data to the second enclave. The re-encrypted secret data is decrypted in the second enclave using a destination decryption key.
In this way, the secret data can be protected from loss if the first enclave ceases to be available (e.g. through being erased or damaged, or due to a hardware or software failure of the first computing device, or a network error). In such a situation, the second procedure can be initiated to restore (i.e. clone) the secret data to the second enclave.
In some embodiments, the secret data may always be encrypted whenever it is outside the first enclave or the second enclave or the administrator system, thereby helping to ensure the confidentiality of the secret data during the backup and restore procedures. Furthermore, the secret data may be, and preferably is, encrypted using different cryptographic keys depending on where it is being sent. This means that it is not required for cryptographic decryption keys to be sent from one enclave to another. Instead, the secret data is decrypted by the administrator system using the administrator decryption key and is re-encrypted by the administrator system using the destination encryption key. As a result, the administrator decryption key need not be provided to the second enclave, which might otherwise risk compromising the security of data stored in the first enclave.
The administrator system may receive the destination encryption key from the second enclave before, during, or after the first procedure. Moreover, the administrator system need not decrypt the encrypted secret data or re-encrypt the secret data immediately after receiving the destination encryption key. The administrator system may decrypt the encrypted secret data or re-encrypt the secret data in response to receiving an initiation signal (e.g. indicating that the first enclave and/or the first computing device is unavailable).
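The backup and restore procedures described above, as an added example in Go; this is not code from the patent or from any implementation it describes. Freshly generated X25519 key pairs stand in for the administrator key pair 12a/12b and the destination key pair 14a/14b, the secret is sealed with ECIES-style hybrid encryption (X25519 agreement, a single SHA-256 as the key derivation step, AES-256-GCM), and the administrator decryption key stays on the administrator side throughout. The function names `Encrypt`, `Decrypt` and `MoveSecret`, the `Envelope` type, the "backup"/"restore" context labels and the sample secret are all assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is all that crosses an enclave boundary here: an ephemeral X25519
// public key plus an AES-GCM ciphertext that only the recipient's private key opens.
type Envelope struct {
	EphemeralPub []byte
	Nonce        []byte
	Ciphertext   []byte
}

// aeadFor agrees a shared secret between priv and pub and derives an AES-256-GCM
// key from it and a context label; one SHA-256 stands in for HKDF (an assumption).
func aeadFor(priv *ecdh.PrivateKey, pub *ecdh.PublicKey, context string) (cipher.AEAD, error) {
	shared, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	h := sha256.New()
	h.Write(shared)
	h.Write([]byte(context))
	block, err := aes.NewCipher(h.Sum(nil))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext to a recipient public key (ECIES-style hybrid encryption).
func Encrypt(recipient *ecdh.PublicKey, plaintext []byte, context string) (*Envelope, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	gcm, err := aeadFor(eph, recipient, context)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes() // bound into the tag as associated data
	return &Envelope{ephPub, nonce, gcm.Seal(nil, nonce, plaintext, ephPub)}, nil
}

// Decrypt opens an Envelope; a wrong key or context label fails authentication.
func Decrypt(priv *ecdh.PrivateKey, env *Envelope, context string) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(env.EphemeralPub)
	if err != nil {
		return nil, err
	}
	gcm, err := aeadFor(priv, ephPub, context)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, env.EphemeralPub)
}

// MoveSecret runs both procedures end to end and returns what the second enclave
// recovers; fresh key pairs stand in for keys 12a/12b and 14a/14b.
func MoveSecret(secret []byte) ([]byte, error) {
	// Administrator pair (encryption key = public half, decryption key = private
	// half) and destination pair, generated in the second enclave, which keeps 14b.
	adminPriv, err1 := ecdh.X25519().GenerateKey(rand.Reader)
	destPriv, err2 := ecdh.X25519().GenerateKey(rand.Reader)
	if err := errors.Join(err1, err2); err != nil {
		return nil, err
	}
	// First procedure, inside the first enclave: only the envelope leaves it.
	backup, err := Encrypt(adminPriv.PublicKey(), secret, "backup")
	if err != nil {
		return nil, err
	}
	// Administrator system: decrypt with 12b, re-encrypt under 14a; 12b is never sent on.
	plain, err := Decrypt(adminPriv, backup, "backup")
	if err != nil {
		return nil, err
	}
	restore, err := Encrypt(destPriv.PublicKey(), plain, "restore")
	if err != nil {
		return nil, err
	}
	// Second procedure, inside the second enclave: decrypt with 14b and keep X there.
	return Decrypt(destPriv, restore, "restore")
}

func main() {
	got, err := MoveSecret([]byte("constructed sample: enclave private key bytes"))
	fmt.Printf("%s %v\n", got, err)
}
```

The context label is the design point worth noticing: a backup envelope cannot be replayed to the restore step, and the only plaintext exposure is on the administrator side, which the page places on an air-gapped cryptographic engine.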
The first computing device, hosting the first enclave, is preferably different from the second computing device, hosting the second enclave. In some embodiments, the first computing device and/or the second computing device comprises a respective processor configured to provide a respective trusted execution environment (TEE), e.g. using Intel SGX, or AMD SEV, or Arm TrustZone. The TEE is preferably configured to implement the respective enclave of the first computing device or the second computing device. Each of the first computing device, the second computing device and the administrator system may comprise a respective processor and a memory storing software for execution by the processor, wherein the software comprises instructions which, when executed by the processor, cause the processor to perform any of the method steps disclosed herein. At least some of the software instructions may be for execution within an enclave of the respective device or system.
The administrator encryption key is preferably different from the destination encryption key. The administrator decryption key is preferably different from the destination decryption key.
The administrator key could be a symmetric key; however, preferably, the administrator encryption key and the administrator decryption key together form a first cryptographic key pair. The first cryptographic key pair is preferably an asymmetric key pair. The administrator encryption key may correspond to a public key of the first cryptographic key pair. The administrator decryption key may correspond to a private key of the first cryptographic key pair. The destination key could be a symmetric key; however, preferably, the destination encryption key and the destination decryption key together form a second cryptographic key pair. The second cryptographic key pair is preferably an asymmetric key pair. The destination encryption key may correspond to a public key of the second cryptographic key pair. The destination decryption key may correspond to a private key of the second cryptographic key pair.
In some embodiments, the method comprises generating the destination encryption key (and, optionally, the destination decryption key). The destination encryption key is preferably generated in the second enclave.
In some embodiments, a plurality of administrator decryption keys is required in order for the administrator system to decrypt the encrypted secret data. Preferably each of the plurality of administrator decryption keys corresponds to a respective administrator encryption key of a plurality of administrator encryption keys. Preferably each of the plurality of administrator encryption keys is used to encrypt the secret data in the first enclave. The secret data may be encrypted in the first enclave using a secret sharing algorithm, e.g. Shamir’s secret sharing algorithm. The plurality of administrator encryption keys (e.g. and the plurality of administrator decryption keys) are preferably different to one another.
In some embodiments, the system comprises a repository for storing data, e.g. encrypted secret data. The repository preferably comprises a database. The system may comprise a server configured to host the repository.
In some embodiments, the method comprises outputting the secret data from the first enclave to the administrator system via the repository. The method preferably further comprises the administrator system receiving the encrypted secret data from the repository.
Preferably the first computing device is configured to encrypt periodically the secret data stored in the first enclave. This may generate a plurality of versions of encrypted secret data.
Each version of encrypted secret data may be output from the first enclave and sent to the administrator system. Preferably each version of encrypted secret data is output from the first enclave and sent to the repository. The repository may be configured to store only the most recent version of the encrypted secret data. Preferably, however, the repository is configured to store a plurality of versions (e.g. each version) of the encrypted secret data. The administrator system may receive each version of the encrypted secret data from the repository, or may receive only a subset of the versions of encrypted secret data (e.g. the most recent version of the encrypted secret data at the time). Each version of encrypted secret data may be timestamped.
By periodically sending versions of the encrypted data stored within the first enclave to the administrator system and/or the repository, the secret data can be securely backed up. This can help to ensure that a recent version of the secret data is available for storing in the second enclave, and can also allow previous versions of the secret data to be stored in the second enclave, as necessary. This may be helpful in the event that it is determined that the secret data stored in the second enclave has become corrupted, for example.
In some embodiments, all of the plurality of administrator decryption keys (e.g. each of the administrator decryption keys that corresponds to an administrator encryption key used to encrypt the secret data in the first enclave) are required in order to decrypt the encrypted secret data.
In some embodiments, a threshold number of the plurality of administrator decryption keys is required in order to decrypt the encrypted secret data. The threshold is preferably lower than the number of administrator decryption keys. This may allow the encrypted secret data to be decrypted only once a quorum of administrators has provided their respective decryption keys, which may increase security. Preferably, any combination of administrator decryption keys that reaches or exceeds the threshold number may allow the encrypted secret data to be decrypted. This may improve the flexibility of the decryption process.
In some embodiments, the administrator system comprises an administrator computing device. Preferably, the administrator system comprises a plurality of administrator computing devices. Preferably, each of the administrator computing devices stores a respective administrator decryption key of the plurality of administrator decryption keys.
Preferably one or more (e.g. all) of the first computing device, the second computing device, the administrator system, and the repository are configured to communicate with each other over a (e.g. wired and/or wireless) network.
In some embodiments, the method comprises detecting that the first enclave is unavailable. Preferably the method comprises, in response to detecting that the first enclave is unavailable, performing the second procedure. The method may comprise, in response to detecting that the first enclave is unavailable, the administrator system decrypting the encrypted secret data using an administrator decryption key. The method may comprise, in response to detecting that the first enclave is unavailable, the administrator system re-encrypting the secret data using the destination encryption key.
The administrator system and/or the second computing device and/or a further component of the system may be configured to detect that the first enclave is unavailable. The administrator system and/or the second computing device and/or the further component may be configured to output an initiation signal in response to detecting that the first enclave is unavailable. In some embodiments, the step of detecting unavailability of the first enclave is performed by a user.
The administrator system and/or the second computing device and/or a further component of the system may comprise an interface for a user to initiate the second procedure. The interface may be configured to output an initiation signal in response to a user interaction.
The administrator system preferably comprises a cryptographic engine for decrypting and re-encrypting the secret data. Preferably each of the administrator devices has access to the cryptographic engine.
The administrator system is preferably configured to provide the administrator decryption key to the cryptographic engine. Each of the administrator devices is preferably configured to provide, to the cryptographic engine, their respective administrator decryption key. The administrator system (e.g. one or more or all of the administrator devices) is preferably configured to provide some or all of the encrypted secret data to the cryptographic engine for decryption using the administrator decryption key(s).
The administrator system (e.g. one or more or all of the administrator devices) is preferably configured to retrieve, from the cryptographic engine, some or all of the decrypted secret data.
The administrator system (e.g., one or more of the administrator devices) is preferably configured to provide the destination encryption key to the cryptographic engine. In some embodiments, each of the one or more administrator devices is configured to receive, from the second enclave, a respective copy of the destination encryption key. In some embodiments, each of the one or more administrator devices is configured to receive, from the second enclave, a respective portion of the destination encryption key. The administrator system (e.g. one of the administrator devices) is preferably configured to generate the destination encryption key from one or more of the portions of the destination encryption key. For example, the portions of the destination encryption key may be shares of the destination encryption key obtained using a secret sharing algorithm, e.g. Shamir’s secret sharing algorithm.
In some embodiments, the administrator system comprises an air-gapped device (i.e. a device not connected to any network, or not to any public network such as the Internet). The air-gapped device preferably comprises the cryptographic engine.
The air-gapped device is preferably air-gapped from the network of the first and second computing devices and the administrator devices. This may help to reduce the vulnerability of the cryptographic engine to attacks that could compromise the confidentiality of the secret data. The secret data and/or the administrator decryption key(s) and/or the destination encryption key is preferably communicated to the air-gapped device by a non-network channel (e.g. by the movement of a physical storage medium). Preferably each of the plurality of administrator computing devices has access to the cryptographic engine.
In some embodiments, the method further comprises generating a first attestation report for the encrypted secret data. The first attestation report may be generated within the first enclave. It may attest software stored for execution within the first enclave. The first attestation report preferably associates the encrypted secret data with an identity (e.g. a public key) of the first enclave. The first attestation report may associate the encrypted secret data with a public key of the first enclave. The first attestation report may comprise a certificate signed by the public key of the first enclave.
Preferably the method comprises outputting the first attestation report from the first enclave. The first attestation report may be sent to the administrator system (e.g. via the repository) together with the encrypted secret data, e.g. in a backup package.
The administrator system may receive the first attestation report (e.g. from the repository) together with the encrypted secret data, e.g. the administrator system may receive the backup package.
In some embodiments, the method further comprises the administrator system validating the first attestation report. Preferably, the administrator system validates the first attestation report before sending the re-encrypted secret data to the second enclave, e.g. before re-encrypting the secret data using the destination encryption key, e.g. before decrypting the encrypted secret data.
In some embodiments, the method further comprises generating a second attestation report for the destination encryption key. The second attestation report may be generated within the second enclave. It may attest software stored for execution within the second enclave. The second attestation report preferably associates the destination encryption key with an identity (e.g. a public key) of the second enclave. The second attestation report may associate the destination encryption key with a public key of the second enclave. The second attestation report may comprise a certificate signed by the public key of the second enclave.
Preferably the method comprises outputting the second attestation report from the first enclave. The second attestation report may be sent (e.g. to the repository and/or the administrator system) together with the destination encryption key, e.g. in a restore package.
The administrator system may receive the second attestation report (e.g. from the repository) together with the destination encryption key. The administrator system may receive the restore package.
In some embodiments, the method further comprises the administrator system validating the second attestation report. Preferably, the administrator system validates the second attestation report before sending the re-encrypted secret data to the second enclave, e.g. before re-encrypting the secret data using the destination encryption key, e.g. before decrypting the encrypted secret data. Preferably, if the administrator system fails to validate the second attestation report, the method is aborted.
Preferably, if the administrator system fails to validate the first attestation report and/or the second attestation report, the method is aborted. The administrator system may validate the first attestation report and/or the second attestation report using the air-gapped device. Validating the first attestation report and/or the second attestation report may help to maintain the integrity of the encrypted secret data and/or the destination encryption key, as it may be verified that the encrypted secret data and/or the destination encryption key has been provided by an expected trustworthy source, rather than by a potentially hostile unknown party.
In some embodiments, the method further comprises the administrator system determining whether the secret data differs from an earlier version of secret data. In some embodiments, the method comprises the administrator system comparing the secret data with the earlier version of secret data. The method may comprise the administrator system, in response to determining that the secret data differs from the earlier version of secret data, aborting the re-encryption of the secret data or the provision of the re-encrypted secret data to the second enclave. This can help to prevent secret data that is expected to be unchanged, e.g. a cryptographic key or a password, being stored in the second enclave in a modified, e.g. corrupted, state, which can help to maintain the integrity of the secret data.
In some embodiments, the method further comprises the administrator system signing the secret data before encrypting the secret data using the destination encryption key. The administrator system may sign the secret data using a public key of the administrator system. One or more, e.g. each, of the plurality of administrator computing devices may sign the secret data, e.g. using a respective public key of the administrator computing device.
In some embodiments, the method comprises the administrator system sending the re-encrypted data to the second enclave directly. However, the administrator system may send the re-encrypted data to the second enclave indirectly, i.e. via a further component of the system. The administrator system may send the re-encrypted data to the repository. The re-encrypted data may be sent to the second enclave from the repository.
Features of any aspect or embodiment described herein may, wherever appropriate, be applied to any other aspect or embodiment described herein. Where reference is made to different embodiments or sets of embodiments, it should be understood that these are not necessarily distinct but may overlap.
BRIEF DESCRIPTION OF DRAWINGS
Certain embodiments of the invention will now be described, by way of example only, with reference to the accompanying drawings, in which:
Figure 1 is a schematic diagram of a computing system in accordance with an embodiment of the present invention;
Figure 2 is a flow diagram showing a method for securely moving secret data from the first enclave of the system of Figure 1 to the second enclave in accordance with an embodiment of the present invention; and
Figure 3 is a schematic diagram of a computing system in accordance with a further embodiment of the present invention.
DETAILED DESCRIPTION
Figure 1 is a schematic of a system 2 in accordance with an embodiment of the present invention.
The system 2 includes a first computing device 4 and a second computing device 6, respectively comprising a first enclave 8 and a second enclave 10. Each enclave 8, 10 is a protected private region of memory that is operated by a respective trusted execution environment (TEE), e.g. implementing Intel Software Guard Extensions (SGX) or Advanced Micro Devices Secure Encrypted Virtualization (AMD SEV) or Arm TrustZone.
The first enclave 8 stores secret data X, a first ‘administrator’ encryption cryptographic key 12a, and a second ‘administrator’ encryption cryptographic key 12b. The first administrator encryption cryptographic key 12a and the second administrator encryption cryptographic key 12b are provisioned to the first enclave 8 via trusted configuration, and the first enclave 8 verifies the integrity of the configuration using a hardwired key.
The second computing device 6 is configured to generate and store a ‘destination’ encryption cryptographic key 14a within the second enclave 10 during a ‘restore’ procedure, as will be described in more detail below.
The system 2 further comprises an administrator system comprising two administrator devices 16a, 16b that are in communication with the second computing device 6 via a wired and/or wireless network. The administrator system further comprises an air-gapped (i.e. offline) device 18, to which the administrator devices 16a, 16b have physical access. The air-gapped device 18 comprises a cryptographic engine 19.
The system 2 further comprises a server 22. The first computing device 4, the second computing device 6, and the administrator devices 16a, 16b are able to access a database 20, operated on the server 22, via the wireless network.
Operation of the system of Figure 1 will now be described with reference to the flow diagram of Figure 2.
In a first step S102, during operation of the first enclave 8, the secret data X stored within the first enclave 8 is periodically backed up by being encrypted and transmitted to the server 22 via the network for storage in the database 20 as part of a backup procedure. For example, an encrypted backup of the secret data X may be transmitted to the database 20 every ten minutes, although it could be more or less frequent, or may be irregular (e.g. being initiated by a human operator) rather than periodic. As part of this process, the secret data X is encrypted using both the first and second administrator encryption cryptographic keys 12a, 12b to generate encrypted secret data X1. Any suitable encryption mechanism may be used to encrypt the secret data X using both keys 12a, 12b.
The first computing device 4 generates an attestation report 24 that links the encrypted secret data X1 to a public key of the first enclave 8, and then, in a second step S104, sends a “backup package” 26, comprising the attestation report 24 and the encrypted secret data X1, to the server 22 for storage in the database 20. The database 20 stores this latest version of the encrypted secret data X1, as well as one or more previous versions of encrypted secret data. The attestation report 24 may uniquely link the encrypted secret data X1 to the first enclave 8 and/or to a CPU of the first computing device 4 in a way that can be remotely attested.
As part of a restore procedure, which will now be described, the secret data X is transferred from the database 20 to the second enclave 10. This procedure may be performed if the first enclave 8 becomes unavailable (e.g. long-term or permanently) for any reason — e.g. due to a failure or unavailability of the first computing device 4. It may be initiated automatically (e.g. in response to a system, such as the second computing device 6, detecting its unavailability) or by a human user. In some embodiments it is initiated by, or using, the second computing device 6.
The restore procedure involves the second computing device 6 operating the second enclave 10 in a restore mode of operation.
In a third step S106, a destination encryption cryptographic key 14a and a destination decryption cryptographic key 14b are generated within the second enclave 10, as well as an attestation report 28 that links the destination encryption cryptographic key 14a to a public key of the second enclave 10. The destination encryption cryptographic key 14a and the destination decryption cryptographic key 14b are respectively the public key and the private key of a key pair. The destination encryption cryptographic key 14a and the attestation report 28 are transmitted to and stored in the database 20 in a “restore package” 30. The attestation report 28 may uniquely link the destination encryption cryptographic key 14a to the second enclave 10 and/or to a CPU of the second computing device 6 in a way that can be remotely attested.
In a fourth step S108, once the restore package 30 has been stored in the database 20, the administrator devices 16a, 16b retrieve the restore package 30 and the backup package 26 from the database 20. If multiple backup packages are stored in the database (i.e. corresponding to previously-generated backup packages), then the administrator devices 16a, 16b retrieve the most recent backup package from the database 20.
Before decrypting the secret data X contained within the backup package 26, the administrator devices 16a, 16b use the offline device 18 to validate the respective attestation reports 24, 28 of the backup package 26 and the restore package 30 in order to verify the integrity of the backup package 26 and the restore package 30. The administrator devices 16a, 16b verify that the attestation reports 24, 28 are correct and that the backup package 26 is signed with the public keys of the first and second enclaves 8, 10. The administrator devices 16a, 16b also use the offline device 18 to determine whether the second enclave 10 is permitted to receive the secret data X according to a data flow policy. For example, the administrator devices 16a, 16b may use the offline device 18 to verify that both the first enclave 8 and the second enclave 10 have the same author (e.g. the same MRSIGNER value, in the case of Intel SGX enclaves).
In a fifth step S110, once the validation steps have been completed, the administrator devices 16a, 16b use the cryptographic engine 19 of the offline device 18 to decrypt the secret data X stored in the backup package 26. The encrypted secret data X1 is decrypted using both a first administrator decryption key 13a, which is part of a key pair 12a, 13a also comprising the first administrator encryption key 12a, and a second administrator decryption key 13b, which is part of a key pair 12b, 13b also comprising the second administrator encryption key 12b.
The administrator devices 16a, 16b may additionally retrieve and decrypt a previous version of encrypted secret data from the database 20, and compare this previous version with the newly decrypted secret data X in order to determine whether the newly decrypted secret data X differs from the previous version of secret data. The previous version of encrypted secret data is the version of the secret data that was most recently restored to an enclave (e.g. the first enclave 8). In accordance with a ‘stage change policy’, the administrator devices 16a, 16b abort the restore procedure in response to determining that the newly decrypted secret data X differs from the previous version of secret data.
The administrator devices 16a, 16b then jointly sign the secret data X and, in a sixth step S112, use the cryptographic engine 19 of the offline device 18 to re-encrypt the secret data X using the destination encryption cryptographic key 14a, as provided by the second computing device 6 in the restore package 30. In a seventh step S114, the re-encrypted secret data X2 is sent from the administrators 16a, 16b to the database 20 via the wireless network, and is retrieved from the database 20 by the second computing device 6 for storage in the second enclave 10.
In an eighth step, the re-encrypted secret data X2 is decrypted within the second enclave 10 using the destination decryption cryptographic key 14b. The signature of the administrator devices 16a, 16b is verified within the second enclave 10 in order to validate the integrity of the secret data X received.
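The backup and restore flow of steps S102 to S114 above, written out as an added example in Go; it is not code from the patent. Assumptions: the administrator and destination keys are X25519 key pairs used in a hybrid scheme with AES-256-GCM, the two administrator keys are applied by wrapping the ciphertext twice, and an Ed25519 signature by an enclave identity key stands in for the attestation report; the version comparison and the administrators' signing of X are omitted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// gcmFor turns an X25519 shared secret into AES-256-GCM (SHA-256 as the KDF).
func gcmFor(shared []byte) cipher.AEAD {
	key := sha256.Sum256(shared)
	blk, _ := aes.NewCipher(key[:])
	gcm, _ := cipher.NewGCM(blk)
	return gcm
}
// seal encrypts msg to a public key. Layout: ephemeral key (32) || nonce (12) || ct.
func seal(pub *ecdh.PublicKey, msg []byte) []byte {
	eph, _ := ecdh.X25519().GenerateKey(rand.Reader)
	shared, _ := eph.ECDH(pub)
	nonce := make([]byte, 12)
	rand.Read(nonce)
	return gcmFor(shared).Seal(append(eph.PublicKey().Bytes(), nonce...), nonce, msg, nil)
}
// open reverses seal with the matching private key; any tampering fails.
func open(priv *ecdh.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < 44 {
		return nil, errors.New("ciphertext too short")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(blob[:32])
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	return gcmFor(shared).Open(nil, blob[32:44], blob[44:], nil)
}
// Package is a backup or restore package; Attest stands in for the attestation
// report (a signature by the enclave identity key over Payload).
type Package struct{ Payload, Attest []byte }
// Backup (steps S102/S104, first enclave): wrap X under each administrator
// encryption key in turn, so every decryption key is needed, then attest it.
func Backup(identity ed25519.PrivateKey, x []byte, adminPubs []*ecdh.PublicKey) Package {
	ct := x
	for _, pub := range adminPubs {
		ct = seal(pub, ct)
	}
	return Package{ct, ed25519.Sign(identity, ct)}
}
// RestoreRequest (step S106, second enclave): generate the destination key
// pair; only the attested public half leaves the enclave.
func RestoreRequest(identity ed25519.PrivateKey) (*ecdh.PrivateKey, Package) {
	priv, _ := ecdh.X25519().GenerateKey(rand.Reader)
	pub := priv.PublicKey().Bytes()
	return priv, Package{pub, ed25519.Sign(identity, pub)}
}

// ReEncrypt (steps S108-S112, offline engine): both reports must come from the
// expected enclaves; unwrap with every administrator decryption key, then
// re-encrypt to the destination key. No administrator key leaves this step.
func ReEncrypt(decKeys []*ecdh.PrivateKey, firstID, secondID ed25519.PublicKey, backup, restore Package) ([]byte, error) {
	if !ed25519.Verify(firstID, backup.Payload, backup.Attest) ||
		!ed25519.Verify(secondID, restore.Payload, restore.Attest) {
		return nil, errors.New("attestation validation failed, restore aborted")
	}
	x := backup.Payload
	for i := len(decKeys) - 1; i >= 0; i-- { // unwrap in reverse wrap order
		var err error
		if x, err = open(decKeys[i], x); err != nil {
			return nil, err
		}
	}
	destPub, err := ecdh.X25519().NewPublicKey(restore.Payload)
	if err != nil {
		return nil, err
	}
	return seal(destPub, x), nil
}

// main is a constructed end-to-end run with two administrator devices.
func main() {
	decKeys, adminPubs := make([]*ecdh.PrivateKey, 2), make([]*ecdh.PublicKey, 2)
	for i := range decKeys {
		decKeys[i], _ = ecdh.X25519().GenerateKey(rand.Reader)
		adminPubs[i] = decKeys[i].PublicKey()
	}
	firstPub, firstID, _ := ed25519.GenerateKey(rand.Reader)
	secondPub, secondID, _ := ed25519.GenerateKey(rand.Reader)
	backup := Backup(firstID, []byte("constructed secret X"), adminPubs)
	destPriv, restore := RestoreRequest(secondID)
	reenc, err := ReEncrypt(decKeys, firstPub, secondPub, backup, restore)
	if err == nil {
		reenc, err = open(destPriv, reenc) // final step, inside the second enclave
	}
	fmt.Printf("restored %q, err=%v\n", reenc, err)
}
```

Note that the second enclave never sees an administrator decryption key: it can open only what the engine re-encrypted to its own destination key.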
Figure 3 is a schematic of a system 102 in accordance with a further embodiment of the present invention.
The system 102 is essentially the same as the system 2 of Figure 1, except that the system 102 comprises four administrator computing devices 116a, 116b, 116c, 116d, rather than two 16a, 16b. Each of the administrator computing devices 116a, 116b, 116c, 116d stores a respective administrator decryption cryptographic key 113 that is part of a key pair that also comprises a corresponding administrator encryption key 112, stored in the first enclave 108.
Whereas, in the system 2 of Figure 1, both of the administrator decryption cryptographic keys 13a, 13b are required in order to decrypt the encrypted secret data X1, in the system 102 of Figure 3 a threshold of only three of the four administrator decryption cryptographic keys 113 is required. Any combination of three administrator decryption cryptographic keys 113 may be used with the cryptographic engine 119 of the offline device 118 to decrypt the encrypted secret data X1.
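The three-of-four threshold of Figure 3 as an added example in Go (not the patent's code), using Shamir's scheme over GF(2^8) as the description suggests: the secret is split into one share per administrator device, any three shares recombine it, and the combiner refuses fewer. Assumed and omitted here: each share would in practice be encrypted to its administrator device's own key before leaving the first enclave.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"errors"
	"fmt"
)

// gfMul multiplies in GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1 (0x11b).
func gfMul(a, b byte) byte {
	var p byte
	for b != 0 {
		if b&1 != 0 {
			p ^= a
		}
		hi := a & 0x80
		a <<= 1
		if hi != 0 {
			a ^= 0x1b
		}
		b >>= 1
	}
	return p
}

// gfInv returns a^254 = a^-1 (Fermat); only ever called with a != 0.
func gfInv(a byte) byte {
	r := byte(1)
	for i := 0; i < 254; i++ {
		r = gfMul(r, a)
	}
	return r
}

// Share is one administrator device's share: the evaluation point X, one
// Y byte per secret byte, and the threshold K needed to recombine.
type Share struct {
	X, K byte
	Y    []byte
}

// Split produces n shares of secret such that any k of them recover it and
// fewer reveal nothing: per byte, a random polynomial of degree k-1 with the
// secret byte as constant term, evaluated at x = 1..n.
func Split(secret []byte, n, k int) []Share {
	shares := make([]Share, n)
	for j := range shares {
		shares[j] = Share{byte(j + 1), byte(k), make([]byte, len(secret))}
	}
	coef := make([]byte, k)
	for b, s := range secret {
		coef[0] = s
		rand.Read(coef[1:]) // fresh random higher coefficients per byte
		for _, sh := range shares {
			y, xp := byte(0), byte(1)
			for _, c := range coef {
				y ^= gfMul(c, xp)
				xp = gfMul(xp, sh.X)
			}
			sh.Y[b] = y
		}
	}
	return shares
}

// Combine recovers the secret by Lagrange interpolation at x = 0 from any
// k or more distinct shares, in any order; below the threshold it refuses.
func Combine(shares []Share) ([]byte, error) {
	if len(shares) == 0 || len(shares) < int(shares[0].K) {
		return nil, errors.New("not enough administrator shares to reach the threshold")
	}
	out := make([]byte, len(shares[0].Y))
	for b := range out {
		for i, si := range shares {
			num, den := byte(1), byte(1)
			for j, sj := range shares {
				if i != j {
					num = gfMul(num, sj.X)
					den = gfMul(den, sj.X^si.X) // subtraction is XOR in GF(2^8)
				}
			}
			out[b] ^= gfMul(si.Y[b], gfMul(num, gfInv(den)))
		}
	}
	return out, nil
}

func main() {
	secret := []byte("constructed secret X") // stands in for the enclave's secret
	shares := Split(secret, 4, 3)            // one share per device 116a..116d
	got, err := Combine([]Share{shares[3], shares[0], shares[2]})
	fmt.Println(bytes.Equal(got, secret), err)
	_, err = Combine(shares[:2])
	fmt.Println(err)
}
```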
It will be appreciated by those skilled in the art that the invention has been illustrated by describing one or more specific embodiments thereof, but is not limited to these embodiments; many variations and modifications are possible, within the scope of the accompanying claims.
Claims
1. A method for securely moving secret data from a first enclave to a second enclave, the method comprising: as a first procedure, i) within a first enclave, encrypting secret data stored in the first enclave using an administrator encryption key to create encrypted secret data; and ii) outputting the encrypted secret data from the first enclave and sending the encrypted secret data to an administrator system; the method further comprising: the administrator system receiving a destination encryption key from a second enclave; and the administrator system decrypting the encrypted secret data using an administrator decryption key, corresponding to the administrator encryption key, and re-encrypting the secret data using the destination encryption key to create re-encrypted secret data; and the method further comprising: as a second procedure, i) the administrator system sending the re-encrypted secret data to the second enclave; and ii) within the second enclave, decrypting the re-encrypted secret data using a destination decryption key, corresponding to the destination encryption key, and storing the secret data in the second enclave.
2. The method of claim 1, further comprising detecting that the first enclave is unavailable and, in response to detecting that the first enclave is unavailable: the administrator system receiving the destination encryption key from the second enclave; the administrator system decrypting the encrypted secret data using the administrator decryption key, and re-encrypting the secret data using the destination encryption key to create re-encrypted secret data; and performing the second procedure.
3. The method of claim 1 or 2, wherein a plurality of administrator decryption keys is required in order for the administrator system to decrypt the encrypted secret data.
4. The method of claim 3, wherein the administrator system comprises a plurality of administrator computing devices.
5. The method of claim 4, wherein each of the administrator computing devices stores a respective administrator decryption key of the plurality of administrator decryption keys.
6. The method of claim 4 or 5, wherein a threshold number of the plurality of administrator decryption keys is required in order to decrypt the encrypted secret data.
7. The method of any of claims 4 to 6, wherein the administrator system comprises an air-gapped device that comprises a cryptographic engine for decrypting and re-encrypting the secret data, and wherein each of the plurality of administrator computing devices has access to the cryptographic engine.
8. The method of any preceding claim, further comprising: generating a first attestation report for the encrypted secret data that associates the encrypted secret data with an identity of the first enclave; outputting the first attestation from the first enclave; sending the first attestation to the administrator system; and the administrator system validating the first attestation before decrypting the encrypted secret data.
9. The method of any preceding claim, further comprising: generating a second attestation report for the destination encryption key that associates the destination encryption key with an identity of the second enclave; outputting the second attestation from the second enclave; sending the second attestation to the administrator system; and the administrator system validating the second attestation before decrypting the encrypted secret data.
10. The method of any preceding claim, wherein the encrypted secret data is sent to the administrator system via a repository.
11. The method of any preceding claim, further comprising the administrator system determining whether the secret data differs from an earlier version of secret data.
12. The method of claim 11, further comprising the administrator system aborting the re-encryption of the secret data or the provision of the re-encrypted secret data to the second enclave in response to determining that the secret data differs from the earlier version of secret data.
13. The method of any preceding claim, further comprising the administrator system signing the secret data before encrypting the secret data using the destination encryption key.
14. The method of any preceding claim, wherein the administrator encryption key and the administrator decryption key together form an asymmetric key pair and/or wherein the destination encryption key and the destination decryption key together form an asymmetric key pair.
15. A system for securely storing secret data, the system comprising: a first computing device hosting a first enclave storing secret data; a second computing device hosting a second enclave; and an administrator system; wherein: the first computing device is configured, within the first enclave, to encrypt the secret data using an administrator encryption key to create encrypted secret data; the first computing device is configured to output the encrypted secret data from the first enclave and to send the encrypted secret data to the administrator system; the administrator system is configured to: receive a destination encryption key from the second enclave; decrypt the encrypted secret data using an administrator decryption key, corresponding to the administrator encryption key; re-encrypt the secret data using the destination encryption key; and send the re-encrypted secret data to the second enclave;
the second computing device is configured, within the second enclave, to decrypt the re-encrypted secret data using a destination decryption key, corresponding to the destination encryption key; and the second computing device is configured to store the secret data in the second enclave.
16. The system of claim 15, further comprising a repository, wherein the first computing device is configured to send the encrypted secret data to the administrator system via the repository.
17. The system of claim 16, wherein the first computing device is configured to encrypt periodically the secret data stored in the first enclave to generate a plurality of versions of encrypted secret data and to send each version of encrypted secret data from the first enclave to the repository.
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| GB2404723.5A GB2636894A (en) | 2024-04-03 | 2024-04-03 | Secure data storage |
| GB2404723.5 | 2024-04-03 | | |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2025210341A1 (en) | 2025-10-09 |
Family
ID=91023415
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/GB2025/050667 Pending WO2025210341A1 (en) | 2024-04-03 | 2025-03-28 | Secure moving of secret data from an enclave to another enclave |
Country Status (2)
| Country | Link |
|---|---|
| GB (1) | GB2636894A (en) |
| WO (1) | WO2025210341A1 (en) |
Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US9652631B2 (en) * | 2014-05-05 | 2017-05-16 | Microsoft Technology Licensing, Llc | Secure transport of encrypted virtual machines with continuous owner access |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113111360A (en) * | 2021-03-30 | 2021-07-13 | 卓尔智联(武汉)研究院有限公司 | File processing method |
- 2024-04-03: GB application GB2404723.5A (published as GB2636894A), pending
- 2025-03-28: PCT application PCT/GB2025/050667 (published as WO2025210341A1), pending
Non-Patent Citations (2)
| Title |
|---|
| GUERREIRO, JOÃO, et al.: "TEEnder: SGX enclave migration using HSMs", Computers & Security, Elsevier, vol. 96, 26 May 2020, XP086250850, ISSN 0167-4048, DOI: 10.1016/J.COSE.2020.101874 * |
| NAKATSUKA, YOSHIMICHI, et al.: "CTR: Checkpoint, Transfer, and Restore for Secure Enclaves", arXiv (Cornell University Library), 30 May 2022, XP091234904 * |
Also Published As
| Publication number | Publication date |
|---|---|
| GB2636894A (en) | 2025-07-02 |
| GB202404723D0 (en) | 2024-05-15 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US20220114249A1 (en) | Systems and methods for secure and fast machine learning inference in a trusted execution environment |
| CN108768978B (en) | A method and system for remote storage service based on SGX |
| CN101213814B (en) | security patching system | |
| US11212095B2 (en) | Allowing restricted external access to devices | |
| EP2080148B1 (en) | System and method for changing a shared encryption key | |
| US20140096213A1 (en) | Method and system for distributed credential usage for android based and other restricted environment devices | |
| CN119397578A (en) | Blockchain data management method and system | |
| CN112565205B (en) | Credible authentication and measurement method, server, terminal and readable storage medium | |
| TW201502844A (en) | Systems, methods and apparatuses for remote attestation | |
| CN101452514A (en) | User data protection method for safety computer | |
| EP4423969B1 (en) | Method to establish a secure channel | |
| CN102986161A (en) | Method for the cryptographic protection of an application | |
| JP2021519452A (en) | Secure communication methods and systems between protected containers | |
| US11398906B2 (en) | Confirming receipt of audit records for audited use of a cryptographic key | |
| EP3641219A1 (en) | Puf based securing of device update | |
| KR20080033373A (en) | Cancel Information Management | |
| WO2025210341A1 (en) | Secure moving of secret data from an enclave to another enclave | |
| US11405201B2 (en) | Secure transfer of protected application storage keys with change of trusted computing base | |
| CN112995096A (en) | Data encryption and decryption method, device and equipment | |
| EP4423646A1 (en) | Method to store data persistently by a software payload | |
| CN114553566A (en) | Data encryption method, device, equipment and storage medium | |
| CN112260831A (en) | Security authentication method based on dynamic key | |
| CN114124366A (en) | Key generation method of trusted chip and related equipment | |
| WO2024194215A1 (en) | A method, a computer program and an apparatus for an enclave entity, for a trusted entity, and for securing information about a master secret key of a backup of a private memory region, an enclave entity and a trusted entity |
| AU2016429414B2 (en) | Balancing public and personal security needs |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 25718012; Country of ref document: EP; Kind code of ref document: A1 |