Integrating Remote Attestation with Transport Layer Security
This work addresses the need for enhanced security in untrusted environments by enabling attested TLS endpoints for SGX enclaves. It is incremental in that it builds on existing technologies without fundamental changes.
The paper tackles the problem of securely establishing a standard Transport Layer Security (TLS) connection by integrating Intel SGX remote attestation into connection setup. The result is prototype implementations for three open-source TLS libraries, with no modification to the TLS protocol or to existing implementations.
Intel® Software Guard Extensions (Intel® SGX) is a promising technology to securely process information in otherwise untrusted environments. An important aspect of Intel SGX is the ability to perform remote attestation to assess the endpoint's trustworthiness. Ultimately, remote attestation will result in an attested secure channel to provision secrets to the enclave. We seamlessly combine Intel SGX remote attestation with the establishment of a standard Transport Layer Security (TLS) connection. Remote attestation is performed during the connection setup. To achieve this, we neither change the TLS protocol, nor do we modify existing protocol implementations. We have prototype implementations for three widely used open-source TLS libraries: OpenSSL, wolfSSL and mbedTLS. We describe the requirements, design and implementation details to seamlessly bind attested TLS endpoints to Intel SGX enclaves.