In today’s digital sphere, we interact with government agencies, conduct online banking transactions, and manage professional relationships through digital platforms. This constantly evolving landscape profoundly influences our daily lives and shapes our global interactions. However, these advantages come with risks, particularly concerning data security. As our reliance on digital technology grows, so does our vulnerability to threats like data breaches, cyberattacks, and privacy infringements. That’s why we’re committed to providing solutions tailored to meet the needs of both users and businesses, safeguarding data privacy and security. One such solution is SafeGate, leveraging confidential computing and Trusted Execution Environments (TEEs), which will be showcased at the upcoming RSA Conference in San Francisco from May 6th to 9th. Additionally, our team on-site will demonstrate the capabilities of KeyConnect, a cryptographic platform for secure key management in HSMs.
To grasp how our solutions operate, it’s essential to understand TEEs, technologies enabling us to uphold the confidentiality, integrity, and privacy of our data in a constantly changing digital world.
What are TEEs?
TEE stands for Trusted Execution Environment, a device distinguished by its unique feature: an isolated secure area within the main processor, ensuring the confidentiality and integrity of data and code, even in compromised systems.
TEEs function by enabling direct communication between applications and processes with the underlying hardware, safeguarding information and preventing unauthorized access from lower software stack layers. This is achieved through two key features:
- Enhanced processor-level access control: Only applications can access their memory space, irrespective of user privileges, ensuring the protection of confidential data even if other system parts are compromised.
- Hardware component for RAM memory encryption: Information remains encrypted in RAM memory and is decrypted solely within the processor’s domain, allowing confidential data operations.
Initially designed for executing highly secure applications in local environments, TEEs have evolved into the cornerstone of a secure cloud. Besides confidentiality and integrity features, TEEs offer remote attestation capabilities, allowing remote users to verify communication with a legitimate TEE.
Current attestation protocols are based on Public Key Infrastructure (PKI), involving three crucial entities::
- Device manufacturer: During manufacturing, the manufacturer establishes unique cryptographic keys for each device.
- Device: Utilizing these keys, the device communicates with the manufacturer to obtain a digital certificate.
- Remote user: Verifies the digital certificate to ensure the authenticity of the TEE.
Attestation tests also consider firmware versions used at the time of communication, enabling remote users to discard outdated or insecure services.
Use Cases and Applications of TEEs
Over the years, we’ve applied Trusted Execution Environment technology in particularly sensitive sectors: finance and healthcare.
In the financial sector, TEEs play a critical role in protecting transactions, customer data, and confidential communications. For secure transactions, TEEs ensure that banking operations are conducted securely and confidentially. Additionally, concerning the protection of cryptographic keys, TEEs and HSMs securely manage these keys used in financial operations. Examples include SafeGate and KeyConnect, addressing specific needs within the financial sector.
In the healthcare sector, TEEs are essential for protecting medical data, ensuring the confidentiality of electronic medical records for patients. Regarding biomedical research, TEEs facilitate the secure processing of genomic and biomedical data. Moreover, concerning the protection of intellectual property, they enable the confidentiality of diagnostic algorithms. We’ve demonstrated this through the technological development implemented in the European alliance TRUMPET.
Future Work and New Challenges
Despite their potential and significant utility for businesses, TEEs face some significant challenges:
Enhancing efficiency, particularly in cases involving artificial intelligence, requires the inclusion of trusted devices beyond the processor.
The diversity of protocols adopted by different manufacturers complicates effective standardization, posing interoperability challenges.
While some TEEs integrate seamlessly with existing applications, others require substantial investments. Compatibility with enterprise operating systems and the need for constant updates are factors to consider.
Manufacturers must maintain trust in the technology and continuously improve security features to withstand sophisticated threats.
Adaptability and collaboration among industry stakeholders, researchers, and users are essential to address future challenges. Annual events like the RSA Conference provide an excellent forum for establishing communication among different stakeholders and gaining insights into future trends.
Author: Iago López, Head of Confidential Computing and Cryptographic Hardware; and Adrián Vázquez, Engineer-Researcher in the Security and Privacy Area
