TEEs come in many forms: as integrated enclaves in off-the-shelf servers, as software-only solutions (e.g. sandboxes), or as add-ons integrated into existing hardware security modules.
Each of these solutions offers unique benefits and downsides.
It is our belief that the best security level can only be achieved with a dedicated purpose-built hardware solution.
Software-only solutions have clear shortcomings
Software-only solutions have the obvious shortcomings of offering neither physical protection nor protection from modifications to the runtime environment. Processor extensions such as Intel’s SGX or AMD’s SEV lack a secure physical environment, such as a tamper-proof box, and face the additional challenge that they have to be fully general purpose while co-existing with a standard non-secured processor core.
A dedicated HSM is the most secure choice
An HSM, with its tamper-protected housing, seems like a very good choice for adding TEE functionality. However, an HSM is purpose-built for storing the digital keys that protect the most valuable digital assets, and executing arbitrary, potentially malicious code on it compromises that purpose. Thus, a dedicated device is the most secure choice.
What to expect from a TEE
The basic concept of a TEE is to execute code securely. This entails a mechanism to securely load code and protect it from alteration, and extends to protecting the processed data and its output. A TEE must be able to prove that a certain output was generated from a specific input when a specific piece of code was executed. A TEE therefore acts like a notary that attests real-world processes or facts. In the digital world, attestation can be performed using digital signatures. Thus, a TEE also needs the ability to securely store and use attestation keys.
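The binding described above (this code, this input, this output), as an added example that is not Securosys code: the TEE side hashes the loaded code, the input and the output and signs the three digests, and the relying party rejects the result if any of them differs. The function names, the demo key and the sample filter are constructed for illustration, and HMAC stands in for the attestation signature so the example runs on the standard library alone.

```python
import hashlib
import hmac
import json

# Constructed demo values. HMAC with this key is a stdlib stand-in for the
# attestation signature; a real TEE signs with an asymmetric device key.
ATTESTATION_KEY = b"constructed-demo-attestation-key"
SAMPLE_FILTER = "def process(data):\n    return b'auto' if int(data) < 1000 else b'multi-sign'\n"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def sign_claims(claims):
    # Canonical JSON so signer and verifier authenticate identical bytes.
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(ATTESTATION_KEY, payload, hashlib.sha256).hexdigest()


def run_attested(code, input_data):
    """Hypothetical TEE side: measure the code, run it, sign the binding."""
    scope = {}
    exec(code, scope)  # the loaded code must define process(bytes) -> bytes
    output = scope["process"](input_data)
    claims = {
        "code_sha256": sha256_hex(code.encode()),
        "input_sha256": sha256_hex(input_data),
        "output_sha256": sha256_hex(output),
    }
    return output, {"claims": claims, "signature": sign_claims(claims)}


def verify(report, expected_code_sha256, input_data, output):
    """Relying party: accept the output only if every binding holds."""
    claims = report["claims"]
    if not hmac.compare_digest(report["signature"], sign_claims(claims)):
        return False  # report altered, or not produced with the attestation key
    return (
        claims["code_sha256"] == expected_code_sha256
        and claims["input_sha256"] == sha256_hex(input_data)
        and claims["output_sha256"] == sha256_hex(output)
    )


if __name__ == "__main__":
    out, rep = run_attested(SAMPLE_FILTER, b"250")
    print(out, verify(rep, sha256_hex(SAMPLE_FILTER.encode()), b"250", out))
```

The relying party pins the expected code hash out of band, so a report produced by modified code fails verification even though its signature is valid.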
The added benefit of the combination of the TEE with an HSM
An HSM is agnostic to the data it processes; thus, it doesn’t look into the data being signed. However, there are cases where it is beneficial to enforce input-based compliance rules before applying a signature.
Imagine the case where multiple parties need to sign off on a critical contract. Such multi-party rules can be enforced within Securosys’ Primus HSM by using Securosys’ multi-signature solution. However, in some cases such rules must be automated, e.g. for low-value transactions, where the cost of a multi-sign-off is not feasible or is overkill in light of the associated risk. The piece of code that decides which rule to apply becomes a compliance-relevant piece of software, as it enforces the rule on what is considered a low-value transaction. The compliance filter runs as artificial intelligence in a TEE as part of the sign-off rules. Thus, the combination of the HSM and a TEE can further reduce the IT risk exposure while further automating the business processes.
When do you need TEE
Several use cases can add the Securosys Trusted Execution Environment to their existing HSM Portfolio.
Here are some examples.
Mobile Financial Services: Mobile wallets, peer-to-peer payment apps or contactless payments using a mobile device are connected with the Securosys TEE, and functionalities such as NFC or trusted backend systems provide the security required to enable financial transactions. The Securosys TEE can offer a trusted user interface to use for user authentication.
Authentication: Many services running on mobile devices include biometric identification (facial recognition, fingerprint or voice), which is harder to steal. It is a sensitive area, where one wants to protect the personal identification metrics, especially if this is implemented as a personal signature ID.
TEE for the Cloud with Securosys CloudsHSM: To keep the handling of confidential information secure on a server infrastructure, the Securosys server-based TEE can protect against internal and external attacks against backend infrastructure by housing trusted applications and isolating them from malware.
Why a Securosys TEE?
There are existing Trusted Execution Environment products and solutions out there, with many of them being confronted with serious flaws.
Some long-standing microchip products or enclave solutions similar to trusted execution environments were recently breached. These chips, running within server infrastructures, were not isolated from other applications. By separating the attestation of a code or compliance filter from the actual transaction signing, any hacking attempt becomes exponentially harder, and signing of transactions that have been approved by compromised apps is avoided.