How Intel® SGX is hardening data privacy on the blockchain

Private information, such as financial records, can be used for a variety of proofs in business transactions. Intel® SGX provides a Trusted Execution Environment for sensitive data.

Key Takeaways

  • Access to sensitive data (e.g. financial and governance records) can speed up and improve business transactions. But it needs to be protected from data leaks.

  • Intel® Software Guard Extensions (Intel® SGX) provides processing in encrypted enclaves or trusted execution modules, helping to increase application security.

  • Attestation capabilities add in a trust layer that confirms data will not be improperly used, delivering granular-level control and protection at enclave and application levels.

author-image

By

Private business data, from financial information to governance records, contains all the information required to speed up business transactions and reduce fraud. But only if it’s handled securely. Businesses already have the technology to provide third-party access to their data via Application Programming Interfaces (APIs). But problems tend to arise with the mechanics of this shared access, as well as the threats posed by moving and processing data.

These issues grow when we talk about using the blockchain for data transactions. Blockchain can offer greater access to markets, such as energy trading. It also gives users the option to build digital proofs into financial transactions, e.g. proving the existence of funds in order to buy a Non Fungible Token (NFT). But as the blockchain is ‘public’, data stored on it is visible and this can pose a wider security problem.

The Problem with Blockchain

Adi Ben-Ari is the CEO and co-founder of Applied Blockchain [1], a company that uses the blockchain to build business applications to maximise trust, data privacy and security. As he explains: “A lot of our clients are large corporations. For them, one of the barriers to using blockchain technology is the fact that data could be exposed. So, we focus on confidential computing, secure enclaves, and advanced cryptography to help reduce their cyber risk.”

Even for private data use, there are security issues. Open banking, for example, is a European initiative that requires banks to have an API for secure access to customer accounts. The good news is that open banking has sparked a raft of innovative new solutions, from tax accounting and budget management apps to e-loans and financial product comparison services.

While initial access must be granted to third party services, open banking can allow full access to accounts for up to 90 days [2]. Furthermore, data processing takes place outside of the bank. So, by opening up their APIs, potentially banks have also opened up a greater attack surface to cyber criminals.

One solution to these problems is to limit access to data and to prevent it from being stored elsewhere. But there also needs to be a way of generating the necessary proof about the data in a secure way, one that doesn’t leak any other private or personal information. There must also be absolute trust in the system. For example, there needs to be further proof that all data processing is taking place securely without the possibility of a data breach or theft.

In cryptography, there is some early work going on to solve this kind of problem with software solutions that support zero-knowledge proofs. A zero knowledge proof is a way for one party to verify data to another, without revealing any other Personally Identifiable Information (PII). This might be proving that a customer has sufficient funds for a purchase without revealing their bank balance.

As exciting as these developments are, they’re still in their infancy. “They are not standardised either,” Adi Ben-Ari points out. “So, the solutions become very complex and bespoke. With that come greater security risks, because bespoke solutions haven't been well tested. At the moment, I’d say it's not a very mature space.”

Application Isolation with Intel® Software Guard Extensions

An alternative to software-based approaches is the concept of confidential computing [3], which aims to improve isolation of sensitive data payloads with hardware-based memory protections. Confidential computing protects data ‘in use’ by performing computation in a hardware-based Trusted Execution Environment. These secure and isolated environments help prevent unauthorised access or modification of applications and data.

Intel® SGX plays a critical role in this regard. Intel® Software Guard Extensions (Intel® SGX)1 2 offers hardware-based memory encryption that isolates specific application code and data in memory. Intel® SGX allows user-level code to allocate private regions of memory, called enclaves, which are designed to be protected from processes running at higher privilege levels. Only Intel® SGX offers such a granular level of control and protection and this protection applies to other high-level processes running at the time, and even the operating system.

Everything inside the enclave is encrypted and decrypted in real time by the latest Intel® Xeon® Scalable processors.

By limiting access in this way, data can be securely read into the enclave, where its exact details can never be revealed. On the other side, a digital certificate can be produced, demonstrating any proof required - such as the availability of funds - without exposing any other data. When the process is finished and the enclave is closed, all data is securely removed. So, nothing is stored outside of the original location.

Crucially, as Intel SGX runs on the server side only, it doesn’t need any implementation on the client side. Any existing API can be used to retrieve data into a secure privacy-preserving environment. As Ben-Ari explains: “With Intel SGX we've got a scalable environment out of the box, giving us the ability to produce solutions that enable data privacy.”

Remote Attestation is the Final Piece of the Puzzle

Of course, there’s still one issue. How can a third-party fully trust that their data is being handled securely? After all, a process could be written that dumps private data outside of a secure enclave, removing the point of this protected environment. The way to strengthen enclave trust is with remote attestation [4].

Attestation provides crucial information - the identity of the software being attested, details of an unmeasured state (such as the execution mode), plus an assessment of possible software tampering. After an enclave successfully attests itself to a relying party, an encrypted communication channel can be established between the two. Secrets, such as credentials or other sensitive data, can be provisioned directly to the enclave.

Applied Blockchain successfully uses remote attestation with Intel SGX in its open banking product SilentData. The solution was created to perform privacy-preserving bank account checks that don’t reveal personal or sensitive data. Adi Ben Ari explains how this attestation works.

“You've got your own code that you bring into the enclave environment,” he says, “and you ask Intel to attest to the fact that it's one of their enclaves. With that, you give them the code, or proof or some signature of the code, that you're about to run. Then, when someone else gives you some data to go into that enclave, you can prove to them that it's going into a secure Intel environment.”

Likewise, on the way out, Intel SGX and remote attestation enables you to prove that the output was created by processing the required data, again without exposing any other details.

With Intel technology providing this aspect of trust, Intel SGX provides a secure base for processing data while maintaining privacy. Through secure enclaves, any data can be pulled in for processing via existing APIs and processed in a secure way that generates necessary digital proofs. As data can’t escape the enclave, it means that businesses can share more data more openly, speeding up transactions and adding more trust into the system.

To see how Applied Blockchain uses Intel SGX technology to protect open banking transactions, read the case study.
Or for more information about how Intel Software Guard Extensions (Intel SGX) can enhance your code and data protection, visit:
https://www.intel.co.uk/content/www/uk/en/architecture-and-technology/software-guard-extensions.html