Launching Integritee’s Attesteer
Integritee uses a public blockchain to verify remote attestation of TEEs and its novel Attesteer service integrates with any 3rd party enclave to close the last gaps in the trust chain towards public auditability.
As secure and isolated environments, Trusted Execution Environments (TEEs) leverage hardware-security features that ensure the integrity of data and code as well as the confidentiality of the data while in use by that code. This way, not even the operator or superuser of the host machine has access to the data or can change the behavior of the TEE. If you are not running such a machine on your own desk but in a data center, how can you be sure there’s actually a real TEE on the other end? That’s what remote attestation (RA) is about. It provides verification for three things: (1) the application’s identity, (2) its integrity (that it has not been tampered with), and (3) that it is running securely and confidentially within a genuine machine.
More specifically, remote attestation is the process of authenticating the TEE hardware and providing a report confirming its genuineness. This process also measures the hash of the binary that the secure environment is executing, which confirms that what’s running inside the secure environment is, in fact, what you expect. Because such a report also includes the individual TEE’s public signing key, you can thereafter authenticate the TEE instance and its responses upon every interaction by verifying its signature.
Obtaining attestation for an instance of a service usually requires the use of a manufacturer-provided API (like IAS for Intel SGX), which is sometimes delegated to data centers (like DCAP for Intel SGX). This is an undesirable setup because the parties who offer RA can go offline or refuse the deliver RA (censorship). Integritee decouples RA to a public blockchain and ensures that RA can be performed by anyone without the consent of any 3rd party.
Source Code
It all starts with the code and if it really does what the end-user expects it to do. The code is the most critical piece of any secure setup because TEEs are worthless if the code has exploitable vulnerabilities or undesired features
Release
What’s the value of a code audit if we have to trust the operator that it executes a genuine build of the audited code? If a software vendor signs their build, we need to trust that vendor, which is — again — an undesirable trust requirement. The holy grail here is deterministic build: Anyone can build the software from source and yield the bit-exact equivalent of the build which is executed
Execution
In the case of TEEs, it doesn’t really matter who is executing an enclave, because the operator doesn’t need to be trusted. However, because of several hardware-based side-channel vulnerabilities of all known TEEs, we do suggest enforcing execution in certified data centers which enforce very strict policies for those who have physical access to the servers.
Attestation
This is where Integritee’s Attesteer comes in: Remote attestation (RA) is the process of proving that some remote device is genuine and that it executes the correct build inside an enclave. This is enabled by public-key authentication with a hardware key in the TEE device. With Integritee’s Attesteer and on-chain DCAP, there is no need to rely on an available or cooperative TEE manufacturer anymore.
User Verification
End users are already used to the green tick in the browser window which confirms that the webpage they visit has a valid certificate for its domain and that all communication with that site is encrypted. What the attesteer enables on top of that, is a confirmation of encrypted processing of your data in use and that nothing else happens with your data than just the functionality which has been audited by a 3rd party.
Audit
In the most favorable case, the code is open source for anyone to audit. Even if we should not expect end-users to review the code themselves, it strengthens trust that they could if they want to. We expect professional 3rd party auditors to publish reports on TEE-based services. If not open-sourced, these parties could be granted exclusive read access to the code for the audit.
Covering all TEE manufacturers
The Attesteer itself relies on Intel SGX technology because of its superior remote attestation capabilities. However, the Attesteer is able to remotely attest any kind of TEE through certificate verification with non-repudiation. The trust assumptions, however, are different for every TEE manufacturer:
- Intel SGX
Intel started RA with its EPID attestation service. Only legal entities with a commercial license could obtain RA with their API, which leaves room for censorship. Then, Intel came up with DCAP, which delegates RA to cloud providers. Still, DCAP is a complicated process that only cloud providers are expected to operate, so now the censorship risk is with the cloud providers. The Integritee Network offers a decentralized DCAP service on a public blockchain that cannot be stopped or censored. The Attesteer enables using that service with any Intel SGX enclave. - AMD SEV and AWS Nitro
These technologies provide execution with memory encryption, but they do not provide thorough RA. Here, the cloud provider has to be trusted to only sign for genuine devices running the correct software. Even if this leaves a gap in the trust chain, the Attesteer can verify the certificate from cloud providers inside an SGX enclave and supply publicly auditable RA for these technologies. - Open Source Hardware TEE
While still academic, projects like Sanctum and Keystone pave the way to production-ready open-source hardware TEEs. Such TEEs could be produced by multiple silicon fabs in parallel. RA, however, requires someone to testify to the genuineness of each individual device. In the best case, that entity is the silicon fab directly, certifying that they produced the untampered TEE design. The Integritee Network would offer a platform for public RA in this case: Manufacturers register the public key for each device on our immutable network when the devices leave the fab. Every RA process from then on would just require authentication with a lookup in our public ledger.
Why do you need the Attesteer?
Our attestation service is relevant to any user of TEEs seeking to benefit from public auditability and an effortless, seamlessly integrable service. A Proof of Execution is delivered by the Attesteer and registered on Integritee’s blockchain, delivering the transparency and trust of blockchain and the security of confidential computing technologies.
You don’t need to hold crypto tokens in order to use the service. Hence, a company rooted in Web2, which doesn’t want to expose itself to blockchain directly for whatever reason doesn’t need to do that but can still get all the guarantees that Web3 provides namely an immutable, decentralized, trustless attestation registry.
Our public ledger registration makes confidential computing verifiable to any third party, like institutions that want to prove to their customers that their data is secure. There are unparalleled benefits when using Integritee Attesteer, including:
- Transparency and trust — The data and processes’ integrity is verified and registered on our own public blockchain network
- Customizable — The Attesteer proves authenticity remotely at both the frequency and the duration of your choice, which is very advantageous because every project has its own structure and needs
- Interoperability — Our Attesteer can be used with Intel SGX machines and other TEE technologies in the future.
If you’re looking for a more decentralized, flexible, and customizable remote attestation service, you found it.
How to integrate with the service: Check it out here.
You Might Also Like
Bear With Us: Blockchain Technology is Still Relevant, Even when Crypto Declines
Series 2 – The Integritee Network | Episode 4 – Integritee Sidechains
The Imperative for Privacy in Blockchain: TEEs & Privacy-Preserving Software
Series 2 – The Integritee Network | Episode 3 – Integritee Technology
Monthly Wrap-Up October 2023: Joining an Accelerator Program, Launching the New Website, Educational Content & More!
Series 2 – The Integritee Network | Episode 2 – Integritee Architecture & Components
How Blockchain is Benefiting Numerous Industries: From Sustainability to Brand Quality Control
KYC in Web3: How DiD is Saving the Day for Projects & Companies
Series 2 – The Integritee Network | Episode 1 – Introducing Integritee
Monthly Wrap-Up September 2023: Winning an Award, Talking at Sub0, Partnering with OVH & More!
Series 1 – All you need to know about TEEs | Episode 6 – TEE Limitations
OVH Releases Whitepaper on How Integritee Is Re-Inventing Blockchain Security & Confidentiality Using Intel SGX Technology & OVHcloud
Series 1 – All you need to know about TEEs | Episode 5 – TEE Principles & Threat Models
Monthly Wrap-Up August 2023: Launching the Attesteer, Encointer’s PoP Badge & More
Series 1 – All you need to know about TEEs | Episode 4 – TEE Application Development
Series 1 – All you need to know about TEEs | Episode 3 – TEE Technologies
DAOs: How Fair can Decision-Making be and Why is Private Voting Essential?
Monthly Wrap-Up July 2023: Video Releases, Tech Updates & More
Series 1 – All you need to know about TEEs | Episode 2 – TEE Use Cases
Monthly Wrap-Up June 2023: Polkadot Decoded, New Add-Ons and More
Integritee’s Teeracle Available on the Securitee Platform as an Add-On
Monthly Wrap-Up May 2023: Governance Platform Launch, New Environments and More
Integritee Launches New Governance Platform with Polkassembly
Monthly Wrap-Up April 2023: Tech Upgrades, Partnerships & Upcoming News
Monthly Wrap-Up March 2023: Product Releases, a Privacy Sidechain & More
Securitee & enclaive Team Up to Offer Ready-To-Use TEE-Secured Solutions
Securitee Launches Confidential Computing Platform to Protect Data in Use
Introducing Integritee’s Teeracle: A Framework to Build TEE-Based Oracles
A Privacy Sidechain for All Polkadot & Kusama Chains
Monthly Wrap-Up February 2023: Launching Roadmap, Partnerships and More!
SDK v0.11.0: Increased Performance and Faster Processes
OLI Systems Develops Innovative Energy Market Place by Building on Integritee
Integritee Network: Roadmap 2023
Monthly Wrap-Up January 2023: Slot Swap, Davos Touchdown and Much More
Community Updates: Discord, Twitter Raids & More
2022 at Integritee: Winning Parachains, Hosting Events, Integrating with Projects & Much More
Monthly Wrap-Up November 2022: Lisbon Happenings, Bifrost Integration & More
XCM Integration of Integritee and Bifrost Completed
Integritee Welcomes Sergei Medvedev as New Advisory Board Member
Monthly Wrap-Up October 2022: Travels, Interviews, Tech Updates & More
Monthly Wrap-Up September 2022: Integritee SDK Release, Token2049 & More
Integritee & Securitee: Connecting the Dots
Integritee’s SDK: A New Era of Web3 Application Building
Monthly Wrap-Up August 2022
Integritee Sidechain Performance Benchmark
Integritee & Crust Team Up for Publicly Verifiable Decentralized Content Storage
Integritee’s Polkadot Crowdloan
Monthly Wrap-Up July 2022: Winning a Slot on Polkadot, Integrating with Karura & Much More
From Web 2.0 to Web3: A Step Forward
Polkadot: The Next Step in Integritee’s Growth and Development
Integritee Rewards Structure: Early Birds, Loyal Followers, Family, Friends, and More!
The Integritee Polkadot Crowdloan Campaign Starts Today!
XCM Integration: What Is It and How Does It Work?
Monthly Wrap-Up June 2022: Kraken listing, Talking at Polkadot Decoded & More!
XCM integration of Integritee & Moonriver Completed
Here’s What You Need to Know About XCM Integration on Polkadot
Integritee Completes 2 Key Milestones Towards Decentralization
Monthly Wrap-Up May 2022: Decentralization, International Events, Virtual Worlds & Much More
The Complete Guide to TEER Tokens
How Integritee combines the benefits of Web2 and Web3 technologies
Sidechain 101: What are sidechains and why do we need them on Polkadot?
Monthly Wrap-Up April 2022: Networking, Technical Updates and Business Growth
Monthly Wrap-Up March 2022: Migrating to Kusama & Building Our Community
Update On Integritee Parachain Migration
What Should Integritee Present at Polkadot Decoded 2022? You Decide.
TEE Time with Integritee
A Healthier Approach to Wearables
Event Series: Learn How Integritee Is Taking Gaming to the Next Level With Ajuna
Monthly Wrap-Up February 2022: A New Listing, Sidechains & Other Updates
TEE 101: How Intel SGX works and why we use it at Integritee
After the Crowdloan: What’s Happening Next
Integritee Achieves Feature-Complete Sidechains
Enterprise-Focused Securitee Expands Integritee’s Ecosystem
Kusama Parachain Bid – And the Slot Goes to Integritee!
Integritee Year in Review 2021: Milestones Reached, Partnerships Forged
Integritee Launches its First Web3 Oracle
Introducing the Integritee Ambassador Program
The Integritee Mainnet is Live!
All Systems Go: Mainnet, Token Sale and TEER Giveaway!
How Decentralized Networks Can Cure the Privacy Pandemic
Integritee and Fractal Team Up for Fair Data Exchange
Integritee to Collaborate with KILT Protocol for SocialKYC Authentication
Integritee Partners with Decentralized Gaming Platform Ajuna
Confidential Computing Will Secure Our Secrets in Web3
The How, Why and What of the Kusama Crowdlending