Skip to content

Security guarantees

The Secure Computation solution guarantees to each participant that:

  • they are actually running the computation on a secure hardware enclave (and not some simulator)
  • the operator of the enclave (Cosmian on its public platform) has not tampered with any parameter of the computation
  • their code/data can only be read by the secure enclave, neither its operator, nor its hoster (Azure on the public platform), nor any other participant
  • the list of participants is correct (number and identities)
  • the code provided by the Code Provider has the expected signature
  • the rest of the software stack is correct and correctly identified (hence verifiable)

The security protocol and cryptographic primitives used to achieve these goals are described in the next paragraphs

Protocol Overview

On the Cosmian public platform:

  1. The Computation Owner (CO) creates the computation with the list of all participants emails. The CO also provides a PGP public key to authenticate itself in the next step.

  2. All participants, Code Provider (CP), Data Providers (DP) and Result Consumers (RC) create a Cosmian account and register their PGP public key.

  3. The CP generates a symmetric key and send its code encrypted with it.

    As soon as every participant has registered and the CP has sent the code, Cosmian starts the secure enclave, which generates the enclave identity (an asymmetric key pair to secure the key exchange and some other parts allowing to check that the computation is secured by an Intel SGX enclave)

  4. From the Computation Checklist, The CO checks

    • the PGP keys of all the participants to verify their identities and
    • that Cosmian didn’t change any manifest parameter (added/removed keys, changed the code and its fingerprint,…) by verifying the manifest and its signature. The manifest is signed by the secure enclave so that Cosmian cannot tamper with it.

    The CO then signs the manifest to attest its approval. All participant can then check this signature against his public PGP key.

  5. The CP, DP and RC also verify the manifest and its signatures:

    -that of the enclave (attesting Cosmian has not tampered with any parameters) -that of the CO (attesting that the list of participants is correct)

    They then send their symmetric keys sealed with the public key of the secure enclave; only the secure enclave can decrypt the symmetric keys and using them, decrypt the code and the data as well as encrypt the results.

    As soon as all participant symmetric keys have been provisioned to the enclave, Cosmian starts the computation.

  6. All participants can check the status of the computation (exit code, stdout and stderr). If the computation is successful, the RC downloads the results and decrypts them locally with its symmetric key.

When not on the public platform, or when Cosmian is not the operator of the enclave, the process is identical save from the registration step on the public platform.

Flow diagram

Kroki

Enclave Identity

As soon as every participant has registered and the CP has sent the code the enclave identity is generated. The enclave identity is available inside the Computation object of the Cosmian clients (see examples as Computation Owner, Code Provider, Data Provider or as Result Consumer).

This identity is unique and ensure the participants that the code is running inside the Intel SGX enclave.

If the code change, the identity change

In case the code need to change (because of a problem or any other reason), the identity will be reset and re-generated. Every participant will need to check again the validity of the information and send back their symetric keys sealed with the new public key.

Enclave Public key

The enclave public key allows participants to send their symertic keys knowing that Cosmian or any other third-parties cannot read it. Their symetric keys can only be decrypted inside the enclave to read the code/data or encrypt the results.

Enclave Manifest

The enclave manifest lists all the binaries and librairies with corresponding signatures running on the enclave, including the secret code of the CP. The manifest is signed by the enclave (see quote) and guarantees what is actually running for this computation.

[loader]
entrypoint = \"file:/usr/lib/x86_64-linux-gnu/gramine/libsysdb.so\"
log_level = \"error\"
argv_src_file = \"file:scripts/args\"
pal_internal_mem_size = \"128M\"
preload = \"\"

[libos]
entrypoint = \"/usr/bin/python3.8\"

[sgx]
nonpie_binary = true
remote_attestation = true
enclave_size = \"16G\"
thread_num = 256
allowed_files = [ \"file:/tmp\", \"file:data/\", \"file:result/\",]
isvprodid = 0
isvsvn = 0
debug = false
require_avx = false
require_avx512 = false
require_mpx = false
require_pkru = false
require_amx = false
support_exinfo = false
enable_stats = false
[[sgx.trusted_files]]
uri = \"file:/usr/bin/python3.8\"
sha256 = \"2e833afd6114ff314d879486c01ec19d3d94ef6f8c808d193fb329c98c674097\"

[[sgx.trusted_files]]
uri = \"file:/usr/lib/x86_64-linux-gnu/gramine/libsysdb.so\"
sha256 = \"71b1ae48299dcdad622c5e32d910bb6aa6d457a79eca9b4824031ecb338c9512\"

[[sgx.trusted_files]]
uri = \"file:/usr/lib/x86_64-linux-gnu/gramine/runtime/glibc/crt1.o\"
sha256 = \"b3776343a45a120f700a5d19c0cf9b5caf185707770cb7d269326f0389eaf3de\"

... 

[[sgx.trusted_files]]
uri = \"file:/usr/lib/python3.8/runpy.py\"
sha256 = \"c653077012c19153838cae221f1ac73ecef8bcfc49e25e54c6bc7b187e18185f\"

[[sgx.trusted_files]]
uri = \"file:/usr/lib/python3.8/sched.py\"
sha256 = \"60006f906a2aad59a81a4e4e0ca36b69088848623edc8598c0b2a41d9f30565d\"

[[sgx.trusted_files]]
uri = \"file:/usr/lib/python3.8/secrets.py\"
sha256 = \"8fe91980080cc3f3d687bfa4078489ebe25fb28005170a8232a3eee75f94d3b4\"

[[sgx.trusted_files]]
uri = \"file:/usr/lib/python3.8/selectors.py\"
sha256 = \"37defeb4f5df6b41c62d8bcedab2f4bea24a2c2cc97f70e08c81e0ef17888246\"

...
 [many, many more lines]
...
Quote

The quote from the enclave is attested using a remote attestation process, guaranteeing that it is actually signed by a valid SGX enclave (and not some simulator).

{
    "exp": 1651104032,
    "iat": 1651075232,
    "is-debuggable": "False,",
    "iss": "https: //sharedneu.neu.attest.azure.net",
    "jti": "c0af5cf6f3116e7f6b668f362842268f7fdf925a405d17d48f67a84f891cf3bb",
    "maa-attestationcollateral": {
        "qeidcertshash": "a64d649198507d8b57e33f63ab266838f43f327bd4aacc78510b6976ed046e10",
        "qeidcrlhash": "3dbcd25597ba0548bf32240b3079d4310151756f17e5537d3015b16e399acad5",
        "qeidhash": "7701f64700b7f505d7b4b7a93e45d5cde8cfc865b60f1dd49ecbee9790c3372e",
        "quotehash": "0c330dd9b79d10228fa12c35a27062a8c9c5f73bf30f3be0cbd9bd34d2292754",
        "tcbinfocertshash": "a64d649198507d8b57e33f63ab266838f43f327bd4aacc78510b6976ed046e10",
        "tcbinfocrlhash": "3dbcd25597ba0548bf32240b3079d4310151756f17e5537d3015b16e399acad5",
        "tcbinfohash": "88149197195950562cc097ad0267a66de7c08e0189bddeb3977d8e2b6a05fd45"
    },
    "nbf": 1651075232,
    "product-id": 0,
    "sgx-mrenclave": "929f66c365fce9ebcd2e6a809f938b4305dfc2f9094a6b726e3e2b6abe9413a7",
    "sgx-mrsigner": "c1c161d0dd996e8a9847de67ea2c00226761f7715a2c422d3012ac10795a1ef5",
    "svn": 0,
    "tee": "sgx",
    "x-ms-attestation-type": "sgx",
    "x-ms-policy": {
        "is-debuggable": "False,",
        "product-id": 0,
        "sgx-mrenclave": "929f66c365fce9ebcd2e6a809f938b4305dfc2f9094a6b726e3e2b6abe9413a7",
        "sgx-mrsigner": "c1c161d0dd996e8a9847de67ea2c00226761f7715a2c422d3012ac10795a1ef5",
        "svn": 0,
        "tee": "sgx"
    },
    "x-ms-policy-hash": "bROrN897ZfWmWY2V0FLUlu3uwk5xatGnKYHn3zBbSlw",
    "x-ms-sgx-collateral": {
        "qeidcertshash": "a64d649198507d8b57e33f63ab266838f43f327bd4aacc78510b6976ed046e10",
        "qeidcrlhash": "3dbcd25597ba0548bf32240b3079d4310151756f17e5537d3015b16e399acad5",
        "qeidhash": "7701f64700b7f505d7b4b7a93e45d5cde8cfc865b60f1dd49ecbee9790c3372e",
        "quotehash": "0c330dd9b79d10228fa12c35a27062a8c9c5f73bf30f3be0cbd9bd34d2292754",
        "tcbinfocertshash": "a64d649198507d8b57e33f63ab266838f43f327bd4aacc78510b6976ed046e10",
        "tcbinfocrlhash": "3dbcd25597ba0548bf32240b3079d4310151756f17e5537d3015b16e399acad5",
        "tcbinfohash": "88149197195950562cc097ad0267a66de7c08e0189bddeb3977d8e2b6a05fd45"
    },
    "x-ms-sgx-is-debuggable": "False,",
    "x-ms-sgx-mrenclave": "929f66c365fce9ebcd2e6a809f938b4305dfc2f9094a6b726e3e2b6abe9413a7",
    "x-ms-sgx-mrsigner": "c1c161d0dd996e8a9847de67ea2c00226761f7715a2c422d3012ac10795a1ef5",
    "x-ms-sgx-product-id": 0,
    "x-ms-sgx-report-data": "21be4c8ec9c488fa0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
    "x-ms-sgx-svn": 0,
    "x-ms-ver": "1.0"
}
Serialized Args

The serialized arguments are sent to the gramine process and read inside the enclave. They contain all the fingerprints of the participants’ public keys. The participants can check the number of fingerprints and match these to the public PGP keys of the participants to ensure Cosmian didn’t add or remove participants from the computation.

Serialized Args binary format

The arguments are serialized for Gramine in binary, they can be difficult to parse so the Cosmian client will provide helpers to check the content. Feel free to create your own parser if you need to do your own checks.

Entrypoint

The entrypoint is the only unencrypted file from the code provider. His goal is to read the data, run the encrypted algorithm and save the results. Every participant can see this file and check that only authorized actions are performed. For example:

  • checking that Cosmian didn’t change the entrypoint to leak the data (thanks to the entrypoint hash inside the manifest)

Cryptographic Primitives

Most of the cryptographic primitives used are those from the NaCl-family: X25519 (RFC 7748) for Elliptic Curve Diffie-Hellman (ECDH) Key Exchange, Ed25519 (RFC 8032) for Digital Signature and XSalsa20-Poly1305 (RFC 7539) for Authenticated Encryption with Associated Data (AEAD).

Public Key Primitives

X25519 and ed25519 are based on Curve25519 using the Montgomery curve for the former and the bi-rationnally equivalent twisted Edwards curve for the latter.

Both forms have ~128-bit security level with 256-bit private/public key (see RFC 7748#section-4.1).

Symmetric Primitives

XSalsa20 symmetric-key stream cipher uses 256-bit key and 192-bit nonce (XSalsa20 is an extension of Salsa20 to use 192-bit nonce instead of the 64-bit nonce). The implementation used in crypto_box NaCl-family is using 20 rounds and offers ~251-bit security according to the best cryptanalysis technique as of 2021 (see draft-josefsson-salsa20-tls-04#security).

In addition, Poly1305 Message-Authentication Code (MAC) with 256-bit key is used to obtain the XSalsa20-Poly1305 AEAD algorithm.

Implementations

The tree dependency of the software implemented in Cosmian Secure Computation solution is the following:

Server      cosmian_lib_sgx [Python]
            ├── cosmian_sgx_crypto [C]
            │   ├── libsodium [C]
            │   └── Intel SGX instructions [ASM]
Client      cosmian_secure_computation_client [Python]
            ├── pynacl [Python]
            │   └── libsodium [C]

The server library cosmian_lib_sgx must be used by the CP in the Python code to manage I/O and cryptographic operations while the client librarycosmian_secure_computation_client is meant to be used by every participants (CP, DP and RC).

Software Stack

Secure enclaves such as Intel SGX© (Software Guard eXtension) are hardware technology designed to keep running processes memory data encrypted at anytime in a secure memory part. In that way, no malicious user, even with root privileges on the machine, can dump the memory process to steal the content.

We rely on the Gramine library OS (owned by Intel) to execute arbitrary Python code inside Intel SGX and it forces us to keep a consistent base software stack:

  • Ubuntu 20.04 LTS
  • Linux kernel >= 5.11
  • Gramine == v1.1
  • Intel SGX SDK >= 2.15.1
  • Intel SGX DCAP >= 1.12
  • Azure DCAP client >= 1.10 (for Microsoft Azure)

We currently only offer to run secure computations on Microsoft Azure where Intel SGX 2 is available. Other providers will be available soon.