ENCLAVE POOL SHARED KEY
Abstract
In one example, an enclave pool is formed. The enclave pool may include a plurality of enclaves. Each enclave may have a private enclave key and a public enclave key. A shared enclave pool key may be generated from or otherwise based on the public enclave key of each enclave of the enclave pool. A first enclave may be allocated from the enclave pool to a first cryptlet. A payload of the first enclave is received. The payload of the first enclave may be signed with a first digital signature by the private enclave key of the first enclave. A payload of the second enclave may be received. The payload of the second enclave may be signed with a second digital signature by the private enclave key of the second enclave. The first digital signature and the second signature may be validated via the shared enclave pool key.
20 Claims
1. An apparatus, comprising:
a device including at least one memory adapted to store run-time data for the device, and at least one processor that is adapted to execute processor-executable code that, in response to execution, enables the device to perform actions, including:
forming an enclave pool, wherein the enclave pool includes a plurality of enclaves, wherein the enclaves are secure execution environments, and wherein each enclave of the enclave pool has an enclave key pair including a private enclave key and a public enclave key;
generating a shared enclave pool key that is derived from the public enclave key of each enclave of the enclave pool;
allocating a first enclave of the enclave pool to a first cryptlet;
receiving a payload of the first enclave such that the payload of the first enclave has a first digital signature by the private enclave key of the first enclave;
allocating a second enclave of the enclave pool to the first cryptlet;
receiving a payload of the second enclave such that the payload of the second enclave has a second digital signature by the private enclave key of the second enclave; and
validating, via the shared enclave pool key, the first digital signature and the second signature.
Dependent claims: 2, 3, 4, 5, 6, 7.
8. The apparatus of claim A1, wherein the first enclave is a hardware enclave, and wherein the private key of the first enclave is etched in silicon.
9. A method, comprising:
deriving a shared enclave pool key from the public enclave key of each enclave of the enclave pool;
fetching a first enclave of the enclave pool for a first cryptlet;
receiving an output of the first enclave such that the output of the first enclave has a first certificate by a private enclave key of the first enclave;
fetching a second enclave of the enclave pool for the first cryptlet;
receiving an output of the second enclave such that the output of the second enclave has a second certificate by a private enclave key of the second enclave; and
verifying the first certificate by comparing the first certificate with the enclave pool shared signature; and
verifying the second certificate by comparing the second certificate with the enclave pool shared signature.
Dependent claims: 10, 11, 12, 13, 14.
15. A processor-readable storage medium, having stored thereon process-executable code that, upon execution by at least one processor, enables actions, comprising:
creating an enclave pool, wherein the enclave pool includes a plurality of enclaves, the enclaves are secure execution environments, and wherein each enclave of the enclave pool stores an enclave key pair including a private enclave key and a public enclave key;
receiving the public enclave key of each enclave of the enclave pool;
generating a shared enclave pool key that is based upon the public enclave key of each enclave of the enclave pool;
assigning a first enclave of the enclave pool to a first cryptlet;
receiving a payload of the first enclave such that the payload of the first enclave has a first signature by the private enclave key of the first enclave;
assigning a second enclave of the enclave pool to the first cryptlet;
receiving a payload of the second enclave such that the payload of the second enclave has a second signature by the private enclave key of the second enclave; and
using the shared enclave pool key to validate the first signature and the second signature.
Dependent claims: 16, 17, 18, 19, 20.
Specification