Secure cryptlet tunnel
First Claim
1. An apparatus for secure transactions, comprising:
- a device including at least one memory adapted to store run-time data for the device, and at least one processor that is adapted to execute processor-executable code that, in response to execution, enables the device to perform actions, including;
  - storing, in an enclave, an enclave key pair including an enclave private key and an enclave public key, wherein the enclave is a secure execution environment;
  - registering the enclave as a member of an enclave pool, such that members of the enclave pool act as pooled resources, provisionable on demand, for executing smart contract logic off of a blockchain;
  - establishing and using a secure encrypted communication tunnel between the enclave and a hardware security module (HSM), enabling persistence of secrets across multiple members of the enclave pool, establishing and using the secure encrypted communication tunnel including;
    - deriving a session public/private enclave key pair, including a session enclave private key and a session enclave public key, from the enclave key pair;
    - sending the session enclave public key to the HSM;
    - receiving, from the HSM, a session HSM public key;
    - encrypting additional information with the session enclave private key;
    - sending the encrypted additional information to the HSM;
    - receiving further encrypted information from the HSM; and
    - decrypting the further encrypted information with the session enclave private key;
  - receiving, from a cryptlet fabric configured to manage the enclave pool, cryptlet code;
  - executing the cryptlet code in the enclave; and
  - signing a payload of the cryptlet code with the enclave private key.
Abstract
The disclosed technology is generally directed to secure transactions. In one example of the technology, a secure encrypted communication tunnel between the enclave and a hardware security module (HSM) may be established and used. Establishing the tunnel includes the following steps. A session public/private enclave key pair, including a session enclave private key and a session enclave public key, may be derived from the public/private key pair of the enclave. The session enclave public key may be sent to the HSM. A session HSM public key may be received from the HSM. Additional information may be encrypted with the session HSM public key. The encrypted additional information may be sent to the HSM. Further encrypted information may be received from the HSM. The further encrypted information may be decrypted with the session enclave private key.
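The tunnel setup described in the abstract, as an added sketch that is not code from the patent or its assignee. The patent names no algorithms, so every concrete choice is an assumption: X25519 key pairs, session keys derived by HMAC-SHA256 over the long-term private key and a nonce, and an HMAC-based encrypt-then-MAC construction standing in for an AEAD; all function names are hypothetical.

```python
import hmac, os

P = 2**255 - 19                     # Curve25519 field prime (RFC 7748)
BASE = (9).to_bytes(32, "little")   # X25519 base point

def x25519(k, u):
    """RFC 7748 X25519 ladder in pure Python (illustrative, not constant time)."""
    s = (int.from_bytes(k, "little") & ~7 & ((1 << 254) - 1)) | (1 << 254)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3 = 1, 0, x1, 1
    for t in reversed(range(255)):
        if s >> t & 1:
            x2, x3, z2, z3 = x3, x2, z3, z2
        a, b, c, d = x2 + z2, x2 - z2, x3 + z3, x3 - z3
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, (aa - bb) * (aa + 121665 * (aa - bb)) % P
        if s >> t & 1:
            x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def derive_session_pair(long_term_priv, nonce):
    priv = hmac.digest(long_term_priv, b"session" + nonce, "sha256")  # assumed derivation
    return priv, x25519(priv, BASE)

def _expand(key, label, n):
    """HMAC-SHA256 in counter mode: stand-in for HKDF plus a stream cipher."""
    return b"".join(hmac.digest(key, label + i.to_bytes(4, "big"), "sha256") for i in range(n // 32 + 1))[:n]

def seal(sender_priv, recipient_pub, plaintext):
    """Encrypt-then-MAC a message to the recipient's session public key."""
    shared, nonce = x25519(sender_priv, recipient_pub), os.urandom(16)
    stream = _expand(shared, b"enc" + recipient_pub + nonce, len(plaintext))
    ct = nonce + bytes(p ^ s for p, s in zip(plaintext, stream))
    return ct + hmac.digest(shared, b"mac" + recipient_pub + ct, "sha256")

def unseal(recipient_priv, sender_pub, blob):
    """Check the tag, then decrypt with the recipient's session private key."""
    shared, me = x25519(recipient_priv, sender_pub), x25519(recipient_priv, BASE)
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.digest(shared, b"mac" + me + ct, "sha256")):
        raise ValueError("authentication failed")
    stream = _expand(shared, b"enc" + me + ct[:16], len(ct) - 16)
    return bytes(c ^ s for c, s in zip(ct[16:], stream))

def demo():  # constructed random keys stand in for the enclave's and the HSM's long-term keys
    e_priv, e_pub = derive_session_pair(os.urandom(32), os.urandom(16))
    h_priv, h_pub = derive_session_pair(os.urandom(32), os.urandom(16))
    return unseal(h_priv, e_pub, seal(e_priv, h_pub, b"pool secret"))
```

Because the recipient's session public key is bound into the key labels, a message sealed for the HSM fails authentication if it is reflected back to the enclave.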
97 Citations
23 Claims
1. An apparatus for secure transactions, comprising:
- a device including at least one memory adapted to store run-time data for the device, and at least one processor that is adapted to execute processor-executable code that, in response to execution, enables the device to perform actions, including;
  - storing, in an enclave, an enclave key pair including an enclave private key and an enclave public key, wherein the enclave is a secure execution environment;
  - registering the enclave as a member of an enclave pool, such that members of the enclave pool act as pooled resources, provisionable on demand, for executing smart contract logic off of a blockchain;
  - establishing and using a secure encrypted communication tunnel between the enclave and a hardware security module (HSM), enabling persistence of secrets across multiple members of the enclave pool, establishing and using the secure encrypted communication tunnel including;
    - deriving a session public/private enclave key pair, including a session enclave private key and a session enclave public key, from the enclave key pair;
    - sending the session enclave public key to the HSM;
    - receiving, from the HSM, a session HSM public key;
    - encrypting additional information with the session enclave private key;
    - sending the encrypted additional information to the HSM;
    - receiving further encrypted information from the HSM; and
    - decrypting the further encrypted information with the session enclave private key;
  - receiving, from a cryptlet fabric configured to manage the enclave pool, cryptlet code;
  - executing the cryptlet code in the enclave; and
  - signing a payload of the cryptlet code with the enclave private key.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15
16. A method, comprising:
- receiving, from a cryptlet fabric configured to manage an enclave pool that includes a first enclave, cryptlet code, wherein members of the enclave pool act as pooled resources, provisionable on demand, for executing smart contract logic off of a blockchain;
- generating a session enclave key pair from an enclave key pair, wherein the enclave key pair includes an enclave private key and an enclave public key, and wherein the session enclave key pair includes a session enclave private key and a session enclave public key;
- communicating the session enclave public key to a hardware security module (HSM);
- receiving, from the HSM, a session HSM public key;
- encrypting additional information with the session HSM public key; and
- communicating the encrypted additional information to the HSM, enabling persistence of the encrypted additional information.

Dependent claims: 17, 18, 19, 20
21. A processor-readable storage medium, having stored thereon processor-executable code that, upon execution by at least one processor, enables actions, comprising:
- establishing and using a secure encrypted communication channel between an enclave and a hardware security module (HSM), enabling persistence of enclave secrets, the enclave being configured to execute smart contract logic off of a blockchain, establishing and using the secure encrypted communication channel including;
  - deriving a session enclave key pair from an enclave key pair, wherein the enclave key pair includes an enclave private key and an enclave public key, and wherein the session key pair includes a session enclave private key and a session enclave public key;
  - sending the session enclave public key to the HSM;
  - receiving, from the HSM, a session HSM public key;
  - encrypting additional information with the session HSM public key;
  - sending the encrypted additional information to the HSM;
  - receiving further encrypted information from the HSM; and
  - decrypting the further encrypted information with the session enclave private key; and
- signing a payload of the enclave with the enclave private key.

Dependent claims: 22, 23
Specification