WorldHealthOrganization / app

COVID-19 App

Document Security Boundaries #309

Closed myiremark closed 4 years ago

brunobowden commented 4 years ago

worthwhile documenting for security review but not a blocker on v1

cankisagun commented 4 years ago

Hey all,

We are working on SafeTrace - an API that provides privacy-preserving storage and private computation service for contact tracing APIs. We are using Trusted Execution Environments to provide end-to-end data encryption. We have a functional MVP that can address your privacy requirements for the Covid App. You can use / test it today.

We are here to help if we can.

brunobowden commented 4 years ago

@cankisagun - this is a deeply sensitive issue. The app is very focused on minimizing the impact on user privacy. Your system diagram showed cleartext on the server side, which raises significant concerns for me even if part of a secure enclave. You can email me directly if you have more questions but please keep this issue focused on the stated topic.

A number of cryptographic and security teams have been developing proposals that use encrypted message exchange and minimize server data to try to be much more protective of privacy. Here's some pointers so you can separately research them. I would suggest investigating them and see if it's possible to pool resources as a single shared protocol can get the most public scrutiny.

https://ethics.harvard.edu/files/center-for-ethics/files/white_paper_5_outpacing_the_virus_final.pdf

https://github.com/Co-Epi/CEN

cankisagun commented 4 years ago

Sharing this here to clarify potential misconceptions.

The concept of a secure enclave guarantees that data is encrypted client-side and sent to the enclave. The client-side encryption is done using Diffie-Hellman, which uses the private key of the user and the public key of the enclave. Decryption of the data is done when it's inside the enclave and when there's a computation, by using the private key of the enclave and public key of the user. The private key of the enclave is generated inside the enclave and cannot be accessed by anyone.

There have been attacks on enclaves, however these attacks are relevant if the server is untrusted or an attacker is able to access the actual enclave (which is less risky for an enclave that's stored in say the IBM cloud data center). We don't foresee these to be issues for SafeTrace.

CoEpi allows p2p data sharing and computing on edge (user device). However that limits the data to be used in any meaningful manner by public health authorities. This solution only delivers insight to the users. There are benefits for researchers or the public at large to access the outcomes of covid-19 related computations. For example the data can be used to create global heatmaps that inform not only individuals who have been around diagnosed patients but also authorities and the general public. This has been employed by Israel and Singapore. The only way to run this with increased privacy is by using secure enclaves. Such analyses are not possible with computation on edge devices, which can help users but has limited utility to researchers.

brunobowden commented 4 years ago

@cankisagun - there are some interesting elements here... but I asked before and I'd kindly ask again, to please keep this GitHub issue focused on the issue description and email me directly if you'd like to have a discussion outside of that. My email is deliberately listed on my GitHub profile just for this reason.

rmspeers commented 4 years ago

On the topic of documenting security boundaries, @brunobowden, if someone who knows the system can take even a first stab at this and share it over in Slack, we can help refine it but it would be a large help to understanding what components are intended to interact in the system.

advayDev1 commented 4 years ago

@rmspeers check out https://drive.google.com/file/d/1BMEyOnVAvJkr0Rd8XB7DKELWiFKvQZRx/view?usp=sharing

Closing this bug for now as it appears to be a bug that would be perpetually open (as our security boundaries change). We have a bug for our v1 security review: #16 - if there is something needed for v1 specifically, please note there or file a more narrow issue please.