SecureFUSEStream: A system for secure video processing and storage, using FUSE for a custom filesystem interface and TEE for enhanced data security. It ensures integrity and confidentiality in video handling.
Do some arbitrary operation in the TEE and attest it. For now we can:

- Simply take a number from the client and do arithmetic on it
- Hash the result
- Sign the hash with the hardware key

- [ ] Key Derivation: First, derive the necessary cryptographic keys from the EKBs using secure processes as outlined in the system's security protocols. For example, use an EKB Root Key (EKB_RK) and a Key Derivation Function (KDF) to derive a specific signing key.
- [ ] Signing Key Preparation: The derived key used for signing (let's call it EKB_SK, for EKB Signing Key) would typically be an asymmetric key pair if the signature needs to be verified by external parties, or a symmetric key if verification remains within the trusted environment (in the symmetric case the result is a MAC rather than a signature, and anyone who can verify it can also forge it).
- [ ] Data Signing: With the signing key ready, the data that needs to be attested is signed. This involves computing a hash of the data and signing that hash with the private key of the signing key pair (in the case of asymmetric cryptography). The resulting digital signature can be appended to the data or stored separately.
- [ ] Verification: To verify the signature, the corresponding public key (from the signing key pair) is used. Anyone with access to this public key can recompute the hash of the original data and check the signature against it. If the check passes, it confirms both the integrity and authenticity of the data.
- [ ] Attestation: In scenarios where attestation is required (e.g., proving that data or an operation originated from a trusted source), the signature serves as proof that the data was indeed signed by the holder of the private key, assumed to be a secure and trusted entity within the system.
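The five steps above, end to end, as an added example (not the project's own code): an HMAC-based KDF stands in for the platform KDF, Ed25519 stands in for the hardware-backed signing key, and the root key, the KDF context label `EKB_SK/attest-v1` and the arithmetic `n*n + 1` are constructed values for this demo.

```go
package main
import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
)

// Attestation: the TEE's result plus a signature over SHA-256(result).
type Attestation struct {
	Input, Result int64
	Signature     []byte
}

// testRootKey stands in for the EKB root key (EKB_RK): a constructed value for
// this example only; on real hardware the root key never leaves the TEE.
var testRootKey = []byte("constructed-ekb-root-key-for-demo-only")

// deriveSigningKey is an HMAC-SHA256 KDF standing in for the platform KDF:
// EKB_SK = HMAC(EKB_RK, context). Its 32-byte output seeds a deterministic
// Ed25519 key, so the same root key always yields the same signing key pair.
func deriveSigningKey(rootKey []byte) ed25519.PrivateKey {
	mac := hmac.New(sha256.New, rootKey)
	mac.Write([]byte("EKB_SK/attest-v1"))       // KDF context label (assumed name)
	return ed25519.NewKeyFromSeed(mac.Sum(nil)) // 32 bytes == ed25519.SeedSize
}

// PublicKeyFor is the public half a verifier outside the TEE would hold.
func PublicKeyFor(rootKey []byte) ed25519.PublicKey {
	return deriveSigningKey(rootKey).Public().(ed25519.PublicKey)
}

// digestOf hashes the 8-byte big-endian encoding of the result.
func digestOf(result int64) []byte {
	d := sha256.Sum256(binary.BigEndian.AppendUint64(nil, uint64(result)))
	return d[:]
}

// Attest runs inside the TEE: do the arithmetic, hash the result, sign the hash.
func Attest(rootKey []byte, input int64) Attestation {
	result := input*input + 1 // the "arbitrary operation" on the client's number
	sig := ed25519.Sign(deriveSigningKey(rootKey), digestOf(result))
	return Attestation{Input: input, Result: result, Signature: sig}
}

// Verify runs on the client: recompute the hash from the reported result and check
// the signature with the trusted key; a tampered result or a foreign key fails.
func Verify(att Attestation, trusted ed25519.PublicKey) bool {
	return ed25519.Verify(trusted, digestOf(att.Result), att.Signature)
}
```

The client only needs the public key to check the attestation; the private key and the root key it was derived from never leave the TEE side.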