DeTEE RATLS
DeTEE uses a custom implementation of Remote Attestation Transport Layer Security (RATLS) to secure communication between the different components of the DeTEE network. The RATLS library is implemented in Rust; check out the repository.
RATLS is a special mode of TLS that uses Remote Attestation (RA) certificates during the handshake. The RA certificates are generated during remote attestation using the Intel SGX SDK and contain the MRENCLAVE, MRSIGNER, PRODID and SVN of the peer.
RATLS has two modes.
mRATLS
During a Mutual Remote Attestation TLS (mRATLS) handshake, the peers exchange their RA certificates and verify them. Each peer has a whitelist of the MRENCLAVE, MRSIGNER, PRODID and SVN values of the other peer. If the values in a peer's RA certificate are not in the whitelist, the connection is rejected.
This is the mode that Hacker Challenge nodes and Brain nodes use so that only trusted peers can connect. In the case of the Hacker Challenge, the whitelist contains only the MRENCLAVE measurement of the currently running code, which ensures that only identical copies of the code can connect.
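The whitelist decision described above can be sketched as follows. This is an added example, not code from the DeTEE RATLS library: the type and function names are hypothetical, the identity is assumed to come from an RA certificate whose quote has already been verified, and treating SVN as a minimum version is an assumption.

```rust
// Added illustration; all names are assumptions, not the DeTEE RATLS library's API.
// Input is the identity taken from an RA certificate whose quote was already verified.
#[derive(Clone, Debug, PartialEq)]
pub struct EnclaveIdentity {
    pub mrenclave: [u8; 32],
    pub mrsigner: [u8; 32],
    pub prod_id: u16,
    pub svn: u16,
}

// One whitelist entry; `None` leaves that field unconstrained.
#[derive(Clone, Debug, Default)]
pub struct AllowedPeer {
    pub mrenclave: Option<[u8; 32]>,
    pub mrsigner: Option<[u8; 32]>,
    pub prod_id: Option<u16>,
    pub min_svn: Option<u16>, // assumption: SVN is treated as a minimum version
}

impl AllowedPeer {
    pub fn matches(&self, id: &EnclaveIdentity) -> bool {
        // Fail closed: an entry pinning neither measurement would admit any enclave.
        if self.mrenclave.is_none() && self.mrsigner.is_none() {
            return false;
        }
        self.mrenclave.map_or(true, |m| m == id.mrenclave)
            && self.mrsigner.map_or(true, |m| m == id.mrsigner)
            && self.prod_id.map_or(true, |p| p == id.prod_id)
            && self.min_svn.map_or(true, |s| id.svn >= s)
    }
}

// Accept the peer only if at least one entry matches; an empty whitelist rejects all.
pub fn authorize(whitelist: &[AllowedPeer], peer: &EnclaveIdentity) -> Result<(), String> {
    if whitelist.iter().any(|e| e.matches(peer)) {
        Ok(())
    } else {
        Err(format!("peer MRENCLAVE {:02x?}.. not whitelisted", &peer.mrenclave[..4]))
    }
}

// Hacker Challenge style policy: pin only the node's own MRENCLAVE.
pub fn pin_to_self(own: &EnclaveIdentity) -> Vec<AllowedPeer> {
    vec![AllowedPeer { mrenclave: Some(own.mrenclave), ..Default::default() }]
}

fn main() {
    let me = EnclaveIdentity { mrenclave: [0xAA; 32], mrsigner: [0x01; 32], prod_id: 1, svn: 3 }; // constructed
    let other = EnclaveIdentity { mrenclave: [0xBB; 32], ..me.clone() }; // constructed
    println!("{:?} {:?}", authorize(&pin_to_self(&me), &me), authorize(&pin_to_self(&me), &other));
}
```

With the MRENCLAVE-only policy, a peer built from different code is rejected even when its MRSIGNER, PRODID and SVN are identical.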
hRATLS
This mode is used when one of the peers is not running inside an enclave, hence the name Hybrid Remote Attestation TLS (hRATLS). DeTEE has already completed the implementation of this mode but has not made it public yet.