Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

SRAS: Self-governed Remote Attestation Scheme for Multi-party Collaboration

Linan Tian, Yunke Shen, Zhiqiang Li

TL;DR

SRAS addresses multi-party cloud attestation by introducing a decentralized, self-governed framework where each participant runs a Relying Party Enclave (RPE) that locally attests its own privacy enclave (PE) and participates in a virtual verifiable network with other parties. A negotiated policy governs all attestations, enabling RPEs to attest on behalf of others without leaking sensitive data, and a blockchain-based virtual network coordinates evidence exchange and certificate handling. The prototype, built with Gramine, RA-TLS, and Hyperledger Fabric, demonstrates sub-second latencies across registration, attestation, and secure channel establishment, validating practical viability. This approach reduces reliance on a centralized Relying Party, enhances privacy, and supports flexible integration of TEEs across multiple cloud tenants for collaborative workloads.

Abstract

Trusted Execution Environments (TEEs), such as Intel Software Guard Extensions (SGX), ensure the confidentiality and integrity of user applications when using cloud computing resources. However, in the multi-party cloud computing scenario, how to select a Relying Party to verify the TEE of each party and avoid leaking sensitive data to each other remains an open question. In this paper, we propose SRAS, an open self-governed remote attestation scheme with attestation and verification functions for verifying the trustworthiness of TEEs and computing assets, achieving decentralized unified trusted attestation and verification platform for multi-party cloud users. In SRAS, we design a Relying Party enclave, which can form a virtual verifiable network, capable of local verification on behalf of other participants relying parties without leaking sensitive data to others. We provide an open-source prototype implementation of SRAS to facilitate the adoption of this technology by cloud users or developers.

SRAS: Self-governed Remote Attestation Scheme for Multi-party Collaboration

TL;DR

SRAS addresses multi-party cloud attestation by introducing a decentralized, self-governed framework where each participant runs a Relying Party Enclave (RPE) that locally attests its own privacy enclave (PE) and participates in a virtual verifiable network with other parties. A negotiated policy governs all attestations, enabling RPEs to attest on behalf of others without leaking sensitive data, and a blockchain-based virtual network coordinates evidence exchange and certificate handling. The prototype, built with Gramine, RA-TLS, and Hyperledger Fabric, demonstrates sub-second latencies across registration, attestation, and secure channel establishment, validating practical viability. This approach reduces reliance on a centralized Relying Party, enhances privacy, and supports flexible integration of TEEs across multiple cloud tenants for collaborative workloads.

Abstract

Trusted Execution Environments (TEEs), such as Intel Software Guard Extensions (SGX), ensure the confidentiality and integrity of user applications when using cloud computing resources. However, in the multi-party cloud computing scenario, how to select a Relying Party to verify the TEE of each party and avoid leaking sensitive data to each other remains an open question. In this paper, we propose SRAS, an open self-governed remote attestation scheme with attestation and verification functions for verifying the trustworthiness of TEEs and computing assets, achieving decentralized unified trusted attestation and verification platform for multi-party cloud users. In SRAS, we design a Relying Party enclave, which can form a virtual verifiable network, capable of local verification on behalf of other participants relying parties without leaking sensitive data to others. We provide an open-source prototype implementation of SRAS to facilitate the adoption of this technology by cloud users or developers.
Paper Structure (20 sections, 8 figures, 4 tables)

This paper contains 20 sections, 8 figures, 4 tables.

Table of Contents

  1. Introduction
  2. Background
  3. SGX
  4. DCAP
  5. Preliminary and Overview
  6. Threat Model
  7. Challenges and Key Insights
  8. Overview
  9. Detailed Design
  10. Registration
  11. Mutual Attestation
  12. Local Verification
  13. Collaborative Preparation
  14. Implementation
  15. Analysis and Evaluation
  16. ...and 5 more sections

Figures (8)

  • Figure 1: In passport pattern, Privacy Enclave sends the Quote to the Verifier for attestation and Relying Party verifies the attestation result. In background check pattern, Privacy Enclave first sends the Quote to Relying Party and Relying Party forwards the Quote to the Verifier, Relying Party then verifies the attestation result from the Verifier.
  • Figure 2: SRAS multi-party architecture overview. Each participant is an RP owner, and each of them acts as a verifier owner to provide endorsements and reference values to build a consensus $policy$. After attesting the local RPE, each party's trusted anchor is conducted by the RP owner to local RPE. The RPEs granted by each party establishe a virtual verifiable network through mutual attestation, implementing the validation of the trustworthiness of multi-party attestation and verification.
  • Figure 3: SRAS microservice architecture.
  • Figure 4: Registration Phase.
  • Figure 5: Mutual Attestation Phase. Assuming that there are two participants in multi-party cloud computing.
  • ...and 3 more figures