Ciphertext Policy Attribute Based Encryption with Intel SGX
Vivek Suryawanshi, Shamik Sural
TL;DR
The paper investigates securing CP-ABE in untrusted environments by integrating it with Intel SGX enclaves. It presents an architecture where CP-ABE setup, policy evaluation, encryption, and decryption run inside SGX, leveraging remote attestation and sealing to protect keys and policies, while data transfer occurs through ECALL/OCALL interfaces. A web-based Flask tool demonstrates practical deployment, porting CP-ABE components to SGX-capable libraries and providing secure encryption/decryption through a user-facing interface. Experimental results show that SGX introduces some overhead, particularly as policy size and file size grow, but the approach remains scalable across tested configurations, enhancing data confidentiality and integrity in hostile environments.
Abstract
Modern computing environments demand robust security measures to protect sensitive data and resources. Ciphertext-Policy Attribute-Based Encryption (CP-ABE) is a well-established encryption technique known for its fine-grained access control capabilities. However, as the digital landscape evolves, there is a growing need to enhance the security of CP-ABE operations. We propose an approach that utilizes CP-ABE with Intel SGX. It allows data to be encrypted and decrypted securely within the SGX enclave based on the rules in policy by ensuring that only authorized users gain access. We evaluate its performance through different experiments by focusing on key parameters such as the number of rules, attributes and file size. Our results demonstrate the performance and scalability of integrating SGX with CP-ABE in enhancing data security with only minimal increase in execution time due to enclave overhead.