Paper 2018/160

DelegaTEE: Brokered Delegation Using Trusted Execution Environments

Sinisa Matetic, Moritz Schneider, Andrew Miller, Ari Juels, and Srdjan Capkun

Abstract

We introduce a new concept called brokered delegation. Brokered delegation allows users to flexibly delegate credentials and rights for a range of service providers to other users and third parties. We explore how brokered delegation can be implemented using novel trusted execution environments (TEEs). We introduce a system called DelegaTEE that enables users (Delegatees) to log into different online services using the credentials of other users (Owners). Credentials in DelegaTEE are never revealed to Delegatees, and Owners can restrict access to their accounts using a range of rich, contextually dependent delegation policies. DelegaTEE fundamentally shifts existing access control models for centralized online services. It does so by using TEEs to permit access delegation at the user's discretion. DelegaTEE thus effectively reduces mandatory access control (MAC) in this context to discretionary access control (DAC). The system demonstrates the significant potential for TEEs to create new forms of resource sharing around online services without direct support from those services. We present a full implementation of DelegaTEE using Intel SGX and demonstrate its use in four real-world applications: email access (SMTP/IMAP), restricted website access using an HTTPS proxy, e-banking/credit card, and a third-party payment system (PayPal).
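The abstract describes the core mechanism in prose: a TEE-resident broker holds the Owner's credentials, the Delegatee receives only an opaque grant, and every request is checked against the Owner's policy before the broker logs in on the Delegatee's behalf. The following is an added illustration, not the paper's code: it models that flow in plain Python, with an in-process `Broker` object standing in for the SGX enclave and a constructed `FakeMailService` standing in for an IMAP/SMTP server. The policy fields (allowed operations, use count, expiry), the account names, and the secret string are all invented for the example; real DelegaTEE additionally relies on enclave sealing and remote attestation, which this toy omits.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    username: str
    password: str


@dataclass(frozen=True)
class Policy:
    # Operations the Delegatee may invoke on the Owner's account (hypothetical names).
    allowed_ops: frozenset
    # Hard cap on how many times the grant may be exercised.
    max_uses: int
    # Time after which the grant is dead regardless of the use count.
    expires_at: int


class FakeMailService:
    """Constructed stand-in for an IMAP/SMTP server; records every login."""

    def __init__(self, accounts):
        self._accounts = dict(accounts)
        self.login_log = []

    def login(self, username, password):
        if self._accounts.get(username) != password:
            raise PermissionError("bad credentials")
        self.login_log.append(username)
        return {"session_user": username}

    def read_inbox(self, session):
        return [f"message for {session['session_user']}"]

    def send_mail(self, session, to, body):
        return f"sent from {session['session_user']} to {to}: {body}"


class Broker:
    """Stands in for the TEE-resident broker. Only this object ever sees
    plaintext credentials; Delegatees hold opaque tokens and get back
    only the result of an allowed operation."""

    def __init__(self, service):
        self._service = service
        # Explicit dispatch table: a grant can only ever name these operations.
        self._ops = {"read_inbox": service.read_inbox, "send_mail": service.send_mail}
        self._vault = {}    # owner id -> Credential (never leaves the broker)
        self._grants = {}   # token -> [owner id, Policy, uses so far]

    def register_owner(self, owner_id, credential):
        self._vault[owner_id] = credential

    def delegate(self, owner_id, policy):
        if owner_id not in self._vault:
            raise KeyError("unknown owner")
        token = secrets.token_hex(16)       # opaque handle, carries no secret
        self._grants[token] = [owner_id, policy, 0]
        return token

    def revoke(self, token):
        self._grants.pop(token, None)

    def act(self, token, op, now, **kwargs):
        grant = self._grants.get(token)
        if grant is None:
            raise PermissionError("unknown or revoked grant")
        owner_id, policy, uses = grant
        if now > policy.expires_at:
            self._grants.pop(token)
            raise PermissionError("grant expired")
        if uses >= policy.max_uses:
            self._grants.pop(token)
            raise PermissionError("grant exhausted")
        if op not in policy.allowed_ops or op not in self._ops:
            raise PermissionError(f"operation {op!r} not permitted")
        grant[2] = uses + 1
        # The broker, not the Delegatee, performs the login with the Owner's secret.
        cred = self._vault[owner_id]
        session = self._service.login(cred.username, cred.password)
        return self._ops[op](session, **kwargs)


def demo():
    """Exercise a read-only, two-use grant and report what the Delegatee observed."""
    service = FakeMailService({"alice@example.org": "owner-only-secret"})
    broker = Broker(service)
    broker.register_owner("alice", Credential("alice@example.org", "owner-only-secret"))
    token = broker.delegate("alice", Policy(frozenset({"read_inbox"}), max_uses=2, expires_at=1000))
    out = {"inbox": broker.act(token, "read_inbox", now=100)}
    try:
        broker.act(token, "send_mail", now=100, to="bob@example.org", body="hi")
        out["send"] = "allowed"
    except PermissionError as e:
        out["send"] = str(e)
    out["second"] = broker.act(token, "read_inbox", now=200)
    try:
        broker.act(token, "read_inbox", now=300)
        out["third"] = "allowed"
    except PermissionError as e:
        out["third"] = str(e)
    out["secret_leaked"] = "owner-only-secret" in repr(out) or "owner-only-secret" in token
    out["logins"] = len(service.login_log)
    return out
```

The Delegatee only ever receives results (`inbox`, `second`) and error strings; the policy denies `send_mail`, and the third read fails once the two permitted uses are consumed. The two successful operations produced exactly two logins by the broker, so the service sees ordinary logins from the Owner's account, which is what lets this work without the service's cooperation.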

Metadata
Available format(s)
PDF
Category
Applications
Publication info
Published elsewhere. Minor revision. Usenix Security Symposium 2018
Keywords
Credential delegation, access control, trusted execution environment, Intel SGX
Contact author(s)
sinisa matetic @ inf ethz ch
History
2018-06-27: revised
2018-02-11: received
Short URL
https://ia.cr/2018/160
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2018/160,
      author = {Sinisa Matetic and Moritz Schneider and Andrew Miller and Ari Juels and Srdjan Capkun},
      title = {DelegaTEE: Brokered Delegation Using Trusted Execution Environments},
      howpublished = {Cryptology ePrint Archive, Paper 2018/160},
      year = {2018},
      note = {\url{https://eprint.iacr.org/2018/160}},
      url = {https://eprint.iacr.org/2018/160}
}