In the last years, a need for secure computing on untrusted host has come up. To achieve this, Intel developed Secure Guard Extensions (SGX) [1,2] that allows developers to create secure compartments for their applications, called enclaves. Enclaves are a secure part of applications that can be entered to perform security critical computations while being guarded from an untrusted operating system and attackers by the processor itself. Enclaves operate in completely encrypted memory that only they can access. To ease development of enclaves, Intel released a Software Development Kit (SDK) [0].
During the SEP, we developed a prototype system for trusted input/output with an example application for encrypted e-mail based on OpenPGP. We want to further develop the parts of this prototype in multiple theses. This part focuses on GnuPG as application that enables encryption of messages (e.g. e-mails) using a mix of symmetric and asymmetric cryptography. Currently, the whole system used for processing of these messages needs to be trusted. We want to reduce the trust needed by incorporating Intel SGX enclaves and using features like sealing to bind a key to a platform.
In this thesis, we want to secure GnuPG [3] using Intel SGX. The main goal, is to move all cryptographic operations into an Intel SGX enclave as well as enabling saving PGP keys in SGX sealed storage. Generation of keys that never leave the enclave unencrypted shall also be performed.