Annual Computer Security Applications Conference (ACSAC) 2021


TEEKAP: Self-Expiring Data Capsule using Trusted Execution Environment

Safeguarding privacy in data sharing is challenging, especially when data owners lose control over their data once it is passed to another party. Our work aims to build a data-sharing platform that enables data owners to regain control over their shared data. Specifically, sensitive data is encapsulated into a data capsule. The platform regulates functional accesses to the data capsules, i.e., the receiver can compute a predefined function on the data with its input and learn nothing else. The platform also enforces self-expiry of the data capsules. In addition, data capsules feature a notion of “send-and-forget” wherein data owners can go offline after releasing their data capsules. In other words, data capsules can be freely circulated.

Each data capsule is associated with an access policy and a usage transcript. The former specifies which functions are eligible to access the sensitive data and its expiry conditions, whereas the latter is used to determine if the expiry conditions have been met. An efficient solution is to employ a Trusted Execution Environment (TEE) to attest and regulate functional access. Nonetheless, we observe that TEEs alone are not sufficient to accomplish self-expiry, for TEEs are vulnerable to rollback attacks via which an adversary can “unwind” the usage transcript of an expired data capsule. Moreover, a straightforward implementation would need a single master key to reside in the TEE, leading to single-point-of-failure issues. Our solution, namely TEEKAP, addresses these challenges by employing a committee of independent and mutually distrusting nodes to uphold the integrity of usage transcripts and the confidentiality of the encryption keys. TEEKAP integrates TEE, consensus protocol, and threshold secret sharing in a novel way. Experiments conducted in realistic deployment settings on Microsoft Azure show that TEEKAP can process access requests at scale.
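The following toy model, added here as an illustration and not the authors' code, shows why a usage transcript held by a single TEE is undone by a rollback and how a committee combined with threshold secret sharing closes that gap: each committee node keeps its own transcript and releases its key share only while the capsule is unexpired, so one rolled-back node cannot by itself revive an expired capsule. It assumes Shamir sharing over a prime field, a transcript that is just an access counter, an expiry policy of "at most max_uses accesses", and committee nodes modelled as plain Python objects rather than enclaves.

```python
# Toy model of a TEEKAP-style self-expiring capsule, written for this page (not the
# authors' code). Assumed: Shamir sharing over the prime field mod P, a usage
# transcript that is an access counter, and the expiry policy "at most max_uses uses".
import secrets

P = 2**127 - 1

def split_key(key, n, t):
    """Shamir t-of-n sharing of an integer key < P; returns [(x, y), ...]."""
    coeffs = [key] + [secrets.randbelow(P) for _ in range(t - 1)]
    return [(x, sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P)
            for x in range(1, n + 1)]

def reconstruct_key(shares):
    """Lagrange interpolation at x=0; correct only with >= t distinct shares."""
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num, den = num * (-xj) % P, den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

class CommitteeNode:
    """Mutually distrusting member: one key share plus its own copy of the usage transcript."""
    def __init__(self, share, max_uses):
        self.share, self.max_uses, self.transcript = share, max_uses, 0

    def grant(self):
        """Append to the transcript and release the share, unless already expired."""
        if self.transcript >= self.max_uses:
            return None
        self.transcript += 1
        return self.share

    def rollback(self):  # simulated rollback: this node's sealed transcript reset to fresh
        self.transcript = 0

def request_access(nodes, t):
    """Key is recoverable only if at least t nodes agree the capsule is still live."""
    shares = [s for s in (node.grant() for node in nodes) if s is not None]
    return reconstruct_key(shares[:t]) if len(shares) >= t else None

def demo(max_uses=2, n=5, t=3):
    key = secrets.randbelow(P)
    nodes = [CommitteeNode(s, max_uses) for s in split_key(key, n, t)]
    live = [request_access(nodes, t) == key for _ in range(max_uses)]
    expired = request_access(nodes, t)          # every node refuses -> None
    nodes[0].rollback()                         # a lone TEE would now re-release the key
    return live, expired, request_access(nodes, t)  # 1 share < t -> still None
```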

Mingyuan Gao
School of Computing, National University of Singapore

Hung Dang
School of Computing, National University of Singapore

Ee-Chien Chang
School of Computing, National University of Singapore
