Beyond Hacking with Sequestered Encryption
At Agita Labs, we do not build data security technologies that try to stop hacking. Instead, our data security solutions work despite ongoing hacking. This change in mindset is spearheaded by the work of Dr. Todd Austin and Dr. Valeria Bertacco, two computer science professors from the University of Michigan. In 2017, Austin and Bertacco built Morpheus, a secure computing platform that was designed to protect data from hacking. DARPA, the research arm of the US Department of Defense, put this system into a commercial red-teaming effort for three months, during which 500+ cybersecurity researchers were unable to successfully attack the system even a single time! Agita Labs’ technology is the commercialized evolution of this new approach to data security.
At the heart of Agita Labs’ solution is a novel patented technology called sequestered encryption (or SE, for short). Sequestered encryption builds a hardware-based cryptographic wall between all software and sensitive data. As SE-protected software runs, all sensitive data is encrypted all the time, even when it is processed and analyzed. In fact, no one, not even programmers or superuser IT staff, can see data protected by sequestered encryption except the data owner who originally encrypted the data. Thus, when you utilize SE, sensitive data remains safe, even if (or more likely, when) your organization gets hacked!
Under the Hood: Agita Labs’ Sequestered Encryption Enclave
Sequestered encryption is enforced using a small hardware component called the SE enclave. The SE enclave is a trusted hardware processing element that can expose a secret key from the data owner (using industry-standard public-key cryptography), and then operate directly on encrypted program data using simple processing commands, such as ADD, MULTIPLY, and XOR. Since the results of any computation are encrypted, the inputs and outputs of any computation remain secret. The SE enclave is deployed into the cloud using existing FPGA-class nodes in Azure and AWS or on-premises with Intel-Altera CPUs, making this powerful hardware security technology ready to use today!
Sequestered encryption provides a highly durable defense against the disclosure of sensitive data because it sequesters (hides) all decrypted sensitive data and the data owner’s keys used to access that data inside the hardware SE enclave. No software, including software from Agita Labs or the operating system, can access information inside the software-free SE enclave. Thus, even if the system’s software gets hacked, not even the hacked software can get access to sensitive decrypted data or keys. In addition, SE enclave computation is free of any control, memory and timing side channels, and thus, you can rest assured that if attackers are observing the computation, there is nothing to be learned about your sensitive data.
The SE enclave enforces the integrity of any computation using a powerful patented computational fingerprinting technology. Computational fingerprints allow users to verify that i) the intended inputs to the computation were used in creating a result, and ii) the full unperturbed computation was run on the expected inputs. Any form of hacking to rearrange, replay, or otherwise manipulate SE computation is readily detected. This facility is invaluable in its ability to detect if the system software is being actively hacked or modified with malicious intent (e.g., supply chain attacks).
Added to this, our novel patented safe datagrants technology forms the basis for analysis of encrypted data, monetization of 3rd-party encrypted data, selective release of computed results, and 3rd-party auditing of encrypted data storage and computation. Safe datagrants allow a specific computation to decrypt a computed value (or transfer it to another security domain), as long as the computation that produced the value was not perturbed in any way.