HTTPS is currently the main protocol for web applications It provides a fast and secure connection with a certain level of confidentiality and integrity. However, HTTPS cannot provide security guarantees on the application data in the calculation, so the IT environment presents risks and vulnerabilities.
Given this, two Intel employees believe that web services can be made more secure not only by performing calculations in trusted remote execution environments, or TEE, but also by verifying for clients that it has been done.
Gordon king, software engineer and Hans Wang, Intel Labs researcher, they proposed a protocol to make this possible. In an article titled: “Http: HTTPS Attestable Protocol ”, recently published on ArXiv, describe an HTTP protocol called HTTPS Attestable (HTTPA) to improve online security through remote certification.
A way for applications to gain assurance that data will be processed by trusted software in secure execution environments. A hardware-based Trusted Execution Environment (TEE), such as the Intel Software Guard Extension (Intel SGX), can be used.
Since Intel Software Guard Extension (Intel SGX) provides in-memory encryption to help protect running computers to reduce the risk of leakage or illegal modification of private information. SGX's core concept allows the calculation to take place within the enclosure, a protected environment that encrypts codes and data related to a security-sensitive calculation.
Furthermore, the SGX offers security guarantees through remote certification for the web client, including the provider's identity and verification identity.
"Here we offer an HTTPS Attestable HTTP Protocol (HTTPA), which includes the remote attestation process on the HTTPS protocol to address privacy and security concerns," says Intel.
"With HTTPA, we can provide security guarantees to establish the reliability of web services and ensure the integrity of the processing of requests for web users," say King and Wang. We believe that remote attestation will become a new trend. adopted to reduce the security risks of web services, and we offer the HTTPA protocol to unify web attestation and access to services in a standard and efficient way. «
Intel uses remote attestation as the basic interface for users or web services to establish trust as a secure trusted channel to deliver secrets or confidential information. To achieve this goal, we are adding a new set of HTTP methods, including HTTP preflight request / response, HTTP attestation request / response, HTTP trusted session request / response, to achieve remote attestation that allows users to and to the web services establish a connection directly to the running code.
HTTPA is designed to provide remote certification and confidential computer guarantees between a client and a server when using the web over the Internet. In the case of HTTPA, we assume that the client is trustworthy and the server is not. The customer user can check these guarantees to decide whether they can trust and run the computing workloads on the server or not. However, HTTPA does not offer any guarantee that the server is trustworthy. HTTPA has two parts: communication and computing.
Regarding the security of communication, HTTPA takes all the assumptions of HTTPS for communication security, including the use of TLS and secure communication, in particular the use of TLS and the verification of the identity of the person. With regard to computational security, the HTTPA protocol requires providing an additional assurance state of remote attestation for IT workloads to occur within the secure enclave, so that the customer user can run the workloads in encrypted memory.
King and Wang said:
“We believe that HTTPA could potentially be beneficial for certain industries, for example FinTech and healthcare. When asked if the protocol could interfere with services that have stringent bandwidth or latency requirements, they responded: “Further exploration would be needed to confirm any performance impact; however, we do not expect any significant performance changes from other HTTPS protocols. As to whether or when HTTPA could be adopted, it is unclear. When asked if there were plans to submit the specification as an RFC or to undertake some other form of standardization, they responded: “We have ongoing discussions that need to be reviewed by Intel's legal team before we can adopt HTTPA. «
Finally, if you are interested in knowing more about it, you can consult the details In the following link.