Intel Software Guard Extensions (SGX) is a new technology that enables so-called secure enclaves: processes that are protected from processes running at higher privilege levels. The authenticity of a remote enclave can also be verified, and the enclave trusted, through a process called remote attestation. In other words, SGX makes it possible to run very sensitive code that processes confidential information in insecure environments, no matter where that code resides. One example application is a local key storage that can supply a remote service provider (such as a remote login) with a secret without revealing the secret to other, potentially malicious, processes on the local system.


The Hyker Key Delegate is a technology based on Intel SGX. However, we reverse the approach. Instead of having a local key storage, we set up a remote key storage with a predefined procedure for later collecting the key from it. This procedure involves a third-party trust provider that can attest to the identity of the collector. This means that one client can store a secret in the remote key storage for another client to collect later, provided the collecting client can prove its identity to the third-party trust provider. The key storage becomes a key delegate.
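The deposit-then-collect flow described above can be modeled as follows. This is an added example, not Hyker's code or protocol: the class and method names, the nonce challenge, and the HMAC tag (a stand-in for a trust-provider signature) are all assumptions, and no SGX enclave is simulated.

```python
import hashlib
import hmac
import secrets


def _tag(key: bytes, identity: str, nonce: bytes) -> bytes:
    # Binds the attested identity to one fresh challenge from the delegate.
    return hmac.new(key, identity.encode() + b"|" + nonce, hashlib.sha256).digest()


class TrustProvider:
    """Hypothetical third party that vouches for a collector's identity."""
    def __init__(self, key: bytes):
        self._key = key  # assumption: shared with the delegate (signature stand-in)

    def attest(self, identity: str, nonce: bytes) -> bytes:
        # Assumption: the provider has already authenticated the client as `identity`.
        return _tag(self._key, identity, nonce)


class KeyDelegate:
    """Hypothetical model of the remote key storage."""
    def __init__(self, provider_key: bytes):
        self._provider_key = provider_key
        self._store = {}   # collector identity -> deposited secret
        self._nonces = {}  # collector identity -> outstanding challenge

    def deposit(self, collector: str, secret: bytes) -> None:
        # The collector need not be registered anywhere at deposit time.
        self._store[collector] = secret

    def challenge(self, collector: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._nonces[collector] = nonce
        return nonce

    def collect(self, collector: str, assertion: bytes) -> bytes:
        nonce = self._nonces.pop(collector, None)  # single use, so replays fail
        if nonce is None or collector not in self._store:
            raise PermissionError("nothing to collect or no outstanding challenge")
        if not hmac.compare_digest(_tag(self._provider_key, collector, nonce), assertion):
            raise PermissionError("identity not attested by the trust provider")
        return self._store[collector]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed sample values
    tp, kd = TrustProvider(key), KeyDelegate(key)
    kd.deposit("bob@example.com", b"wrapped-key")
    print(kd.collect("bob@example.com", tp.attest("bob@example.com", kd.challenge("bob@example.com"))))
```

Because each challenge is consumed on first use, a captured assertion cannot be replayed, and an assertion issued for a different identity fails the constant-time comparison.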


This solution is also the key to solving recoverability. For instance, Alice wants to back up all her data. She knows that all of her devices might break or be stolen, but she also wouldn’t trust cloud services with her data. Using the key delegate, she can now preregister her own back-up identity. If she loses all of her keys, she can simply ask the key delegate to give her back-up identity to her and repeat the process.


This technology matches perfectly with the Hyker platform and Hyker’s end-to-end protocol Riks. Traditionally, end-to-end encryption requires both users to know each other’s identities and exchange public keys beforehand. Riks and the accompanying Key Delegate completely flip this picture: not only do clients not need to know each other’s identities beforehand, the receiving clients don’t even have to exist in the platform in order for end-to-end encryption to take place. All that is needed is a third-party trust provider that can confirm clients’ identities. We can finally build systems purely based on completely conditional trust.


More about Hyker and Intel SGX here.