US 12,445,300 B2
System and method for providing a verified privacy-preserving attestation of web service data properties
Adi Ben-Ari, London (GB)
Assigned to APPLIED BLOCKCHAIN LTD., London (GB)
Appl. No. 18/017,895
Filed by APPLIED BLOCKCHAIN LTD., London (GB)
PCT Filed Aug. 1, 2021, PCT No. PCT/IL2021/050928
§ 371(c)(1), (2) Date Jan. 25, 2023,
PCT Pub. No. WO2022/029762, PCT Pub. Date Feb. 10, 2022.
Claims priority of provisional application 63/060,077, filed on Aug. 2, 2020.
Prior Publication US 2023/0269093 A1, Aug. 24, 2023
Int. Cl. H04L 9/32 (2006.01); G06F 21/62 (2013.01); H04L 9/14 (2006.01)
CPC H04L 9/3247 (2013.01) [G06F 21/6245 (2013.01); H04L 9/14 (2013.01)] 22 Claims
OG exemplary drawing
 
1. A system for providing a verified, privacy-preserving attestation of properties of private data stored on a web service, the system comprising:
a data owner device;
a data attestation server comprising:
an untrusted host module; and
a secure enclave module;
a secure enclave attestation module; and
an attestation envelope verification module;
wherein:
the untrusted host module is configured to receive a data attestation request and to mediate communication with the secure enclave module;
the secure enclave attestation module is configured to generate a secure enclave attestation packet comprising:
a secure enclave attestation;
a secure enclave attestation signature;
an X.509 secure enclave attestation signing certificate; and
a unique measurement of a trusted computing base (TCB) code and public keys of the secure enclave module;
the untrusted host module is further configured to send the secure enclave attestation packet to the data owner device;
the data owner device is configured to:
request a public key of the secure enclave module;
verify that the public key of the secure enclave module matches the public key in the secure enclave attestation; and
send to the secure enclave module credentials for accessing private data stored on a web server, the credentials being encrypted using a symmetric key;
the secure enclave module is configured to:
initiate a Transport Layer Security (TLS)-encrypted Hypertext Transfer Protocol Secure (HTTPS) connection with the web server;
perform a TLS handshake with the web server and obtain a TLS service certificate of the web server;
decrypt an HTTPS response from the web server, the response comprising the private data;
compute one or more requisite properties of the private data; and
construct an attestation envelope comprising:
the web server TLS service certificate;
the computed properties of the private data; and
an attestation envelope signature generated by the secure enclave module;
the untrusted host module is further configured to:
receive the attestation envelope;
insert the secure enclave attestation, secure enclave attestation signature, and X.509 secure enclave attestation signing certificate into the attestation envelope; and
transmit the attestation envelope to an attestation envelope verification server;
the attestation envelope verification server is configured to:
verify the digital signature of the secure enclave attestation, including validation of a certificate chain and a root certificate issued by a hardware manufacturer;
confirm that the public keys in the attestation packet match the secure enclave public keys and include the unique measurement of the TCB code;
validate the TLS server certificate chain of the web server;
verify that the computed property is signed by a key associated with the secure enclave module; and
confirm that the untrusted host module has no known security vulnerabilities and that the secure enclave is correctly configured;
wherein the system is further configured to execute a smart contract transaction in response to a successful verification of the attestation envelope.
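The verification chain in claim 1, modelled as an added example (this is illustrative code written for this page, not the patentee's implementation). It assumes a single Ed25519 manufacturer key in place of the X.509 attestation certificate chain, a self-signed certificate plus a one-entry root pool in place of the web server's public CA chain, and omits the HTTPS fetch, credential decryption and property computation (the property value, the host name `bank.example` and the TCB measurement are constructed). The check that the untrusted host module has no known vulnerabilities is not modelled; the smart-contract step is represented by the boolean the verifier returns.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"fmt"
	"math/big"
	"time"
)

// AttestationPacket: the manufacturer-rooted attestation key signs the enclave's
// TCB measurement together with the enclave public key, binding key to code.
type AttestationPacket struct {
	Measurement, EnclavePubKey, Signature []byte
}

// Envelope: produced by the enclave after the TLS fetch; Signature covers ServerCertDER+Properties.
type Envelope struct {
	ServerCertDER []byte
	Properties    map[string]string // e.g. "balance_over_1000": "true" (constructed)
	Signature     []byte
}

func attestedBody(p AttestationPacket) []byte {
	return append(append([]byte{}, p.Measurement...), p.EnclavePubKey...)
}

func envelopeBody(e Envelope) []byte { // JSON keys are sorted, so the bytes are canonical
	b, _ := json.Marshal(struct {
		Cert  []byte
		Props map[string]string
	}{e.ServerCertDER, e.Properties})
	return b
}

// makeServerCert: self-signed web server certificate plus a root pool trusting it (stands in for the CA chain).
func makeServerCert(host string) ([]byte, *x509.CertPool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true, IsCA: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return der, pool
}

// VerifyEnvelope runs the verification-server checks: attestation chains to the manufacturer
// root, measurement is an approved TCB, TLS cert chains for the host, properties signed by the attested key.
func VerifyEnvelope(root ed25519.PublicKey, approvedTCB []byte, host string,
	roots *x509.CertPool, p AttestationPacket, e Envelope) error {
	if !ed25519.Verify(root, attestedBody(p), p.Signature) {
		return fmt.Errorf("attestation signature does not chain to manufacturer root")
	}
	if string(p.Measurement) != string(approvedTCB) {
		return fmt.Errorf("TCB measurement is not an approved enclave build")
	}
	cert, err := x509.ParseCertificate(e.ServerCertDER)
	if err != nil {
		return fmt.Errorf("bad server certificate: %w", err)
	}
	if _, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots}); err != nil {
		return fmt.Errorf("TLS certificate chain invalid: %w", err)
	}
	if !ed25519.Verify(ed25519.PublicKey(p.EnclavePubKey), envelopeBody(e), e.Signature) {
		return fmt.Errorf("properties not signed by the attested enclave key")
	}
	return nil
}

// Demo: does the genuine envelope verify, and is a copy whose property the untrusted host flipped rejected?
func Demo() (ok, tamperedRejected bool) {
	mfrPub, mfrPriv, _ := ed25519.GenerateKey(rand.Reader) // hardware root (constructed)
	encPub, encPriv, _ := ed25519.GenerateKey(rand.Reader) // enclave key pair
	tcb := []byte("sha256-of-approved-enclave-build")     // constructed measurement
	pkt := AttestationPacket{Measurement: tcb, EnclavePubKey: encPub}
	pkt.Signature = ed25519.Sign(mfrPriv, attestedBody(pkt))
	certDER, roots := makeServerCert("bank.example")
	env := Envelope{ServerCertDER: certDER, Properties: map[string]string{"balance_over_1000": "true"}}
	env.Signature = ed25519.Sign(encPriv, envelopeBody(env))
	ok = VerifyEnvelope(mfrPub, tcb, "bank.example", roots, pkt, env) == nil
	tampered := env // keeps the old signature, but the host changed the property
	tampered.Properties = map[string]string{"balance_over_1000": "false"}
	tamperedRejected = VerifyEnvelope(mfrPub, tcb, "bank.example", roots, pkt, tampered) != nil
	return ok, tamperedRejected
}

func main() { fmt.Println(Demo()) } // a smart-contract call would be gated on the first value
```

The order of checks is the point: the enclave key is trusted only after the attestation over (measurement, key) verifies against the manufacturer root and the measurement is on an allowlist, which is what "the secure enclave is correctly configured" reduces to in practice. The untrusted host may add the attestation fields to the envelope, as the claim allows, but any change to the certificate or the computed properties invalidates the enclave's signature, so a flipped property is rejected without the verifier ever seeing the private data.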