by Evan Sixtin
The esoteric world of cryptocurrencies and the larger, mainstream world of desktop computing have begun to merge with the partnership of Paris-based hardware wallet manufacturer, Ledger, and American multinational computer processor manufacturer, Intel.
By combining efforts and technologies, the two companies aim to pioneer a unique high security solution for using and storing cryptocurrencies. More specifically, Ledger’s BOLOS operating system will be integrated with Intel processors’ Software Guard Extensions (SGX) to physically limit access to sensitive data such as bitcoin private keys.
BOLOS Operating System
Ledger’s own Blockchain Open Ledger Operating System (BOLOS) is a unique operating system which was designed for cryptocurrency and blockchain applications and can be integrated into any secure element, whether it is a secure chip or a hardware security module. Essentially, BOLOS allows the building of source code portable native applications on top of a secure core. The result is that applications created with BOLOS can only be run within their own memory regions and do not overlap or interfere with each other. The obvious advantage of this is that applications are isolated from each other and any malicious application would not be able to gain access to another application.
Intel’s Software Guard Extensions (SGX) is a set of CPU instructions that can be used by applications to set aside private regions of code and data. It allows user-level code to allocate private regions of memory, called enclaves, that are protected from processes running at higher privilege levels. SGX was introduced in 2015 with the sixth generation Intel Core microprocessors based on the Skylake microarchitecture and was originally designed to be useful for implementing secure remote computation, secure browsing, and digital rights management.
By integrating the SGX CPU instructions with the BOLOS operating system, Ledger and Intel intend to create a no-brainer solution for generating and authenticating cryptocurrency keys that would allow average Joe users to transact simply and securely. Sensitive information would be stored within an Intel SGX enclave instead of in an application which could prevent many software-based attacks. However, there is still some doubt as to how secure the Intel SGX enclave actually is.
In March 2017 researchers at Austria’s Graz University of Technology developed a proof-of-concept that can grab RSA keys from SGX enclaves running on the same system within five minutes by using certain CPU instructions in lieu of a fine-grained timer to exploit cache DRAM side-channels.
The “Prime+Probe” attack, as it’s called, can retrieve RSA keys from an SGX secure enclave in a few steps:
“The PoC is specifically designed to recover RSA keys in someone else’s enclave in a complex three-step process: first, discovering the location of the victim’s cache sets; second, watch the cache sets when the victim triggers an RSA signature computation; and finally, extracting the key.”
On an SGX-capable Lenovo ThinkPad T460s running Ubuntu 16.10, researchers found that a single cache trace, captured in 72 seconds on average, provided access to 96% of a 4096-bit RSA key. With 11 traces, the full RSA key would be revealed. Without using protected I/O devices, SGX has a huge Achilles heel. Additionally, with SGX, malware would be able to, in principle, create its own enclaves and cloak itself or prevent itself from being detected from any other part of the system.
Barriers to Mainstream Consideration
As mainstream and cryptocurrency worlds begin to assimilate, many of the original intentions for the development of decentralized money may be lost as users make a u-turn back to trusting centralized, authoritative establishments to keep their assets safe. Intel is the leading CPU designer and manufacturer in the world, however their technology still cannot be completely trusted.
It stands to reason that cryptocurrency by itself will not sustain if it is not supported by, and held to, the principles with which it was founded on, including self-reliance and autonomy from centralized authorities. Despite the massive power and money that global corporations have at their disposal to try to create secure solutions that are full-proof and impenetrable, relying on yourself by utilizing a simple brain wallet might be a more effective security solution.