I was in a workshop about privacy recently, and at some point a passionate debate started about Intel's Software Guard Extensions (SGX). Although I have a security background (a Master's in Information Security), I find it very difficult to understand exactly how SGX works. But I understand that it is an alternative to homomorphic encryption, since it can process data securely way faster than homomorphic encryption does.
At that workshop some people made the argument that there are no guarantees about privacy when it comes to SGX and that, by using SGX, you basically have to consider Intel a trusted third party.
My question is: What are the concerns, or drawbacks, regarding Intel’s SGX when it comes to privacy?
Intel SGX does not really replace homomorphic encryption. It is designed to protect against compromise of one of the communicating computers by verifying that the other computer runs the correct, unmodified software, and that any data the software saves can only be read by that unmodified software. You have to trust Intel to achieve this. This can be used, for example, to make sure that self-destructing messages are really deleted by the other party in the communication. Signal wants to use it to confirm they don't keep user metadata and contact lists.
On the other hand, to protect the data, you can still add your own encryption as an inner layer, whether in transport or at rest.
As for privacy and trust in Intel, this is a moot point considering that the Intel Management Engine is effectively a backdoor into your computer: a black box with full access to your computer that cannot be fully removed or disabled.
Answered by Peter Harmann on November 4, 2020
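The two mechanisms the answer describes, attestation (proving to a remote party that the expected, unmodified enclave code is running) and sealing (data that only that same enclave can read back), as a simplified stand-alone model. This is an added example, not Intel's SDK, the real SGX instruction set or Signal's code: the measurement, quote and sealing-key derivation are reduced to hashes and HMACs with stdlib only, the fused CPU secret and Intel's attestation key are constructed constants, and the enclave "code" and sealed data are constructed byte strings. The point it shows is the trust relationship the answer names: the remote verifier accepts a quote only because it trusts Intel's key, and a modified enclave gets a different measurement, so it neither attests as the expected code nor derives the key needed to unseal the honest enclave's data.

```python
import hashlib
import hmac
import secrets

# Constructed stand-ins (assumption, not real key material):
# a per-CPU root secret that Intel fuses into the chip, and the key Intel
# uses to vouch for quotes. Both exist only because Intel put them there.
PLATFORM_ROOT_SECRET = b"\x01" * 32
INTEL_ATTESTATION_KEY = b"\x02" * 32


def measure(enclave_code: bytes) -> bytes:
    """MRENCLAVE-like measurement: a hash of the enclave's code taken at load time."""
    return hashlib.sha256(enclave_code).digest()


def quote(enclave_code: bytes, report_data: bytes) -> dict:
    """Platform side: bind the measurement to report_data (e.g. the enclave's
    public key) under Intel's key. Only a platform Intel trusts can do this."""
    mr = measure(enclave_code)
    tag = hmac.new(INTEL_ATTESTATION_KEY, mr + report_data, hashlib.sha256).digest()
    return {"mrenclave": mr, "report_data": report_data, "tag": tag}


def verify_quote(q: dict, expected_mrenclave: bytes) -> bool:
    """Remote verifier: accept only if the tag is valid under Intel's key AND the
    measurement equals the code the verifier expects. Trust in Intel is the
    first check; knowing what 'correct software' means is the second."""
    expected_tag = hmac.new(
        INTEL_ATTESTATION_KEY, q["mrenclave"] + q["report_data"], hashlib.sha256
    ).digest()
    return hmac.compare_digest(expected_tag, q["tag"]) and q["mrenclave"] == expected_mrenclave


def sealing_key(enclave_code: bytes) -> bytes:
    """Sealing key tied to this CPU and this exact enclave measurement, so a
    modified enclave (or another machine) derives a different key."""
    return hmac.new(PLATFORM_ROOT_SECRET, b"seal" + measure(enclave_code), hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy counter-mode keystream from HMAC-SHA256; stands in for AES-GCM, not for production use.
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def seal(enclave_code: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under the enclave's sealing key: nonce || ciphertext || tag."""
    key = sealing_key(enclave_code)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(enclave_code: bytes, blob: bytes):
    """Return the plaintext, or None if this enclave's key cannot authenticate the blob
    (wrong or modified enclave, wrong CPU, or tampered data)."""
    key = sealing_key(enclave_code)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def demo() -> dict:
    # Constructed enclave "code": the honest version and a tampered one that leaks data.
    honest = b"delete message after reading; never log metadata"
    modified = honest + b"; also copy metadata to disk"
    expected_mr = measure(honest)  # what the remote party was told to expect

    honest_attests = verify_quote(quote(honest, b"enclave-pubkey"), expected_mr)
    modified_attests = verify_quote(quote(modified, b"enclave-pubkey"), expected_mr)

    blob = seal(honest, b"contact list")  # sealed by the honest enclave
    return {
        "honest_attests": honest_attests,        # True
        "modified_attests": modified_attests,    # False: different measurement
        "honest_unseals": unseal(honest, blob),  # b"contact list"
        "modified_unseals": unseal(modified, blob),  # None: different sealing key
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

Everything the verifier learns rests on `INTEL_ATTESTATION_KEY` being held only by Intel and on the `PLATFORM_ROOT_SECRET` never leaving the CPU; anyone who holds either (Intel, or whoever extracts them) can forge quotes or unseal data, which is the "Intel as trusted third party" point made in the question. Note also that `verify_quote` needs the expected measurement from somewhere: an attested enclave only proves that *some* specific code runs, and the remote party still has to audit that code to know it really deletes messages or discards metadata.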