Data in use

Data being processed (not in transit / at rest)

Data in use is an information technology term referring to active data which is stored in a non-persistent digital state typically in computer random-access memory (RAM), CPU caches, or CPU registers.

Scranton, PA data scientist Daniel Allen in 1996 proposed Data in use as a complement to the terms data in transit and data at rest which together define the three states of digital data.

Alternative definitions

Data in use refers to data in computer memory. Some cloud software as a service (SaaS) providers refer to data in use as any data currently being processed by applications, as the CPU and memory are utilized.

Concerns

Because of its nature, data in use is of increasing concern to businesses, government agencies and other institutions. Data in use, or memory, can contain sensitive data including digital certificates, encryption keys, intellectual property (software algorithms, design data), and personally identifiable information. Compromising data in use enables access to encrypted data at rest and data in motion. For example, someone with access to random access memory can parse that memory to locate the encryption key for data at rest. Once they have obtained that encryption key, they can decrypt encrypted data at rest. Threats to data in use can come in the form of cold boot attacks, malicious hardware devices, rootkits and bootkits.

Full memory encryption

Encryption, which prevents data visibility in the event of its unauthorized access or theft, is commonly used to protect Data in Motion and Data at Rest and increasingly recognized as an optimal method for protecting Data in Use.

There have been multiple projects to encrypt memory. Microsoft Xbox systems are designed to provide memory encryption and the company PrivateCore presently has a commercial software product vCage to provide attestation along with full memory encryption for x86 servers. Several papers have been published highlighting the availability of security-enhanced x86 and ARM commodity processors. In that work, an ARM Cortex-A8 processor is used as the substrate on which a full memory encryption solution is built. Process segments (for example, stack, code or heap) can be encrypted individually or in composition. This work marks the first full memory encryption implementation on a mobile general-purpose commodity processor. The system provides both confidentiality and integrity protections of code and data which are encrypted everywhere outside the CPU boundary.

For x86 systems, AMD has a Secure Memory Encryption (SME) feature introduced in 2017 with Epyc. Intel has promised to deliver its Total Memory Encryption (TME) feature in an upcoming CPU.

CPU-based key storage

Operating system kernel patches such as TRESOR and Loop-Amnesia modify the operating system so that CPU registers can be used to store encryption keys and avoid holding encryption keys in RAM. While this approach is not general purpose and does not protect all data in use, it does protect against cold boot attacks. Encryption keys are held inside the CPU rather than in RAM so that data at rest encryption keys are protected against attacks that might compromise encryption keys in memory.

Enclaves

Enclaves enable an “enclave” to be secured with encryption in RAM so that enclave data is encrypted while in RAM but available as clear text inside the CPU and CPU cache. Intel Corporation has introduced the concept of “enclaves” as part of its Software Guard Extensions. Intel revealed an architecture combining software and CPU hardware in technical papers published in 2013.

Cryptographic protocols

Several cryptographic tools, including secure multi-party computation and homomorphic encryption, allow for the private computation of data on untrusted systems. Data in use could be operated upon while encrypted and never exposed to the system doing the processing.

See also

Also see Alternative Definition section of Data At Rest
Homomorphic encryption is a form of encryption that allows computation on ciphertexts.
Zero-knowledge proof is a method by which one party (the prover) can prove to another party (the verifier) that they know a value x, without conveying any information apart from the fact that they know the value x.
Secure multi-party computation is a method for parties to jointly compute a function over their inputs while keeping those inputs private.
Non-interactive zero-knowledge proof (NIZKs) are zero-knowledge proofs that require no interaction between the prover and verifier.
Format-preserving encryption (FPE), refers to encrypting in such a way that the output (the ciphertext) is in the same format as the input (the plaintext)
Blinding is a cryptography technique by which an agent can provide a service to a client in an encoded form without knowing either the real input or the real output.
Example privacy-enhancing technologies

Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.
