Proof-of-Device AKA yet another authentication mechanism

Permissionless and anonymous decentralized networks like Golem Network have to provide countermeasures against Sybil attacks, for instance. One way is that users have to prove their identity or uniqueness in an anonymous manner. We researched whether SGX can be a source of such identity. Then we realized that these solutions are applicable far beyond decentralized networks. We decided to share and develop a proof of concept. At a high level, via Proof of Device, users can automatically validate their hardware, to further prove their identity in an anonymous yet trusted manner. This feature can be useful for any online service that needs to authenticate users.

What is this Proof-of-device? It does not replace internet authentication mechanisms, rather it is their complement. Proof-of-device, or PoD , is another take on 2FA or U2F authentication methods. Here, the burden of storing keys for signing and proving your identity is managed by the SGX enclave.

Consider an online service. A user logs in using their login/password with any authentication mechanism in place.  Then the online service sends a challenge. It requires a signature from the SGX enclave and for that signature to be returned.  And the online service verifies whether it was properly signed. The enclave has to be assigned to the user in advance, therefore the private key is embedded within the enclave and the public key is stored by the online service.

PoD mechanism proves that the user has physical access to the given device. In other words, the user can only log in from pre-assigned devices. The system is very secure, not even the user has knowledge of the private key that's stored within the enclave. SGX technology guarantees that the enclave can be run only with an originating CPU.  Even if an adversary steals the login and password, it cannot access the service. Stealing the enclave does not help either. Solution security is up to SGX guarantees. We used SGX as it is the most advanced technology, but PoD has the potential to be run by other TEEs.

PoD can be used for many things. For the proof of concept, we demonstrated it with an enhanced login service to the bank. Adding an extra layer of verification to online banking is a must, especially as new security breaches arise and some banks lack the infrastructure to protect their users on the lower level. This demonstrates the usefulness of PoD very well. Our PoC consists of the PoD enclave, web browser as a client, and a web service. What is interesting and noticeable, we integrated the enclave with the web browser through an extension. A user has to have SGX enabled, and running the PoD setup, including the web browser extension. But later on, PoD works in a transparent manner. The user does not have to keep additional hardware, type codes or use a mobile device. It does not need to be registered with Intel, as the online service does the attestation. This is a PoC, it is limited to Linux and Mozilla, but that is just a matter of work.

Even if just a PoC, the Proof of Device mechanism is a promising avenue, worth exploring for software developers and companies looking for those extra security guarantees. You can check out the repo here. Golem’s been working on SGX for almost three years now since we started the cooperation with Invisible Things Lab. In 2019, Graphene took the spotlight - a project stemming from cooperation with Intel, ITL, and the original creators. Graphene’s v1 was released later that year, and the project has become a common good for the open-source community. There are a few more ideas in our boilerplate, and more will be possibly added. As we evolve towards The Next Milestone, we have reassessed our resource allocation to focus more on Golem. Therefore, the Proof of Device remains a PoC for now, but feel free to contact us with further questions.

This PoC was developed by Golem, in cooperation with Invisible Things Lab. Mainly, thanks go to Jakub Konka and Muhammed Tanrikulu.

Check the PoC in our Github here!