Patents by Inventor Nikolay GIGOV

Nikolay GIGOV has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11347882
    Abstract: Methods and devices for secure data sharing with granular access control are described. A modified attribute-based encryption (ABE) scheme is used to perform cryptographically-enforced ABE using attributes of a file access policy. A sender sends to a receiver a file encrypted using a file encryption key, the file encryption key encrypted using ABE based on a file access policy set by the sender, and a set of private ABE keys decryptable using a key stored in a trusted execution environment (TEE) of the receiver. The private ABE keys are decrypted by the receiver TEE when the file is accessed, decrypting a file encryption key only when the attributes of the receiver access action satisfy the file access policy. The decrypted file encryption key grants access to the file contents via a trusted viewer application. A user password may also be required and cryptographically enforced as part of the ABE decryption.
    Type: Grant
    Filed: June 2, 2020
    Date of Patent: May 31, 2022
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Nikolay Gigov, Yin Tan
  • Publication number: 20220114249
    Abstract: A method for executing a machine learning (ML) application in a computing environment includes receiving a secret from a trusted execution environment (TEE) of a user computing device into a TEE of a server. The user computing device is authenticated by an identity and access management service. The TEE validates the secret against a time-limited token. The method further receives from a TEE of a model release tool a model encryption key (MEK) bound to the ML application. The method receives into the TEE of the server an ML model of the ML application encrypted with the MEK. The method decrypts the ML model using the MEK. The method receives into the TEE of the server the ML application and a descriptor of the ML application encrypted by a cryptographic key derived from the secret. The method executes the ML application using the ML model and the descriptor.
    Type: Application
    Filed: October 9, 2020
    Publication date: April 14, 2022
    Applicant: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Constantine GRANCHAROV, Denis REMEZOV, Nikolay GIGOV
  • Publication number: 20210374265
    Abstract: Methods and devices for secure data sharing with granular access control are described. A modified attribute-based encryption (ABE) scheme is used to perform cryptographically-enforced ABE using attributes of a file access policy. A sender sends to a receiver a file encrypted using a file encryption key, the file encryption key encrypted using ABE based on a file access policy set by the sender, and a set of private ABE keys decryptable using a key stored in a trusted execution environment (TEE) of the receiver. The private ABE keys are decrypted by the receiver TEE when the file is accessed, decrypting a file encryption key only when the attributes of the receiver access action satisfy the file access policy. The decrypted file encryption key grants access to the file contents via a trusted viewer application. A user password may also be required and cryptographically enforced as part of the ABE decryption.
    Type: Application
    Filed: June 2, 2020
    Publication date: December 2, 2021
    Inventors: Nikolay GIGOV, Yin TAN
  • Patent number: 10511575
    Abstract: Methods and systems for providing an endpoint device with access to a remote resource are disclosed. A first secure tunnel with the endpoint device is established from an intermediate device, the first tunnel terminating within a trusted execution environment (TEE) in the intermediate device. At least one credential is received within the TEE and via the first secure tunnel from the endpoint device. The at least one credential is transmitted from the intermediate device to the remote resource via a second secure tunnel, the second tunnel located between the remote resource and the intermediate device and originating within the TEE. In response to the at least one credential being accepted by the remote resource, communications between the endpoint device and the remote resource via the TEE in the intermediate device through the first and second secure tunnels are enabled.
    Type: Grant
    Filed: September 18, 2017
    Date of Patent: December 17, 2019
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Nikolay Gigov, Yin Tan, Robert Lambert
  • Publication number: 20190089676
    Abstract: Methods and systems for providing an endpoint device with access to a remote resource are disclosed. A first secure tunnel with the endpoint device is established from an intermediate device, the first tunnel terminating within a trusted execution environment (TEE) in the intermediate device. At least one credential is received within the TEE and via the first secure tunnel from the endpoint device. The at least one credential is transmitted from the intermediate device to the remote resource via a second secure tunnel, the second tunnel located between the remote resource and the intermediate device and originating within the TEE. In response to the at least one credential being accepted by the remote resource, communications between the endpoint device and the remote resource via the TEE in the intermediate device through the first and second secure tunnels are enabled.
    Type: Application
    Filed: September 18, 2017
    Publication date: March 21, 2019
    Inventors: Nikolay GIGOV, Yin TAN, Robert LAMBERT