Cryptography is only as strong as the management of its keys, and poor practices can undermine even the most secure algorithms. The REWIRE Project addresses this challenge by introducing a Harmonised Key Management (HKM) framework designed to unify cryptographic interfaces, secure the entire key lifecycle, and enable crypto-agility across multiple platforms. By embedding a Key Management System (KMS) into the Security Monitor—the most trusted component of the system—REWIRE ensures that critical assets are managed securely, even though this slightly increases the Trusted Computing Base. This approach tackles the common problem of fragmented key management in Trusted Execution Environments (TEEs) and system-of-systems.
A central benefit of REWIRE’s HKM lies in its harmonisation of cryptographic interfaces. Developers no longer need to navigate multiple APIs across TEE platforms, as the common interface layer reduces complexity and supports cross-platform portability. This design not only streamlines development but also ensures crypto-agility, allowing algorithms to be seamlessly updated or replaced, such as in the move toward post-quantum cryptography, without altering application logic. By combining robust lifecycle security, cross-platform compatibility, and future-proof flexibility, REWIRE positions itself as a pioneer in confidential computing, where reliable key management forms the foundation of digital trust.
The REWIRE HKM is designed with global interfaces that provide common APIs for key operations, independent of the underlying hardware. Inspired by GlobalPlatform TEE standards (such as OP-TEE), REWIRE’s system covers the full key lifecycle.
| Key Generation
|
· Secure generation inside the Security Monitor, leveraging tested cryptographic libraries.
· Keys are tied to enclaves and securely stored in isolated areas |
| Key Retrieval | · Only public components of keys (e.g., for signature verification) are retrievable.
· Keys remain isolated from enclaves and operating systems. |
| Cryptographic Operations | · Encryption, decryption, signing, verification, hashing, and message authentication are supported.
· All operations are executed securely inside the Security Monitor. |
| Sealing/Unsealing | · Data can be encrypted (sealed) with enclave-specific keys for storage in untrusted memory.
· Upon restart, enclaves can unseal data using derived keys. |
REWIRE’s ecosystem supports a diverse set of cryptographic keys, each with a clear role. Below is a simplified view of the REWIRE Keys.
- Root ID Key: Hardware-based asymmetric key embedded at manufacturing. Serves as the immutable device identifier.
- Attestation Key: Tied to the Root ID Key; used for device attestation. Can be elevated to Direct Anonymous Attestation (DAA) for privacy-preserving attestation.
- Attribute-based Signing and Encryption Keys: Used in Attribute-Based SignCryption (ABSC) protocols to prove attribute possession.
- LRBC Key: Hardware key securing the channel for software updates.
- Sealing Keys of the TEE: Enable secure storage in untrusted memory by binding data to enclave/processor identity.
- DH-based Symmetric Keys: Derived during live migration between devices to secure inter-device channels.
- BBS+ Keys: Support authentic and potentially anonymous channels between devices across domains.
This comprehensive set of keys enables REWIRE to support attestation, onboarding, update, migration, and cross-domain communication within one unified ecosystem.
Finally, the REWIRE HKM delivers multiple benefits by strengthening security and simplifying management. Confidentiality is ensured as keys are generated and stored within the most privileged software component, while integrity is maintained through strong validation mechanisms that prevent operations from being manipulated. Resilience is achieved by binding keys to hardware, such as the Root ID Key, which protects against cloning and tampering. At the same time, auditability is enhanced since each key type has clearly defined roles, enabling effective policy-based lifecycle management. Finally, interoperability is supported through harmonised interfaces, making integration across diverse platforms more seamless and efficient.