SEEDS: Secure Decentralized Storage for Authentication Material

Abstract

Applications that use passwords or cryptographic keys to authenticate users or perform cryptographic operations rely on centralized solutions. Trusted Platform Modules (TPMs) do not offer a way to replicate material, making accessing this information in a heterogeneous environment difficult. Meanwhile, remote services require a constant network connection and are a central point of failure.

We present SEEDS, a secure decentralized multi-user data store that generates, stores, and operates on users’ authentication material such as passwords and cryptographic keys on local machines. To ensure the confidentiality and integrity of user accounts and cryptographic keys, SEEDS leverages Intel SGX—a hardware-based trusted execution environment, to store and operate on this data while protecting from a compromised host. We support user-defined policies that restrict users’ operations to protect against a malicious user attempting to access data without sufficient privileges. In addition, we replicate data across machines to improve accessibility and support offline participants for high availability. We implement the storage data structure using Conflict Free Replicated Data Types (CRDTs) to replicate data, recover from network partitions gracefully and offer a horizontally scalable system.

We developed two applications that demonstrate the benefits of our system. First, we address centralized user authentication issues by implementing a database module that replaces and decentralizes LDAP user authentication. Next, we improve the management of users’ cryptographic keys by developing a software U2F token that replicates this material across machines for high availability.