File sharing applications using cloud storage are increasingly popular for personal and business use. Due to data protection concerns, end-to-end encryption is often a desired feature of these applications. Many attempts at designing cryptographic solutions fail to be adopted due to missing relevant features. We present SeGShare, a new architecture for end-to-end encrypted, group-based file sharing using trusted execution environments (TEE), e.g., Intel SGX. SeGShare is the first solution to protect the confidentiality and integrity of all data and management files; enforce immediate permission and membership revocations; support deduplication; and mitigate rollback attacks. Next to authentication, authorization and file system management, our implementation features an optimized TLS layer that enables high throughput and low latency. The encryption overhead of our implementation is extremely small in computation and storage resources. Our enclave code comprises less than 8500 lines of code enabling efficient mitigation of common pitfalls in deploying code to TEEs.
Introduction
File sharing is essential in both personal and professional contexts, with cloud platforms like Google Drive and Dropbox widely used for their convenience. However, these platforms raise privacy and control concerns because users lose visibility and control over data once uploaded, and cloud providers may have access to files. Client-side encryption services like MEGA offer better privacy but face scalability issues in managing group access and revocation, often requiring complex re-encryption processes.
Researchers have explored various cryptographic solutions, but many are complex, slow, or hard to scale, and revocation without re-encryption remains difficult. Trusted Execution Environments (TEEs), such as Intel SGX, offer hardware-based security by running sensitive operations in isolated enclaves, protecting data and keys even if the system is compromised.
SeGShare is a new file sharing system leveraging Intel SGX to handle encryption, decryption, and access control entirely inside a server-side enclave. Users authenticate with tokens, and files are encrypted/decrypted on the fly within the enclave, eliminating the need for complex key distribution or client-side software. This design supports dynamic, large groups, enables instant access revocation without re-encryption, preserves deduplication, and protects against rollback attacks.
SeGShare's implementation uses a lightweight enclave with optimized secure communication and switchless calls for performance, achieving fast upload/download speeds and policy updates. Its security model ensures data confidentiality, integrity, and robust access control, while maintaining minimal code complexity to reduce vulnerabilities. Overall, SeGShare provides a practical, scalable, and high-performance secure group file sharing solution that balances security with usability and efficiency.
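The two paragraphs above describe the design in prose: the enclave holds the keys, authenticates users by token, checks group membership on every request, encrypts on the fly, deduplicates, and detects rolled-back state. The following Python model is an added illustration written for this page, not SeGShare's code, and it is deliberately general: it shows why a design in which the policy check sits in front of a single enclave-held key can revoke a member without touching any ciphertext, which is the property the text contrasts with re-encryption-based schemes. Everything in it is assumed or constructed: the `Enclave` class is an ordinary Python object (isolation from the host is assumed, not enforced), the cipher is an HMAC-SHA256 keystream with an HMAC tag standing in for an AEAD such as AES-GCM, the one-element list `counter` stands in for a monotonic counter that survives enclave restarts, and the group, user and file names are invented.

```python
"""Toy model of enclave-mediated group file sharing (added illustration, not SeGShare's code). The HMAC
keystream + HMAC tag cipher stands in for an AEAD such as AES-GCM; isolation of the "enclave" is assumed."""
import hashlib
import hmac
import json
import secrets

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    """XOR data with an HMAC-SHA256 counter-mode keystream; the same call encrypts and decrypts."""
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key: bytes, data: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, data)
    return nonce + ct + hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()  # nonce||ct||tag

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: blob was modified outside the enclave")
    return _xor_stream(_subkey(key, b"enc"), nonce, ct)

class Enclave:
    """Assumed to run inside the TEE: key and policy never leave it; membership is re-checked per request."""
    def __init__(self, store: dict, master_key: bytes, counter: list):
        self.store, self.master_key, self.counter = store, master_key, counter  # store is untrusted
        self.sessions, self.owners, self.members, self.files = {}, {}, {}, {}

    def issue_token(self, user: str) -> str:
        self.sessions[(token := secrets.token_hex(16))] = user
        return token

    def _require_member(self, token, group):
        if self.sessions.get(token) not in self.members.get(group, ()):
            raise PermissionError(f"token {token[:6]}... may not access group {group!r}")

    def set_member(self, token, group, user, allowed: bool):
        """allowed=False is a revocation: effective on the next request, no ciphertext is rewritten."""
        owner = self.owners.setdefault(group, self.sessions[token])  # first caller becomes the owner
        if self.sessions[token] != owner:
            raise PermissionError("only the group owner may change membership")
        getattr(self.members.setdefault(group, {owner}), "add" if allowed else "discard")(user)
        self._persist_policy()

    def upload(self, token, group, name, data: bytes) -> bool:
        """Encrypt inside the enclave; returns True if identical content was already stored."""
        self._require_member(token, group)
        content_id = hmac.new(self.master_key, data, hashlib.sha256).hexdigest()  # keyed: no guess-and-check
        deduplicated = content_id in self.store
        if not deduplicated:
            self.store[content_id] = seal(_subkey(self.master_key, b"file:" + content_id.encode()), data)
        self.files[f"{group}/{name}"] = content_id
        self._persist_policy()
        return deduplicated

    def download(self, token, group, name) -> bytes:
        self._require_member(token, group)
        content_id = self.files[f"{group}/{name}"]
        return unseal(_subkey(self.master_key, b"file:" + content_id.encode()), self.store[content_id])

    def _persist_policy(self):
        self.counter[0] += 1  # policy version bound to the monotonic counter
        state = {"version": self.counter[0], "owners": self.owners, "files": self.files,
                 "members": {g: sorted(m) for g, m in self.members.items()}}
        self.store["policy"] = seal(_subkey(self.master_key, b"policy"), json.dumps(state).encode())

    def restore(self):
        """Reload management data after a restart, refusing a stale (rolled-back) snapshot."""
        state = json.loads(unseal(_subkey(self.master_key, b"policy"), self.store["policy"]))
        if state["version"] != self.counter[0]:
            raise RuntimeError(f"rollback detected: snapshot v{state['version']}, counter v{self.counter[0]}")
        self.owners, self.files = state["owners"], state["files"]
        self.members = {g: set(m) for g, m in state["members"].items()}

def _raises(fn, exc) -> bool:
    try:
        fn()
        return False
    except exc:
        return True

def demo() -> dict:
    enc = Enclave(store := {}, key := secrets.token_bytes(32), counter := [0])  # [0]: counter surviving restarts
    alice, bob = enc.issue_token("alice"), enc.issue_token("bob")
    enc.set_member(alice, "team", "bob", True)                  # creates "team" with alice as owner
    report = b"Q3 report (constructed sample content)"
    enc.upload(alice, "team", "report.txt", report)
    result = {"dedup": enc.upload(bob, "team", "copy.txt", report)}  # same bytes: no new ciphertext written
    blob_before, stale_policy = store[enc.files["team/report.txt"]], store["policy"]
    enc.set_member(alice, "team", "bob", False)                 # immediate revocation
    result["revoked"] = _raises(lambda: enc.download(bob, "team", "report.txt"), PermissionError)
    result["ciphertext_unchanged"] = store[enc.files["team/report.txt"]] == blob_before
    store["policy"] = stale_policy                              # host restarts with the old policy blob
    result["rollback_caught"] = _raises(Enclave(store, key, counter).restore, RuntimeError)
    return result
```

`demo()` walks through the four properties in order and returns them as booleans: the second upload of identical bytes is deduplicated without a second encryption, the revoked member is refused on the very next request while the stored ciphertext is byte-for-byte unchanged, and a restart that is handed the pre-revocation policy blob is rejected because its version no longer matches the counter. The content identifier is a keyed hash computed inside the enclave rather than a plain SHA-256 of the plaintext, so deduplication still works but the storage provider cannot confirm guesses about file contents from the identifiers it sees.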
Conclusion
SeGShare introduces a novel approach to secure, group-based file sharing by combining cutting-edge security techniques with high-performance optimizations. By leveraging Intel SGX and Trusted Execution Environments (TEEs), SeGShare ensures that data confidentiality, integrity, and access control are maintained even in the presence of untrusted cloud infrastructures.
The system achieves an exceptional level of security by protecting both file data and management information inside the enclave. It addresses major concerns such as unauthorized data access, key leakage, and rollback attacks. Furthermore, SeGShare’s efficient handling of immediate membership and permission revocations ensures that changes are implemented in real-time, without the need for costly re-encryption processes. This makes SeGShare a highly adaptable solution for dynamic and large groups.
In terms of performance, SeGShare stands out by delivering low-latency file uploads and downloads, even with the added complexity of end-to-end encryption and access control. The system outperforms traditional file-sharing services in various benchmark tests, demonstrating that robust security features do not have to come at the cost of performance. With an overhead of just 1.06% for storing encrypted files across multiple groups, SeGShare also proves to be highly efficient in terms of storage resources. Additionally, the system's minimal trusted computing base (TCB)—comprising only 8441 lines of code—not only ensures high maintainability and low risk of vulnerabilities but also facilitates faster audits and security assessments.
In summary, SeGShare provides a scalable, secure, and efficient solution for group file sharing, offering significant advancements over traditional cryptographic methods. Its ability to scale to large, dynamic groups, enforce real-time access control, and offer fast, secure file sharing makes it a compelling choice for both personal and enterprise use cases. Future work will explore further optimizations, integration with additional TEE platforms, and extending its capabilities to handle more complex scenarios.