Alibaba Group Holding Limited
Method and system for preventing data leakage from trusted network to untrusted network
Last updated:
Abstract:
One embodiment provides a system for establishing a secure network. During operation, a server distributes at least one symmetric encryption key among a plurality of hosts so that the hosts can communicate securely with each other. Each host comprises at least a smart network interface card, and the central processing unit (CPU) of each host supports remote attestation. Distributing the symmetric encryption key among the hosts can include performing a remote attestation operation to establish a trusted channel between the server and a protected region within the CPU of a respective host, and transmitting the symmetric encryption key over that trusted channel to the CPU of the respective host, which in turn forwards it to the host's smart network interface card over a secure channel established between the protected region within the CPU and the smart network interface card.
Utility
8 Feb 2019
15 Jun 2021
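The following is an added model of the key-distribution flow described in the abstract; it is not the patent's implementation or any Alibaba code. The names (`KeyServer`, `Enclave`, `SmartNic`, `Host`) and all keys are constructed for the example. Remote attestation is simulated with an HMAC "quote" under a per-device attestation key that the server also holds, standing in for a vendor-signed quote and the authenticated key exchange a real attestation service performs; the trusted channel and the CPU-to-NIC channel are simulated with an HMAC-based encrypt-then-MAC construction standing in for a real AEAD such as AES-GCM; the NIC key is assumed to have been shared with the protected region at boot. A host whose enclave measurement is not on the server's allowlist is refused and its NIC never receives the network key.

```python
"""Model of: server attests a host's enclave, sends the symmetric network key over
the resulting trusted channel, and the enclave forwards it to the SmartNIC.
Added example with constructed keys; attestation and channels are simulated."""
import hashlib
import hmac
import secrets

# Enclave measurements the server will provision (constructed allowlist).
TRUSTED_MEASUREMENTS = {hashlib.sha256(b"key-agent-enclave-v1").digest()}


def kdf(key: bytes, label: bytes) -> bytes:
    """Derive a 32-byte subkey bound to a context label (HMAC-SHA256)."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = length // 32 + 1
    return b"".join(hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a fresh random nonce; stand-in for AEAD (e.g. AES-GCM)."""
    enc_key, mac_key = kdf(key, b"enc"), kdf(key, b"mac")
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; reject anything modified in transit."""
    enc_key, mac_key = kdf(key, b"enc"), kdf(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))


class SmartNic:
    """Smart NIC: holds the network key and encrypts host-to-host traffic with it."""
    def __init__(self, nic_key: bytes):
        self.nic_key = nic_key      # secret shared with the enclave at boot (assumed)
        self.net_key = None

    def install_key(self, sealed_key: bytes) -> None:
        self.net_key = unseal(self.nic_key, sealed_key)   # CPU -> NIC secure channel

    def send(self, payload: bytes) -> bytes:
        return seal(self.net_key, payload)

    def receive(self, frame: bytes) -> bytes:
        return unseal(self.net_key, frame)


class Enclave:
    """Protected region within the host CPU that performs attestation and key forwarding."""
    def __init__(self, measurement: bytes, attest_key: bytes, nic_key: bytes, nic: SmartNic):
        self.measurement, self.attest_key, self.nic_key, self.nic = measurement, attest_key, nic_key, nic
        self.nonce = None

    def attest(self, server_nonce: bytes):
        # Quote binds measurement to both nonces; simulated with a symmetric attestation key.
        self.nonce = secrets.token_bytes(16)
        quote = hmac.new(self.attest_key, self.measurement + server_nonce + self.nonce, hashlib.sha256).digest()
        return self.measurement, self.nonce, quote

    def receive_key(self, server_nonce: bytes, sealed_net_key: bytes) -> None:
        channel_key = kdf(self.attest_key, b"channel" + server_nonce + self.nonce)
        net_key = unseal(channel_key, sealed_net_key)             # trusted channel from server
        self.nic.install_key(seal(self.nic_key, net_key))         # forward to the SmartNIC


class Host:
    def __init__(self, measurement: bytes, attest_key: bytes):
        nic_key = secrets.token_bytes(32)
        self.nic = SmartNic(nic_key)
        self.enclave = Enclave(measurement, attest_key, nic_key, self.nic)


class KeyServer:
    """Distributes one symmetric network key, but only to hosts that attest successfully."""
    def __init__(self, net_key: bytes, device_attest_keys: dict):
        self.net_key, self.device_attest_keys = net_key, device_attest_keys

    def provision(self, host: Host, host_id: str) -> bool:
        nonce = secrets.token_bytes(16)
        measurement, enclave_nonce, quote = host.enclave.attest(nonce)
        attest_key = self.device_attest_keys[host_id]
        expected = hmac.new(attest_key, measurement + nonce + enclave_nonce, hashlib.sha256).digest()
        if measurement not in TRUSTED_MEASUREMENTS or not hmac.compare_digest(quote, expected):
            raise PermissionError(f"attestation failed for {host_id}")
        channel_key = kdf(attest_key, b"channel" + nonce + enclave_nonce)   # trusted channel
        host.enclave.receive_key(nonce, seal(channel_key, self.net_key))
        return True


def demo():
    """Two attested hosts exchange a frame; a host with a tampered enclave is refused."""
    device_keys = {h: secrets.token_bytes(32) for h in ("host-a", "host-b", "host-c")}
    server = KeyServer(secrets.token_bytes(32), device_keys)
    good = hashlib.sha256(b"key-agent-enclave-v1").digest()
    a, b = Host(good, device_keys["host-a"]), Host(good, device_keys["host-b"])
    server.provision(a, "host-a")
    server.provision(b, "host-b")
    delivered = b.nic.receive(a.nic.send(b"hello from host-a")) == b"hello from host-a"
    c = Host(hashlib.sha256(b"tampered-enclave").digest(), device_keys["host-c"])
    try:
        server.provision(c, "host-c")
        refused = False
    except PermissionError:
        refused = True
    return delivered, refused, c.nic.net_key is None


if __name__ == "__main__":
    print(demo())
```

The server only learns a channel key after checking the quote against its allowlist, so a host running unexpected enclave code never receives the network key and its NIC stays uninitialised; the tag check in `unseal` also rejects any sealed key or frame altered in transit.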