Secure Client-Server Communication with the CoApp Browser Extension and Nitro Enclave: A Confidential Computing Approach
The demand for secure, private communication between clients and servers keeps growing. As companies rely on web applications to handle sensitive data, protecting the confidentiality and integrity of that data while it is transmitted is paramount. This post walks through how our Browser Extension communicates securely with the CoApp Confidential Application, our application running inside an AWS Nitro Enclave, using confidential computing techniques to protect data both in transit and at rest.
The Challenge: Secure Data Transmission
The CoApp Browser Extension and the Confidential Application are two of the most powerful pieces of software in CoApp’s ecosystem. To unlock CoApp’s full potential, customers can use the Extension together with the Confidential Application to obtain data that is not directly available to the Extension in the browser. On request, the Confidential Application retrieves patient data, for example patient notes or appointment history, by opening a secure connection to the customer’s database. Protecting our customers’ data is our highest priority, so every request leaving the Extension for the Confidential Application, and every response coming back, is fully encrypted to guarantee that nobody, not even CoApp, can read customer data.
The Solution: End-to-End Encryption with Confidential Computing
To address these challenges, we designed a system that leverages the power of confidential computing through AWS Nitro Enclaves and advanced encryption techniques. Here’s how it works:
- Key Pair Generation in the Browser Extension:
  - Each client’s Browser Extension generates an RSA public-private key pair using the Web Crypto API. The private key is stored securely within the extension; the public key is shared with our backend services as part of specific requests.
  - The public key is used to encrypt sensitive material such as AES keys, which in turn encrypt the larger data payloads returned to the Browser Extension.
- Encrypted Requests from the Browser Extension:
  - When the client makes a request, such as retrieving patient data, the extension encrypts the request payload, including the client’s public key, using the RSA-OAEP algorithm. This ensures that only our application server, running in a secure Nitro Enclave, can decrypt and process the request.
  - The actual patient data is encrypted with an AES key, and that AES key is itself encrypted with the server’s public key, so the bulk payload is never protected by RSA alone.
- Processing in the Nitro Enclave:
  - Our server, running inside an AWS Nitro Enclave, receives the encrypted request. The enclave, isolated from other processes and from the outside world, decrypts the AES key with its private key.
  - The server then decrypts the patient data with the AES key, processes it, and prepares a response. The response, including any data returned to the client, is encrypted with the client’s public key.
- Secure Response Decryption:
  - Once the Browser Extension receives the encrypted response, it uses its stored private key to decrypt the AES key, and then uses the AES key to decrypt the data payload. Sensitive data is therefore never exposed in transit, nor at rest on our servers.
Why Nitro Enclaves?
AWS Nitro Enclaves provide a powerful environment for confidential computing by creating isolated environments that offer strong security boundaries. Our application runs within this secure enclave, ensuring that data is protected from external threats, including potential vulnerabilities in the operating system or hypervisor.
Zero Trust: We Can’t Intercept Your Data
One of the most significant advantages of our approach is that it follows a “zero trust” model. The encryption we have implemented ensures that no one, not even our own administrators or engineers, can intercept or decrypt the data as it passes through our infrastructure. This level of security and privacy is critical for industries such as healthcare and finance, where data protection is not just a priority but a regulatory requirement.
Conclusion
By combining the robust security of AWS Nitro Enclaves with advanced encryption techniques in the Browser Extension, we’ve created a system that ensures complete data privacy and security for our clients. Whether it’s sensitive patient records or financial transactions, you can trust that your data remains confidential and protected at all times, both in transit and at rest.
If you’re looking for a solution that offers unparalleled security for your web-based applications, our approach provides the peace of mind that your data is always safe, no matter where it travels.