Documentation Index
Fetch the complete documentation index at: https://nexaid.hashkey.com/docs/llms.txt
Use this file to discover all available pages before exploring further.
Security of Attestor Nodes
The security of attestor nodes is critical and must be safeguarded to protect both node maintainers and network clients. A key security concern in the zkTLS protocol is how to enforce the computational integrity of the attestor node. Note this aspect is not covered by the original protocol security.
To strengthen attestor security, the NexaID adopts a hardware-based approach. Specifically, Phala’s TEE technology
is integrated with the NexaID attestor node software to ensure nodes always execute correctly, while critical assets such as node keys remain protected and securely utilized.
Key Management
The attestor node leverages Phala’s TEE solution, including a secure Key Management Service (KMS), to safeguard node keys throughout their entire lifecycle. These node keys are the most critical assets within the attestor node, primarily used for signing zkTLS sessions and issuing proofs. Key generation is performed exclusively by the KMS inside the TEE, ensuring that the attestor node software never has direct access to the key material. Signing operations can only be performed within TEE, and only after the correct execution of the zkTLS protocol.
Version Managemnt
Another security concern involves the attestor’s DevOps process. To prevent attacks such as code injection or malware hijacking, only official, verified software versions are allowed to be deployed and maintained within the network. This policy is further enforced by TEE, as the entire attestor node software always runs inside the enclave, ensuring runtime integrity and protection against unauthorized modifications.