7

I'm studying for the CCSP and from a high-level, I keep hearing encryption described in three forms:

  • Protecting data at rest.
  • Protecting data in transit.
  • Protecting data in use.

The first two make sense to me, but then I'm struggling to think of a practical example for the third scenario. Can someone elaborate? Unfortunately, my study material doesn't elaborate.

One scenario I could think of would be (perhaps) masking some sensitive information (like only showing the last four digits of a credit card number to a customer service rep). That might be a stretch though... because technically wouldn't the data still be at rest?


3 Answers

5

Let's first define what encryption-in-use is. It's a capability that lets you run your computation on encrypted data or run an encrypted application.

There are two ways to do this. There are pros and cons to each, but they are complementary in most use cases.

  • Hardware-based trusted execution environment (TEE). Intel's SGX or ARM TrustZone is a good example.

  • Software-based. This is relatively new and not used much outside of the research currently. Multi-Party Computation (MPC) and Homomorphic Encryption are two popular choices.
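
The "compute on encrypted data" idea from the software-based bullet, as an added, self-contained illustration (not code from the answer above): a toy Paillier cryptosystem, which is additively homomorphic. A client encrypts its values, a server that never holds the private key adds the ciphertexts, and only the client can decrypt the total. The primes `p` and `q` below are deliberately tiny, constructed for the example; real deployments use 2048-bit or larger moduli and a vetted library.

```python
"""Toy Paillier (additively homomorphic) encryption to show "encryption in use".

Added example, not from the original answer. Key sizes are illustrative only.
"""
import math
import secrets


def _lcm(a: int, b: int) -> int:
    return a * b // math.gcd(a, b)


def _L(u: int, n: int) -> int:
    # Paillier's L function: L(u) = (u - 1) / n, exact for u = 1 mod n
    return (u - 1) // n


def keygen(p: int, q: int):
    """Derive a Paillier key pair from two distinct primes (toy sizes here)."""
    n = p * q
    n2 = n * n
    lam = _lcm(p - 1, q - 1)
    g = n + 1  # standard generator choice, keeps the math simple
    mu = pow(_L(pow(g, lam, n2), n), -1, n)  # modular inverse (Python 3.8+)
    return (n, g), (lam, mu)


def encrypt(pk, m: int) -> int:
    """Randomised encryption: c = g^m * r^n mod n^2."""
    n, g = pk
    n2 = n * n
    if not 0 <= m < n:
        raise ValueError("message out of range")
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(sk, pk, c: int) -> int:
    """m = L(c^lambda mod n^2) * mu mod n."""
    lam, mu = sk
    n, _ = pk
    return (_L(pow(c, lam, n * n), n) * mu) % n


def add_encrypted(pk, c1: int, c2: int) -> int:
    """Homomorphic addition: multiplying ciphertexts adds the plaintexts."""
    n, _ = pk
    return (c1 * c2) % (n * n)


def scale_encrypted(pk, c: int, k: int) -> int:
    """Homomorphic multiplication by a known constant k."""
    n, _ = pk
    return pow(c, k, n * n)


def private_sum(pk, sk, values):
    """Client encrypts each value; the 'server' sums ciphertexts without the
    private key; the client decrypts the single resulting ciphertext."""
    ciphertexts = [encrypt(pk, v) for v in values]   # client side
    total_ct = ciphertexts[0]                         # server side starts here
    for ct in ciphertexts[1:]:
        total_ct = add_encrypted(pk, total_ct, ct)    # server never sees plaintexts
    return decrypt(sk, pk, total_ct)                  # client side


if __name__ == "__main__":
    # Constructed toy primes; far too small for real use.
    pk, sk = keygen(7919, 7907)
    print(private_sum(pk, sk, [10, 20, 30]))  # 60
```

The server in `private_sum` only ever handles ciphertexts, which is exactly the "data in use" protection the answer describes: the computation happens, but the plaintext is never exposed to the party doing it.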

3

Protecting data at rest

Data at rest is data on disk rather than in memory. This data is typically protected using disk encryption, file encryption, database encryption or encryption of the specific piece of data.

Protecting data in transit

Data in movement is protected within channels. Examples would be IPsec VPN, HTTPS (SSL, TLS).

Protecting data in use

Data in use could be handled in protected memory or the data can be transformed for use. An example would be the use of a hash of the original data for comparison purposes like when performing password verifications.

Example: password verification

  • The user password is protected at rest through hashing (usually with a salt)
  • The user's entered password is protected in use through hashing
  • The user's password hash is protected in transit between the authentication requesting system and the centralised authentication server over an encrypted channel (TLS, SSH)

0

In my opinion, "encryption in-use" is a mechanism by which we can protect compute data (RAM, processes or anything which is by definition not considered data at-rest nor in-transit/motion) while employing cryptography.

To this end, I've always considered virtualisation-based security (VBS) as such, and since you're asking for examples:

Sure, one can argue, this is not "encryption in-use" but logical separation/segregation/layerisation or the like, but this isn't possible without encryption, and it does certainly protect data in-use.
