<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Good morning David, I hope in Intel® Software Guard Extensions (Intel® SGX)</title>
    <link>https://community.intel.com/t5/Intel-Software-Guard-Extensions/Importing-key-using-CNG-API/m-p/1179876#M3476</link>
    <description>&lt;P&gt;Good morning David, I hope this post finds your day starting well.&lt;/P&gt;&lt;P&gt;Normally I would recommend porting the KDF code to run in an enclave but the Argon code may be a poor fit for running in a trusted environment.&amp;nbsp; Argon, however, may be a poor candidate for incorporation into an enclave secondary to its generic dependency on threading.&amp;nbsp; The other challenge for these memory hard algorithms is that their security guarantees are based on the need to distribute the calculation over a specified size of memory in order to achieve their 'hardness' guarantees.&lt;/P&gt;&lt;P&gt;A common scheme for running Argon is to use a 64 megabyte memory region.&amp;nbsp; Given the common 3-level Merkle tree hardware implementations that limit EPC memory to 96 megabytes this memory requirement is problematic.&amp;nbsp; At a minimum you would probably want to be on an SGX2 platform that supports Enclave Dynamic Memory Management (EDMM) for an optimum implementation.&lt;/P&gt;&lt;P&gt;Given all this your idea of generating the hash in untrusted space and conveying it into an enclave would seem to be the most effective strategy.&amp;nbsp; There are two ways to do this, either compute the hash and supply it as an arguement to an ECALL or architect an OCALL that prompts for a password and then generates the hash and returns it to the enclave.&amp;nbsp; Usually the OCALL strategy tends to be a more 'natural' fit for most enclave applications.&lt;/P&gt;&lt;P&gt;Have a good day.&lt;/P&gt;&lt;P&gt;Dr. Greg&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Tue, 02 Apr 2019 08:51:18 GMT</pubDate>
    <dc:creator>Dr__Greg</dc:creator>
    <dc:date>2019-04-02T08:51:18Z</dc:date>
    <item>
      <title>Importing key using CNG API</title>
      <link>https://community.intel.com/t5/Intel-Software-Guard-Extensions/Importing-key-using-CNG-API/m-p/1179875#M3475</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;Is it possible to import key generated from 3rd party library (Argon2 KDF) into SGX using CNG API.&lt;/P&gt;&lt;P&gt;I know there is possibility to generate key inside SGX using CNG API and then use it to en/decrypt operation. But as SGX does not support Argon2 key derivation function I am forced to use 3rd party library, but I&amp;nbsp;was not able to find a way to import generated key.&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;David K.&lt;/P&gt;</description>
      <pubDate>Mon, 01 Apr 2019 12:55:58 GMT</pubDate>
      <guid>https://community.intel.com/t5/Intel-Software-Guard-Extensions/Importing-key-using-CNG-API/m-p/1179875#M3475</guid>
      <dc:creator>Komarek__David</dc:creator>
      <dc:date>2019-04-01T12:55:58Z</dc:date>
    </item>
    <item>
      <title>Good morning David, I hope</title>
      <link>https://community.intel.com/t5/Intel-Software-Guard-Extensions/Importing-key-using-CNG-API/m-p/1179876#M3476</link>
      <description>&lt;P&gt;Good morning David, I hope this post finds your day starting well.&lt;/P&gt;&lt;P&gt;Normally I would recommend porting the KDF code to run in an enclave but the Argon code may be a poor fit for running in a trusted environment.&amp;nbsp; Argon, however, may be a poor candidate for incorporation into an enclave secondary to its generic dependency on threading.&amp;nbsp; The other challenge for these memory hard algorithms is that their security guarantees are based on the need to distribute the calculation over a specified size of memory in order to achieve their 'hardness' guarantees.&lt;/P&gt;&lt;P&gt;A common scheme for running Argon is to use a 64 megabyte memory region.&amp;nbsp; Given the common 3-level Merkle tree hardware implementations that limit EPC memory to 96 megabytes this memory requirement is problematic.&amp;nbsp; At a minimum you would probably want to be on an SGX2 platform that supports Enclave Dynamic Memory Management (EDMM) for an optimum implementation.&lt;/P&gt;&lt;P&gt;Given all this your idea of generating the hash in untrusted space and conveying it into an enclave would seem to be the most effective strategy.&amp;nbsp; There are two ways to do this, either compute the hash and supply it as an arguement to an ECALL or architect an OCALL that prompts for a password and then generates the hash and returns it to the enclave.&amp;nbsp; Usually the OCALL strategy tends to be a more 'natural' fit for most enclave applications.&lt;/P&gt;&lt;P&gt;Have a good day.&lt;/P&gt;&lt;P&gt;Dr. Greg&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 02 Apr 2019 08:51:18 GMT</pubDate>
      <guid>https://community.intel.com/t5/Intel-Software-Guard-Extensions/Importing-key-using-CNG-API/m-p/1179876#M3476</guid>
      <dc:creator>Dr__Greg</dc:creator>
      <dc:date>2019-04-02T08:51:18Z</dc:date>
    </item>
    <item>
      <title>Hello Dr. Greg,</title>
      <link>https://community.intel.com/t5/Intel-Software-Guard-Extensions/Importing-key-using-CNG-API/m-p/1179877#M3477</link>
      <description>&lt;P&gt;Hello Dr. Greg,&lt;/P&gt;&lt;P&gt;Thank you for your reply.&lt;/P&gt;&lt;P&gt;From your answer, I suppose there is no&amp;nbsp;possibility to generate hash in untrusted environment and then import generated hash to enclave using MS CNG API. I would like to avoid using enclave via SGX API.&lt;/P&gt;&lt;P&gt;Thank you,&lt;/P&gt;&lt;P&gt;David K.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 02 Apr 2019 11:34:58 GMT</pubDate>
      <guid>https://community.intel.com/t5/Intel-Software-Guard-Extensions/Importing-key-using-CNG-API/m-p/1179877#M3477</guid>
      <dc:creator>Komarek__David</dc:creator>
      <dc:date>2019-04-02T11:34:58Z</dc:date>
    </item>
    <item>
      <title>Hello David, I hope this post</title>
      <link>https://community.intel.com/t5/Intel-Software-Guard-Extensions/Importing-key-using-CNG-API/m-p/1179878#M3478</link>
      <description>&lt;P&gt;Hello David, I hope this post finds the end of your week going well.&amp;nbsp; My apologies for the delay in getting a response back to you on this issue.&lt;/P&gt;&lt;P&gt;To my knowledge there is no method or API for plugging enclaves into the 'back-end' of the MS CNG API.&amp;nbsp; I believe that you will need to use the SGX API's, either in the form of an ECALL or OCALL, in order to convey the hash into the enclave.&amp;nbsp; Scott from Intel may have more visibility into what is available or possibly pending with respect to higher level constructs between Microsoft operating system primitives and enclave technology.&lt;/P&gt;&lt;P&gt;I'm not sure that I understand your reluctance to use the SGX API.&amp;nbsp; I don't have visibility into your application architecture but, at a minimum, your application will need at least one ECALL in order to obtain enclave services.&amp;nbsp; It would be straight forward to add a pointer to the hash value to the argument signature of the function that you will be using to request some type of enclave based service.&lt;/P&gt;&lt;P&gt;Once again, an OCALL is often a more 'natural' way of requesting this type of service from untrusted space but as I have noted a lot of this depends on the application and what you are attempting to accomplish.&lt;/P&gt;&lt;P&gt;Have a good weekend.&lt;/P&gt;&lt;P&gt;Dr. Greg&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 12 Apr 2019 07:57:34 GMT</pubDate>
      <guid>https://community.intel.com/t5/Intel-Software-Guard-Extensions/Importing-key-using-CNG-API/m-p/1179878#M3478</guid>
      <dc:creator>Dr__Greg</dc:creator>
      <dc:date>2019-04-12T07:57:34Z</dc:date>
    </item>
    <item>
      <title>Hello Dr. Greg,</title>
      <link>https://community.intel.com/t5/Intel-Software-Guard-Extensions/Importing-key-using-CNG-API/m-p/1179879#M3479</link>
      <description>&lt;P&gt;Hello Dr. Greg,&lt;/P&gt;&lt;P&gt;Thank you for your reply. I appreciate your suggestions.&lt;/P&gt;&lt;P&gt;David K.&lt;/P&gt;</description>
      <pubDate>Mon, 15 Apr 2019 05:37:35 GMT</pubDate>
      <guid>https://community.intel.com/t5/Intel-Software-Guard-Extensions/Importing-key-using-CNG-API/m-p/1179879#M3479</guid>
      <dc:creator>Komarek__David</dc:creator>
      <dc:date>2019-04-15T05:37:35Z</dc:date>
    </item>
  </channel>
</rss>

