topic Hey, if I understand your in Intel® Software Guard Extensions (Intel® SGX)

Question about remote attestation

Varky__Jacek — Sat, 13 Jan 2018 14:28:18 GMT

Hey everyone, I am currently reading up on SGX and wondering about remote attestation.

Let us consider, we have 2 different applications, whereby each has an enclave and they are remote.

Enclave A and enclave B want to perform remote attestation. Let's take the following protocol:
1) A => B: QUOTE{pk_A}
2) B => A: QUOTE{pk_B}
pk_Aand pk_B are public keys and each enclave has the corresponding secret key.

My question is now:
We have a MitM attacker, who intercepts whose QUOTE messages. Is the attacker able to read out the public keys or are they somehow encrypted?

Regards

Hi:

you_w_ — Tue, 16 Jan 2018 01:49:23 GMT

Hi:

In remote attestation scenario, before sent MSG3 which contains SGX quote we have already established a protected channel though a sigma liked protocol. And actually there is no pk in quote data structure. Only a signature contained in it.

typedef struct _quote_t
{
	uint16_t version; //2 byte
	uint16_t sign_type; //2 byte
	sgx_epid_group_id_t epid_group_id;  //4 byte
	sgx_isv_svn_t qe_svn; //2 byte
	sgx_isv_svn_t pce_svn; //2 byte
	uint32 xeid; //4byte
	sgx_basename_t basename; //32 byte
	sgx_report_body_t report_body;
	uint32_t signature_len;
	uint8_t signature[];
} sgx_quote_t;

typedef struct _report_body_t
{
	sgx_cpu_svn_t cpu_svn; /* ( 0) Security Version of the CPU */
	sgx_misc_select_t misc_select; /* ( 16) Which fields defined in SSA.MISC */
	uint8_t reserved1[28]; /* ( 20) */
	sgx_attributes_t attributes; /* ( 48) Any special Capabilities the Enclave possess */
	sgx_measurement_t mr_enclave; /* ( 64) The value of the enclave's ENCLAVE measurement */
	uint8_t reserved2[32]; /* ( 96) */
	sgx_measurement_t mr_signer; /* (128) The value of the enclave's SIGNER measurement */
	uint8_t reserved3[96]; /* (160) */
	sgx_prod_id_t isv_prod_id; /* (256) Product ID of the Enclave */
	sgx_isv_svn_t isv_svn; /* (258) Security Version of the Enclave */
	uint8_t reserved4[60]; /* (260) */
	sgx_report_data_t report_data; /* (320) 64 byte Data provided by the user */ 
} sgx_report_body_t;

Regards

you

Hey, if I understand your

Varky__Jacek — Wed, 17 Jan 2018 15:34:00 GMT

Hey, if I understand your answer correct, this means, that the quote is sent through a protected channel and therefore it would be not possible to read the quote in cleartext by a third party, am I right?

You are right, the data structure does not contain a pk. I picked this writing to indicate that a party is using the data field report_data in the _report_body_t structure. I should have mentioned that.

Hi Varky:

you_w_ — Fri, 19 Jan 2018 06:35:17 GMT

Hi Varky:

Yes, It's impossible for a third party to read the quote.

Kind Regards

you