topic Re:Does sgx support certificate-based remote authentication? in Intel® Software Guard Extensions (Intel® SGX)

Does sgx support certificate-based remote authentication?

Clinale — Fri, 05 Feb 2021 15:02:18 GMT

I recently started learning SGX technology and if I understand correctly, SGX supports EPID-based remote authentication. I wonder whether SGX supports certificate-based authentication, such as the X509 specification of the PKI standard.

Because I want SGX to attest ARM TrustZone, if SGX supports certificate-based authentication, then I think it is possible to implement remote authentication between SGX and ARM TrustZone.

Re:Does sgx support certificate-based remote authentication?

JesusG_Intel — Fri, 05 Feb 2021 18:35:51 GMT

Hello Clinale,

The Intel Attestation Service (IAS), or remote attestation service, attests clients that run Intel SGX and cannot be used to attest clients that run ARM TrustZone. The remote attestastion service does not run SGX. Servers and other clients that run SGX use the IAS to prove to service providers that the SGX enclave's:

Its identity
That it has not been tampered with
That it is running on a genuine platform with Intel SGX enabled
That it is running at the latest security level, also referred to as the Trusted Computing Base (TCB) level

I highly recommend you read the Remote Attestation End-to-End Example for more details.

Sincerely,

Jesus G.

Intel Customer Support

Re: Re:Does sgx support certificate-based remote authentication?

Clinale — Sat, 06 Feb 2021 03:05:18 GMT

Hi JesusG_Intel,

Thanks for your information, and I browsed the web link you posted.

I noticed a sentence mentioning that SGX supports certificate-based attestation.

I wonder what certificate-based authentication means. Does it mean that SGX support authenticate-based authentication, like PKI X509? If it does, will SGX always support certificate-based authentication?

Thanks for your reply.

Re:Does sgx support certificate-based remote authentication?

JesusG_Intel — Mon, 08 Feb 2021 19:03:00 GMT

Hello Clinale,

Intel no longer on-boards new customers using the old cert-based authentication. It’s only there for legacy IAS customers and will soon be EOL’d.

The old, cert-based authentication was simply a mutual TLS authentication mechanism. The customer had to purchase an x.509 client cert from a publicly recognized cert authority (ie. Thawte, DigiCert, etc) just like you would for a secure web site. Intel would use that cert to authenticate them when they connected to IAS.

Sincerely,

Jesus G.

Intel Customer Support

Re:Does sgx support certificate-based remote authentication?

JesusG_Intel — Tue, 16 Feb 2021 23:38:27 GMT

This thread has been marked as answered and Intel will no longer monitor this thread. If you want a response from Intel in a follow-up question, please open a new thread.