https://community.intel.com/t5/Intel-Software-Guard-Extensions/A-question-about-program-integrity-with-remote-attestation/m-p/1431976#M5544 <P>Hi,</P> <P>&nbsp;</P> <P>In order for Remote Attestation to work, the client's enclave must proves the following:</P> <P>&nbsp;</P> <OL> <LI><SPAN>The identity</SPAN></LI> <LI><SPAN>That it has not been tampered with</SPAN></LI> <LI><SPAN>That it is running on a genuine platform with Intel SGX enabled</SPAN></LI> <LI><SPAN>That it is running at the latest security level, also referred to as the Trusted Computing Base (TCB) level</SPAN></LI> </OL> <P>&nbsp;</P> <P>After all these conditions are met, only then is a connection between client and server established and the remote server can safely provision secrets to the enclave.</P> <P>&nbsp;</P> <P>The Remote Attestation utilizes a modified <A href="https://en.wikipedia.org/wiki/Proof_of_knowledge#Sigma_protocols" target="_blank" rel="noopener noreferrer">Sigma</A> protocol to facilitate a Diffie-Hellman Key Exchange (DHKE) between the client and server. The shared key obtained from this exchange can be used by the service provider to encrypt secrets to be provisioned to the client. The client enclave is able to derive the same key and use it to decrypt the secret.</P> <P>&nbsp;</P> <P>Here is the complete attestation flow figure for your reference.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="KFPW_Intel_0-1669081441416.png" style="width: 400px;"><img src="https://community.intel.com/t5/image/serverpage/image-id/35356i640E1482488909A6/image-size/medium?v=v2&amp;px=400&amp;whitelist-exif-data=Orientation%2CResolution%2COriginalDefaultFinalSize%2CCopyright" role="button" title="KFPW_Intel_0-1669081441416.png" alt="KFPW_Intel_0-1669081441416.png" /></span></P> <P>&nbsp;</P> <P>Refer this <A href="https://www.intel.com/content/www/us/en/developer/articles/code-sample/software-guard-extensions-remote-attestation-end-to-end-example.html" target="_blank" rel="noopener noreferrer">Article</A> (Provisioning Secrets with Remote Attestation) for more information. Hope this is helpful.</P> <P>&nbsp;</P> <P>Regards,</P> <P>Ken</P> <P>&nbsp;</P> Tue, 22 Nov 2022 01:44:17 GMT KFPW_Intel 2022-11-22T01:44:17Z https://community.intel.com/t5/Intel-Software-Guard-Extensions/A-question-about-program-integrity-with-remote-attestation/m-p/1431590#M5541 <P>Intel SGX provides a remote attestation, which means that the client can trust the program running in the Enclave of the SGX application running on the server. However, since the communication between the client and server runs in the untrusted area, I believe that the client cannot guarantee that the data sent by the client will be processed correctly (e.g., a process in the untrusted area is tampered with and does not transition into the Enclave). Is this correct?</P> Sun, 20 Nov 2022 14:49:50 GMT https://community.intel.com/t5/Intel-Software-Guard-Extensions/A-question-about-program-integrity-with-remote-attestation/m-p/1431590#M5541 wwfbear789 2022-11-20T14:49:50Z https://community.intel.com/t5/Intel-Software-Guard-Extensions/A-question-about-program-integrity-with-remote-attestation/m-p/1431976#M5544 <P>Hi,</P> <P>&nbsp;</P> <P>In order for Remote Attestation to work, the client's enclave must proves the following:</P> <P>&nbsp;</P> <OL> <LI><SPAN>The identity</SPAN></LI> <LI><SPAN>That it has not been tampered with</SPAN></LI> <LI><SPAN>That it is running on a genuine platform with Intel SGX enabled</SPAN></LI> <LI><SPAN>That it is running at the latest security level, also referred to as the Trusted Computing Base (TCB) level</SPAN></LI> </OL> <P>&nbsp;</P> <P>After all these conditions are met, only then is a connection between client and server established and the remote server can safely provision secrets to the enclave.</P> <P>&nbsp;</P> <P>The Remote Attestation utilizes a modified <A href="https://en.wikipedia.org/wiki/Proof_of_knowledge#Sigma_protocols" target="_blank" rel="noopener noreferrer">Sigma</A> protocol to facilitate a Diffie-Hellman Key Exchange (DHKE) between the client and server. The shared key obtained from this exchange can be used by the service provider to encrypt secrets to be provisioned to the client. The client enclave is able to derive the same key and use it to decrypt the secret.</P> <P>&nbsp;</P> <P>Here is the complete attestation flow figure for your reference.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="KFPW_Intel_0-1669081441416.png" style="width: 400px;"><img src="https://community.intel.com/t5/image/serverpage/image-id/35356i640E1482488909A6/image-size/medium?v=v2&amp;px=400&amp;whitelist-exif-data=Orientation%2CResolution%2COriginalDefaultFinalSize%2CCopyright" role="button" title="KFPW_Intel_0-1669081441416.png" alt="KFPW_Intel_0-1669081441416.png" /></span></P> <P>&nbsp;</P> <P>Refer this <A href="https://www.intel.com/content/www/us/en/developer/articles/code-sample/software-guard-extensions-remote-attestation-end-to-end-example.html" target="_blank" rel="noopener noreferrer">Article</A> (Provisioning Secrets with Remote Attestation) for more information. Hope this is helpful.</P> <P>&nbsp;</P> <P>Regards,</P> <P>Ken</P> <P>&nbsp;</P> Tue, 22 Nov 2022 01:44:17 GMT https://community.intel.com/t5/Intel-Software-Guard-Extensions/A-question-about-program-integrity-with-remote-attestation/m-p/1431976#M5544 KFPW_Intel 2022-11-22T01:44:17Z https://community.intel.com/t5/Intel-Software-Guard-Extensions/A-question-about-program-integrity-with-remote-attestation/m-p/1433044#M5547 <P>Hi,</P> <P>&nbsp;</P> <P>Thank you for your question and the accepted solution. Hope the information provided is helpful. If you need any additional information from Intel, please submit a new question as this thread is no longer being monitored.</P> <P>&nbsp;</P> <P>Regards,</P> <P>Ken</P> <P>&nbsp;</P> Fri, 25 Nov 2022 04:12:17 GMT https://community.intel.com/t5/Intel-Software-Guard-Extensions/A-question-about-program-integrity-with-remote-attestation/m-p/1433044#M5547 KFPW_Intel 2022-11-25T04:12:17Z