Hi Intel!
With Regards to Remote Attestation:
As I understood the documentation so far, it revolves around the fact that the client already has an Attestation Key, which it will use to sign/create a QUOTE that will serve as a response to a challenge by a Challenger/Server...
Question is: where did this Attestation Key come from? Is it already there in the Intel CPU out of the box, like the Root Provisioning Key?
Hi, Francis.
You can find the information about the EPID provisioning here: https://software.intel.com/en-us/blogs/2016/03/09/intel-sgx-epid-provisioning-and-attestation-services
Cheers,
Rodolfo
Rodolfo S. wrote:
Hi, Francis.
You can find the information about the EPID provisioning here: https://software.intel.com/en-us/blogs/2016/03/09/intel-sgx-epid-provisi...
Cheers,
Rodolfo
Hi Rodolfo,
Thanks! It's getting a bit clearer now... Just a few more clarifications to finish the big picture:
1) In "4.4.3 Message 3: Client Response" it is mentioned that:
"...the provisioning enclave conducts the EPID blind join protocol with Intel, including the liveness challenge issued in message 2. At the completion of this protocol, the provisioning enclave will have a private EPID key, and Intel will not know what it is."
So after proving its TCB to the Provisioning server, does this mean that the EPID/Attestation Key won't travel along the wire, but rather is computed by the SGX client application itself?
2) In "4.4.4 Message 4: Server Completion":
What then is the "...the verification of the proof of platform TCB and the blind join are verified and the member's key is certified..."?
I mean, since the client has now computed its own EPID key, what is the data being sent in Message 4, and what will it be used for that makes it security sensitive enough to need a secured connection?
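As an added illustration (not code from this thread or from Intel), here is a toy Python model of the provisioning step quoted in question 1: a textbook RSA blind signature with constructed tiny keys stands in for the EPID blind join, which is a different (group-signature) construction, to show only the property the blog excerpt describes: the issuer certifies the member's value in message 4 without ever learning the member's secret, so the secret never crosses the wire while the certificate does.

```python
import hashlib
import math
import secrets

# Constructed toy issuer key (tiny primes): demonstration only, not a real
# signing key. Stands in for Intel's EPID issuing key.
P, Q = 104729, 1299709
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def commit(secret):
    """One-way commitment to the member's secret; the secret itself never leaves the platform."""
    return int.from_bytes(hashlib.sha256(secret).digest(), "big") % N


def member_blind(secret):
    """Message 3 (client side): blind the commitment with a fresh factor r."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return (commit(secret) * pow(r, E, N)) % N, r


def issuer_certify(blinded, tcb_ok):
    """Message 4 (server side): certify the blinded value only after the TCB proof passed.
    The issuer signs blinded, never commit(secret), so it learns nothing about the secret."""
    if not tcb_ok:
        raise PermissionError("platform TCB proof rejected")
    return pow(blinded, D, N)


def member_unblind(blind_sig, r):
    """Client removes r to obtain the issuer's certificate on its own commitment."""
    return (blind_sig * pow(r, -1, N)) % N


def verify_certificate(secret, cert):
    """Check with the issuer's public key that cert certifies commit(secret)."""
    return pow(cert, E, N) == commit(secret)


def provision(secret, tcb_ok=True):
    """Full exchange: the private value stays local; only blinded and cert cross the wire."""
    blinded, r = member_blind(secret)
    return member_unblind(issuer_certify(blinded, tcb_ok), r)
```

The certificate returned by provision() is the message-4 artefact the question asks about: it is useless without the secret, but an attacker who can tamper with it in transit can deny the platform a valid credential, which is one reason the channel needs integrity protection.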
Hi Rodolfo, I've got the same question as you. Did you get a clearer answer about it now? Thanks