Community
cancel
Showing results for 
Search instead for 
Did you mean: 
francis_l_
Beginner
94 Views

Attestation Key source entity?

Hi Intel!

With Regards to Remote Attestation:

As I understood the documentation so far, it revolves around the fact that client already has an Attestation Key. Which it will use to sign/create a QUOTE that will serve as a response to a challenge by a Challenger/Server...

 

Question is: Where did this Attestation Key come from? Is it already there in the Intel CPU out of the box like the Root Provisioning Key?

0 Kudos
3 Replies
Rodolfo_S_
New Contributor III
94 Views

Hi, Francis.

You can find the information about the EPID provisioning here: https://software.intel.com/en-us/blogs/2016/03/09/intel-sgx-epid-provisioning-and-attestation-services

Cheers,

Rodolfo

francis_l_
Beginner
94 Views

Rodolfo S. wrote:

Hi, Francis.

You can find the information about the EPID provisioning here: https://software.intel.com/en-us/blogs/2016/03/09/intel-sgx-epid-provisi...

Cheers,

Rodolfo

 

Hi Rodolfo,

Thanks! It's getting a bit clearer now... Just a few more clarification to finish the big picture:

1) In "4.4.3 Message 3: Client Response" it mentioned that:
"...the provisioning enclave conducts the EPID blind join protocol with Intel, including the liveness challenge issued in message 2. At the completion of this protocol, the provisioning enclave will have a private EPID key, and Intel will not know what it is. "

So after proving its TCB to the Provisioning server, does this mean that the EPID/Attestation_Key won't travel along the wire, rather it is computed by the SGx client application itself?

 

2) In "4.4.4 Message 4: Server Completion":

What is then the "...the verification of the proof of platform TCB and the blind join are verified and the member’s key is certified..."?

I mean, since the client now has computed its own EPID, what is this data being sent in Message 4, what it will be used for making it security sensitive that a secured connection is needed for it?

jamason
Beginner
94 Views

Hi Rodolfo, ive got the same question as you..did you have a clearer answer about it now? thanks

Hi Rodolfo,

Thanks! It's getting a bit clearer now... Just a few more clarification to finish the big picture:

1) In "4.4.3 Message 3: Client Response" it mentioned that:
"...the provisioning enclave conducts the EPID blind join protocol with Intel, including the liveness challenge issued in message 2. At the completion of this protocol, the provisioning enclave will have a private EPID key, and Intel will not know what it is. "

So after proving its TCB to the Provisioning server, does this mean that the EPID/Attestation_Key won't travel along the wire, rather it is computed by the SGx client application itself?

 

2) In "4.4.4 Message 4: Server Completion":

What is then the "...the verification of the proof of platform TCB and the blind join are verified and the member’s key is certified..."?

I mean, since the client now has computed its own EPID, what is this data being sent in Message 4, what it will be used for making it security sensitive that a secured connection is needed for it?

Reply