Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

Does SGX support certificate-based remote authentication?

Clinale
Beginner

I recently started learning SGX technology and if I understand correctly, SGX supports EPID-based remote authentication. I wonder whether SGX supports certificate-based authentication, such as the X509 specification of the PKI standard.

Because I want SGX to attest ARM TrustZone, if SGX supports certificate-based authentication, then I think it is possible to implement remote authentication between SGX and ARM TrustZone.

JesusG_Intel
Moderator

Hello Clinale,


The Intel Attestation Service (IAS), or remote attestation service, attests clients that run Intel SGX and cannot be used to attest clients that run ARM TrustZone. The remote attestation service does not run SGX. Servers and other clients that run SGX use the IAS to prove the following about the SGX enclave to service providers:


  • Its identity
  • That it has not been tampered with
  • That it is running on a genuine platform with Intel SGX enabled
  • That it is running at the latest security level, also referred to as the Trusted Computing Base (TCB) level


I highly recommend you read the Remote Attestation End-to-End Example for more details.


Sincerely,

Jesus G.

Intel Customer Support


Clinale
Beginner

Hi JesusG_Intel,

Thanks for your information, and I browsed the web link you posted.

I noticed a sentence mentioning that SGX supports certificate-based attestation.

I wonder what certificate-based authentication means. Does it mean that SGX supports authenticate-based authentication, like PKI X509? If it does, will SGX always support certificate-based authentication?

Thanks for your reply.

JesusG_Intel
Moderator

Hello Clinale,


Intel no longer on-boards new customers using the old cert-based authentication. It’s only there for legacy IAS customers and will soon be EOL’d.


The old, cert-based authentication was simply a mutual TLS authentication mechanism. The customer had to purchase an X.509 client cert from a publicly recognized cert authority (e.g. Thawte, DigiCert, etc.) just like you would for a secure web site. Intel would use that cert to authenticate them when they connected to IAS.


Sincerely,

Jesus G.

Intel Customer Support


JesusG_Intel
Moderator

This thread has been marked as answered and Intel will no longer monitor this thread. If you want a response from Intel in a follow-up question, please open a new thread.

