Clinale
Beginner
170 Views

Does SGX support certificate-based remote authentication?


I recently started learning SGX technology and if I understand correctly, SGX supports EPID-based remote authentication. I wonder whether SGX supports certificate-based authentication, such as the X509 specification of the PKI standard.

Because I want SGX to attest ARM TrustZone, if SGX supports certificate-based authentication, then I think it is possible to implement remote authentication between SGX and ARM TrustZone.

0 Kudos

Accepted Solutions
JesusG_Intel
Moderator
139 Views

Hello Clinale,


Intel no longer on-boards new customers using the old cert-based authentication. It’s only there for legacy IAS customers and will soon be EOL’d.


The old, cert-based authentication was simply a mutual TLS authentication mechanism. The customer had to purchase an X.509 client cert from a publicly recognized cert authority (i.e., Thawte, DigiCert, etc.) just like you would for a secure web site. Intel would use that cert to authenticate them when they connected to IAS.


Sincerely,

Jesus G.

Intel Customer Support



4 Replies
JesusG_Intel
Moderator
162 Views

Hello Clinale,


The Intel Attestation Service (IAS), or remote attestation service, attests clients that run Intel SGX and cannot be used to attest clients that run ARM TrustZone. The remote attestation service does not run SGX. Servers and other clients that run SGX use the IAS to prove the following about the SGX enclave to service providers:


  • Its identity
  • That it has not been tampered with
  • That it is running on a genuine platform with Intel SGX enabled
  • That it is running at the latest security level, also referred to as the Trusted Computing Base (TCB) level


I highly recommend you read the Remote Attestation End-to-End Example for more details.


Sincerely,

Jesus G.

Intel Customer Support


Clinale
Beginner
155 Views

Hi JesusG_Intel,

Thanks for your information, and I browsed the web link you posted.

I noticed a sentence mentioning that SGX supports certificate-based attestation. 


I wonder what certificate-based authentication means. Does it mean that SGX supports authenticate-based authentication, like PKI X509? If it does, will SGX always support certificate-based authentication?

Thanks for your reply.

JesusG_Intel
Moderator
106 Views

This thread has been marked as answered and Intel will no longer monitor this thread. If you want a response from Intel in a follow-up question, please open a new thread.

