Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.
1453 Discussions

Enclave Signing Key public exponent & HSM restrictions

Anandakumar
New Contributor II
‎03-17-2020 11:02 PM
1,044 Views

Hi Team,

We are in the process of gathering documents and setting up environment to apply for Intel SGX production licenese.

As listed in the license requirements, we are planning to store Enclave Signing Key in our HSM. But the problem is, our HSM only accept 65537 as public exponent in FIPS mode enabled. 

Other public exponent 3 and 17 are not allowed in FIPS mode.

HSM details:

 Safenet HSM Luna 7.0.

HSM doc : https://thalesdocs.com/gphsm/luna/7.4/docs/pci/Content/PDF_PCI/Utilities%20Reference%20Guide.pdf

in the above document page #28 they mentaioned that only 65537 allowed in FIPS mode.

Note : When we tried with public exponent 3 we are getting generation failed message.

anyone please clarify this to me.

Thanks,

Anand

 

 

 

0 Kudos

Link Copied

3 Replies
JesusG_Intel
Moderator
‎03-19-2020 03:20 PM
1,044 Views

Hello Anand,

SGX has a hard requirement for RSA keys with public exponent of 3 only. The document you site lists "3" as a valid exponent. Maybe you should not configure it in FIPS mode.

Regards,

Jesus

0 Kudos
Copy link
Anandakumar
New Contributor II
‎03-20-2020 01:47 AM
1,044 Views

Hi Garcia,

Thanks for your response.

We cannot diable FIPS mode since the same HSM is consumed by other services.

We also have KeyManagement tool without HSM in the backend where keys are encrypted and stored. Access to the keys are protected by role based authentication.

Can we store the enclave signing key in our KeyManagement tool ?
Will you accecpt a Non HSM Keystore for storing enclave signing key in Commercial license request ?

Thanks,

Anand

0 Kudos
Copy link
JesusG_Intel
Moderator
‎03-20-2020 11:32 AM
1,044 Views

Hello Anand,

Intel recommends you use an HSM but it is not a requirement. The application for a commercial license will ask how you will protect your keys. Please see the licensee guide for additional information. The last section, "Enclave Signing Key Management" states:

"Intel recommends that developers and Licensees use a protected environment such as an HSM-managed enclave signing system for production signing (NOTE: This is only needed for production signing, not development (debug) signing. Production signing of enclaves is recommended to be performed after completing code reviews, security reviews, and functional validation).

Intel also recommends that developers and Licensees use industry best practices for key management to protect the enclave signing private key from theft (by insiders or external agents), compromise (accidental release or discovery due to negligence) or other abuse."

The PDF at the end of the licensee guide mentions FIPS-compliant HSMs but do not take this as a requirement. The PDF was not written by Intel and is meant as a helpful resource NOT as a guide to requirements.

I hope this helps.

Regards,

Jesus

0 Kudos
Copy link
Reply

Community support is provided during standard business hours (Monday to Friday 7AM - 5PM PST). Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.