Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
74 Views

Enclave Signing Key public exponent & HSM restrictions

Hi Team,

We are in the process of gathering documents and setting up environment to apply for Intel SGX production licenese.

As listed in the license requirements, we are planning to store Enclave Signing Key in our HSM. But the problem is, our HSM only accept 65537 as public exponent in FIPS mode enabled. 

Other public exponent 3 and 17 are not allowed in FIPS mode.

HSM details:

 Safenet HSM Luna 7.0.

HSM doc : https://thalesdocs.com/gphsm/luna/7.4/docs/pci/Content/PDF_PCI/Utilities%20Reference%20Guide.pdf

in the above document page #28 they mentaioned that only 65537 allowed in FIPS mode.

Note : When we tried with public exponent 3 we are getting generation failed message.

anyone please clarify this to me.

Thanks,

Anand

 

 

 

Tags (1)
0 Kudos
3 Replies
Highlighted
Moderator
74 Views

Hello Anand,

SGX has a hard requirement for RSA keys with public exponent of 3 only. The document you site lists "3" as a valid exponent. Maybe you should not configure it in FIPS mode.

Regards,

Jesus

0 Kudos
Highlighted
74 Views

Hi Garcia,

Thanks for your response.

We cannot diable FIPS mode since the same HSM is consumed by other services.

We also have KeyManagement tool without HSM in the backend where keys are encrypted and stored. Access to the keys are protected by role based authentication.

Can we store the enclave signing key in our KeyManagement tool ?
Will you accecpt a Non HSM Keystore for storing enclave signing key in Commercial license request ?

Thanks,

Anand

0 Kudos
Highlighted
Moderator
74 Views

Hello Anand,

Intel recommends you use an HSM but it is not a requirement. The application for a commercial license will ask how you will protect your keys. Please see the licensee guide for additional information. The last section, "Enclave Signing Key Management" states:

"Intel recommends that developers and Licensees use a protected environment such as an HSM-managed enclave signing system for production signing (NOTE: This is only needed for production signing, not development (debug) signing. Production signing of enclaves is recommended to be performed after completing code reviews, security reviews, and functional validation).

Intel also recommends that developers and Licensees use industry best practices for key management to protect the enclave signing private key from theft (by insiders or external agents), compromise (accidental release or discovery due to negligence) or other abuse."

The PDF at the end of the licensee guide mentions FIPS-compliant HSMs but do not take this as a requirement. The PDF was not written by Intel and is meant as a helpful resource NOT as a guide to requirements.

I hope this helps.

Regards,

Jesus

0 Kudos