Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

Enclave Signing Key

Toshi_O
Beginner

According to the developers reference,

https://download.01.org/intel-sgx/sgx-linux/2.19/docs/Intel_SGX_Developer_Reference_Linux_2.19_Open_Source.pdf

P.23

 

the private key scheme for Enclave signing seems to be RSA 3072-bit with publicExponent=3. Are these algorithms and parameters specified in the SGX protocol?

For example, is it possible to specify a key algorithm other than RSA, bit, and publicExponent value?

0 Kudos
Wan_Intel
Moderator

Hi Toshi_O,

Thanks for reaching out to us.

 

For your information, the example in Developer Reference Page 23 is based on OpenSSL. Referring to OpenSSL genrsa, the public exponent to use is either 65537 or 3. The default is 65537. We encourage you to try out specific use cases with your public or private exponent available.

 

On another note, if you would like to use another type of key algorithm, you can try the 265 bit ECC key, which is equivalent to a 3072-bit RSA key; however, the examples given in the Developer Reference only work with RSA keys. Let us know if the 265 bit ECC key is working for you.

 

 

Regards,

Wan


0 Kudos
Toshi_O
Beginner

 

Thanks for the reply.

 

I understand that 65537 can be specified for publicExponent in RSA and that ECC with a key size of 265bit (256bit?) can be used.
What curve parameters (e.g., prime256v1) can be specified for ECC?

 

We are requesting an Intel SGX production license and are required to submit an MRSIGNER. We are using an HSM to manage the Enclave signing keys that are required for MRSIGNER derivation. Is there a list of key algorithms, key sizes, and parameters that are supported when generating Enclave signing keys? It would be very helpful to have such a list when we are selecting an HSM.
 
thanks
0 Kudos
Wan_Intel
Moderator

Hi Toshi_O,

Thanks for your information.

Let me check with the relevant team and I'll update here as soon as possible.



Regards,

Wan


0 Kudos
Wan_Intel
Moderator

Hello Toshi_O,

Thanks for your patience. We've discussed with the development team.

 

According to the reference as shown below, there is only one allowed enclave signing key format: RSA 3072-bit key with a public exponent of 3.

Snipaste_2023-06-30_15-13-40.jpg

 

On another note, regarding the license, we have forwarded your request to the Intel SGX team and they will contact you shortly via email.

 

 

Regards,

Wan

 

0 Kudos
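An added example, not part of the thread and not Intel's code: a pre-submission check that a public key exported from an HSM matches the format given in the answer above (RSA 3072-bit, public exponent 3), plus the MRSIGNER value that follows from its modulus. It assumes the key is available as DER (SubjectPublicKeyInfo or PKCS#1 RSAPublicKey); the function names are hypothetical and the sample modulus is a constructed stand-in, not a real key.

```python
import hashlib

REQUIRED_BITS, REQUIRED_EXPONENT = 3072, 3  # the only format the answer above allows

def read_tlv(buf, pos, tag):
    """Return (value, next_pos) for the DER element with the given tag at pos."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError(f"expected DER tag 0x{tag:02x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return buf[pos:pos + length], pos + length

def parse_rsa_public_key(der):
    """Return (n, e) from DER; a non-RSA key (e.g. an EC point) raises ValueError."""
    seq, _ = read_tlv(der, 0, 0x30)
    if seq[:1] == b"\x30":  # SubjectPublicKeyInfo: skip AlgorithmIdentifier, unwrap BIT STRING
        _, pos = read_tlv(seq, 0, 0x30)
        bits, _ = read_tlv(seq, pos, 0x03)
        seq, _ = read_tlv(bits[1:], 0, 0x30)  # bits[0] is the unused-bits count
    n_bytes, pos = read_tlv(seq, 0, 0x02)
    e_bytes, _ = read_tlv(seq, pos, 0x02)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")

def signing_key_problems(n, e):
    """List the ways (n, e) departs from RSA-3072 with public exponent 3."""
    problems = []
    if n.bit_length() != REQUIRED_BITS:
        problems.append(f"modulus is {n.bit_length()} bits, need {REQUIRED_BITS}")
    if e != REQUIRED_EXPONENT:
        problems.append(f"public exponent is {e}, need {REQUIRED_EXPONENT}")
    return problems

def mrsigner(n):
    """SHA-256 of the modulus as 384 little-endian bytes (its SIGSTRUCT layout).
    Call only after signing_key_problems() returns an empty list."""
    return hashlib.sha256(n.to_bytes(REQUIRED_BITS // 8, "little")).hexdigest()

# Constructed sample: a 3072-bit odd number standing in for a real modulus, e = 3,
# wrapped as a PKCS#1 RSAPublicKey (SEQUENCE { INTEGER n, INTEGER e }).
SAMPLE_N = (1 << 3071) | 1
SAMPLE_DER = (bytes.fromhex("30820188" "0282018100")
              + SAMPLE_N.to_bytes(384, "big") + bytes.fromhex("020103"))
```

A key generated with the OpenSSL default exponent of 65537, or with any modulus size other than 3072 bits, shows up in `signing_key_problems` before an MRSIGNER derived from it is submitted.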
Toshi_O
Beginner

Thanks.

I understand about the schema of keys available for signatures.

 

I appreciate your support.

0 Kudos
Wan_Intel
Moderator

Hello Toshi_O,

Just wanted to follow up to ensure you have been contacted by our SGX team via email.



Regards,

Wan


0 Kudos
Wan_Intel
Moderator

Hello Toshi_O,

Thanks for your question.

 

If you need any additional information from Intel, please submit a new question as this thread will no longer be monitored.

 

 

Regards,

Wan

