Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.
1453 Discussions

How to authenticate between two remote enclaves!?

Anandakumar
New Contributor II
‎07-24-2019 06:21 AM
682 Views

Hi All,

I am implementing an enclave to create and store secrets.For high availability reasons i need to replicate the secrets by deploying same enclave in different machines. To securely transfer the secrets to enclave in different machine how can i make use of remote attestation here?

Thanks,

Anandakumar N

0 Kudos

Link Copied

2 Replies
Wojciech_M_Intel
Moderator
‎08-09-2019 05:36 AM
682 Views

Hi Anandakumar,
from remote attestation sample page  https://software.intel.com/en-us/articles/code-sample-intel-software-guard-extensions-remote-attestation-end-to-end-example :

Using the Remote Attestation flow, a client's enclave can attest to a remote entity that it is trusted, and establish an authenticated communication channel with that entity. As part of attestation, the client's enclave proves the following:

  • Its identity
  • That it has not been tampered with
  • That it is running on a genuine platform with Intel SGX enabled
  • That it is running at the latest security level, also referred to as the Trusted Computing Base (TCB) level

At that point, the remote server can safely provision secrets to the enclave.

My understanding of what you are saying is that when your new enclave(NE) wants to get secrets from your enclave with secrets(SE).
So in your case both NE and SE should attest to each other.
NE wants do get secrets from SE. SE should attest to NE, if SE is ok NE sends request for secrets. Then NE should attest to SE. If NE is ok, then SE can share its secrets with NE.


https://github.com/intel/sgx-ra-sample ; - here you can find source code for remote attestation sample. It's server client architecture, but I think it should help you with your implementation.

Regards,
Wojtek

0 Kudos
Copy link
Anandakumar
New Contributor II
‎08-09-2019 06:11 AM
682 Views

HI @Marcinkowski, Wojciech, thanks for you reply!

I found a way to do it without complete RemoteAttestation flow.Solution is using sgx_report_data_ field in sgx_report_t. 

My NE will generate report with a temp ecc256 publickey included as report_data and quote will be generated using the report and quote will be send to my SE. SE will verify the quote by contacting IAS and if it is valid quote then secrets will be shared using that temp pubkey! 

Above solution is somewhat similar to Sawtooth POET verification procedure.

Thanks!

0 Kudos
Copy link
Reply

Community support is provided during standard business hours (Monday to Friday 7AM - 5PM PST). Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.