Hello,
I'm new to SGX and I have a question about how DCAP remote attestation works.
I generated a quote in Azure cloud using the quote generation example from that repo. The certification data type of the quote is 5 (Concatenated PCK Cert Chain), so I parsed the quote, extracted the certificate chain and verified it. The root certificate has been issued by Intel and is self-signed.
But how can I check that the root certificate extracted from that quote hasn't been faked and has actually been issued by Intel? It seems important in the case of receiving a quote from third parties.
For example, the EPID remote attestation root certificate is published here. But I can't find something similar for DCAP attestation.
The certificate I'm talking about is:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
22:65:0c:d6:5a:9d:34:89:f3:83:b4:95:52:bf:50:1b:39:27:06:ac
Signature Algorithm: ecdsa-with-SHA256
Issuer: CN = Intel SGX Root CA, O = Intel Corporation, L = Santa Clara, ST = CA, C = US
Validity
Not Before: May 21 10:45:10 2018 GMT
Not After : Dec 31 23:59:59 2049 GMT
Subject: CN = Intel SGX Root CA, O = Intel Corporation, L = Santa Clara, ST = CA, C = US
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:0b:a9:c4:c0:c0:c8:61:93:a3:fe:23:d6:b0:2c:
da:10:a8:bb:d4:e8:8e:48:b4:45:85:61:a3:6e:70:
55:25:f5:67:91:8e:2e:dc:88:e4:0d:86:0b:d0:cc:
4e:e2:6a:ac:c9:88:e5:05:a9:53:55:8c:45:3f:6b:
09:04:ae:73:94
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:22:65:0C:D6:5A:9D:34:89:F3:83:B4:95:52:BF:50:1B:39:27:06:AC
X509v3 CRL Distribution Points:
Full Name:
URI:https://certificates.trustedservices.intel.com/IntelSGXRootCA.der
X509v3 Subject Key Identifier:
22:65:0C:D6:5A:9D:34:89:F3:83:B4:95:52:BF:50:1B:39:27:06:AC
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:1
Signature Algorithm: ecdsa-with-SHA256
30:46:02:21:00:e5:bf:e5:09:11:f9:2f:42:89:20:dc:36:8a:
30:2e:e3:d1:2e:c5:86:7f:f6:22:ec:64:97:f7:80:60:c1:3c:
20:02:21:00:e0:9d:25:ac:7a:0c:b3:e5:e8:e6:8f:ec:5f:a3:
bd:41:6c:47:44:0b:d9:50:63:9d:45:0e:dc:be:a4:57:6a:a2
Hi,
At a high level, the SGX ECDSA Quote Verification Library contains a Quote Verification Enclave (QvE) that will verify the quote generated by the ECDSA-based Quoting Enclave. The QvE is developed and signed by Intel. The root certificate derived from this quote will therefore be authentic.
You will find more relevant information in this document and on this page.
I hope this information is helpful.
Sincerely,
Sahira
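
For a relying party that parses the quote itself, as in the question, the root certificate carried inside the quote is untrusted input: it is only compared against a locally pinned copy of the Intel SGX Root CA obtained over a separate channel. The following is an added example, not code from the thread or from Intel; the function names are hypothetical, the certificate bytes are constructed stand-ins, and the leaf, intermediate, root ordering of the chain is an assumption.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def split_pem_chain(pem_text):
    """Return the DER bytes of every certificate in a concatenated PEM chain."""
    return [base64.b64decode("".join(body.split()))
            for body in PEM_RE.findall(pem_text)]


def fingerprint(der):
    return hashlib.sha256(der).hexdigest()


def untrusted_part_of_chain(quote_chain_pem, trusted_root_der):
    """Check the quote's root against the pinned root and return the rest.

    A self-signed root proves nothing about its origin, so the copy in the
    quote is never used as a trust anchor. It is only compared to the pinned
    copy; the returned leaf and intermediate still have to be path-validated
    against the pinned root by a real X.509 verifier.
    """
    chain = split_pem_chain(quote_chain_pem)
    if len(chain) < 2:
        raise ValueError("chain too short: expected leaf ... root")
    *rest, root = chain  # assumed order: PCK leaf, intermediate CA, root
    if not hmac.compare_digest(fingerprint(root), fingerprint(trusted_root_der)):
        raise ValueError("root certificate in quote is not the pinned root")
    return rest


def _pem(der):
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"


# Constructed stand-in bytes, not real certificates.
PINNED_ROOT = b"constructed-root-der"
_LEAF_AND_CA = _pem(b"constructed-pck-leaf") + _pem(b"constructed-intermediate")
GOOD_CHAIN = _LEAF_AND_CA + _pem(PINNED_ROOT)
SPOOFED_CHAIN = _LEAF_AND_CA + _pem(b"constructed-attacker-root")
```
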