Is it possible to import key generated from 3rd party library (Argon2 KDF) into SGX using CNG API.
I know there is possibility to generate key inside SGX using CNG API and then use it to en/decrypt operation. But as SGX does not support Argon2 key derivation function I am forced to use 3rd party library, but I was not able to find a way to import generated key.
Good morning David, I hope this post finds your day starting well.
Normally I would recommend porting the KDF code to run in an enclave but the Argon code may be a poor fit for running in a trusted environment. Argon, however, may be a poor candidate for incorporation into an enclave secondary to its generic dependency on threading. The other challenge for these memory hard algorithms is that their security guarantees are based on the need to distribute the calculation over a specified size of memory in order to achieve their 'hardness' guarantees.
A common scheme for running Argon is to use a 64 megabyte memory region. Given the common 3-level Merkle tree hardware implementations that limit EPC memory to 96 megabytes this memory requirement is problematic. At a minimum you would probably want to be on an SGX2 platform that supports Enclave Dynamic Memory Management (EDMM) for an optimum implementation.
Given all this your idea of generating the hash in untrusted space and conveying it into an enclave would seem to be the most effective strategy. There are two ways to do this, either compute the hash and supply it as an arguement to an ECALL or architect an OCALL that prompts for a password and then generates the hash and returns it to the enclave. Usually the OCALL strategy tends to be a more 'natural' fit for most enclave applications.
Have a good day.
Hello Dr. Greg,
Thank you for your reply.
From your answer, I suppose there is no possibility to generate hash in untrusted environment and then import generated hash to enclave using MS CNG API. I would like to avoid using enclave via SGX API.
Hello David, I hope this post finds the end of your week going well. My apologies for the delay in getting a response back to you on this issue.
To my knowledge there is no method or API for plugging enclaves into the 'back-end' of the MS CNG API. I believe that you will need to use the SGX API's, either in the form of an ECALL or OCALL, in order to convey the hash into the enclave. Scott from Intel may have more visibility into what is available or possibly pending with respect to higher level constructs between Microsoft operating system primitives and enclave technology.
I'm not sure that I understand your reluctance to use the SGX API. I don't have visibility into your application architecture but, at a minimum, your application will need at least one ECALL in order to obtain enclave services. It would be straight forward to add a pointer to the hash value to the argument signature of the function that you will be using to request some type of enclave based service.
Once again, an OCALL is often a more 'natural' way of requesting this type of service from untrusted space but as I have noted a lot of this depends on the application and what you are attempting to accomplish.
Have a good weekend.