Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

Inquiry: Any Plans to Update Enclave Signing Scheme from using the PKCS#1 V1.5 Padding?

AndyZong

Hi Intel SGX team,

As of now, SGX enclaves are signed using RSA3072 with PKCS#1 V1.5 padding. However, PKCS#1 v1.5 is known to have certain cryptographic vulnerabilities, particularly in the context of signature forgery and padding oracle attacks, is generally discouraged in favor of more secure alternatives such as RSASSA-PSS, and thus has been deprecated at many companies due to security concerns.

Given the growing emphasis on modern cryptographic standards and best practices, I would like to ask:

Are there any plans to migrate the enclave signing scheme to a more secure padding method such as RSASSA-PSS or another recommended standard? If so, is there a roadmap or timeline for this transition?

I appreciate your insights and any guidance you can provide on this matter.

Here is the description of the enclave signing key from P21 of Intel® Software Guard Extensions Developer Reference for Linux* OS:

"The signature should follow the RSAPKCS1.5 padding scheme. The signature should be generated using the v1.5 version of the RSA scheme with an SHA-256 message digest."

Thank you!

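The scheme quoted in the post (RSA-3072, PKCS#1 v1.5 padding, SHA-256) is sketched below as an added example; it is not part of the original post and is not Intel's SGX code. It builds the deterministic 384-byte encoded message defined in RFC 8017 and checks a candidate by rebuilding and comparing every byte. Assumptions: the RSA public-key operation has already been applied to the signature, and the function names and sample inputs are constructed for illustration.

```python
import hashlib
import hmac

# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
MODULUS_BYTES = 3072 // 8  # 384-byte encoded message for an RSA-3072 key


def emsa_pkcs1_v15_sha256(message: bytes, k: int = MODULUS_BYTES) -> bytes:
    """Return EM = 0x00 || 0x01 || PS || 0x00 || DigestInfo(SHA-256(message))."""
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest()
    if k < len(t) + 11:  # RFC 8017 requires at least 8 bytes of 0xFF padding
        raise ValueError("intended encoded message length too short")
    ps = b"\xff" * (k - len(t) - 3)
    return b"\x00\x01" + ps + b"\x00" + t


def verify_encoded_message(em: bytes, message: bytes, k: int = MODULUS_BYTES) -> bool:
    """Strict check: rebuild the expected EM and compare every byte.

    `em` is assumed to be the output of the RSA public-key operation on the
    signature, left-padded to k bytes. Nothing in `em` is parsed, so padding
    length, DigestInfo bytes and digest position are all pinned at once.
    """
    if len(em) != k:
        return False
    return hmac.compare_digest(em, emsa_pkcs1_v15_sha256(message, k))


def constructed_cases(message: bytes) -> dict:
    """Constructed sample encodings (not real signatures) and their verdicts."""
    good = emsa_pkcs1_v15_sha256(message)
    t = good[-51:]  # 19-byte DigestInfo prefix followed by the 32-byte digest
    short_ps = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    cases = {
        "well_formed": good,
        "short_padding_trailing_bytes": short_ps + b"\x00" * (MODULUS_BYTES - len(short_ps)),
        "padding_byte_altered": good[:10] + b"\xfe" + good[11:],
        "other_message_digest": emsa_pkcs1_v15_sha256(b"a different constructed message"),
        "wrong_length": good[1:],
    }
    return {name: verify_encoded_message(em, message) for name, em in cases.items()}


if __name__ == "__main__":
    for name, ok in constructed_cases(b"constructed signed data").items():
        print(f"{name}: {'accept' if ok else 'reject'}")
```

Comparing against a rebuilt encoding, rather than scanning for the `0x00` separator and parsing what follows, is what makes a v1.5 verifier reject encodings with shortened padding or extra trailing bytes.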