Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

Integrating PKCS#11 with SGX SDK demo

das__batsayan
New Contributor I
1,214 Views

This is off topic, yet I want some guidelines/help on integrating an SGX demo (for example sgxsdk/SampleCode/SampleEnclave) with a PKCS#11-based demo (say crypto-api-toolkit/src/test).

Our current solution without PKCS#11 roughly does the following:

1. SGX service running in machine-1
2. Client requests keys from machine-2
3. Client gets keys from the enclave running in m/c1

In the above scenario, how will the PKCS#11-based approach fit in?
What would be a possible design?

Thanks for any help

JesusG_Intel
Moderator
1,186 Views

Hello Batsayan,


Please clarify your scenario.


The Crypto API Toolkit allows one to write any PKCS#11-compliant application and uses SGX enclaves in the background implementation without the developer having to worry about writing enclaves. So, write your PKCS#11 application as you normally would, and use the Crypto API Toolkit to build it.


Sincerely,

Jesus G.

Intel Customer Support


das__batsayan
New Contributor I
1,175 Views

The current applications (there are two applications) are designed in the following way:


Client Application

1. Sends REST request (using JMeter) with <ClientID, Request_for_PUB_key> to SGX server
2. Receives <PUB key> in base64 format from SGX server

SGX server Application

1. The untrusted part of this application binds the REST framework libulfius, and waits for a request from the client
2. On receiving a REST request from the client, it does the following (in the trusted part):
   a) Checks if the PUB key file for that client ID is present; if yes, it sends the PUB key to the client
   b) For a new/unseen client, it generates, saves and finally sends the PUB key to the client; the corresponding private key is saved in the enclave.

The SGX application is built using sgx_* APIs (like sgx_fopen_auto_key etc.) and OpenSSL APIs (like EC_KEY_generate_key, BN_bn2bin etc.). I am not very sure where the crypto-apis will be placed in the above design; any help will be appreciated.

I am a bit confused about who will be doing the above checking (like, for a new/unseen client, do some specific task etc.) if the above design is implemented using crypto-apis. My understanding is, if crypto-apis are used then there is no need to use SGX SDK APIs or OpenSSL APIs; is this a correct assumption?

TIA for any help

JesusG_Intel
Moderator
1,163 Views

Hello Batsayan,


You are correct, you can use the PKCS#11 APIs without having to worry about the SGX or OpenSSL APIs. Use the PKCS#11 APIs for the key generation and management functions in your scenario and the CTK will use SGX under the hood. It is up to you how to use PKCS#11. We can help you with SGX-related questions, but PKCS#11 APIs and design are out of scope.


Sincerely,

Jesus G.

Intel Customer Support


JesusG_Intel
Moderator
1,141 Views

Hello Batsayan,


Do you need further assistance with the SGX aspects of your issue?


Sincerely,

Jesus G.

Intel Customer Support


JesusG_Intel
Moderator
1,129 Views

This thread has been marked as answered and Intel will no longer monitor this thread. If you want a response from Intel in a follow-up question, please open a new thread.

