Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.
1453 Discussions

Intel SGX Key Management and password management

Ziidev
New Contributor I
‎11-08-2021 11:19 AM
1,713 Views
Solved Jump to solution

My question is that does how does SGX stores keys, what is the key management model for SGX? Simply, when the system shuts down, all the will be store in memory. Let's say it encrypts the data while going off then where it going to store the keys. How it is going to retrieve the data while system boots?

Is it possible to use SGX on the client machine? When i was reading the about SGX I found out that SGX does not provide us context switching, then if client needs to enter a password for authentication or authorization, how we are going to do that? Please answer my questions that would be helpful.

0 Kudos
1 Solution
JesusG_Intel
Moderator
‎11-10-2021 12:24 PM
1,635 Views
Solved Jump to solution

Hello Ziidev,


While your question seems simple, it requires a complex answer. Therefore, I will point you to further resources for your reference.


SGX does not prevent a system from being compromised. That is why in the SGX security model, SGX does not trust system software - it assumes the OS has been compromised!

 

This paper, SGXIO: Generic Trusted I/O Path for Intel SGX, provides the guidance you seek: "SGXIO surpasses traditional use cases in cloud computing and makes SGX technology usable for protecting user-centric, local applications against kernel-level keyloggers and likewise"

 

This article SGX and Side-Channel Attacks addresses SGX's position on side-channel attacks. The article has an outdated link to the SGX Developer Guide, but this is the correct link: Intel SGX Developer Guide.

 

The section on Protection from Side-Channel Attacks is on page 51 of the SGX Developer Guide.

 

Be sure to read more details about the SGX security model in the SGX workshop tutorial at the International Symposium on Computer Architecture in 2015, the slides for which can be found her[slides 109-121].

 

Sincerely,

Jesus G.

Intel Customer Support


View solution in original post

Copy link

Link Copied

8 Replies
Victor_G_Intel
Employee
‎11-09-2021 11:03 AM
1,685 Views
Solved Jump to solution

Hello Ziidev,


Thank you for posting on the Intel® communities.


Please let me review this information internally, and kindly wait for an update.


Once we have more information to share, we will post it on this thread.


Regards,


Victor G.

Intel Technical Support Technician


0 Kudos
Copy link
Victor_G_Intel
Employee
‎11-09-2021 12:49 PM
1,677 Views
Solved Jump to solution

Hello Ziidev,


Thank you for your patience.


Your query will be best answered by our Intel® Software Guard Extensions (Intel® SGX) support team. We will help you to move this post to the designated team to further assist you.


Regards,


Victor G.

Intel Technical Support Technician


Copy link
Ziidev
New Contributor I
‎11-09-2021 05:53 PM
1,652 Views
Solved Jump to solution
In response to Victor_G_Intel

Please let me know how to move this post to Intel SGX forum. I would be happy.

Best Regards,

Ziidev

In response to Victor_G_Intel
0 Kudos
Copy link
JesusG_Intel
Moderator
‎11-09-2021 02:40 PM
1,661 Views
Solved Jump to solution

Hello Ziidev,


This thread explains the concept of data sealing using SGX.


It is possible to use SGX on client machines. Please explain further your scenario about "enter a password for authentication or authorization." If you want SGX to be used to store passwords, then you must write an SGX application specifically for this purpose. The operating system does not use SGX for authentication and authorization. This Password Manager using SGX tutorial may help although it is outdated.


Sincerely,

Jesus G.

Intel Customer Support


Copy link
Ziidev
New Contributor I
‎11-09-2021 05:51 PM
1,652 Views
Solved Jump to solution

Hi JesusG_intel,

Our situation is different. We would like to run SGX on both server and client systems. But we faces issues on client side. Our application requires that when application is running, it requests a password from user and then seal it and send it to the server.

But as far as I know,  we can only enter password in insecure zone not directly into the enclave. And if the system is compromised then keylogging or any other type of attack is possible. How we can make sure the user who is running the system or opened this application is a valid user?

Thank you for your consideration,

Best Regards,

Ziidev

0 Kudos
Copy link
JesusG_Intel
Moderator
‎11-10-2021 12:24 PM
1,636 Views
Solved Jump to solution

Hello Ziidev,


While your question seems simple, it requires a complex answer. Therefore, I will point you to further resources for your reference.


SGX does not prevent a system from being compromised. That is why in the SGX security model, SGX does not trust system software - it assumes the OS has been compromised!

 

This paper, SGXIO: Generic Trusted I/O Path for Intel SGX, provides the guidance you seek: "SGXIO surpasses traditional use cases in cloud computing and makes SGX technology usable for protecting user-centric, local applications against kernel-level keyloggers and likewise"

 

This article SGX and Side-Channel Attacks addresses SGX's position on side-channel attacks. The article has an outdated link to the SGX Developer Guide, but this is the correct link: Intel SGX Developer Guide.

 

The section on Protection from Side-Channel Attacks is on page 51 of the SGX Developer Guide.

 

Be sure to read more details about the SGX security model in the SGX workshop tutorial at the International Symposium on Computer Architecture in 2015, the slides for which can be found her[slides 109-121].

 

Sincerely,

Jesus G.

Intel Customer Support


Copy link
Ziidev
New Contributor I
‎11-13-2021 09:04 AM
1,596 Views
Solved Jump to solution
In response to JesusG_Intel

Hi JesusG_Intel,

I read this paper. It is a very good good paper. Now I am sure that SGX does not provide I/O key security. So we have to follow this paper for further guideline.

Thanks you for kind reply.

Best regards,

Ziidev

In response to JesusG_Intel
0 Kudos
Copy link
JesusG_Intel
Moderator
‎11-15-2021 03:05 PM
1,570 Views
Solved Jump to solution

This thread has been marked as answered and Intel will no longer monitor this thread. If you want a response from Intel in a follow-up question, please open a new thread.


0 Kudos
Copy link
Reply

Community support is provided during standard business hours (Monday to Friday 7AM - 5PM PST). Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.