Intel® Software Guard Extensions (Intel® SGX)
Use hardware-based isolation and memory encryption to provide more code protection in your solutions.

Intel SGX Key Management and password management

Ziidev
New Contributor I

My question is: how does SGX store keys, and what is the key management model for SGX? Simply, when the system shuts down, all the will be stored in memory. Let's say it encrypts the data while going off; then where is it going to store the keys? How is it going to retrieve the data when the system boots?

Is it possible to use SGX on the client machine? When I was reading about SGX I found out that SGX does not provide us context switching; then if the client needs to enter a password for authentication or authorization, how are we going to do that? Please answer my questions; that would be helpful.

8 Replies
Victor_G_Intel
Moderator

Hello Ziidev,


Thank you for posting on the Intel® communities.


Please let me review this information internally, and kindly wait for an update.


Once we have more information to share, we will post it on this thread.


Regards,


Victor G.

Intel Technical Support Technician


Victor_G_Intel
Moderator

Hello Ziidev,


Thank you for your patience.


Your query will be best answered by our Intel® Software Guard Extensions (Intel® SGX) support team. We will help you to move this post to the designated team to further assist you.


Regards,


Victor G.

Intel Technical Support Technician


Ziidev
New Contributor I

Please let me know how to move this post to the Intel SGX forum. I would be happy.

Best Regards,

Ziidev

JesusG_Intel
Moderator

Hello Ziidev,


This thread explains the concept of data sealing using SGX.


It is possible to use SGX on client machines. Please explain further your scenario about "enter a password for authentication or authorization." If you want SGX to be used to store passwords, then you must write an SGX application specifically for this purpose. The operating system does not use SGX for authentication and authorization. This Password Manager using SGX tutorial may help although it is outdated.


Sincerely,

Jesus G.

Intel Customer Support
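
The data sealing mentioned in the reply above, as an added conceptual model (not code from this thread, Intel, or the SGX SDK): the sealing key is never written to disk but re-derived inside the CPU from a device-unique secret and the enclave's identity, so only the sealed blob has to survive a reboot. HMAC-SHA256 and a SHAKE keystream stand in here for the hardware key derivation and the SDK's AES-GCM, and every name and value is constructed for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

@dataclass(frozen=True)
class Enclave:
    mrenclave: bytes  # measurement of the enclave's code and data (constructed)
    mrsigner: bytes   # measurement of the enclave signer's key (constructed)

def _seal_key(device_secret, enclave, policy, key_id):
    # Stand-in for the in-CPU derivation: the key depends on a secret that
    # never leaves the processor plus the calling enclave's identity.
    identity = enclave.mrenclave if policy == "MRENCLAVE" else enclave.mrsigner
    msg = policy.encode() + b"|" + hashlib.sha256(identity).digest() + key_id
    return hmac.new(device_secret, msg, hashlib.sha256).digest()

def _xor_stream(key, data):
    # Toy keystream cipher standing in for authenticated encryption.
    stream = hashlib.shake_256(key + b"enc").digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def _tag(key, blob):
    fields = blob["policy"].encode() + blob["key_id"] + blob["ct"]
    return hmac.new(key, b"mac" + fields, hashlib.sha256).digest()

def seal(device_secret, enclave, policy, plaintext):
    # The blob holds a random key id, ciphertext and tag, but never the key.
    blob = {"policy": policy, "key_id": os.urandom(16)}
    key = _seal_key(device_secret, enclave, policy, blob["key_id"])
    blob["ct"] = _xor_stream(key, plaintext)
    blob["tag"] = _tag(key, blob)
    return blob  # safe to hand to untrusted storage

def unseal(device_secret, enclave, blob):
    # After a reboot the key is derived again from the same inputs.
    key = _seal_key(device_secret, enclave, blob["policy"], blob["key_id"])
    if not hmac.compare_digest(_tag(key, blob), blob["tag"]):
        raise ValueError("unseal failed: different device or enclave identity")
    return _xor_stream(key, blob["ct"])

if __name__ == "__main__":
    device = os.urandom(32)                    # models the fused per-CPU secret
    v1 = Enclave(b"build-1", b"vendor-key")    # constructed identities
    v2 = Enclave(b"build-2", b"vendor-key")    # upgraded build, same signer
    blob = seal(device, v1, "MRSIGNER", b"user password")
    print(unseal(device, v2, blob))            # signer policy survives upgrade
```

With the `MRENCLAVE` policy the same blob can only be opened by the identical enclave build, and under either policy it cannot be opened on another machine.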


Ziidev
New Contributor I

Hi JesusG_intel,

Our situation is different. We would like to run SGX on both server and client systems. But we face issues on the client side. Our application requires that when the application is running, it requests a password from the user and then seals it and sends it to the server.

But as far as I know, we can only enter the password in the insecure zone, not directly into the enclave. And if the system is compromised then keylogging or any other type of attack is possible. How can we make sure the user who is running the system or opened this application is a valid user?

Thank you for your consideration,

Best Regards,

Ziidev

JesusG_Intel
Moderator

Hello Ziidev,


While your question seems simple, it requires a complex answer. Therefore, I will point you to further resources for your reference.


SGX does not prevent a system from being compromised. That is why in the SGX security model, SGX does not trust system software - it assumes the OS has been compromised!

 

This paper, SGXIO: Generic Trusted I/O Path for Intel SGX, provides the guidance you seek: "SGXIO surpasses traditional use cases in cloud computing and makes SGX technology usable for protecting user-centric, local applications against kernel-level keyloggers and likewise"

 

This article SGX and Side-Channel Attacks addresses SGX's position on side-channel attacks. The article has an outdated link to the SGX Developer Guide, but this is the correct link: Intel SGX Developer Guide.

 

The section on Protection from Side-Channel Attacks is on page 51 of the SGX Developer Guide.

 

Be sure to read more details about the SGX security model in the SGX workshop tutorial at the International Symposium on Computer Architecture in 2015, the slides for which can be found here [slides 109-121].

 

Sincerely,

Jesus G.

Intel Customer Support


Ziidev
New Contributor I

Hi JesusG_Intel,

I read this paper. It is a very good paper. Now I am sure that SGX does not provide I/O key security. So we have to follow this paper for further guidelines.

Thank you for your kind reply.

Best regards,

Ziidev

JesusG_Intel
Moderator

This thread has been marked as answered and Intel will no longer monitor this thread. If you want a response from Intel in a follow-up question, please open a new thread.

