Good afternoon,
I have questions about using mrenclave for a purpose I have in mind. Let's say we have a peer-to-peer network with a service provider and IAS. With this I want to ensure that all members of the network run exactly the same enclave (same source code). First, all network members must perform remote attestation towards the service provider. Then my idea was for a network member to send the IAS-signed attestation report, which he obtained in the remote attestation process, to another network member as a way of proving that he runs the code that the report recipient trusts. The attestation report receiver would verify the IAS signature and then compare his mrenclave with that of the report; if the values were equal, the receiver would be sure that the report issuer runs exactly the same enclave (source code) as itself.
So, with all this, can mrenclave be used this way, or do I have to do another process to prove to a network member that I run the same trusted code?
Thank you and I look forward to a reply.
Hi Stevie,
I believe that what you want to do can be done using the following considerations:
* When peers communicate with each other, they should mutually perform the remote attestation process (IAS comes in this step). There are several resources provided by Intel indicating how to perform the Remote Attestation process, including this example. Receiving confirmation from IAS indicates that the QUOTE structure received was indeed produced inside a genuine Intel SGX enclave; the peers still need to verify whether the identity of the peer enclave is the same as theirs.
* To verify whether the identity of the peer enclave is the same, an enclave can obtain its own identity following the process described here, and check whether it matches the identity contained in the QUOTE structure.
Regards,
Rodolfo
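As an added example (not Rodolfo's code or Intel's), the comparison step described above in Python: take the JSON body returned by the IAS /attestation/v3/report endpoint, decode isvEnclaveQuoteBody, pull MRENCLAVE out of the quote at its sgx_quote_t offset and compare it with the verifier's own value. It assumes the IAS response signature has already been checked, the sample report is constructed locally, and the debug-flag and REPORT_DATA checks are additions beyond the thread's text.

```python
"""Added example (not from the thread): parse an IAS v3 attestation report and check
the peer's MRENCLAVE against ours. sgx_quote_t = 48-byte header + 384-byte report body."""
import base64
import json
import struct
from typing import Optional
QUOTE_BODY_LEN = 432        # size of the base64-decoded isvEnclaveQuoteBody
SGX_FLAGS_DEBUG = 0x2       # attributes.flags bit set on debug enclaves
ACCEPTED_STATUSES = {"OK"}  # e.g. GROUP_OUT_OF_DATE needs an explicit policy decision

def parse_quote_body(quote: bytes) -> dict:
    """Extract the identity fields a verifier compares against its own."""
    if len(quote) != QUOTE_BODY_LEN:
        raise ValueError(f"unexpected quote body length {len(quote)}")
    body = quote[48:]  # sgx_report_body_t
    flags, _xfrm = struct.unpack_from("<QQ", body, 48)
    return {
        "attributes_flags": flags,
        "mr_enclave": body[64:96],
        "mr_signer": body[128:160],
        "isv_prod_id": struct.unpack_from("<H", body, 256)[0],
        "isv_svn": struct.unpack_from("<H", body, 258)[0],
        "report_data": body[320:384],
    }

def peer_runs_same_enclave(report_json: str, my_mr_enclave: bytes,
                           expected_report_data: Optional[bytes] = None) -> bool:
    """Policy check, run only after the IAS report signature has been verified:
    IAS status OK, not a debug enclave, MRENCLAVE equal to ours and, optionally,
    REPORT_DATA equal to the session binding we expect (e.g. a key hash)."""
    report = json.loads(report_json)
    if report.get("isvEnclaveQuoteStatus") not in ACCEPTED_STATUSES:
        return False
    fields = parse_quote_body(base64.b64decode(report["isvEnclaveQuoteBody"]))
    if fields["attributes_flags"] & SGX_FLAGS_DEBUG:
        return False
    if fields["mr_enclave"] != my_mr_enclave:
        return False
    return expected_report_data is None or fields["report_data"] == expected_report_data

def make_sample_report(mr_enclave: bytes, debug: bool = False) -> str:
    """Constructed test data only: a fake quote body in the JSON shape IAS returns."""
    body = bytearray(384)
    struct.pack_into("<QQ", body, 48, 0x4 | (SGX_FLAGS_DEBUG if debug else 0), 0x3)
    body[64:96] = mr_enclave
    body[320:384] = b"session-binding".ljust(64, b"\0")
    quote = bytes(48) + bytes(body)
    return json.dumps({"isvEnclaveQuoteStatus": "OK",
                       "isvEnclaveQuoteBody": base64.b64encode(quote).decode()})
```

A peer that passes this check ran a non-debug enclave with our exact measurement; the same quote body also carries MRSIGNER, ISV_PROD_ID and ISV_SVN for a looser signer-based policy.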
Not sure whether I have caught your point:
1. Do you want to make sure that every member has the same environment: the same enclave?
2. Or do you want to make sure that every member has one trusted execution environment?
And in your post, when you say "send the IAS signed attestation report", could you please explain what you mean by the IAS signed attestation report?
By the way, please consider whether the local attestation process could meet your requirement.
Good Morning,
Answering your questions:
1. Do you want to make sure that every member has the same environment: the same enclave?
2. Or do you want to make sure that every member has one trusted execution environment?
I want to guarantee both. I want to make sure all members run the enclave (source code) that I, the developer, produced. And I want to make sure that all members run that enclave on a machine with an SGX-enabled processor: a genuine, trustworthy, non-revoked platform.
By the way, please consider whether the local attestation process could meet your requirement.
How can I use local attestation on a peer-to-peer network? Each enclave is on a different machine in the network; the only solution I can see here is inter-platform attestation (in my case I'm thinking of using the Intel Attestation Service (IAS)).
And in your post, when you say "send the IAS signed attestation report", could you please explain what you mean by the IAS signed attestation report?
I mean the response to the request to the IAS endpoint /attestation/v3/report.
For this point (every member should have one trusted execution environment), you use IAS to ensure it.
For the other point (every member has the same environment: the same enclave), MRENCLAVE can indeed be used to achieve this.
JUNLI S. (Intel) wrote:
For this point (every member should have one trusted execution environment), you use IAS to ensure it.
For the other point (every member has the same environment: the same enclave), MRENCLAVE can indeed be used to achieve this.
So, using these guarantees, in a peer-to-peer network of enclaves how can I attest one enclave to another using the IAS?
JUNLI S. (Intel) wrote:
For this point (every member should have one trusted execution environment), you use IAS to ensure it.
For the other point (every member has the same environment: the same enclave), MRENCLAVE can indeed be used to achieve this.
Thanks for the answer, it's completely clear.
Rodolfo S. wrote:
Hi Stevie,
I believe that what you want to do can be done using the following considerations:
* When peers communicate with each other, they should mutually perform the remote attestation process (IAS comes in this step). There are several resources provided by Intel indicating how to perform the Remote Attestation process, including this example. Receiving confirmation from IAS indicates that the QUOTE structure received was indeed produced inside a genuine Intel SGX enclave; the peers still need to verify whether the identity of the peer enclave is the same as theirs.
* To verify whether the identity of the peer enclave is the same, an enclave can obtain its own identity following the process described here, and check whether it matches the identity contained in the QUOTE structure.
Regards,
Rodolfo
This is really the peer-to-peer way of solving the problem. But there is still room for two final questions:
- When obtaining IAS API keys, a SPID is provided. Do all peers use the same SPID to communicate with IAS?
- Having done mutual attestation and identity verification between two peers in the network, if one of them wants to send some type of information, what do I associate this information with? Given the anonymous EPID group signature scheme, I cannot identify which peer communicates with which.
A big thank you in advance for all the answers I've already received.
Hi Stevie,
Platforms cannot share the SPID, they each must have their own unique SPID. The T&Cs when you sign up with IAS explicitly say the SPID and keys cannot be shared.
To identify peers within your network you can have each peer pass a randomized, unique GUID that is associated with the remote party. You can pass this GUID as a shared secret. Does this help?
Regards,
Jesus