Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.
1453 Discussions

Local Attestation Man in the Middle

AlvaroPastor
Beginner
‎07-01-2021 05:41 AM
739 Views
Solved Jump to solution

Hi, 

when I was working with Local Attestation, I came up with a problem. 

- Enclave A and B start communication.

- Enclave B sends MRENCLAVE to Enclave A.

- Enclave C (MITM) intercepts this message and gets MRENCLAVE's from B. Enclave C calls EREPORT to create REPORT with his own data and MRENCLAVE from B. I know that this will create MAC from data from enclave C and signed with report key with MRENCLAVE from B. Enclave C sends this REPORT to enclave B.

- Enclave B decrypt it with the report key (and no error occured) but, how Enclave B knows that the data in the report belongs to A (and not to other enclave, in this case, C)? Is this part of the programmer to check something in special, or am I missing something?.

Thanks.

0 Kudos
1 Solution
JesusG_Intel
Moderator
‎07-01-2021 12:10 PM
720 Views
Solved Jump to solution

Hello Alvaro,


The man in the middle attack you describe is not possible because a third enclave cannot intercept the messages.

 

In local attestation, the two enclaves do not communicate directly with each other. Instead, the enclaves communicate using encrypted channels via the untrusted application as an intermediary.

 

Read the section Local Attestation in the SGX SDK Developer Reference Guide for full details. In summary, section Protected Channel Establishment states:

 

The application initiates a session between the source enclave and the destination enclave by doing an ECALL into the source enclave, passing in the enclave id of the destination enclave. Upon receiving the enclave id of the destination enclave, the source enclave does an OCALL into the core untrusted code which then does an ECALL into the destination enclave to exchange the messages required to establish a session using ECDH Key Exchange* protocol.


Sincerely,

Jesus G.

Intel Customer Support


View solution in original post

0 Kudos
Copy link

Link Copied

4 Replies
JesusG_Intel
Moderator
‎07-01-2021 12:10 PM
721 Views
Solved Jump to solution

Hello Alvaro,


The man in the middle attack you describe is not possible because a third enclave cannot intercept the messages.

 

In local attestation, the two enclaves do not communicate directly with each other. Instead, the enclaves communicate using encrypted channels via the untrusted application as an intermediary.

 

Read the section Local Attestation in the SGX SDK Developer Reference Guide for full details. In summary, section Protected Channel Establishment states:

 

The application initiates a session between the source enclave and the destination enclave by doing an ECALL into the source enclave, passing in the enclave id of the destination enclave. Upon receiving the enclave id of the destination enclave, the source enclave does an OCALL into the core untrusted code which then does an ECALL into the destination enclave to exchange the messages required to establish a session using ECDH Key Exchange* protocol.


Sincerely,

Jesus G.

Intel Customer Support


0 Kudos
Copy link
AlvaroPastor
Beginner
‎07-02-2021 01:51 AM
702 Views
Solved Jump to solution

Hi, 

as I seen in: https://community.intel.com/t5/Intel-Software-Guard-Extensions/How-Local-Attestation-Prevent-Man-in-the-Middle-Attack/m-p/1153885 Dr Greg said "An interposing enclave attempting to mount an MITM attack cannot change the contents of any of the identity characteristics in the SGX_reportbody structure without causing a perturbation in the computed MAC value.  In addition, it cannot generate the symmetric key on which the MAC is predicated.  If it were to attempt to abstract the reportdata element from the SGX_reportbody structure and generate its own report, that report would contain the identity characteristics of the interposing enclave and not those of the attesting enclave."

So actually, before the encryption of messages, another enclave can intercept the message and create his own report? Then, my original message could happen if the text above is correct, no?

0 Kudos
Copy link
JesusG_Intel
Moderator
‎07-06-2021 01:36 PM
687 Views
Solved Jump to solution

Hello Alvaro,


Enclaves encrypt the messages within their own isolated, protected memory space so another enclave cannot access the messages before they get encrypted. Dr. Greg described why a MITM attack cannot succeed.


Sincerely,

Jesus G.

Intel Customer Support


0 Kudos
Copy link
JesusG_Intel
Moderator
‎07-09-2021 01:31 PM
676 Views
Solved Jump to solution

This thread has been marked as answered and Intel will no longer monitor this thread. If you want a response from Intel in a follow-up question, please open a new thread.


0 Kudos
Copy link
Reply

Community support is provided during standard business hours (Monday to Friday 7AM - 5PM PST). Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.