Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

Question about SGX remote attestation

Sijie_D_
Beginner
7,656 Views

Hi,

I'm looking into the sample code shipped with the SGX windows sdk as well as the user guide document.

It seems that the last step of attestation is service provider receiving and verifying MSG3 which includes the REPORT_DATA generated by the quoting enclave.

I'm wondering, how could a service provider verify that the REPORT is actually generated by the quoting enclave, but not some fake report generated by some malware. I know that the report should be signed by the quoting enclave using hardware based EPID, but how could the service provider get the public key corresponding to the EPID?

In the sample code, it used a simulated Intel attestation service (IAS). Should the verification mentioned above done by IAS? Is the IAS a mandatory component of remote attestation framework?

 

0 Kudos
1 Solution
Surenthar_S_Intel
7,672 Views

Hi Shivani,

Here’s how the message flow works starting at MSG2:

Client receives MSG2 from the Service Provider

    MSG2 = gb || SPID || QUOTETYPE || SigSP(gb,ga) || CMACSMK(gb || SPID || QUOTETYPE || SigSP(gb,ga)) || SigRL

    Where || is concatenation. 

What this boils down to is MSG2 is constructed from this data:

    gb (the random data from the server) || SPID || QUOTETYPE || SigSP(gb,ga) followed by a CMAC of that data, followed by the revocation list.

Client processes MSG2 and generates MSG3

    MSG3 = CMAC(SMKCMAC, M) || M

    Where M = ga || PS_SECURITY_PROPERTY || QUOTE

So what is happening here is that MSG3 is a CMAC of ( the CMAC from MSG2 || M ) followed by M. It’s the CMAC from MSG2 that includes the random data generated by the server.

Thanks and Regards,

Surenthar Selvaraj

View solution in original post

0 Kudos
37 Replies
Sijie_D_
Beginner
2,818 Views

Hi Kuppusamy,

I've tried the sample code shipped with the SGX SDK. The sample "remote attestation" project is not interacting with IAS. The sample code project only demonstrated necessary steps of the remote attestation, but it did not execute all the steps in the real.

e.g., a code snippet of service_provider.cpp in the RemoateAttestation project is like this:

 // Check to see if we have registered with the IAS yet?
        if(!g_is_sp_registered)
        {
            do
            {
                // @IAS_Q: What are the sp credentials?
                // @IAS_Q: What is in the authentication token
                // In the product, the SP will establish a mutually
                // authenticated SSL channel. The authentication token is
                // based on this channel.
                // @TODO: Convert this call to a 'network' send/receive
                // once the IAS server is a vaialable.
                ret = ias_enroll(g_sp_credentials, &g_spid,
                                 &g_authentication_token);
                if(0 != ret)
                {
                    ret = SP_IAS_FAILED;
                    break;
                }

                // IAS may support registering the Enclave Trust Policy.
                // Just leave a place holder here
                // @IAS_Q: What needs to be sent to the IAS with the policy
                // that identifies the SP?
                // ret = ias_register_enclave_policy(g_enclave_policy,
                // g_authentication_token);
                // if(0 != ret)
                // {
                //     break;
                // }

                g_is_sp_registered = true;
                break;
            } while(0);
        }

the function ias_enroll() is not doing anything in the sample code. It is just a... sample. Also, in the body of function "ias_get_sigrl", it is said that "we should try to get sig_rl from IAS, but right now we will just skip it until the IAS backend is ready." Now, given that Intel IAS is online, how should we modify these sample functions so that they can really work but not just return a "SUCCESS"?

I've read the the "Intel Attestation Service API" white paper but I still feel that there lacks the source code level support. More specifically, section 2.3 in the white paper says that "Intel Attestation Service accepts connections protected by TLS 1.2 at minimum. IAS will drop any incoming connections utilizing SSL protocol in any version (widely considered as insecure at the moment)." So, how should I make a correct "connection request"? I have some experience programming with windows socket in C, but I have no experience with HTTP services and protocols. I've googled with "TLS, connection, c++, HTTP etc." After several days of struggling, I still cannot get things to work, I still can't get any response from https://test-as.sgx.trustedservices.intel.com:443

Would somebody point out what should I do now? Any code snippet or link of some tutorial would help a lot

 

Sincerely,

Sijie

0 Kudos
Fan
Beginner
2,818 Views

Kuppusamy R. (Intel) wrote:

Hi Luis,

Spec details of Intel® Attestation Service API document https://software.intel.com/sites/default/files/managed/3d/c8/IAS_1_0_API_spec_1_1_Final.pdf 

Thanks,
Kuppusamy.R

This is indeed helpful. I didn't come across it anywhere else. Can you guys disclose more info regarding IAS? E.g. the exact procedure for registration.

Thanks!

Fan

0 Kudos
Kuppusamy_R_Intel
2,818 Views

Hi Sijie,

We have a code sample that is nearing release. It should be ready soon (weeks, not months).

Thanks,
Kuppusamy.R

0 Kudos
Kuppusamy_R_Intel
2,818 Views

Hi Fan,

For testing remote attestation, Sandbox is available for testing purpose Goto : https://software.intel.com/formfill/sgx-onboarding

This link is available from the SGX landing zone (software.intel.com/sgx). Go to “Resource Library” and then select “Access Development Services” from the sidebar.

Thanks,
Kuppusamy.R

0 Kudos
Chenghong_W_
Beginner
2,818 Views

Hi Kuppusamy,

I saw your previous post, said that you are going to release some new sample codes related to the attestation process few weeks ago. Just want to know that when you plan to release the new sample codes, and where we can access them.

Thanks,

Chen

0 Kudos
Kuppusamy_R_Intel
2,818 Views

Hi Chenghong,

New sample codes will be release at the end of June' 2016

Thanks,
Kuppusamy.R

 

0 Kudos
shivani_g_
Beginner
2,818 Views

Hi

In the RemoteAttestation, message 3 is generated by the sgx_ra_proc_msg2(), but I'm confused about how is nonce, which is provided by the service provider as challenge,  incorporated in the generation of QUOTE.

0 Kudos
Surenthar_S_Intel
7,673 Views

Hi Shivani,

Here’s how the message flow works starting at MSG2:

Client receives MSG2 from the Service Provider

    MSG2 = gb || SPID || QUOTETYPE || SigSP(gb,ga) || CMACSMK(gb || SPID || QUOTETYPE || SigSP(gb,ga)) || SigRL

    Where || is concatenation. 

What this boils down to is MSG2 is constructed from this data:

    gb (the random data from the server) || SPID || QUOTETYPE || SigSP(gb,ga) followed by a CMAC of that data, followed by the revocation list.

Client processes MSG2 and generates MSG3

    MSG3 = CMAC(SMKCMAC, M) || M

    Where M = ga || PS_SECURITY_PROPERTY || QUOTE

So what is happening here is that MSG3 is a CMAC of ( the CMAC from MSG2 || M ) followed by M. It’s the CMAC from MSG2 that includes the random data generated by the server.

Thanks and Regards,

Surenthar Selvaraj

0 Kudos
shivani_g_
Beginner
2,818 Views

Thanks Surenthar

But I'm still confused about what is the challenge sent by the service provider at the begin used for. Isn't it the nonce ? How and where is it used?

 

0 Kudos
Kuppusamy_R_Intel
2,818 Views

Hi Shivani,

There is the initial “challenge” issued by the Remote Attestation service at the start of a connection. This occurs when the client connects to the remote service because it wants to access something that the server has—maybe a movie, a user’s bank account information, etc.—and the server “challenges” the client to prove that it is a legitimate SGX application. The “challenge” in this context just means that the server is telling the client “please attest so that I can determine whether or not I trust you”. This happens before Remote Attestation begins.

Then, there is a “liveness challenge” sent in message 2,  which is a nonce. This nonce is so that a client can’t replay a previous response to message 2 back to the server as message 3. It has to generate a new message 3 because the nonce forces the signatures in message 2 to be different each time it is generated. It’s referred to as a “liveness challenge” because the point is to ensure that the client response is “live”, not pre-recorded.

Thanks,

Kuppusamy.R

0 Kudos
shivani_g_
Beginner
2,818 Views

Hello

Since sample crypto library provided in Remote Attestation Sample code cannot be used in production code, does that mean we need to implement crypto library ourself? Is there any crypto library available that can be linked as static library in service provider code and be used in Remote attestation. We cannot use sgx_tcrypto.h at service provider side ( which does not have enclave) ?

0 Kudos
Surenthar_S_Intel
2,818 Views

Hi Sivani,

The Intel® Software Guard Extensions Evaluation SDK includes a trusted cryptography library named sgx_tcrypto. It includes the cryptographic functions used by other trusted libraries included in the SDK, such as the sgx_tservice library. Thus, the functionality provided by this library might be somewhat limited. If you need additional cryptographic functionality, you would have to develop your own trusted cryptographic library.

Thanks and Regards,
Surenthar Selvaraj

0 Kudos
shivani_g_
Beginner
2,818 Views

Hi Surenthar

I understand the functionality is limited in sgx_tcrypto, but can it be used on service provider side which does not have intel sgx enabled hardware?

Thank You

0 Kudos
Surenthar_S_Intel
2,818 Views

Hi Shivani,

No, sgx_tcrypto can't be used on service provider side which does not have intel SGX enabled Hardware.
sgx_tcrypt is trusted library and its part of Intel SGX SDK

Thanks and Regards,
Surenthar Selvaraj

0 Kudos
Joe63
Beginner
2,818 Views

Kuppusamy R. (Intel) wrote:

Then, there is a “liveness challenge” sent in message 2,  which is a nonce. This nonce is so that a client can’t replay a previous response to message 2 back to the server as message 3. ...

Do you know in which field the nonce is? In sgx_ra_msg2_t i cant see a field with a nonce!? 

 

https://software.intel.com/en-us/node/709237

0 Kudos
Surenthar_S_Intel
2,818 Views

Hi,

Please refer the latest Remote attestation code https://software.intel.com/en-us/articles/intel-software-guard-extensions-remote-attestation-end-to-end-example for your reference.

-Surenthar

0 Kudos
Reply