Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.
1496 Discussions

Remote attestation client-server

Svart_K_
Beginner
‎11-23-2016 09:33 AM
623 Views

I want to perform remote attestation of the server's platform to an application running on a client. So basically the server is supposed to send the secret message containing the attestation to the client.

In the Intel documentation and the example code https://github.com/01org/linux-sgx, I got a bit confused. The application "isv_app" is creating an enclave which performs the message exchange with the "Service Provider".
Can the Service Provider in this case be considered as the server for the remote attestation?
Shouldn't the server that provides the attestation also create an enclave as well or am I just misinterpreting the scenario!?

 

 

0 Kudos

Link Copied

2 Replies
Rodolfo_S_
New Contributor III
‎11-23-2016 11:29 AM
622 Views

Hi, Svart.

I believe you are confusing some concepts there.

In the remote attestation process we have three main "participants":

  1. isv_app - contains the application code which will receive some secret. It is divided into two parts, the untrusted code, and the SGX enclave. The enclave part is the one that will be attested and, as a result of the process, have a shared symmetric key used to safely communicate with the SP.
  2. Service Provider (SP) - in this context, the SP is the one that has some sensitive data (secrets) that are to be sent to the isv_app's enclave. Before sending the secrets to the isv_app's enclave, it needs to attest that it is really running an SGX enclave, and that it is the exact enclave that should be running.
  3. Intel Attestation Service (IAS) - IAS is the actual "attestation server". It is able to verify the authenticity of a QUOTE structure generated by an SGX enclave. It is a Web server accessible via HTTPS requests. More information about IAS here.

The SP communicates with IAS to verify the QUOTE structure sent by the isv_app's enclave, and thus doesn't need to use the SGX SDK nor to have an enclave.

0 Kudos
Copy link
Svart_K_
Beginner
‎11-23-2016 11:34 AM
622 Views

Thanks for the clarification

0 Kudos
Copy link
Reply

Community support is provided Monday to Friday. Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.