Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.
1453 Discussions

Remote attestation with multiple SP

adukots
Novice
‎09-15-2022 06:38 PM
1,052 Views
Solved Jump to solution

Hello,

I have a question about how to do this when one enclave does RA with multiple SP.

 

I envision the following scenario: there is one data user and multiple data providers, and the user processes personal information provided by multiple providers within a single Enclave.

 

I believe that Remote Attestation is necessary in order to verify the program running in Enclave before sending personal information from data providers to the user. If this Remote Attestation is to be done with EPID, the data user would need to send a quote to data providers, and data providers would need to contact the IAS. However, assuming multiple data providers, it seems that the data providers need to share SPID and Subscription Key.
To avoid this sharing, I think it would be better if the data user queries the IAS and sends the result of the query to data providers.
Since this IAS report is guaranteed not to be tampered with by the IAS signature, there should be no problem if it is provided to data providers via an untrusted data user. When performing Remote Attestation in such a scenario, is it acceptable for the data user, the Enclave owner, to query the IAS and send it to data providers?

 

Thank you.

Labels (1)
Labels:
0 Kudos
1 Solution
Sahira_Intel
Moderator
‎09-21-2022 02:25 PM
967 Views
Solved Jump to solution

This scenario would be possible with a few modifications:

  1. Data user enclave creates (or somehow gets) an asymmetric key pair.
  2. Data user enclave generates a quote, including the hash of the public key of the aforementioned key pair in the REPORT_DATA when generating the report to be turned into a quote.
  3. Data user sends the quote to IAS.
  4. IAS replies with a signed attestation verification report, which includes the original quote and therefore includes the public key hash originally included in REPORT_DATA .
  5. Data user can then send the IAS report and the public key to the data provider.
  6. Data provider verifies it’s a valid report from IAS and the state of the platform and the enclave identity, as well as verifying ownership of the private key by checking the hash of the public key. There should probably be some type of lifetime to this, such that they need to redo the process… New IAS report with new/rotated keys.
  7. Data provider has then verified the platform and enclave and can use the public key to encrypt data destined for the data user enclave that only it can decrypt, or establish up a trusted channel such as TLS.


I hope this is helpful, please let me know if you have further questions.


Sincerely,

Sahira


View solution in original post

0 Kudos
Copy link

Link Copied

5 Replies
Sahira_Intel
Moderator
‎09-19-2022 10:15 PM
1,008 Views
Solved Jump to solution

Hi,

Thanks for your patience, I will respond to this shortly!

 

Sincerely,

Sahira 

0 Kudos
Copy link
Sahira_Intel
Moderator
‎09-21-2022 02:25 PM
968 Views
Solved Jump to solution

This scenario would be possible with a few modifications:

  1. Data user enclave creates (or somehow gets) an asymmetric key pair.
  2. Data user enclave generates a quote, including the hash of the public key of the aforementioned key pair in the REPORT_DATA when generating the report to be turned into a quote.
  3. Data user sends the quote to IAS.
  4. IAS replies with a signed attestation verification report, which includes the original quote and therefore includes the public key hash originally included in REPORT_DATA .
  5. Data user can then send the IAS report and the public key to the data provider.
  6. Data provider verifies it’s a valid report from IAS and the state of the platform and the enclave identity, as well as verifying ownership of the private key by checking the hash of the public key. There should probably be some type of lifetime to this, such that they need to redo the process… New IAS report with new/rotated keys.
  7. Data provider has then verified the platform and enclave and can use the public key to encrypt data destined for the data user enclave that only it can decrypt, or establish up a trusted channel such as TLS.


I hope this is helpful, please let me know if you have further questions.


Sincerely,

Sahira


0 Kudos
Copy link
adukots
Novice
‎09-22-2022 12:21 AM
936 Views
Solved Jump to solution
In response to Sahira_Intel

Hi Sahira,

 

Thank you for your reply.

 

I think this solution will solve the problem. One more question, This solution is similar to the RA-TLS method, but this method embeds the quote in the X.509 certificate. Is there any problem with replacing this with the IAS report? (For RA-TLS, I referred to Gramine.)

 

I don't think there is a problem, but I am asking this question just in case.

 

Best Regards,

adukots

In response to Sahira_Intel
0 Kudos
Copy link
Sahira_Intel
Moderator
‎09-26-2022 04:37 PM
917 Views
Solved Jump to solution

Hi Adukots,

Yes that would work since the IAS report is the quote plus everything else in the IAS reply.

The RA-TLS docs even talk about embedding the hash of the public key in the quote’s report data like we mentioned earlier.


Sincerely,

Sahira


0 Kudos
Copy link
adukots
Novice
‎09-26-2022 06:16 PM
906 Views
Solved Jump to solution
In response to Sahira_Intel

Thank you so much for your answers.  It helped me a lot!

In response to Sahira_Intel
0 Kudos
Copy link
Reply

Community support is provided during standard business hours (Monday to Friday 7AM - 5PM PST). Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.