Intel® Software Guard Extensions (Intel® SGX)
Use hardware-based isolation and memory encryption to provide more code protection in your solutions.

Remote attestation with multiple SP

adukots
Novice
514 Views

Hello,

I have a question about how to do this when one enclave does RA with multiple SP.

 

I envision the following scenario: there is one data user and multiple data providers, and the user processes personal information provided by multiple providers within a single Enclave.

 

I believe that Remote Attestation is necessary in order to verify the program running in Enclave before sending personal information from data providers to the user. If this Remote Attestation is to be done with EPID, the data user would need to send a quote to data providers, and data providers would need to contact the IAS. However, assuming multiple data providers, it seems that the data providers need to share SPID and Subscription Key.
To avoid this sharing, I think it would be better if the data user queries the IAS and sends the result of the query to data providers.
Since this IAS report is guaranteed not to be tampered with by the IAS signature, there should be no problem if it is provided to data providers via an untrusted data user. When performing Remote Attestation in such a scenario, is it acceptable for the data user, the Enclave owner, to query the IAS and send it to data providers?

 

Thank you.

Labels (1)
0 Kudos
1 Solution
Sahira_Intel
Moderator
429 Views

This scenario would be possible with a few modifications:

  1. Data user enclave creates (or somehow gets) an asymmetric key pair.
  2. Data user enclave generates a quote, including the hash of the public key of the aforementioned key pair in the REPORT_DATA when generating the report to be turned into a quote.
  3. Data user sends the quote to IAS.
  4. IAS replies with a signed attestation verification report, which includes the original quote and therefore includes the public key hash originally included in REPORT_DATA .
  5. Data user can then send the IAS report and the public key to the data provider.
  6. Data provider verifies it’s a valid report from IAS and the state of the platform and the enclave identity, as well as verifying ownership of the private key by checking the hash of the public key. There should probably be some type of lifetime to this, such that they need to redo the process… New IAS report with new/rotated keys.
  7. Data provider has then verified the platform and enclave and can use the public key to encrypt data destined for the data user enclave that only it can decrypt, or establish up a trusted channel such as TLS.


I hope this is helpful, please let me know if you have further questions.


Sincerely,

Sahira


View solution in original post

5 Replies
Sahira_Intel
Moderator
470 Views

Hi,

Thanks for your patience, I will respond to this shortly!

 

Sincerely,

Sahira 

Sahira_Intel
Moderator
430 Views

This scenario would be possible with a few modifications:

  1. Data user enclave creates (or somehow gets) an asymmetric key pair.
  2. Data user enclave generates a quote, including the hash of the public key of the aforementioned key pair in the REPORT_DATA when generating the report to be turned into a quote.
  3. Data user sends the quote to IAS.
  4. IAS replies with a signed attestation verification report, which includes the original quote and therefore includes the public key hash originally included in REPORT_DATA .
  5. Data user can then send the IAS report and the public key to the data provider.
  6. Data provider verifies it’s a valid report from IAS and the state of the platform and the enclave identity, as well as verifying ownership of the private key by checking the hash of the public key. There should probably be some type of lifetime to this, such that they need to redo the process… New IAS report with new/rotated keys.
  7. Data provider has then verified the platform and enclave and can use the public key to encrypt data destined for the data user enclave that only it can decrypt, or establish up a trusted channel such as TLS.


I hope this is helpful, please let me know if you have further questions.


Sincerely,

Sahira


adukots
Novice
398 Views

Hi Sahira,

 

Thank you for your reply.

 

I think this solution will solve the problem. One more question, This solution is similar to the RA-TLS method, but this method embeds the quote in the X.509 certificate. Is there any problem with replacing this with the IAS report? (For RA-TLS, I referred to Gramine.)

 

I don't think there is a problem, but I am asking this question just in case.

 

Best Regards,

adukots

Sahira_Intel
Moderator
379 Views

Hi Adukots,

Yes that would work since the IAS report is the quote plus everything else in the IAS reply.

The RA-TLS docs even talk about embedding the hash of the public key in the quote’s report data like we mentioned earlier.


Sincerely,

Sahira


adukots
Novice
368 Views

Thank you so much for your answers.  It helped me a lot!

Reply