- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello everyone,
I'm pretty new to SGX, still reading through the docs and just tested/compiled some initial examples. Our particular application involves a smartcard connected to an SGX-capable computer. The SGX enclave is supposed to offer additional services (such as network access or certified time) to the smartcard, but the smartcard needs to be sure that the enclave runs authorized software and is not modifying the network traffic in any way (since we can't run a TLS client directly on the card itself).
So I was wondering if the remote attestation process could be run inside the smartcard, without resorting to the IAS. Can the quote issued by the Quotation Enclave be verified somehow offline (on the card in our case) without the IAS or is the IAS absolutely required at this time?
Thank you,
Razvan
Link Copied
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, Razvan.
To the best of my knowledge, it is not possible to do what you want there.
Regards,
Rodolfo
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is your sgx-enabled computer be able to connect IAS ? There are two ways to do remote attestation:
1. sgx-enabled computer generate msg3 which include the quote(enclave-report), and then send it to sp (here in your situation is smart card), sp communicate with ias and get IAS attestation report.
sgx-enabled computer--->quote===========> smart card===============>IAS-------------->verify IAS report
2. The other way is that sgx-enabled computer generate msg3 and get the quote, directly send it to IAS for the attestation report. then sent IAS report together with report signature (which is inside IAS response header field) to sp, sp verify the report with IAS public key.Then go on the rest remote attestation processes.
sgx-enabled computer--->quote===========> IAS------>IAS report=========> smartcard------->verify IAS report signature & IAS report
If your sgx-enabled computer is able to connect IAS you can do remote attestation follow the second scenario. And your smart card can be "offline". But you should verify the IAS report signature first to make sure the report is generated by IAS.
Regards you
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi you,
That alternative you pointed out is very insecure. This would allow a man-in-the-middle or even a replay attack.
Regards,
Rodolfo
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Rodolfo S:
I'm a little confused, can you clarify how can this happen? The smart card can verify IAS attestation response signature to test the authenticity of the report. Since the report is signed with intel's private key, Is that right?
Kind regards
you
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, you.
I'm sorry for the confusion. This kind of attacks that I mentioned were only possible in version 1 of the IAS API, because it didn't include the quote itself in the response. In the current API version your solution may work without problems.
Regards,
Rodolfo
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page