I'm pretty new to SGX, still reading through the docs and just tested/compiled some initial examples. Our particular application involves a smartcard connected to an SGX-capable computer. The SGX enclave is supposed to offer additional services (such as network access or certified time) to the smartcard, but the smartcard needs to be sure that the enclave runs authorized software and is not modifying the network traffic in any way (since we can't run a TLS client directly on the card itself).
So I was wondering if the remote attestation process could be run inside the smartcard, without resorting to the IAS. Can the quote issued by the Quotation Enclave be verified somehow offline (on the card in our case) without the IAS or is the IAS absolutely required at this time?
Is your SGX-enabled computer able to connect to IAS? There are two ways to do remote attestation:
1. The SGX-enabled computer generates msg3, which includes the quote (enclave report), and then sends it to the SP (in your situation, the smart card). The SP communicates with IAS and gets the IAS attestation report.
sgx-enabled computer--->quote===========> smart card===============>IAS-------------->verify IAS report
2. The other way is that the SGX-enabled computer generates msg3, gets the quote, and sends it directly to IAS for the attestation report. It then sends the IAS report together with the report signature (which is inside the IAS response header field) to the SP, and the SP verifies the report with the IAS public key. Then it goes on with the rest of the remote attestation process.
sgx-enabled computer--->quote===========> IAS------>IAS report=========> smartcard------->verify IAS report signature & IAS report
If your SGX-enabled computer is able to connect to IAS, you can do remote attestation following the second scenario, and your smart card can be "offline". But you should verify the IAS report signature first to make sure the report was generated by IAS.
Hi Rodolfo S:
I'm a little confused; can you clarify how this can happen? The smart card can verify the IAS attestation response signature to test the authenticity of the report, since the report is signed with Intel's private key. Is that right?
I'm sorry for the confusion. The kind of attacks that I mentioned were only possible in version 1 of the IAS API, because it didn't include the quote itself in the response. In the current API version your solution may work without problems.
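Added example, not part of any post in this thread and not Intel's code: the SP-side check from the second scenario, done the way an offline verifier would, first the report signature against a pinned key, then the quote that current API versions embed in the report. Assumptions: the signature is RSASSA-PKCS1-v1_5 with SHA-256 over the raw response body, the report fields are `isvEnclaveQuoteStatus` and `isvEnclaveQuoteBody`, MRENCLAVE and report_data sit at offsets 112 and 368 of the 432-byte quote body, and the key is already trusted (certificate-chain validation and freshness are not covered). The toy key, the sample report and all function names are constructed for illustration.

```python
import base64, hashlib, json

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
MRENCLAVE_OFF, REPORT_DATA_OFF, QUOTE_BODY_LEN = 112, 368, 432  # assumed layout

def emsa_pkcs1_v15(body: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(body) for a k-byte modulus."""
    t = SHA256_PREFIX + hashlib.sha256(body).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_verify(body: bytes, sig: bytes, n: int, e: int) -> bool:
    """Verify by re-encoding and comparing the whole block, never by parsing it."""
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False
    return pow(s, e, n).to_bytes(k, "big") == emsa_pkcs1_v15(body, k)

def check_report(body: bytes, sig_b64: str, pubkey, want_mrenclave: bytes) -> bytes:
    """Return the enclave's 64-byte report_data, or raise ValueError."""
    if not rsa_verify(body, base64.b64decode(sig_b64, validate=True), *pubkey):
        raise ValueError("report signature invalid")
    report = json.loads(body)  # parsed only after the signature holds
    if report.get("isvEnclaveQuoteStatus") != "OK":
        raise ValueError("quote status is not OK")
    quote = base64.b64decode(report.get("isvEnclaveQuoteBody", ""))
    if len(quote) != QUOTE_BODY_LEN:
        raise ValueError("unexpected quote body length")
    if quote[MRENCLAVE_OFF:MRENCLAVE_OFF + 32] != want_mrenclave:
        raise ValueError("MRENCLAVE is not the authorized enclave")
    return quote[REPORT_DATA_OFF:]

def make_constructed_sample(mrenclave: bytes, status: str = "OK"):
    """Fixture only: toy 511-bit key from two well-known primes, fake report."""
    p, q, e = 2**255 - 19, 2**256 - 2**32 - 977, 65537
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    quote = bytes(112) + mrenclave + bytes(224) + b"K" * 64  # constructed quote body
    body = json.dumps({"isvEnclaveQuoteStatus": status,
                       "isvEnclaveQuoteBody": base64.b64encode(quote).decode()}).encode()
    sig = pow(int.from_bytes(emsa_pkcs1_v15(body, 64), "big"), d, n).to_bytes(64, "big")
    return body, base64.b64encode(sig).decode(), (n, e)

if __name__ == "__main__":
    mr = bytes(range(32))  # constructed measurement
    body, sig, pub = make_constructed_sample(mr)
    print(check_report(body, sig, pub, mr))
```

The returned report_data is where the enclave would bind its own key material, so the verifier should compare it against what it expects before trusting any channel to the enclave.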