Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.
1452 Discussions

Seal - Unseal in the same enclave vs. in two different enclaves

Criston__Anna
New Contributor I
‎07-09-2020 12:18 PM
769 Views
Solved Jump to solution

Hi, I was wondering if there is any difference between unsealing a secret message in the same enclave that you used to seal it vs. in another enclave, signed with the same private key, in terms of security?

One thing I have read in the developer guide is that the smaller the enclave, the more secure, so I guess that manipulating the secret data before sealing and after unsealing in two different enclaves makes each enclave smaller than having one enclave that you reload (because they would not run in parallel, but the unsealing one after the sealing one is destroyed). Are there any other aspects I should consider in terms of security when choosing between having one or two enclave for sealing-unsealing?

Thanks,

Anna

1 Solution
JesusG_Intel
Moderator
‎07-09-2020 12:50 PM
767 Views
Solved Jump to solution

Hello Anna,


Your thinking is spot on with regard to using two enclaves instead of one. Notice that the SealUnseal sample in the SGX SDK uses two different enclaves. By using two enclaves you minimize the attack surface of each enclave.


View solution in original post

0 Kudos
Copy link

Link Copied

1 Reply
JesusG_Intel
Moderator
‎07-09-2020 12:50 PM
768 Views
Solved Jump to solution

Hello Anna,


Your thinking is spot on with regard to using two enclaves instead of one. Notice that the SealUnseal sample in the SGX SDK uses two different enclaves. By using two enclaves you minimize the attack surface of each enclave.


0 Kudos
Copy link
Reply

Community support is provided during standard business hours (Monday to Friday 7AM - 5PM PST). Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.