Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

Verify EPID Signature

Ernesto_F_
Beginner
781 Views

Hi,

I would like to be able to verify the signature of a Quote. I have looked into the SDK and at different online resources, and the verification seems quite complex, if not impossible. I assume that once I have obtained the EPID signature, I can use the ISK public key to verify it. Unfortunately it appears that the EPID signature is encrypted with quite a complex and undocumented process. If these unofficial docs are correct, https://github.com/kudelskisecurity/sgxfun/blob/master/GETQUOTE.md, then the (symmetric) encryption key used to encrypt the EPID signature is itself encrypted using an RSA_OAEP_256 encryption algorithm. But how is this RSA-2048 key generated?

Is it actually possible to independently verify the signature of a quote, or is it something that only Intel can do?

Kind Regards

0 Kudos
5 Replies
Surenthar_S_Intel
0 Kudos
Ernesto_F_
Beginner

That document is not sufficient. There is no mention of how to actually perform the EPID signature verification, since the signature I am seeing is encrypted. I saw in another document that "EPID name based (NB) Quotes only leave the platform encrypted with an Intel public key". Does it mean that the Random Based Quotes are not encrypted and therefore verifiable with the EPID group public key? I am currently using Name Based/Linkable Quotes.

 

0 Kudos
Surenthar_S_Intel

Intel is not currently supporting 3rd party attestation verifications of EPID signatures for either Linkable or unlinkable.

-Surenthar.

0 Kudos
Ernesto_F_
Beginner

I see. I am a bit disappointed and surprised, since the documentation hints more than once at a possible open EPID verification, although without details.

Is it in the plan to support it in the foreseeable future? The Intel Attestation Service is not sufficient for my needs, since the signed Attestation Report it returns cannot be linked in any way to the quote I am sending to IAS.

0 Kudos
Kirchengast__Felix

I have the same question in 2018...

Is there any documentation on how to perform the EPID signature verification using the IAS group public key?

0 Kudos