Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.
1453 Discussions

What's the usage of the Report Key assigned when registering for IAS

Fan
Beginner
‎06-10-2016 06:09 PM
1,206 Views
Solved Jump to solution

First of all, I'm extremely happy to see that IAS is up for open testing. Kudos!

So I registered and got assigned a Report Key (an RSA public key as it appears), which, according to the API doc, can be used to verify the Attestation Verification Reports returned by IAS. But I'm wondering what is the real benefit of having individually assigned report keys. A critical question is whether Intel is endorsing the report keys. In other words, is there a way to verify if a given report key is indeed issued by Intel? If not, I didn't see any benefit of issuing report key, since Intel can simply sign all reports using a single key and publish the corresponding public key, which is much simpler. So I assume the report keys must be endorsed by Intel somehow. Am I right?

0 Kudos
1 Solution
Kuppusamy_R_Intel
Employee
‎06-13-2016 11:55 PM
1,204 Views
Solved Jump to solution

The Report Key is used to sign the attestation report from the Intel Attestation Server. The intent is for the remote service provider to verify the signature of the report. The public key is provided to the developers in an email they receive after registering their certificate with Development Services for an SPID. The key is the same for everybody. 

View solution in original post

0 Kudos
Copy link

Link Copied

4 Replies
Kuppusamy_R_Intel
Employee
‎06-12-2016 11:25 PM
1,204 Views
Solved Jump to solution

SGX provides sgx_remote() with which the programmers can readily generate a remote attestation request in an enclave program through a single API. It uses sgx_getkey() and sgx_getreport() to get a report key and create a report. By specifying the socket information of a target enclave, a challenger can issue a remote attestation to check

(1) the correctness of the target program (based on the hash of EPC contents) and

(2) whether it is actually running inside an enclave on the SGX-enabled platform (MAC with report key)

0 Kudos
Copy link
Fan
Beginner
‎06-12-2016 11:33 PM
1,204 Views
Solved Jump to solution

Kuppusamy R. (Intel) wrote:

SGX provides sgx_remote() with which the programmers can readily generate a remote attestation request in an enclave program through a single API. It uses sgx_getkey() and sgx_getreport() to get a report key and create a report. By specifying the socket information of a target enclave, a challenger can issue a remote attestation to check

(1) the correctness of the target program (based on the hash of EPC contents) and

(2) whether it is actually running inside an enclave on the SGX-enabled platform (MAC with report key)

Thanks. I'm not sure if we're talking about the same thing. I know there is a Report Key on SGX that works exactly as you describe. However what I'm asking here is the key assigned to me when registering for EPID. I received another so called "report key" from email, along with my SPID. I think they just happen to have the same name.  

0 Kudos
Copy link
Kuppusamy_R_Intel
Employee
‎06-13-2016 11:55 PM
1,205 Views
Solved Jump to solution

The Report Key is used to sign the attestation report from the Intel Attestation Server. The intent is for the remote service provider to verify the signature of the report. The public key is provided to the developers in an email they receive after registering their certificate with Development Services for an SPID. The key is the same for everybody. 

0 Kudos
Copy link
Fan
Beginner
‎06-14-2016 06:56 AM
1,204 Views
Solved Jump to solution

Kuppusamy R. (Intel) wrote:

The Report Key is used to sign the attestation report from the Intel Attestation Server. The intent is for the remote service provider to verify the signature of the report. The public key is provided to the developers in an email they receive after registering their certificate with Development Services for an SPID. The key is the same for everybody. 

Thank you! "The key is the same for everybody. " is exactly what I'm looking for. Perfect.

0 Kudos
Copy link
Reply

Community support is provided during standard business hours (Monday to Friday 7AM - 5PM PST). Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.