Who can explain clearly about the following key usage and difference? It is strange I can't find any explanations in the document.
SGX_RA_KEY_MK, SGX_RA_KEY_SK, SGX_RA_VK.
Launch key, Provisioning key, Provisioning seal key, Report key, Seal key.
- SK (Signing Key/Symmetric Key)
- MK (Master Key/Masking Key)
- SMK (SIGMA protocol)
- VK: Verification key
- ISV can use the sgx_ra_init_ex API to provide a callback function to generate the remote attestation keys used in the SIGMA protocol (SMK) and returned by the API sgx_ra_get_keys (SK, MK, and VK). The decision to use a different KDF is a policy of the ISV, but it should be approved by the ISV’s security process.
- sgx_ ra_derive_secret_keys_t function takes the Diffie-Hellman shared secret as input to allow the ISV enclave to generate their own derived shared keys (SMK, SK, MK and VK).
- VK is derived from the Diffie-Hellman shared secret elliptic curve field element between the service provider and the application enclave.
VK = AES-CMAC (0x00, gab x coordinate|| 0x03)
- Remote Attestation context was generated by sgx_ra_init, the returned SGX_RA_ KEY_MK, SGX_RA_KEY_SK or SGX_RA_VK is derived from the Diffie-Hellman shared secret elliptic curve field element between the service provider and the application enclave using the following Key Derivation Function (KDF):
- KDK = AES-CMAC(key0, gab x-coordinate)
- SGX_RA_KEY_VK = AES-CMAC(KDK, 0x01||’VK’||0x00||0x80||0x00)
- SGX_RA_KEY_MK = AES-CMAC(KDK, 0x01||’MK’||0x00||0x80||0x00)
- SGX_RA_KEY_SK = AES-CMAC(KDK, 0x01||’SK’||0x00||0x80||0x00)
- The key0 used in the key extraction operation is 16 bytes of 0x00. The plain text used in the Key derivation calculation is the Diffie-Hellman shared secret elliptic curve field element in Little Endian format.
- The plain text used in each key calculation includes:
- a counter (0x01)
- a label: the ASCII representation of one of the strings 'VK', 'MK' or 'SK' in Little Endian format
- a bit length (0x80)
Thanks for your reply firstly. but I am still confused about key usage. I want to know where/when/how to use them? Hope we have some documents about key usage.
Another question, which key (Launch key, Provisioning key, Provisioning seal key, Report key, Seal key.) is device-specific key?