Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Beginner
55 Views

key usage difference

Who can explain clearly about the following key usage and difference? It is strange I can't find any explanations in the document.

SGX_RA_KEY_MK, SGX_RA_KEY_SK,  SGX_RA_VK.

Launch key, Provisioning key, Provisioning seal key, Report key, Seal key.

Thanks,

Peter

0 Kudos
2 Replies
Highlighted
55 Views

Hi Peter,

  • SK (Signing Key/Symmetric Key)
  • MK (Master Key/Masking Key)
  • SMK (SIGMA protocol)
  • VK: Verification key
  • ISV can use the sgx_ra_init_ex API to provide a callback function to generate the remote attestation keys used in the SIGMA protocol (SMK) and returned by the API sgx_ra_get_keys (SK, MK, and VK). The decision to use a different KDF is a policy of the ISV, but it should be approved by the ISV’s security process. 
  • sgx_ ra_derive_secret_keys_t function takes the Diffie-Hellman shared secret as input to allow the ISV enclave to generate their own derived shared keys (SMK, SK, MK and VK).
  • VK is derived  from the Diffie-Hellman shared secret elliptic curve field element between the service provider and  the application enclave.
    VK  = AES-CMAC (0x00, gab  x coordinate|| 0x03)
  • Remote Attestation context was generated by sgx_ra_init, the returned SGX_RA_ KEY_MK, SGX_RA_KEY_SK or SGX_RA_VK is derived from the Diffie-Hellman shared secret elliptic curve field element between the service provider and the application enclave using the following Key Derivation Function (KDF):
    • KDK = AES-CMAC(key0, gab x-coordinate)
    • SGX_RA_KEY_VK = AES-CMAC(KDK, 0x01||’VK’||0x00||0x80||0x00)
    • SGX_RA_KEY_MK = AES-CMAC(KDK, 0x01||’MK’||0x00||0x80||0x00)
    • SGX_RA_KEY_SK = AES-CMAC(KDK, 0x01||’SK’||0x00||0x80||0x00)
  • The key0 used in the key extraction operation is 16 bytes of 0x00. The plain text used in the Key derivation calculation is the Diffie-Hellman shared secret elliptic curve field element in Little Endian format.
  • The plain text used in each key calculation includes:
    • a counter (0x01)
    • a label: the ASCII representation of one of the strings 'VK', 'MK' or 'SK' in Little Endian format
    • a bit length (0x80)

 

Regards

Shivananda

0 Kudos
Highlighted
Beginner
55 Views

Hi Shivananda,

Thanks for your reply firstly. but I am still confused about key usage. I want to know where/when/how to use them? Hope we have some documents about key usage.

Another question, which key (Launch key, Provisioning key, Provisioning seal key, Report key, Seal key.) is device-specific key?

Thanks,
Peter

 

0 Kudos