Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.
1370 Discussions

usages of sgx_ecc256_create_key_pair/sgx_aes_ctr_encrypt/sgx_rijndael128GCM_encrypt api

New Contributor I

What is the general process to encrypt "hello world" text/string inside an enclave?  I would like to know
1. How the key pairs are generated ( should I use sgx_ecc256_create_key_pair or other api?)
2. What apis to use for encrypt ( Should I use sgx_aes_ctr_encrypt() , sgx_rijndael128GCM_encrypt() ? ) 
3. How the keys are to be stored and retrieve for future decreption? 
Thanks a lot

0 Kudos
2 Replies
New Contributor III


1. To encrypt something by using sgx_aes_ctr_encrypt/sgx_rijndael128GCM_encrypt, you need to get a  Symmetric key, you can use  sgx_get_key, sgx_read_rand or your own function to generate a 128 bit key  for encrypt and decrypt.

2. sgx_ecc256_create_key_pair is used to generate ecc 256 key pair.  sgx_aes_ctr_encrypt() and sgx_rijndael128GCM_encrypt() is used for Symmetric encryption. If you want to use asymmetric encryption, maybe you can use intel_sgx_ssl this library provides RSA_public_encrypt and RSA_private_decrypt.

3.  You can use sgx_seal_data api  to seal your keys and store it on your hard drive or database.



New Contributor I

Thanks for your response. I followed to experiment with sgx_rijndael128GCM_encrypt() and sgx_rijndael128GCM_decrypt() APIs. Noticed that const uint8_t *p_iv, and sgx_aes_gcm_128bit_tag_t *p_out_mac has to be passed from encrypt() api to decrypt() api for successful decryption.

I used sgx_fopen_auto_key(), sgx_fwrite(), sgx_fclose() to write const uint8_t *p_iv value from the encrypt. When the decrypt tries to use p_iv, SGX_ERROR_MAC_MISMATCH error happens. 

What is the wrong I might be doing? 
It looks like sgx_fwrite() is changing p_iv , which it should not be. ( This is also the question asked by the above thread)