usages of sgx_ecc256_create_key_pair/sgx_aes_ctr_encrypt/sgx_rijndael128GCM_encrypt api

das__batsayan · ‎05-01-2018

What is the general process to encrypt "hello world" text/string inside an enclave? I would like to know
1. How the key pairs are generated ( should I use sgx_ecc256_create_key_pair or other api?)
2. What apis to use for encrypt ( Should I use sgx_aes_ctr_encrypt() , sgx_rijndael128GCM_encrypt() ? )
3. How the keys are to be stored and retrieve for future decreption?
Thanks a lot

you_w_ · ‎05-02-2018

Hi：

1. To encrypt something by using sgx_aes_ctr_encrypt/sgx_rijndael128GCM_encrypt, you need to get a Symmetric key, you can use sgx_get_key, sgx_read_rand or your own function to generate a 128 bit key for encrypt and decrypt.

2. sgx_ecc256_create_key_pair is used to generate ecc 256 key pair. sgx_aes_ctr_encrypt() and sgx_rijndael128GCM_encrypt() is used for Symmetric encryption. If you want to use asymmetric encryption, maybe you can use intel_sgx_ssl this library provides RSA_public_encrypt and RSA_private_decrypt.

3. You can use sgx_seal_data api to seal your keys and store it on your hard drive or database.

Regards

you.

das__batsayan · ‎05-07-2018

Thanks for your response. I followed https://software.intel.com/en-us/forums/intel-software-guard-extensions-intel-sgx/topic/754253 to experiment with sgx_rijndael128GCM_encrypt() and sgx_rijndael128GCM_decrypt() APIs. Noticed that const uint8_t *p_iv, and sgx_aes_gcm_128bit_tag_t *p_out_mac has to be passed from encrypt() api to decrypt() api for successful decryption.

I used sgx_fopen_auto_key(), sgx_fwrite(), sgx_fclose() to write const uint8_t *p_iv value from the encrypt. When the decrypt tries to use p_iv, SGX_ERROR_MAC_MISMATCH error happens.

What is the wrong I might be doing?
It looks like sgx_fwrite() is changing p_iv , which it should not be. ( This is also the question asked by the above thread)