2

I am currently reading up on Intel's SGX, especially the remote attestation part. I am having a questions regarding this topic.

Let us consider the following protocol:

Enclave A and B do remote attestation. Each of them generates an asymmetric key pair (sk_X, pk_X). They exchange the quotes:

A -> B: QUOTE{pk_A}
B -> A: QUOTE{pk_B}

Let us consider there is a MitM attacker, who intercepts whose quotes and forwards them. Is it possible for the attacker to read out the public keys or are they somehow encrypted? I could not find proper information in the documentation.

I found the following document: intel-sgx-developer-guide

A quote includes the following data:

  • Measurement of the code and data in the enclave.
  • A hash of the public key in the ISV certificate presented at enclave initialization time.
  • The Product ID and the Security Version Number (SVN) of the enclave.
  • Attributes of the enclave, for example, whether the enclave is running in debug mode.
  • User data included by the enclave in the data portion of the report structure. Allows establishing a secure channel bound to the remote attestation process so a remote server may provision secrets to the entity that has been attested
  • A signature block over the above data, which is signed by the Intel EPID group key

It sounds like everyone would be able to read the data. In order to prevent a MitM attack, the enclaves have to verify the hash of the public key of the ISV (independent software vendor) and maybe the product ID.

Community
  • 1
Donut
  • 141
  • 4
  • Note that the question was also [asked and answered in an Intel forum](https://software.intel.com/en-us/forums/intel-software-guard-extensions-intel-sgx/topic/754576). – Oren Milman Jan 23 '19 at 14:55

1 Answers1

1

The article Code Sample: Intel Software Guard Extensions Remote Attestation End-to-End Example (by John M. from Intel), describes an example of remote attestation. (The source code of most of the functions described in the article can be found here.)

Among others, the article mentions the structure of the remote attestation quote, sgx_quote_t:

The structure of the quote is defined in sgx_quote.h:

typedef struct _quote_t
{
    uint16_t            version;        /* 0   */
    uint16_t            sign_type;      /* 2   */
    sgx_epid_group_id_t epid_group_id;  /* 4   */
    sgx_isv_svn_t       qe_svn;         /* 8   */
    sgx_isv_svn_t       pce_svn;        /* 10  */
    uint32_t            xeid;           /* 12  */
    sgx_basename_t      basename;       /* 16  */
    sgx_report_body_t   report_body;    /* 48  */
    uint32_t            signature_len;  /* 432 */
    uint8_t             signature[];    /* 436 */
} sgx_quote_t;

One of the members of the struct sgx_report_body_t (defined in sgx_report.h) is report_data, whose type is sgx_report_data_t.
report_data is the arbitrary information that an enclave can include inside its remote attestation quote. It is only 512 bits, so you would probably put there a hash of a public key (and send the public key itself alongside the quote).

Either way, if I understand correctly, report_data isn't encrypted by default.


Note that assuming the attacker cannot execute arbitrary code inside an enclave, they can't perform the classic MitM of a Diffie-Hellman key exchange (as described here), as they cannot create a quote with a valid signature.

Oren Milman
  • 149
  • 7