Abstract

Intel Software Guard Extensions (SGX) allows users to perform secure computation on platforms that run untrusted software. To validate that the computation is correctly initialized and that it executes on trusted hardware, SGX supports attestation providers that can vouch for the user’s computation. Communication with these attestation providers is based on the Extended Privacy ID (EPID) protocol, which not only validates the computation but is also designed to maintain the user’s privacy. In particular, EPID is designed to ensure that the attestation provider is unable to identify the host on which the computation executes. In this work we investigate the security of the Intel implementation of the EPID protocol. We identify an implementation weakness that leaks information via a cache side channel. We show that a malicious attestation provider can use the leaked information to break the unlinkability guarantees of EPID. We analyze the leaked information using a lattice-based approach for solving the hidden number problem, which we adapt to the zero-knowledge proof in the EPID scheme, extending prior attacks on signature schemes.

Highlights

  • Mainstream processors have recently employed Trusted Execution Environments that allow running sensitive computation on potentially-compromised computers owned by untrusted third parties

  • Because the Enhanced Privacy ID (EPID) signatures in the quoting enclave implementation are encrypted to a hard-coded RSA public key before being transmitted to the remote attestation provider, as described in Section 3, we modified the quoting enclave to encrypt to our own public key so that we could decrypt the messages

  • As only the version offering 128-bit security is implemented in Intel’s Software Guard Extensions (SGX) Software Development Kit (SDK), we focus on this version of EPID which operates over the Fp256BN curve as standardized in [Int09]

Summary

Introduction

Mainstream processors have recently employed Trusted Execution Environments that allow running sensitive computation on potentially-compromised computers owned by untrusted third parties.

172 CacheQuote: Efficiently Recovering Long-term Secrets of SGX EPID via Cache Attacks

protocol that allows users to verify the legitimacy of the enclave before sending sensitive data to the enclave. Microarchitectural side-channel attacks extract otherwise-unavailable secret information by artificially creating observable contentions between different CPU execution units. Since their introduction over a decade ago [Pag, TTMH02, TSS+03, Per, Ber, OST06], microarchitectural side-channel attacks have been used to break the security of numerous implementations, including attacks on cryptographic primitives [ASK07, AS08, BvdPSY14], measurement of keystroke timings [LGS+16, LGS+17], website fingerprinting [GZES17], attacks from within the target’s browser [OKSK15, AKM+15, GMM16], from inside or against SGX enclaves [XCP15, LSG+17, VBWK+17, SWG+17, MIE17, BMD+17, MES17], or even on third-party compute clouds [LYG+15, IAES15, IGI+16]. In this paper we investigate the following questions: How do side-channel attacks affect SGX’s EPID attestation protocol? Can side-channel attacks be used to violate EPID’s forward or backward privacy?

Our Contribution
Targeted Software and Hardware
Preliminaries
Intel SGX
Bilinear Maps
Overview
Security Properties of EPID
The Signing Algorithm
Run the following signature of knowledge protocol
SGX EPID Provisioning and Attestation
Provisioning and Quoting Enclave Implementations
Scalar Multiplication in the Quoting Enclave
Short Scalar Leakage via High Resolution Side Channels
Loop Counting Analysis
A Lattice Attack on EPID
The Hidden Number Problem
Conversion to a Hidden Number Problem
Solving the Hidden Number Problem
Lattice Preliminaries
Solving the Hidden Number Problem via CVP embedding
Using Samples of Different Lengths
Error Correction
Recovering f
Findings
Conclusions