Unifying Remote Attestation Protocol Implementations – Confidential Computing Consortium

Shanwei Cen (@shnwc), Dan Middleton (@dcmiddle)
We’re excited to announce some recent attestation news. One of the hallmarks of confidential computing is the ability to build trusted communication with an application running in a hardware-based trusted execution environment. To make attestation easily accessible, it can be integrated into common protocols. That way developers don’t need to figure out all the details to build a secure protocol themselves. One of these protocols is called Remote Attestation TLS (RA-TLS), which builds on the ubiquitously used Transport Layer Security protocol underlying most secure internet communication. It turns out several projects independently implemented RA-TLS with tiny but incompatible differences. In the CCC Attestation SIG, we’ve agreed on and, in some cases, already implemented changes so that all of them can interoperate.
The CCC Attestation SIG is chartered to develop attestation-related software aimed at improving interoperability, and to achieve harmonization and de-fragmentation between multiple projects. One approach is to identify and review projects in SIG meetings, propose improvements for interoperability and standardization, and work with these projects on implementation and tests. Interoperable RA-TLS is a good example showcasing how the SIG delivers on its charter.
The RA-TLS (Remote Attestation TLS) architecture is defined in the white paper Integrating Remote Attestation with Transport Layer Security, to enable Intel® Software Guard Extensions (Intel® SGX) remote attestation during the establishment of a standard Transport Layer Security (TLS) connection. In a TLS server / client scenario, the TLS server runs inside an SGX enclave. It generates a public-private keypair, creates an SGX report with a hash of the public key in its user-data field, and gets an SGX quote for this report. It then creates an X.509 certificate with a custom extension containing this SGX quote. This customized certificate is sent to a TLS client in the TLS handshake protocol. The client gets the SGX quote from the certificate and performs remote attestation to verify that the connected server runs inside an authentic Intel® SGX enclave.
There are several aspects of the RA-TLS architecture that weren’t covered in this white paper. Some of the gaps include the specific X.509 extension OID value for the SGX quote, the supported types of SGX quote, and how the public key is hashed. Moreover, since the white paper was published, new TEEs like Intel® Trust Domain Extensions (Intel® TDX) and new quote formats have become available. The level of specificity in the RA-TLS paper left room for incompatibility between different implementations and prevented their interoperability.
RA-TLS has been supported in several open-source projects, including Gramine, RATS-TLS, Open Enclave Attested TLS, and SGX SDK Attested TLS. The CCC Attestation SIG invited these projects to its meetings for review, and recommended further investigation into harmonization between them for interoperability. Following up on this recommendation, we conducted an in-depth investigation and identified areas of incompatibility. We documented our findings, created a draft proposal for an interoperable RA-TLS architecture, and presented our work back to the SIG.
Based on the interoperable RA-TLS draft proposal, we refined the design, and aligned it with the upcoming DICE Attestation Architecture v1.1 draft standard on the X.509 extension OID value and the evidence format definition (as a tagged CBOR byte string). We created a CCC Attestation SIG GitHub project, interoperable-ra-tls, to host the design documents and interoperability tests. This project also facilitates discussion among members of the RA-TLS projects and the CCC Attestation SIG community in general. In addition, we registered the needed CBOR tags with the IANA registration service. In the process, we provided feedback to the DICE Attestation Architecture workgroup for refinement of their draft standard specification.
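The following added example (not code from the white paper, the interoperable-ra-tls project, or any of the RA-TLS implementations) sketches the two points above: evidence carried as a tagged CBOR byte string, and the verifier's check that the certificate's public key matches the hash bound into the report. The tag number, the 64-byte report-data size, SHA-256 with zero padding, and modeling the quote as only its report-data field are all assumptions made for illustration; a real verifier must also validate the quote's signature and measurements.

```python
import hashlib
import hmac
import struct

EXAMPLE_TAG = 0xFFFF0001  # placeholder tag number, NOT a registered value
REPORT_DATA_LEN = 64      # report-data field size assumed for this sketch
SAMPLE_KEY = b"constructed-public-key-bytes"  # constructed stand-in for key bytes

def cbor_head(major: int, value: int) -> bytes:
    """Encode a CBOR head (major type plus unsigned argument)."""
    if value < 24:
        return bytes([major << 5 | value])
    for ai, fmt in ((24, ">B"), (25, ">H"), (26, ">I"), (27, ">Q")):
        if value < 1 << (8 * struct.calcsize(fmt)):
            return bytes([major << 5 | ai]) + struct.pack(fmt, value)
    raise ValueError("argument too large")

def read_head(buf: bytes, pos: int):
    """Decode one CBOR head; returns (major, argument, next_pos)."""
    if pos >= len(buf):
        raise ValueError("truncated")
    major, ai = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if ai < 24:
        return major, ai, pos
    if ai > 27:
        raise ValueError("indefinite/reserved lengths rejected")
    size = 1 << (ai - 24)
    if pos + size > len(buf):
        raise ValueError("truncated")
    return major, int.from_bytes(buf[pos:pos + size], "big"), pos + size

def make_evidence(pubkey: bytes, digest=hashlib.sha256) -> bytes:
    """Attester side: bind the key hash into report data, wrap as tag(bstr)."""
    report_data = digest(pubkey).digest().ljust(REPORT_DATA_LEN, b"\0")
    return cbor_head(6, EXAMPLE_TAG) + cbor_head(2, len(report_data)) + report_data

def verify_binding(evidence: bytes, cert_pubkey: bytes, digest=hashlib.sha256) -> bool:
    """Verifier side: parse tag(bstr) strictly, then compare the key hash."""
    major, tag, pos = read_head(evidence, 0)
    if major != 6 or tag != EXAMPLE_TAG:
        raise ValueError("unexpected evidence tag")
    major, length, pos = read_head(evidence, pos)
    if major != 2 or pos + length != len(evidence) or length != REPORT_DATA_LEN:
        raise ValueError("malformed evidence byte string")
    expected = digest(cert_pubkey).digest().ljust(REPORT_DATA_LEN, b"\0")
    return hmac.compare_digest(evidence[pos:], expected)
```

Passing a different `digest` to one side only makes `verify_binding` return `False` for an otherwise valid key, which is the kind of interoperability failure an unspecified hashing rule allows.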
Great progress has been made in implementing this proposed interoperable RA-TLS scheme in the RA-TLS projects. We’ve worked with all the projects to create issues and pull requests for their implementations. In particular, as discussed in some of the interoperable-ra-tls project issues, Gramine and RATS-TLS have completed their implementation, and have been active in interoperability tests.
In summary, the interoperable RA-TLS work demonstrated the value of the CCC Attestation SIG in providing a constructive forum to collaborate on attestation technology. We invite you to try out the new unified implementations in Gramine and RATS-TLS. If you are interested in getting more involved, please join us at the CCC Attestation SIG or any other part of our Confidential Computing Consortium open source community. All are welcome here.