Question about remote attestation

Hey everyone, I am currently reading up on SGX and wondering about remote attestation.

Let us consider that we have 2 different applications, each of which has an enclave, and they are remote from each other.

Enclave A and enclave B want to perform remote attestation. Let's take the following protocol:
1) A => B: QUOTE{pkA}
2) B => A: QUOTE{pkB}
pkA and pkB are public keys and each enclave has the corresponding secret key.

My question is now:
We have a MitM attacker who intercepts those QUOTE messages. Is the attacker able to read out the public keys, or are they somehow encrypted?

In the remote attestation scenario, before sending MSG3, which contains the SGX quote, we have already established a protected channel through a SIGMA-like protocol. And actually there is no pk in the quote data structure. Only a signature is contained in it.

/* Excerpt of the SGX SDK's sgx_quote.h / sgx_report.h (field types come from the SDK headers).
   The report body is declared first because sgx_quote_t embeds it by value. */
typedef struct _report_body_t {
	sgx_cpu_svn_t cpu_svn;           /* (  0) Security Version of the CPU */
	sgx_misc_select_t misc_select;   /* ( 16) Which fields defined in SSA.MISC */
	uint8_t reserved1[28];           /* ( 20) */
	sgx_attributes_t attributes;     /* ( 48) Any special capabilities the enclave possesses */
	sgx_measurement_t mr_enclave;    /* ( 64) The value of the enclave's ENCLAVE measurement */
	uint8_t reserved2[32];           /* ( 96) */
	sgx_measurement_t mr_signer;     /* (128) The value of the enclave's SIGNER measurement */
	uint8_t reserved3[96];           /* (160) */
	sgx_prod_id_t isv_prod_id;       /* (256) Product ID of the enclave */
	sgx_isv_svn_t isv_svn;           /* (258) Security Version of the enclave */
	uint8_t reserved4[60];           /* (260) */
	sgx_report_data_t report_data;   /* (320) 64 bytes of data provided by the user */
} sgx_report_body_t;                 /* 384 bytes in total */

typedef struct _quote_t {
	uint16_t version;                  /* 2 bytes */
	uint16_t sign_type;                /* 2 bytes */
	sgx_epid_group_id_t epid_group_id; /* 4 bytes */
	sgx_isv_svn_t qe_svn;              /* 2 bytes */
	sgx_isv_svn_t pce_svn;             /* 2 bytes */
	uint32_t xeid;                     /* 4 bytes */
	sgx_basename_t basename;           /* 32 bytes */
	sgx_report_body_t report_body;     /* 384 bytes, defined above */
	uint32_t signature_len;            /* length of the signature that follows */
	uint8_t signature[];               /* signature over the preceding fields */
} sgx_quote_t;



Hey, if I understand your answer correctly, this means that the quote is sent through a protected channel and therefore it would not be possible for a third party to read the quote in cleartext, am I right?

You are right, the data structure does not contain a pk. I chose this notation to indicate that a party is using the report_data field of the _report_body_t structure. I should have mentioned that.

Hi Varky:

Yes, it's impossible for a third party to read the quote.

Kind Regards
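As an added example (not code from this thread or from the Intel SDK), the following Python script builds and parses a buffer with the sgx_quote_t / sgx_report_body_t layout posted above, and shows how an enclave's public key is bound into the 64-byte report_data field the way the asker describes. Everything in it is an assumption for illustration: the SHA-256-of-key convention for report_data, the sample key, the measurements and the placeholder signature are all constructed, and the EPID signature is neither generated nor verified here (in a real deployment the attestation service verifies it). The parser needs no key because nothing in the structure is encrypted, only signed; confidentiality of the quote in transit comes from the channel the reply describes, while the signature over report_body is what makes the key binding tamper-evident.

```python
import hashlib
import hmac
import struct

# Layout taken from the sgx_quote_t / sgx_report_body_t definitions posted in the thread.
# version, sign_type, epid_group_id, qe_svn, pce_svn, xeid, basename
QUOTE_HEADER_FMT = "<HH4sHHI32s"
QUOTE_HEADER_LEN = struct.calcsize(QUOTE_HEADER_FMT)  # 48 bytes
# cpu_svn, misc_select, reserved1, attributes, mr_enclave, reserved2, mr_signer,
# reserved3, isv_prod_id, isv_svn, reserved4, report_data (offsets as in the posted struct)
REPORT_BODY_FMT = "<16s4s28s16s32s32s32s96sHH60s64s"
REPORT_BODY_LEN = struct.calcsize(REPORT_BODY_FMT)    # 384 bytes
REPORT_DATA_LEN = 64
SIG_LEN_OFF = QUOTE_HEADER_LEN + REPORT_BODY_LEN      # offset of signature_len


def build_report_data(pubkey: bytes) -> bytes:
    """Bind a public key into report_data. Convention assumed for this example:
    SHA-256(pubkey) in the first 32 bytes, the remaining 32 bytes zero."""
    return hashlib.sha256(pubkey).digest() + b"\x00" * 32


def build_quote(mr_enclave: bytes, mr_signer: bytes, report_data: bytes, signature: bytes) -> bytes:
    """Serialise a quote-shaped buffer. The signature is whatever the caller passes;
    a real quote carries an EPID signature produced by the quoting enclave."""
    if len(mr_enclave) != 32 or len(mr_signer) != 32:
        raise ValueError("measurements must be 32 bytes")
    if len(report_data) != REPORT_DATA_LEN:
        raise ValueError("report_data must be exactly 64 bytes")
    header = struct.pack(QUOTE_HEADER_FMT, 2, 0, b"\x00" * 4, 0, 0, 0, b"\x00" * 32)
    body = struct.pack(REPORT_BODY_FMT, b"\x00" * 16, b"\x00" * 4, b"\x00" * 28, b"\x00" * 16,
                       mr_enclave, b"\x00" * 32, mr_signer, b"\x00" * 96, 1, 1, b"\x00" * 60,
                       report_data)
    return header + body + struct.pack("<I", len(signature)) + signature


def parse_quote(buf: bytes) -> dict:
    """Read the plaintext fields of a quote. No key is needed: the structure is
    signed, not encrypted. Length checks guard against truncated input."""
    if len(buf) < SIG_LEN_OFF + 4:
        raise ValueError("quote too short")
    version, sign_type, epid_gid, qe_svn, pce_svn, xeid, basename = \
        struct.unpack_from(QUOTE_HEADER_FMT, buf, 0)
    body = struct.unpack_from(REPORT_BODY_FMT, buf, QUOTE_HEADER_LEN)
    (sig_len,) = struct.unpack_from("<I", buf, SIG_LEN_OFF)
    signature = buf[SIG_LEN_OFF + 4:SIG_LEN_OFF + 4 + sig_len]
    if len(signature) != sig_len:
        raise ValueError("signature_len exceeds buffer")
    return {
        "version": version, "sign_type": sign_type, "epid_group_id": epid_gid,
        "qe_svn": qe_svn, "pce_svn": pce_svn, "xeid": xeid, "basename": basename,
        "cpu_svn": body[0], "misc_select": body[1], "attributes": body[3],
        "mr_enclave": body[4], "mr_signer": body[6],
        "isv_prod_id": body[8], "isv_svn": body[9], "report_data": body[11],
        "signature": signature,
    }


def key_matches_quote(quote: bytes, pubkey: bytes, expected_mr_enclave: bytes) -> bool:
    """Verifier-side check: the quote must come from the expected enclave and its
    report_data must commit to pubkey. Assumes the signature was already verified
    by the attestation service; a substituted key or enclave fails this check."""
    q = parse_quote(quote)
    return (hmac.compare_digest(q["mr_enclave"], expected_mr_enclave)
            and hmac.compare_digest(q["report_data"], build_report_data(pubkey)))


# Constructed sample values (placeholders, not real keys, measurements or signatures).
PK_A = b"constructed-sample-public-key-of-enclave-A"
MR_A = hashlib.sha256(b"constructed-enclave-A-measurement").digest()
MR_SIGNER = hashlib.sha256(b"constructed-signer-measurement").digest()
PLACEHOLDER_SIG = b"\x11" * 64
SAMPLE_QUOTE = build_quote(MR_A, MR_SIGNER, build_report_data(PK_A), PLACEHOLDER_SIG)

if __name__ == "__main__":
    q = parse_quote(SAMPLE_QUOTE)
    print("report_data readable without any key:", q["report_data"].hex())
    print("binding holds for pkA:", key_matches_quote(SAMPLE_QUOTE, PK_A, MR_A))
    print("binding holds for another key:", key_matches_quote(SAMPLE_QUOTE, b"some-other-key", MR_A))
```

The parser deliberately stops at the structure: deciding whether to trust mr_enclave and report_data is the job of the signature check by the attestation service, which is why the binding check above is only meaningful after that step has passed.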
