Implement SGX encrypted channel demo #30
Conversation
lkatalin
force-pushed
the
encrypted-connection
branch
from
3900cd0 to
a38b88d
Compare
|
I fixed the cipher to be AES256GCM and also added the capability to add u32s. |
| // field of the enclave's attestation Report, which will be transmitted to the tenant. | ||
| let mut entropy = Rdseed; | ||
| let mut rng = CtrDrbg::new(&mut entropy, None)?; | ||
| let mut ec_key = Pk::generate_ec(&mut rng, curve.clone())?; |
There was a problem hiding this comment.
Does this need a check, if the point is on the curve and not identity? A quick search in the mbed-tls source didn't reveal such a check.
There was a problem hiding this comment.
In the update I'm about to push, I'm now using https://github.com/fortanix/rust-mbedtls/blob/master/mbedtls/src/pk/mod.rs#L312, though I'm not completely sure I'm using it correctly.
|
|
||
| // The enclave handles each incoming connection from attestation daemon. | ||
| for stream in TcpListener::bind(LISTENER_ADDR).unwrap().incoming() { | ||
| for stream in daemon_streams.incoming() { |
There was a problem hiding this comment.
since we are only handling one connection, we could get rid of the for loop and instead use:
// The enclave handles _one_ incoming connection from the attestation daemon.
let mut stream = daemon_streams
.incoming()
.next()
.unwrap_or(Err(std::io::ErrorKind::ConnectionReset.into()))?;There was a problem hiding this comment.
For some reason, when I make this change, the program hangs. So I have left it alone for now.
| let tenant_key = iterator.next().unwrap()?; | ||
| let ad = iterator.next().unwrap()?; | ||
| let iv1 = iterator.next().unwrap()?; | ||
| let iv2 = iterator.next().unwrap()?; | ||
| let tag1 = iterator.next().unwrap()?; | ||
| let tag2 = iterator.next().unwrap()?; | ||
| let ciphertext1 = iterator.next().unwrap()?; | ||
| let ciphertext2 = iterator.next().unwrap()?; |
There was a problem hiding this comment.
This is related to another change requested by @mbestavros to not limit the length of data being sent, since in the future we will send larger chunks of data (ex. binary files). Should I add checks for the current type of data being passed, or get rid of such artificial size limits? Does this matter for the demo? @haraldh @npmccallum
| raw::CipherMode::GCM, | ||
| (symm_key.len() * 8) as _, | ||
| ) | ||
| .unwrap(); |
| raw::CipherMode::GCM, | ||
| (symm_key.len() * 8) as _, | ||
| ) | ||
| .unwrap(); |
|
|
||
| // TODO: This line exits the program after one run. Otherwise, it appears as though the tenant can be run | ||
| // again, but instead the program just hangs the second time. Why? | ||
| break; |
There was a problem hiding this comment.
Well, you would have to open a new connection from the tenant with TcpStream::connect(ENCL_CONN) to get a new loop iteration without the break.
| let mut iterator = deserializer.into_iter::<Vec<u8>>(); | ||
|
|
||
| let tenant_key = iterator.next().unwrap()?; | ||
| let ad = iterator.next().unwrap()?; |
There was a problem hiding this comment.
As far as I understand ad is authenticated data. So it's unencrypted but signed. Maybe we can use it to send a hash of the plaintext data and check the integrity with it after decryption?
@npmccallum ?
There was a problem hiding this comment.
I changed this field to hold a sha256 hash of the plaintext both in the tenant and the enclave.
| // TODO: Is this a good curve to use for ECDH keys? | ||
| pub fn new_pair_secp256r1() -> Result<Self, Box<dyn Error>> { | ||
| let curve = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1)?; | ||
| let eckey_priv = EcKey::generate(&curve)?; |
There was a problem hiding this comment.
again.. needs eckey_priv.check_key() I guess
mbestavros
changed the title
There was a problem hiding this comment.
A very targeted change, but a needed one:
As we begin to think about sending more varied (read: larger) data over the encrypted channel, we should not artificially limit the size of the data being sent and arriving to a few bytes.
For now, removing the size declaration for the input/output arrays completely will be easiest, though we may want to consider re-adding a more thought-about higher limit further down the road to address potential security and denial-of-service concerns.
| let mut plaintext1 = [0u8; 32]; | ||
| let mut plaintext2 = [0u8; 32]; |
There was a problem hiding this comment.
We should not artificially limit the plaintext length here.
| let mut val1_as_bytes = [0u8; 4]; | ||
| NativeEndian::write_u32(&mut val1_as_bytes, val1); | ||
| let mut val2_as_bytes = [0u8; 4]; | ||
| NativeEndian::write_u32(&mut val2_as_bytes, val2); |
There was a problem hiding this comment.
We should not artificially limit the plaintext length here.
| NativeEndian::write_u32(&mut sum_as_bytes, sum); | ||
|
|
||
| // The sum is encrypted. | ||
| let mut ciphersum = [0u8; 5]; |
There was a problem hiding this comment.
One more quick one I forgot, sorry!
lkatalin
force-pushed
the
encrypted-connection
branch
from
a38b88d to
52eac95
Compare
I'm submitting this as PR not because I think it's done, but because I hope to solicit extra comments and reviews over the next week to add to my to-do list for when I get back.
I have many
TODOcomments and questions in the code. Anything that is a question I would especially like feedback or ideas on.Some things that I plan to do before the PR is merged (and would love ideas on any of these):
Currently this gives a key length error and I have not had a chance to debug it. Possibly it has something to do with the length oftagoraad, but unsure.This requires changing the way the streams interact and making the datau32instead ofu8, which adds complication. It's probably not that hard, but seems fiddly.This just seems more logical. However, it requires changing more things about stream handling. For example, having the daemon pass the tenant's pubkey to the enclave before attestation means the pubkey goes out of scope after the daemon's stream is handled. Thus it is not usable when handling the tenant<-->enclave stream.