remote attestation example for python

141 views
Skip to first unread message

Sylvain Bellemare

unread,
Jul 28, 2021, 10:42:13 PM7/28/21
to sup...@graphene-project.io
Hi,

 I was wondering whether there are some examples that demonstrate how to implement remote attestation for Python-based applications.

I asked the question in https://github.com/oscarlab/graphene/issues/2588, but I don't want just secret provisioning. I want to be able to also validate the outputs by say .. verifying the signature on the outputs. The TLS example I guess does that ... but what I wonder is whether another party, other than the client endpoint of the TLS connection could also verify the output. For instance, could the client send the RA-TLS certificate to another party along with the output such that the party could verify the output?

I want to be able to do what some call "self-attestation", something similar as to what is done in DECENT (https://arxiv.org/abs/2004.02020).

For instance, if I was just using the SGX SDK, I would:
  1. generate an ecc key pair in the enclave
  2. call sgx_create_report() such that the public key is in the report_data field
  3. get a quote for that report and send it to IAS for verification
  4. broadcast the verification report, signed by Intel, to external parties of the protocol
  5. the enclave would sign any output, and broadcast them to the external parties, who would verify the signature with the public key which they extracted out from the report
Thanks!
Sylvain

Michał Kowalczyk

unread,
Aug 6, 2021, 4:02:15 PM8/6/21
to Sylvain Bellemare, sup...@graphene-project.io
// sorry for sending again, but seems the mailing list dropped my previous message

Hey,

For instance, could the client send the RA-TLS certificate to another party along with the output such that the party could verify the output?
I think it should be doable with the current version of RA-TLS, but we don't have any examples which cover this scenario. You can also try to use lower-level interfaces which are used by RA-TLS implementation itself, they are pretty flexible and not as hard as they may seem.

For instance, if I was just using the SGX SDK, I would:
<snip>

This should be pretty straightforward with these lower-level attestation interfaces, but as I said above, we don't have any examples for this, so you're unfortunately on your own there :)
--
You received this message because you are subscribed to the Google Groups "Graphene Support Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to graphene-suppo...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/graphene-support/CAKfqe1jst58LBvyZsn2LDpRR_xjefMTPWtNHS0FDhyAtNqxLrg%40mail.gmail.com.


Sylvain Bellemare

unread,
Aug 6, 2021, 8:15:57 PM8/6/21
to Graphene Support Mailing List
Ok thanks!
Reply all
Reply to author
Forward
0 new messages