Get{Product|Unique}SealKey does not use KeyID #189

Open
the729 opened this issue Nov 24, 2022 · 1 comment

Comments


the729 commented Nov 24, 2022

When sealing data, ego first uses oe_get_seal_key_by_policy to get the product or unique seal key, then uses a standard Go implementation of AES-GCM to encrypt the data.

However, after a deeper dive into the OpenEnclave project, I found that oe_get_seal_key_by_policy has a flaw: it does not populate the KeyID field when calling EGETKEY. And the function is not recommended (although not deprecated). The new recommended way of sealing is oe_seal/oe_unseal, which does populate KeyID. See the discussion here: openenclave/openenclave#4665

IMO, possible solutions would be either

  • persuade OE this function indeed has a use case,
  • and push OE an update to fix the flaw in oe_get_seal_key_by_policy,

or

  • abandon oe_get_seal_key_by_policy,
  • deprecate SealKey related functions in ego/enclave,
  • and use oe_seal/oe_unseal in ego/ecrypto package (is the sealed blob format compatible? )
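To make the KeyID point concrete, here is an added Go example (not ego's code, and not Open Enclave's API) of a seal/unseal routine in the shape the issue describes: a derived seal key feeding Go's standard AES-GCM. The enclave root key, the HMAC-SHA256 derivation step and the blob layout (keyID || nonce || ciphertext) are all assumptions constructed for illustration; the real EGETKEY derivation happens in hardware. The example shows why a per-blob KeyID matters for defenders: without it, every blob sealed under the same policy is encrypted under one fixed AES-GCM key, so nonce uniqueness becomes the only thing standing between the data and a catastrophic nonce-reuse failure, whereas mixing a fresh KeyID into the derivation gives each blob its own key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const (
	keyIDSize = 16 // constructed: random per-blob key identifier
	nonceSize = 12 // standard GCM nonce size
)

// mockRootSealKey stands in for the enclave-bound key that EGETKEY would
// derive for a product/unique policy. Constructed for this example only.
var mockRootSealKey = []byte("constructed-32-byte-root-key....")

// deriveSealKey mixes a per-blob keyID into the root key so that each blob
// is encrypted under a distinct AES-256 key. HMAC-SHA256 is used as the KDF
// here purely for illustration; it is not how EGETKEY derives keys.
func deriveSealKey(root, keyID []byte) []byte {
	mac := hmac.New(sha256.New, root)
	mac.Write(keyID)
	return mac.Sum(nil) // 32 bytes
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal returns keyID || nonce || ciphertext. The keyID is stored in the clear
// so Unseal can re-derive the same key; it is not secret.
func Seal(root, plaintext, additionalData []byte) ([]byte, error) {
	keyID := make([]byte, keyIDSize)
	if _, err := rand.Read(keyID); err != nil {
		return nil, err
	}
	aead, err := newAEAD(deriveSealKey(root, keyID))
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	blob := make([]byte, 0, keyIDSize+nonceSize+len(plaintext)+aead.Overhead())
	blob = append(blob, keyID...)
	blob = append(blob, nonce...)
	return aead.Seal(blob, nonce, plaintext, additionalData), nil
}

// Unseal parses the blob, re-derives the per-blob key from the stored keyID
// and authenticates the ciphertext; any tampering makes Open fail.
func Unseal(root, blob, additionalData []byte) ([]byte, error) {
	if len(blob) < keyIDSize+nonceSize {
		return nil, errors.New("sealed blob too short")
	}
	keyID := blob[:keyIDSize]
	nonce := blob[keyIDSize : keyIDSize+nonceSize]
	ciphertext := blob[keyIDSize+nonceSize:]
	aead, err := newAEAD(deriveSealKey(root, keyID))
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ciphertext, additionalData)
}

func main() {
	blob, err := Seal(mockRootSealKey, []byte("enclave secret"), []byte("app-context"))
	if err != nil {
		panic(err)
	}
	pt, err := Unseal(mockRootSealKey, blob, []byte("app-context"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("unsealed: %q (blob %d bytes)\n", pt, len(blob))
}
```

In this layout a zeroed KeyID degenerates to the situation the issue describes: deriveSealKey returns the same key for every blob, and the scheme's safety rests entirely on never repeating a 96-bit random nonce under that one key.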
thomasten (Member) commented

Thanks for taking this to Open Enclave. We'll try going with your first suggestion.
