TY - JOUR
T1 - CacheQuote: Efficiently Recovering Long-term Secrets of SGX EPID via Cache Attacks
AU - Dall, Fergus
AU - Micheli, Gabrielle De
AU - Eisenbarth, Thomas
AU - Genkin, Daniel
AU - Heninger, Nadia
AU - Moghimi, Ahmad
AU - Yarom, Yuval
PY - 2018/5/8
Y1 - 2018/5/8
N2 - Intel Software Guard Extensions (SGX) allows users to perform secure computation on platforms that run untrusted software. To validate that the computation is correctly initialized and that it executes on trusted hardware, SGX supports attestation providers that can vouch for the user’s computation. Communication with these attestation providers is based on the Extended Privacy ID (EPID) protocol, which not only validates the computation but is also designed to maintain the user’s privacy. In particular, EPID is designed to ensure that the attestation provider is unable to identify the host on which the computation executes. In this work we investigate the security of the Intel implementation of the EPID protocol. We identify an implementation weakness that leaks information via a cache side channel. We show that a malicious attestation provider can use the leaked information to break the unlinkability guarantees of EPID. We analyze the leaked information using a lattice-based approach for solving the hidden number problem, which we adapt to the zero-knowledge proof in the EPID scheme, extending prior attacks on signature schemes.
AB - Intel Software Guard Extensions (SGX) allows users to perform secure computation on platforms that run untrusted software. To validate that the computation is correctly initialized and that it executes on trusted hardware, SGX supports attestation providers that can vouch for the user’s computation. Communication with these attestation providers is based on the Extended Privacy ID (EPID) protocol, which not only validates the computation but is also designed to maintain the user’s privacy. In particular, EPID is designed to ensure that the attestation provider is unable to identify the host on which the computation executes. In this work we investigate the security of the Intel implementation of the EPID protocol. We identify an implementation weakness that leaks information via a cache side channel. We show that a malicious attestation provider can use the leaked information to break the unlinkability guarantees of EPID. We analyze the leaked information using a lattice-based approach for solving the hidden number problem, which we adapt to the zero-knowledge proof in the EPID scheme, extending prior attacks on signature schemes.
U2 - 10.13154/tches.v2018.i2.171-191
DO - 10.13154/tches.v2018.i2.171-191
M3 - Journal articles
VL - 2018
SP - 171
EP - 191
JO - IACR Trans. Cryptogr. Hardw. Embed. Syst.
JF - IACR Trans. Cryptogr. Hardw. Embed. Syst.
IS - 2
ER -