ego icon indicating copy to clipboard operation
ego copied to clipboard

Published 20 hours ago verified publisher icon edgelesssys

Get{Product|Unique}SealKey does not use KeyID

Open the729 opened this issue 2 years ago • 1 comments

When sealing data, ego first uses oe_get_seal_key_by_policy to get product or unique seal key, then uses a standard go implementation of AES-GCM go encrypt the data.

However, after a deeper dive into OpenEnclave project, I found oe_get_seal_key_by_policy has flaw that it does not populate KeyID field when calling EGETKEY. And the function is not recommended (although not deprecated). The new recommended way of sealing is oe_seal/oe_unseal, which does populate KeyID. See the discussion here: https://github.com/openenclave/openenclave/issues/4665

IMO, possible solutions would be either

  • persuade OE this function indeed has a use case,
  • and push OE an update to fix the flaw in oe_get_seal_key_by_policy,

or

  • abandon oe_get_seal_key_by_policy,
  • deprecate SealKey related functions in ego/enclave,
  • and use oe_seal/oe_unseal in ego/ecrypto package (is the sealed blob format compatible? )

the729 avatar Nov 24 '22 03:11 the729

Thanks for taking this to Open Enclave. We try going with your first suggestion.

thomasten avatar Nov 25 '22 10:11 thomasten