You are viewing a plain text version of this content. The canonical link for it is here.

Posted to notifications@teaclave.apache.org by GitBox <gi...@apache.org> on 2020/06/29 01:00:39 UTC

[GitHub] [incubator-teaclave] xinuo opened a new issue #372: 怎么去证明teaclave是可行计算的环境呢?

xinuo opened a new issue #372:
URL: https://github.com/apache/incubator-teaclave/issues/372


   你好:
         1,在使用teaclave项目的过程中,我有一个疑问,我怎么去证明teaclave乃至Intel-SGX是可信环境?
         2,从examples里可以看到,teaclave是读取加密文件,但是key以及cmac都是以明文的形式硬编码在脚本里(),同时我使用该key就可以解密数据.怎样去保证链路中的安全呢?


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@teaclave.apache.org
For additional commands, e-mail: notifications-help@teaclave.apache.org

[GitHub] [incubator-teaclave] mssun commented on issue #372: 怎么去证明teaclave是可行计算的环境呢?

Posted by GitBox <gi...@apache.org>.

mssun commented on issue #372:
URL: https://github.com/apache/incubator-teaclave/issues/372#issuecomment-651484773


   我们使用了 rustls [1]，是 Rust rewrite 的 TLS 库，很大程度上避免了内存安全相关的漏洞，OpenSSL 的 heartbleed 漏洞 [2] 就是由内存安全问题引起的。
   
   - [1] https://github.com/ctz/rustls
   - [2] https://heartbleed.com/


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@teaclave.apache.org
For additional commands, e-mail: notifications-help@teaclave.apache.org

[GitHub] [incubator-teaclave] xinuo commented on issue #372: 怎么去证明teaclave是可行计算的环境呢?

Posted by GitBox <gi...@apache.org>.

xinuo commented on issue #372:
URL: https://github.com/apache/incubator-teaclave/issues/372#issuecomment-650987824


   谢谢解答.
   不过对于明文的key在脚本(builtin_private_join_and_compute.py)里还存在疑惑:
   是不是只能保证这个py文件不被别人窃取,不然,别人得到这些key也是可以通过cli进行解密?


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@teaclave.apache.org
For additional commands, e-mail: notifications-help@teaclave.apache.org

[GitHub] [incubator-teaclave] xinuo closed issue #372: 怎么去证明teaclave是可行计算的环境呢?

Posted by GitBox <gi...@apache.org>.

xinuo closed issue #372:
URL: https://github.com/apache/incubator-teaclave/issues/372


   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@teaclave.apache.org
For additional commands, e-mail: notifications-help@teaclave.apache.org

[GitHub] [incubator-teaclave] yc-huang commented on issue #372: 怎么去证明teaclave是可行计算的环境呢?

Posted by GitBox <gi...@apache.org>.

yc-huang commented on issue #372:
URL: https://github.com/apache/incubator-teaclave/issues/372#issuecomment-651477482


   @mssun attested TLS用到的TLS的实现是谁提供的，实际是运行在什么环境的，会不会因为这块的实现有漏洞（比如以前open ssl的很多漏洞）从而导致泄密？


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@teaclave.apache.org
For additional commands, e-mail: notifications-help@teaclave.apache.org

[GitHub] [incubator-teaclave] mssun commented on issue #372: 怎么去证明teaclave是可行计算的环境呢?

Posted by GitBox <gi...@apache.org>.

mssun commented on issue #372:
URL: https://github.com/apache/incubator-teaclave/issues/372#issuecomment-650948414


   client/service 以及 service/service 之间使用 RPC 通信。RPC 是基于 attested TLS，简单来说，1) 通过 remote attestation 证明 Teaclave service 运行于可信环境，2) 通过 TLS 保证链路安全。
   
   RPC 的文档有简单的介绍：http://teaclave.apache.org/docs/codebase/rpc/，但对于 attested TLS 可能需要一个专门的文档去描述，后续也会加入到文档中。


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@teaclave.apache.org
For additional commands, e-mail: notifications-help@teaclave.apache.org

[GitHub] [incubator-teaclave] xinuo commented on issue #372: 怎么去证明teaclave是可行计算的环境呢?

Posted by GitBox <gi...@apache.org>.

xinuo commented on issue #372:
URL: https://github.com/apache/incubator-teaclave/issues/372#issuecomment-651199872


   @qinkunbao 
   非常感谢解答!
   听你这样说,我应该明白了.
   我可能被example所"迷惑",是我自己误解了.因为我看到是放在2个用户的key都放在同一个py文件内.
   真实的场景应该是
   1,用户1,用户2(相当于A1,A2)各自提交自己的payload(通过SDK方式)来创建自己的task
   2,最终由平台(B)来runTask.
   3,A1,A2各自等待返回的结果.
   这也是我的理解,也欢迎各位指正.


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@teaclave.apache.org
For additional commands, e-mail: notifications-help@teaclave.apache.org

[GitHub] [incubator-teaclave] qinkunbao commented on issue #372: 怎么去证明teaclave是可行计算的环境呢?

Posted by GitBox <gi...@apache.org>.

qinkunbao commented on issue #372:
URL: https://github.com/apache/incubator-teaclave/issues/372#issuecomment-651182586


   我最近也在看SGX，这是我的理解。如有不对欢迎指出来。
   
   A <---------> B
   假设A是Client，B是encalve里面的代码，首先你信任client，因为这是在你本地上的，换言之这是你自己。B是Teaclave，但是你怎么需要保证Teaclave是你相信的那个版本（比如没有篡改。。。。。。），以及它跑在一个可信的环境里面（真的在encalve里面）呢？这就需要Remote Attestation （RA），你可以查阅Intel SGX的相关文档。
   
   但是问题还有，比如你说的key的问题。理论上应该只有A和B知道key，A是你自己的client，你不能通过网络明文传输key是什么。这就需要A和B之间的通信是加密的。这里是通过TLS来保证。在remote attestation的过程中，attestaiton的report有可以包含程序自定义的64 byte数据，RA的过程中放入用于TLS handshake的数据，从而建立一个A和B之间的Attested TLS。


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@teaclave.apache.org
For additional commands, e-mail: notifications-help@teaclave.apache.org

[GitHub] [incubator-teaclave] mssun edited a comment on issue #372: 怎么去证明teaclave是可行计算的环境呢?

Posted by GitBox <gi...@apache.org>.

mssun edited a comment on issue #372:
URL: https://github.com/apache/incubator-teaclave/issues/372#issuecomment-650948414


   client/service 以及 service/service 之间使用 RPC 通信。RPC 是基于 attested TLS，简单来说，1) 通过 remote attestation 证明 Teaclave service 运行于可信环境，2) 通过 TLS 保证链路安全。
   
   RPC 的文档有简单的介绍：http://teaclave.apache.org/docs/codebase/rpc/ ，但对于 attested TLS 可能需要一个专门的文档去描述，后续也会加入到文档中。


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@teaclave.apache.org
For additional commands, e-mail: notifications-help@teaclave.apache.org