Attestation of public keys to authenticate Keyfork shard requests #23

Open
opened 2024-01-25 06:32:54 +00:00 by ryan · 2 comments
Owner

Target: Keyfork headless enclave

Sign public keys using an attestation certificate known by shardholders, whose private key is only accessible in the enclave.

Target: Keyfork headless enclave Sign public keys using an attestation certificate known by shardholders, whose private key is only accessible in the enclave.
Author
Owner

Generate ephemeral keys using TPM2 API, have operators perform attestation when they generate the QR code to use for airgap machine.

NOTE: attested ephemeral key replay attacks are not a concern as the TPM is trusted to not leak private key data.

Generate ephemeral keys using TPM2 API, have operators perform attestation when they generate the QR code to use for airgap machine. NOTE: attested ephemeral key replay attacks are not a concern as the TPM is trusted to not leak private key data.
lrvick added this to the Custody Framework project 2024-11-25 10:21:10 +00:00
Author
Owner

Potential idea:

The enclave should be in control of an in-memory singing key. It should be provided, along with the nonce, to the attestation document request as user data. Then, when a bootproof-compatible enclave client connects, they can send a nonce, and receive the attestation document with both the requested nonce and the public key used for signing.

Potential idea: The enclave should be in control of an in-memory singing key. It should be provided, along with the nonce, to the attestation document request as user data. Then, when a bootproof-compatible enclave client connects, they can send a nonce, and receive the attestation document with both the requested nonce and the public key used for signing.
Sign in to join this conversation.
No Label
No Milestone
No Assignees
1 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: public/keyfork#23
No description provided.