bidirectional authentication RA

[reclock]

If app1 runs in the enclave of container 1 and app2 runs in the enclave of container 2, does it require bidirectional ra verification? At present, there is only one-way RA, how can we achieve bidirectional authentication?

[reclock]

ra-tls with DCAP

[kailun-qin]

@reclock Thanks for the question!

If app1 runs in the enclave of container 1 and app2 runs in the enclave of container 2, does it require bidirectional ra verification?

It actually depends on your use case and threat model, but in general yes -- you probably want/need mutual RA/LA in this case.

At present, there is only one-way RA, how can we achieve bidirectional authentication?

For this purpose, your application has to be adjusted to serve as both the attester and the verifier. If you're using Gramine RA-TLS, one option is to start from our ra-tls-mbedtls example, where you could implement both the logic of the server (generating a self-signed RA-TLS cert with the SGX quote embedded) and the client (using an RA-TLS verification callback to verify the server RA-TLS certificate) in your app.

[reclock]

thanks~~

1. If my app1 is used for computing tasks and it runs in enclave1 (machine 1), and app2 on other businesses runs in enclave2 (machine 2), will I only perform one-way remote verification on app1?

2. If ra tls nginx runs in enclave, can it still receive standard SSL links? How can it adapt to the two types of connections of tls and ra tls?

[dimakuv]

1. If my app1 is used for computing tasks and it runs in enclave1 (machine 1), and app2 on other businesses runs in enclave2 (machine 2), will I only perform one-way remote verification on app1?

If I understand correctly, App2 needs to verify that App1 is trustworthy, but App1 doesn't care about who connect to it? And I guess App2 will be verified itself by some other party (e.g. by a remote user herself)?

In this case, yes, it is sufficient to perform a one-way remote verification of App1 in App2.

2. If ra tls nginx runs in enclave, can it still receive standard SSL links? How can it adapt to the two types of connections of tls and ra tls?

Yes, you can mix and match RA-TLS and normal TLS connections in the same application. But you'll have to use different TLS configs for these two: the RA-TLS connections should use one config (that uses the ra_tls_* APIs) and normal TLS connections should use another config (the "normal" config of the original application).