I have a situation:
I have a scenario that I must connect to a web server and I need to keep the response data safe: I connect to a REST API that will return credit card data. I sign the key in the trusted code and I sent the HTTP request in the untrusted part using the signature via and OCALL. The app receives the HTTP response in the untrusted part and is sent to the trusted part immediately to the enclave via an ECALL. However, from my point of view, I have a security leak in the app: the user credit data should be received in the untrusted part.
From my research, and also because of some posts in here I think there is no way to do an HTTP call from the enclave. @JesusG_Intel wrote at https://community.intel.com/t5/Intel-Software-Guard-Extensions/Rest-API-or-HTTP-API-call-from-inside...:
"It is not possible to make calls directly to the outside world from inside an enclave. You must create ocalls from the enclave to your application, then the application can make the REST API or HTTP requests on behalf of the enclave."
I am new to sgx technology and I know if this is a real security leak or not. I think intel won't allow this security risk. What I am missing? Can you guide me on how to make a safe HTTP request using sgx tech?
Thanks
I might be a bit late, but I think this question deserves a bit more details.
When using Imte; SGX to create a TEE, your app is divided into two parts:
The latter is the most secure. Due to its limited resources (128/256Mb of RAM), it should be reserved for processes requiring a great amount of security: encryption, anonymization, and such.
To be clearer: the enclave is NOT the place to make HTTP calls.
For example, let's say your app calls an API, retrieves encrypted data, and decrypts it. The process would be the following (T = trusted = the enclave, U = untrusted = the app)
In other words, the enclave must be reserved for the sensitive part of the process, leaving the rest to the untrusted part of the app.