Is there some bytes limit in Encrypt or AsymmetricEncrypt?

Question

Is there some bytes limit in Encrypt or AsymmetricEncrypt?

ksy980418 opened this issue 9 months ago · comments

Hello

I'm trying to create some encrypting application using ehsm.

But I faced some error when I request Encrypt or AsymmetricEncrypt with more than some bytes of data.

For Encypt, the whole server exit with some malloc error.
And for AsymmetricEncrypt, it just fail with server exception.

Is there some limit with the bytes of data?

Thanks

Huang Yang · Answer 1 · Fri Sep 01 2023 17:32:43 GMT+0800 (China Standard Time)

https://github.com/intel/ehsm/blob/main/docs/API_Reference.md#createkey
6KB for symm. And for rsa, 318B if I remember correctly.
But if there is a server exception, could you provide a simple sample for us to reproduce?
Thanks.

ksy980418 · Answer 2 · Mon Sep 04 2023 22:00:55 GMT+0800 (China Standard Time)

Oh I see.
The limits is because of using SGX? or any other reasons?

When I send 1336 bytes for symm enc & dec, the server shows below result.

wbs79-System-Product-Name 19825 2023-09-04T22:58:40.422 INFO [function.js: line 427] - {"body":{"appid":"2648ee74-94c4-41fc-8d3a-3298112e8409","payload":{"aad":"dGVzdA==","keyid":"32f4d29f-5c79-4a8b-a67d-98c8ee628232","plaintext":"Mk0yeC4/P0JdPWc8ejU+SF1LIjd5SkJeeVc4anBKbUp7QlY8R1ZUMl89dXZUUWJtWChERCJ9cXd3SnlaNjotVF9QXk5KaV4nWEtFTm4ya0VYVE1vJGc9Qm0hXjhfMzl7MW8rbiIne3FcLT9HSihVM0xge01KTTw2PidOUTN1MlltVWw9Yi00Y0twcnp3LGQxWVBcTD95cERqZDFBaDd7RWxZcXQhdmJ+ZCV9W3xJVDc/VVtQc2JbYT4oTF9vWjczak42cCIjK35gSEwhKVNyUEcncGJxPyxDa1J0KyNHaDhLeXYiKFp1e0p1QXpsJm9jfjs4eylLQTlfdC53a31OLXBzK0Y+PyNNU1lDbUFHdGxzNCVoNGd8fjUtcCk8ISIpeT9RUjxVcH1uY3goYiknYnhPTip5PXl9aWQ4UnwzbydodS9AQjE+dlw6OXJ4J1ooUioofnt5ITNERkhXPHcsLmZAczcvLF1YbTpGIiZZWDA2Ol9JYTBQV3Q7PmVJY19ZQXFcLXw9QUBUXDdvQ2F8eyI2LFdOQGd5OV96VW1XOm4uKHVyfXMjQzVrYE8nLExtKiFBLjk1QHB7SExAIXowbl5OM2Ayfk10TVs6IWVnbzRKXW4oJkxWI1IqUnleXzovPiYvNT12Pj0xTnxROm1vNWhkR2tONF1BVjpyZzNxLyExQFx1en4wUzRwUThkMSxSWUEmO0xxZlFSSDdaJFtlYkovXCZNOzJWcWNpKEpdTlF9UUUueHJTbXMuZ0lPM1NwRFZHLXE/ZTJcTld2WHIvPSMxdnVTYlVWWypHQXNwW2Q0Z3cxenxYN2xyOlpHdXdGJHt8eXxUKFFPOj8uZ2hIM3R1OT9oK0d6dS4xQU1YcSV1P0t7VSxyO3FQLX5YQ2ordWIqUnt1ODJMU3tTcztye0wxPmBUfkk7LGREK3prMikjbVkmJCZIVU5DQU4tXiwoISN3LCEtQXUiSSx4UlpNLWBGQzNUTzd9N2tYa2Y3Y3F6MC50QmxgMzthdy4kPGhrVz9jJCtVeFYxemszcFhNPW1QL3hFJyEwUlZ6U3snUU0iL3JIKWdtdFVubHJEQEAlMHhlND4rVTNPekppI2l6Nn5CXUVKPT5uLS8iamV8RXlDWXF2V09HOWxHUTZDJFo2V1RcW0FaeWJ1an1adCZXKTIhfUd6dWlHPTYrOHRmbjstTytgfj5iImZ7UDNqPGtveVFWL0NZImJ8LT1DXTg9Y0xeWU9mM1hTVW82QTM0MClpIS4vKF1jXUMmNCRWOlF+Ul5LfnhgS2xnalhIR15HIjQ/PUdyVkpuJXM4Pz07YHdSLWNcZTVTNg=="},"timestamp":"1693835920419","sign":"/X3SV98zdaxrOxpWDCNA8R8M9lNwMc442LMIukb/kB0="},"query":{"Action":"Encrypt"},"ip":"143.248.249.162"}
wbs79-System-Product-Name 19825 2023-09-04T22:58:40.430 INFO [function.js: line 427] - {"body":{"appid":"2648ee74-94c4-41fc-8d3a-3298112e8409","payload":{"aad":"dGVzdA==","ciphertext":"ANrL5eidNeqR8f4UQ2F+0PIxBbRJ7ciPZi6cDcPLIvG+yGrBCRAtWsNz5qelGDt35PjORdUcpI4xKaHMTEjpnSD3RFMqZyNHnavzgeXjqm54g7TPNif7GrCnwKfLviB92/++kJpHOuf1uhyUsetKyJjyImPUbQmHQZ5pDtxMfO+qKWGKfgTU5fIQgeQ3tPi6+6c5RJjbRGs3UrcC0g47YJ+Izf14frsz2ZiEEH6/CiLze6f70G3sErckC5Hh5ojdp1RiaVsUnR9HC/4eFf0qfCJbjJTSzuj361OFGhr/iEN9KhqIh9o2sdAREsMzQEjfOAbQp4kcZqV0HzXfTfAwJW6TvmG/ACvGVnEcNQVmS8rqqrycv/sM5grHzgtG8kHUdtYnAmq7uJuBjFWfL0XVISP2yvJJMOLl+eGuDepsh3LaRY10MONye5aoJWw03YusoQ1OYKuofkQgDY6oesw5yNYSoeKxw16OChLg9VFR/PzyghGr/gwYW6FgGzWtJSZKpf4h1JBeMkL11qVsvE0RRUloaCcLGgAq/EOpqY5qP8Lx6cFRLRlKqmKdQOMT9B0TjvrWMb0/tUiZxZQne/yKPIhBwGVTQoUC8rrqL+VLtLHEPltcvifLJyJ3fid2WdBXcoYw+FnAjr87ViY1g8bLBtQ31hz/6h+GErSAWgFME0H/5Q3touYEctB+wQ9CAQE2YtxtPwH4iP7azV79Q0HxoAmU4LC4EAyJ8uIkIDU92+QM4SnJbITkMucLaf8+0HHGWDEal7xHDri86BjikMSNac0eXH9IX+WWpmCxu9hNSMbm6n7WBqKi/G9P65TxuI7mMCs8tY71HDYp6lZIszetUfJ7/v3BqA6p5AWlPUayIPNy0k+ZHASq6IkNQc7albGO4lR60MVsn8q1gyR64RYp700MAoV8j1n4WFM/2YsXRl14VihI72J6uyY21GWEX41Wj9S0DVuVLcKaauv9TdsF69sNMpDphihP2BuwXXHNj9+mw6GEXv8+KA0AYSzjgm8Xqro2WfWig1ENx8WQ0ZAvfg5ErQCPFhvqDIqtlE0WsTOHL1wLkGOQ7bjZciQSV9WX5IHzC1jBbPAQnVGyVzdzHDGQf8GvvxP+bJIsBHcIQdH2k2cZMw0kZUwTesyuXld2EqZRyKcUsaD4OSCCL5XXrLZULDHDq6HuZGX2rJwhljtNmlfDFKCirdvsNDYk427yyJ4c7ej7dlV/2K3utaxaxbj7GMFfs5A34pxOKnlZOnXRpDEebf3GT3gJODitAZ4LNfD0y/KlA3v6AKQfpdH9SxGn+EmYg6rAh3MLB91tWHFuplKVFU5at2dlv7XGPW4VxmdLEDQ5dFfQLrajGXMiSZSc1Ko=","keyid":"32f4d29f-5c79-4a8b-a67d-98c8ee628232"},"timestamp":"1693835920426","sign":"w/y7ggLVKzaUJ/nnRfbcOsztNZ2Uqd7Q2fuLPtKa3FA="},"query":{"Action":"Decrypt"},"ip":"143.248.249.162"}
malloc(): invalid size (unsorted)
./run_with_single.sh: line 70: 19824 Aborted                 sudo node ./ehsm_kms_server.js run_mode=$EHSM_RUN_MODE port=$EHSM_KMS_PORT

Huang Yang · Answer 3 · Tue Sep 05 2023 10:25:18 GMT+0800 (China Standard Time)

Thanks. We will have a try. Your data is less than 6K. It should be supported.
If your data is greater than 6K, you can get a data key from ehsm by https://github.com/intel/ehsm/blob/main/docs/API_Reference.md#GenerateDataKey, and use the key to encrypt/decrypt in your own side.
The reasons of such size limitation are 1. SGX EPC is limited. 2. Align with Cloud KMS e.g. Amazon and Alibaba. Resource is also limited in HSM.

Thanks.

Huang Yang · Answer 4 · Wed Sep 13 2023 16:14:10 GMT+0800 (China Standard Time)

Can you try the latest code for symm enc/dec? It should be fixed.
For asymm, the supported length varies by mode, padding and key length:

RSA2048 PKCS1 245
PKCS1_OAEP 214
RSA3072 PKCS1 373
PKCS1_OAEP 342
RSA4096 PKCS1 501
PKCS1_OAEP 470
SM2 - 255

You can also refer to this function:
get_asymmetric_max_encrypt_plaintext_size: https://github.com/intel/ehsm/blob/main/core/Enclave/enclave_hsm.cpp#L42