SafeKeeper is a server-side technology for protecting password databases. SafeKeeper's server-side password protection service is a drop-in replacement for standard password hashing functions. It computes a cipher-based message authentication code (CMAC) on passwords before they are stored in the database. An adversary must obtain the CMAC key in order to perform offline guessing attacks against a stolen password database. SafeKeeper generates and protects this key within a Trusted Execution Environment, realized using Intel's Software Guard Extensions (SGX) technology.
-
Install SGX SDK:
- Download and install Intel SGX SDK for Linux
- Set the SGX-SDK variable in the Makefile to the location of your SGX SDK (by default this variable is set to /opt/intel/sgxsdk).
- Set the SIGNING-KEY variable in the Makefile to point to an enclave signing key. If needed, generate a signing key following Intel's Enclave Signing Examples. If you do not already have a signing key, you can generate one following Intel's OpenSSL Examples (by default this variable is set to ./src/enclave/enclave_private.pem).
-
Build the 3rd party and SafeKeeper libraries
- Clone and build the safekeeper-libs
- Make sure that the Makefile Lib_Dir variable points to the right directory (
safekeeper-libs), and the paths to the 3rd party libraries are correct. - Run
make. This will generate objects underbuilddirectory and safekeeper executable. The enclave will be put underbuild/enclave. By default, SafeKeeper will be built in hardware (HW) mode. To build in simulation mode, runmake SGX_MODE=SIMor change the SGX_MODE variable in the Makefile. - To test the build run
./testing_app. There is no need to build the PHP extension for that.
Run ./safekeeper. Note that the in order to deploy SafeKeeper in production,
the safekeeper server should be running as a service. Details on how to do it
depend on the particular Linux distribution.
By default, the server listens on port 7000 at localhost.
It is possible to pass the port to the server at command line.
In order for the Remote Attestation to work, fill in the SPID obtained from Intel in safekeeper.cpp
-
To build the PHP extension:
- Install
php-devpackage of your Linux distribution. It is necessary to build PHP-CPP library. Refer to its README file for more details. - From the safekeeper-libs repo, run
git submodule initandgit submodule updatethat will fetch PHP-CPP library from its GitHub repository at PHP-CPP - In the php_cpp directory, build the PHP-CPP library and install it.
- In the safekeeper-server repo, run
make php. The PHP extension will be atbuild/php/safekeeper.so.
- Install
-
To install the PHP extension
- Run
$ sudo make install
It will copy the extension and the enclave library to the PHP
extensions directory (on Ubuntu 16.04 with PHP version 7.0 it is
/usr/lib/php/20151012/, the following instructions assume the same OS and PHP version).
- To enable the extension, copy
src/php/safekeeper.inito/etc/php/7.0/mods-available. Depending on the way PHP is run, enable the extension by creating a corresponding symlink under/etc/php/7.0/(cgi)/conf.d. For example, to have the extension available on the command-line PHP server:
$ sudo ln -s /etc/php/7.0/mods-available/safekeeper.ini /etc/php/7.0/cli/conf.d/30-safekeeper.ini
-
Install WordPress for PHP (e.g. on Ubuntu run
sudo apt-get install wordpress) and locate the wordpress root directory (e.g. /usr/share/wordpress on Ubuntu). This contains your wp-includes directory. -
Ensure your PHP include path includes the wordpress root directory e.g. by editing the include_path variable in /etc/php/7.0/cli/php.ini.
-
In the wp-includes directory, rename class-phpass.php to class-phpass-original.php.
-
Copy class-phpass.php from safekeeper-server/src/php into the wp-includes directory.
-
The PHP extension connects to default port 7000 of SafeKeeper service. If the port is to be changed, edit
src/php/php_module.cpp. Specifying the port in the PHP extension configuration file is a desirable feature. -
Test the setup:
$ php -f tests/perf.php
If the setup was successful, it will output how long it took to CMAC 1,000 passwords with SGX and without SGX.