Skip to content
Using SGX to harden password hashing
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.

Using SGX to harden password hashing

SGX is a way of running security-sensitive user-mode code in an 'enclave'. Code running in an enclave has its memory encrypted and authenticated, and cannot be observed by code running anywhere else. It's able to use device-specific keys to encrypt ('seal') data to future executions of itself or enclaves signed by the same key.

This project does PBKDF2 password hashing inside an SGX enclave. Password hashes are only available to enclaves which have been enrolled in a 'region', and therefore no amount of database leakage will jeopardise user passwords. Your stack of GPUs are useless here.

A region is represented with a AES key, and enclaves in a region have a copy of it sealed to them. The key itself can be kept offline and only used when enrolling new enclaves or doing disaster recovery.

See my corresponding blog post here.


This is extremely experimental. Use at your own risk. There is no warranty.

This repo includes a trivial region key, the enclave signing private key and the enclave runs in debug mode, so this in fact provides no meaningful security.


Interesting files:


You will need:

  • The Intel SGX SDK.
  • Visual Studio 2012 (a prerequisite of the SGX SDK).
  • The Intel SGX Platform Software (comes with SDK) along with SGX-supporting hardware (a Skylake CPU and working BIOS). The SDK supports a simulator; I haven't tried that.

As a fairly obvious result of all this, this is Windows only for the moment.

Once you've got all that sorted, you should merely be able to load the solution and hit run.

I've tested this on a Dell Inspiron 5559 laptop.

You can’t perform that action at this time.