Managing Groups with iKGF

The issuer handles group membership and revocation. To provision devices with Intel® EPID keys, you need to process data provided by the issuer. Also, in order to revoke a member, you have to generate a revocation request and send it to the issuer.

This section assumes you are using iKGF as your issuer, and describes how to do the following:

  • Create group revocation request for iKGF
  • Create member private key revocation request for iKGF
  • Create signature revocation request for iKGF
  • Extract group public keys from iKGF files
  • Extract member private keys from iKGF files

After you send revocation requests to the issuer, the issuer updates the revocation lists as needed.

The Intel® EPID SDK provides tools designed to make it easier to generate revocation requests and extract keys from iKGF files.

Contacting iKGF

If you want to use the Intel Key Generation Facility (iKGF) as the issuer, contact info@digital-cp.com to get started.

Tools for Creating Revocation Requests

The Intel® EPID SDK includes tools to help you request that iKGF add a revoked group, member private key, or signature to a revocation list.

These tools are designed to create a revocation request in the specific format required by iKGF. After one of these tools generates a revocation request, the request must be submitted to the issuer in order for the revocation to take effect.

To access the tools, go to _install/epid-sdk/tools in the SDK directory.

You need to build the SDK before you can use these tools. For more information, refer to Building from Source.

The following tools are available:

Tool        Purpose
---------   --------------------------------------------
revokegrp   Create group revocation request
revokekey   Create member private key revocation request
revokesig   Create signature revocation request


Requesting Group Revocation

The revokegrp tool adds a group to the revocation request file.

Usage: revokegrp [OPTION]...
Revoke Intel(R) EPID group

Options:
  --gpubkey=FILE
      load group public key from FILE (default: pubkey.bin)

  --capubkey=FILE
      load IoT Issuing CA public key from FILE

  --reason=NUM
      revocation reason (default: 0)

  --req=FILE
      append group revocation request to FILE (default: grprlreq.dat)

  -h, --help
      display this help and exit

  -v, --verbose
      print status messages to stdout


Requesting Private Key Revocation

The revokekey tool adds a member private key to the revocation request file.

Usage: revokekey [OPTION]
Revoke Intel(R) EPID private key

Options:
    --mprivkey=FILE
        load private key to revoke from FILE (default: mprivkey.dat)

    --req=FILE
        append private key revocation request to FILE (default: privreq.dat)

    -h, --help
        display this help and exit

    -v, --verbose
        print status messages to stdout

The following options are only needed for compressed keys:

    --gpubkey=FILE
        load group public key from FILE (default: pubkey.bin)

    --capubkey=FILE
        load IoT Issuing CA public key from FILE


Requesting Signature Revocation

The revokesig tool creates a request to add a signature to the revocation request file.

revokesig only accepts valid signatures for addition to the revocation request.

Usage: revokesig [OPTION]...
Revoke Intel(R) EPID signature

Options:
  --sig=FILE
      load signature to revoke from FILE (default: sig.dat)

  --msg=MESSAGE
      MESSAGE used to generate signature to revoke

  --msgfile=FILE
      FILE containing message used to generate signature to revoke

  --gpubkey=FILE
      load group public key from FILE (default: pubkey.bin)

  --capubkey=FILE
      load IoT Issuing CA public key from FILE

  --req=FILE
      append signature revocation request to FILE (default: sigrlreq.dat)

  -h, --help
      display this help and exit

  -v, --verbose
      print status messages to stdout
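A batch wrapper around the signature revocation flow, added here as an example; it is not part of the Intel EPID SDK. It assumes the SDK has been built and the tools sit under _install/epid-sdk/tools (the path given above); the TOOLS_DIR and DRY_RUN variables, the one-pair-per-line manifest format and the function names are constructed for this example. It uses only the revokesig options listed above, checks that every input file exists before the tool is started, and counts each non-zero exit status as a failed entry, which is how a signature that does not verify under the group public key shows up in a batch.

```shell
#!/bin/sh
# Added example, not part of the Intel EPID SDK: build signature revocation
# requests for a batch of signatures with the revokesig tool.
# Assumes a built SDK with the tools under _install/epid-sdk/tools (the
# path the page gives). TOOLS_DIR, DRY_RUN, the manifest format and the
# function names are constructed for this example.

TOOLS_DIR="${TOOLS_DIR:-_install/epid-sdk/tools}"
DRY_RUN="${DRY_RUN:-0}"   # 1 = print the commands instead of running them

# build_revokesig_cmd SIG MSGFILE GPUBKEY CAPUBKEY REQ
# Prints the revokesig command line for one signature, using only the
# options documented for the tool. Fails if any input file is missing,
# so a wrong path is caught before the tool is ever started.
build_revokesig_cmd() {
    s_file="$1"; m_file="$2"; g_file="$3"; c_file="$4"; r_file="$5"
    for f in "$s_file" "$m_file" "$g_file" "$c_file"; do
        [ -f "$f" ] || { echo "missing input file: $f" >&2; return 1; }
    done
    printf '%s --sig=%s --msgfile=%s --gpubkey=%s --capubkey=%s --req=%s -v\n' \
        "$TOOLS_DIR/revokesig" "$s_file" "$m_file" "$g_file" "$c_file" "$r_file"
}

# revoke_signatures MANIFEST GPUBKEY CAPUBKEY REQ
# MANIFEST holds one "<signature file> <message file>" pair per line (a
# format made up for this example). Each pair is appended to REQ with
# revokesig. revokesig rejects signatures that do not verify, so a
# non-zero exit status is counted as a failure and the batch continues;
# the function itself fails if any entry failed.
revoke_signatures() {
    manifest="$1"; g_file="$2"; c_file="$3"; r_file="$4"
    failed=0
    while read -r sig msg || [ -n "$sig" ]; do
        [ -n "$sig" ] || continue          # skip blank lines
        if ! cmd=$(build_revokesig_cmd "$sig" "$msg" "$g_file" "$c_file" "$r_file"); then
            failed=$((failed + 1)); continue
        fi
        if [ "$DRY_RUN" = 1 ]; then
            echo "$cmd"
        elif ! $cmd; then
            echo "revokesig rejected $sig" >&2
            failed=$((failed + 1))
        fi
    done < "$manifest"
    echo "$failed entries failed" >&2
    [ "$failed" -eq 0 ]
}

# Usage: sh revoke-batch.sh MANIFEST pubkey.bin cacert.bin sigrlreq.dat
if [ $# -ge 4 ]; then
    revoke_signatures "$@"
fi
```

Run with DRY_RUN=1 first to see the exact command lines that would be executed. Because one rejected or missing entry does not stop the batch, the request file you submit to iKGF contains every signature that verified, and the count on stderr tells you how many still need attention.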

Tools for Extracting Keys from iKGF Files

The Intel® EPID SDK includes tools to help you extract individual keys from files provided by the Intel Key Generation Facility (iKGF).

To access the tools, go to _install/epid-sdk/tools in the SDK directory.

You need to build the SDK before you can use these tools. For more information, refer to Building from Source.

The following tools are available:

Tool          Purpose
-----------   -----------------------------
extractgrps   Extracts group public keys
extractkeys   Extracts member private keys


Extracting Group Public Keys

The extractgrps tool extracts group public keys from the input file to the current directory.

Usage: extractgrps [OPTION]... [FILE] [NUM]
Extract the first NUM group certs from FILE to current directory

Options:
  -h, --help
      display this help and exit

  -v, --verbose
      print status messages to stdout


Extracting Member Private Keys

The extractkeys tool extracts member private keys from the input file to the current directory.

Usage: extractkeys [OPTION]... [FILE] [NUM]
Extract the first NUM private keys from FILE to current directory.

Options:
  -c, --compressed
      extract compressed keys

  -h, --help
      display this help and exit

  -v, --verbose
      print status messages to stdout
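Both extraction tools write into the current directory, so a practical habit is to give each iKGF file its own empty directory. The wrapper below does that; it is an added example and not part of the Intel EPID SDK. It assumes a built SDK with the tools under _install/epid-sdk/tools (the path given above); TOOLS_DIR, the helper names and the output-directory convention are constructed for this example. The wrapper resolves paths before changing directory, refuses to run if the target directory already contains files, leaves the caller's working directory unchanged, and reports how many files the tool produced so the count can be compared with the NUM you asked for.

```shell
#!/bin/sh
# Added example, not part of the Intel EPID SDK: run extractgrps or
# extractkeys inside a dedicated empty directory. The tools write the
# extracted keys into the current directory, so one directory per iKGF
# file keeps keys from different deliveries apart. Assumes a built SDK
# with the tools under _install/epid-sdk/tools (the path the page gives);
# TOOLS_DIR and the helper names are constructed for this example.

TOOLS_DIR="${TOOLS_DIR:-_install/epid-sdk/tools}"

# Print the absolute path of an existing file or directory.
abspath() {
    if [ -d "$1" ]; then
        (cd "$1" && pwd)
    else
        printf '%s/%s\n' "$(cd "$(dirname "$1")" && pwd)" "$(basename "$1")"
    fi
}

# extract_into DIR TOOL FILE NUM [TOOL-OPTION...]
# Runs "$TOOLS_DIR/TOOL [TOOL-OPTION...] FILE NUM" with DIR as the
# working directory and prints the number of files the tool produced.
# The caller's working directory is left unchanged, and nothing runs if
# DIR already contains files.
extract_into() {
    dir="$1"; tool="$2"; file="$3"; num="$4"; shift 4
    case "$tool" in
        extractgrps|extractkeys) ;;
        *) echo "unknown tool: $tool" >&2; return 1 ;;
    esac
    [ -f "$file" ] || { echo "missing input file: $file" >&2; return 1; }
    mkdir -p "$dir" || return 1
    if [ -n "$(ls -A "$dir")" ]; then
        echo "refusing to extract into non-empty directory: $dir" >&2
        return 1
    fi
    # Resolve paths first: TOOLS_DIR and FILE may be relative to the
    # caller's directory, not to DIR.
    tool_bin=$(abspath "$TOOLS_DIR")/$tool
    in_file=$(abspath "$file")
    ( cd "$dir" && "$tool_bin" "$@" "$in_file" "$num" ) || return 1
    ls -A "$dir" | wc -l | tr -d ' '
}

# Usage (file names are placeholders):
#   sh extract-into.sh ./groups extractgrps groups.bin 3 -v
#   sh extract-into.sh ./members extractkeys members.bin 10 -c
if [ $# -ge 4 ]; then
    extract_into "$@"
fi
```

Pass any tool options (such as -v, or -c for compressed member keys) after NUM; the wrapper places them before FILE and NUM, matching the usage line of each tool.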