Attestation is a feature provided by enclaves to help verify that the user is communicating with a known enclave. Using hashing algorithms and public key cryptography, the user is able to verify that the enclave is the enclave they are expecting and create a secure channel of communication. AWS Nitro Enclaves provide platform configuration registers (PCRs) which contain hexadecimal values that help the user determine exactly what is running inside the enclave. These hexadecimal values are hashes of the software running inside the enclave, as well as hashes of the certificate that signed the software.
We will use the Cape CLI and running a function on Cape as an example. Attestation will work exactly the same way with any SDK provided by Cape. Only what happens after attestation will be different.
When a user runs the command
cape run <ID> -f input, the CLI begins the step-by-step process of bootstrapping a secure connection with the enclave. The first step in this process is establishing a websocket connection with the enclave. During this step, the CLI sends an authentication token that can be validated by the enclave to confirm the identity of the caller. After this the enclave returns the attestation document back to the client. The first thing the CLI does is decode the message, then extracts the certificate stored on the payload to verify that that certificate signed the message. To be able to trust this certificate, the CLI must also validate the certificate chain against the AWS Nitro Enclave root certificate. After these two steps the CLI has confirmed that it is correctly communicating with an enclave running in the AWS Nitro Enclave service.
For further confirmation that the CLI is communicating with the Cape software, it needs to validate that the PCRs returned in the attestation document match expected values. We provide access to the enclave image files (EIFs) that we run in the enclave. These can be downloaded, inspected, and the PCRs can be directly extracted from them. These PCRs can then be used to compare with the PCRs that are returned during attestation. We provide a CLI command called
cape get-pcrs that extracts the PCRs from the latest version of the Cape EIF. These can then be passed to any of the Cape features (i.e. run, deploy, encrypt) to additionally verify the PCRs.
After the attestation there is a secure channel open between the client and the enclave which is an end to end TLS connection. For further protection, the CLI automatically uses the public key sent in the attestation document to encrypt input data that only the enclave can decrypt.