Remote attestation
As a best practice, your application should use remote attestation to prove its authenticity to clients.
As described in Attestation with Anjuna for AWS Nitro Enclaves, an attestation report proves that a specific application is running in a secure enclave. This prevents an attacker from impersonating your application and gaining unauthorized access to sensitive data.
There are two ways to use remote attestation with the Anjuna Nitro Runtime: boot-time secrets, and the enclave’s internal attestation endpoint.
Boot-time secrets
The Anjuna Nitro Runtime integrates with AWS KMS and (optionally) AWS S3 to securely provide secrets to Anjuna Nitro Enclaves at boot time. For example, your application may need access to database credentials or a TLS certificate. The boot-time secrets functionality can automatically retrieve these secrets by using remote attestation to authenticate to KMS. This ensures that no one else can access those secrets.
For more information, see Providing Secrets to the AWS Nitro Enclave.
Attestation endpoint
The Anjuna Nitro Runtime exposes an internal HTTP endpoint, only accessible from within an Anjuna Nitro Enclave, for generating attestation reports. This can be used to prove that a trusted Anjuna Nitro Enclave produced certain data, and to prevent replay attacks.
For example, a machine learning (ML) application can embed its inference result (or a hash of the result) in an attestation report. The client can verify that attestation report to confirm that a trusted application running in an enclave generated the result.
Your application can generate attestation reports using a Go library, or by using the HTTP endpoint directly:
-
HTTP example
$ userData=$(echo "Hello World!" | basenc --base64url)
$ curl http://localhost:50123/api/v1/attestation/report?userData=${userData} > report.bin
$ cat report.bin | basenc --base64 # to print the report's bytes in base64
A client can use the Go library to verify the resulting attestation report to confirm the authenticity of the enclave and the application-provided user data.
For more information on the attestation endpoint and example code, see Github: anjuna-security/go-nitro-attestation.