Attesting Remote Services and Applications
Problem Description
Consider that you operate a confidential service S or an application A consisting of a set of multiple services. In both cases, clients connect to a service S via TLS.
Each client wants to ensure that S (and all services used by S) runs inside an enclave, runs the expected code, and is properly configured. A client C is running at a remote site, i.e., not in the same cluster as S.
How can C attest that S is properly set up?
Approach
Service Deployment
The provider of S / A performs the following steps:
- Create a policy P_S for service S and all services of application A
- store this in a CAS CS via scone session create
- ensure that these policies do not define any explicit secret values
 - if you need explicit secret values, import them from another policy with very limited read access (see secret sharing)
 - permit clients to read the service policy P_S (see access control)
 - P_S generates or imports a CA certificate and generates with this a certificate Ce for the service S,
 - P_S exports the CA certificate that generated Ce (see export_public).
 - service S will use Ce and its private key for TLS (see secret injection files)
 
Client (Runtime)
Each client C
- when connecting to S via TLS, C only accepts CA as valid certificate authority for the TLS certificate provided by S (by limiting the root certificates to CA or by defining name constraints for the root certificates)
- since the policy of S ensures that only a correctly configured service, executing inside of an enclave, can get access to a certificate Ce issued by CA,
 - being able to establish a TLS connection to S means that S satisfies all constraints of its security policy P_S.
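The runtime check above, as an added example in Go (not code from this page or from SCONE): the client's trust store holds only CA, so the handshake succeeds only if S presents a certificate issued by that CA. The CA and Ce are generated locally as stand-ins for what P_S creates and exports; in a real client, CA would be the certificate retrieved from CAS. The helper names `issue` and `handshake` and the `.example` host names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http/httptest"
	"time"
)

// issue stands in for policy P_S: parent == nil yields the CA, otherwise Ce (errors dropped for brevity).
func issue(cn string, parent *tls.Certificate) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), DNSNames: []string{cn},
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Minute),
		NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	signer, signKey := t, any(key) // self-signed unless a parent is given
	if parent != nil {
		signer, signKey = parent.Leaf, parent.PrivateKey
	} else {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, signer, pub, signKey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// handshake runs a local stand-in for S presenting cert and connects as client C trusting only ca.
func handshake(cert, ca tls.Certificate, name string) error {
	s := httptest.NewUnstartedServer(nil)
	s.TLS = &tls.Config{Certificates: []tls.Certificate{cert}}
	s.StartTLS()
	defer s.Close()
	pool := x509.NewCertPool() // starts empty, so the system root store is never consulted
	pool.AddCert(ca.Leaf)
	conn, err := tls.Dial("tcp", s.Listener.Addr().String(), &tls.Config{RootCAs: pool, ServerName: name})
	if err == nil {
		conn.Close()
	}
	return err
}

func main() {
	ca := issue("policy-ca.example", nil)
	fmt.Println("handshake error with pinned CA:", handshake(issue("s.example", &ca), ca, "s.example"))
}
```

A server certificate issued by any other authority, or one issued for a different host name, makes `handshake` return a verification error instead of `nil`.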
 
 
Client (Development/Deployment)
When client C is built or, alternatively, during deployment time, one:
- attests CAS CS via the CLI scone cas attest,
- verifies the policy (a.k.a. session) of each service of application A using scone session verify, and
- retrieves the CA certificate from CAS via its REST API (see flask demo).