# Remote Attestation Protocol

Hardware-backed trust verification using Trusted Execution Environments.
## Overview

Remote attestation lets a remote verifier obtain machine-checkable proof that an agent's identity operations (key custody, signing, policy enforcement) are running as specific, measured code inside a genuine, up-to-date TEE. It proves which code is running on which hardware; it does not prove that the code is free of bugs. This is the foundation for the long-term goal of moving Identity Sentinel into a TEE.
## What is Remote Attestation?

An attester running inside a TEE produces evidence (a quote or attestation document) that a verifier checks before a relying party grants access. The roles follow the RATS architecture (RFC 9334):

```text
Attester (TEE)                Verifier                 Relying Party
      │                          │                           │
      │ 1. Generate evidence     │                           │
      │    (quote/attestation)   │                           │
      │─────────────────────────▶│                           │
      │                          │ 2. Validate evidence      │
      │                          │    - Cert chain           │
      │                          │    - Measurements         │
      │                          │    - Security version     │
      │                          │ 3. Issue verdict          │
      │                          │──────────────────────────▶│
      │                     4. Grant access                  │
      │◀─────────────────────────────────────────────────────│
```

## TEE Technologies

### Intel SGX
Section titled “Intel SGX”Intel Software Guard Extensions provides hardware-isolated enclaves.
```text
┌──────────────────────────────────────────┐
│ Application                              │
│  ┌──────────────────────────────────┐    │
│  │ SGX Enclave                      │    │
│  │  ┌──────────────────────────┐    │    │
│  │  │ Identity Sentinel Core   │    │    │
│  │  │ • Master Key custody     │    │    │
│  │  │ • Signing operations     │    │    │
│  │  │ • Policy enforcement     │    │    │
│  │  └──────────────────────────┘    │    │
│  └──────────────────────────────────┘    │
│                                          │
│ Untrusted code (OS, hypervisor)          │
└──────────────────────────────────────────┘
```

Key properties:

- Enclave memory is encrypted and integrity-protected by the CPU
- The OS and hypervisor cannot read enclave data, but they still control scheduling and page tables, which is where many side channels originate
- Remote attestation via Intel DCAP (ECDSA quotes verified against Intel's PCK certificate chain)
Attestation flow:

1. The enclave generates a REPORT (the local attestation structure).
2. The Quoting Enclave signs it into a QUOTE.
3. The quote contains:
   - MRENCLAVE (code measurement)
   - MRSIGNER (signer identity)
   - Security version number (ISVSVN)
   - Custom data (nonce, public key) in the 64-byte REPORTDATA field
4. The verifier checks the quote signature and the platform TCB status against Intel's certificates and collateral (TCB info, QE identity).

### AWS Nitro Enclaves

AWS Nitro Enclaves provide isolated compute environments carved out of an EC2 instance.
```text
┌────────────────────────────────────────────────────────┐
│ EC2 Instance                                           │
│  ┌────────────────────────────────────────────────┐    │
│  │ Nitro Enclave                                  │    │
│  │  ┌────────────────────────────────────────┐    │    │
│  │  │ Identity Sentinel Service              │    │    │
│  │  │ • Key unwrap via KMS attestation       │    │    │
│  │  │ • Sign/verify operations               │    │    │
│  │  └────────────────────────────────────────┘    │    │
│  └────────────────────────────────────────────────┘    │
│                        │                               │
│                   vsock only                           │
│                        │                               │
│  ┌────────────────────────────────────────────────┐    │
│  │ Parent Instance                                │    │
│  │ • No direct access to enclave memory           │    │
│  │ • Communicates via vsock                       │    │
│  └────────────────────────────────────────────────┘    │
└────────────────────────────────────────────────────────┘
```

The enclave has no persistent storage and no network interface of its own; every byte in or out crosses vsock to the parent instance, which is untrusted for confidentiality but must still be trusted for availability.

KMS integration:
```js
// Enclave requests key unwrap with attestation (pseudocode)
const attestationDoc = await getAttestationDocument({
  publicKey: ephemeralPubKey,   // DER-encoded RSA public key generated inside the enclave
  nonce: randomNonce
});

// KMS verifies the document's signature and compares its PCRs with the key
// policy (condition keys such as kms:RecipientAttestation:ImageSha384 and
// kms:RecipientAttestation:PCR0) before returning the master key re-encrypted
// to ephemeralPubKey, so the parent instance only ever sees ciphertext
const unwrappedKey = await kms.decrypt({
  ciphertext: wrappedMasterKey,
  attestationDocument: attestationDoc
});

// Master key now in enclave memory only
```

## SAP Attestation Architecture

### Long-Term Goal

Move Identity Sentinel from a local library to a TEE-backed service:
```text
┌─────────────────────────────────────────────────────────────────┐
│ SAP TEE Architecture (Future)                                   │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│  ┌────────────────────┐           ┌────────────────────┐        │
│  │ Agent Runtime      │   RPC     │ TEE: Identity      │        │
│  │ (untrusted)        │──────────▶│ Sentinel Service   │        │
│  │                    │           │                    │        │
│  │ • Planner          │           │ • Master Key       │        │
│  │ • Tools            │           │ • Sign/verify      │        │
│  │ • UI               │           │ • Policy eval      │        │
│  └────────────────────┘           └─────────┬──────────┘        │
│                                             │                   │
│                                        attestation              │
│                                             │                   │
│                                             ▼                   │
│                                   ┌────────────────────┐        │
│                                   │ Verifier + KMS     │        │
│                                   │ Key Release        │        │
│                                   └────────────────────┘        │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘
```

## Attestation-Gated Key Provisioning

Pattern: No Key at Rest

1. Enclave starts with NO secrets
2. Generate ephemeral keypair inside TEE
3. Request attestation document
   - Binds ephemeral pubkey to measurement
4. Verifier validates attestation
   - Check measurement against allowlist
   - Check security version
   - Check debug flags
5. Wrap Master Key to ephemeral pubkey
6. Enclave unwraps Master Key
   - Key exists only in TEE memory
   - Host never sees plaintext

## What to Attest

For autonomous agents, attestation should cover the security-critical core:
| Component | Include in Measurement? | Reason |
|---|---|---|
| Identity Sentinel | ✅ Yes | Key handling, signing |
| Tool policies | ✅ Yes | Security boundaries |
| Build provenance | ✅ Yes | Supply chain |
| LLM weights | ❌ No | Too dynamic |
| Prompts | ❌ No | Frequently changing |
Principle: Measure a stable Identity/Policy Kernel, not the entire agent. Whatever is left out of the measurement is not covered by the verdict, so record hashes of the weights and prompts in the audit trail instead, where they remain accountable without forcing a re-attestation on every change.
## Attestation-Driven Workflow

### Workload Identity Token

1. TEE produces attestation evidence
2. Verifier validates it and issues a short-lived token
3. Token authorizes:
   - Master Key unwrap
   - Capability token requests
   - Tool access
4. Re-attest periodically for long-running agents

### Continuous Controls

| Control | Implementation |
|---|---|
| Freshness | Verifier-chosen nonce in every evidence request, plus a timestamp; evidence that does not carry the current nonce is rejected |
| Re-attestation | Tokens live minutes, not hours, so a long-running agent must re-attest to keep operating |
| Revocation | Deny list of known-bad measurements and a minimum security version, checked before the allowlist |
| Rollback defense | Monotonic counter or append-only log kept outside the TEE; reject evidence whose counter or version is lower than the last accepted value |
## Implementation Roadmap

### Phase A: AWS Nitro (Pragmatic)

Target: production-ready TEE deployment

Components:

- Nitro Enclave for Identity Sentinel
- KMS attestation-gated key access
- vsock RPC interface

### Phase B: Multi-TEE Abstraction

Target: portable across TEE backends

Components:

- Standardized evidence format
- Plugin architecture for SGX/TDX/SEV
- Unified verification interface

### Phase C: Attested Capabilities

Target: tool access requires attestation

Components:

- Capability tokens from verified workloads
- Per-tool attestation requirements
- Audit trail of attested operations

## Security Analysis

### Threat Model

| Threat | TEE Mitigation |
|---|---|
| Host OS compromise | Enclave memory isolated |
| Admin access | Cannot read enclave secrets |
| Memory inspection | Hardware encryption |
| Code tampering | Measurement verification |
### Limitations

| Limitation | Reality |
|---|---|
| Side channels | Demonstrated in practice against shipping TEEs (cache, page-fault and transient-execution attacks); microcode updates and constant-time enclave code reduce but do not remove the risk |
| Physical access | Vendor threat models differ (SGX memory encryption resists some physical attacks, Nitro relies on AWS physical controls); decide explicitly whether physical access is in scope for yours |
| Supply chain | Attestation proves which binary is running, not that it is the binary you reviewed; reproducible, signed builds close that gap |
| Bugs in enclave code | A memory-safety bug or logic error inside the enclave is attested as "expected" code and runs with full access to the keys |

TEEs are risk-reducing, not magic. They protect key custody and provide attestation, but they do not prevent logical vulnerabilities in the code you put inside them.
## Example: Nitro Enclave Key Release

```js
// Inside the Nitro Enclave (Node.js). The NSM binding and the CMS parser behind
// decryptWithEphemeral are project-side helpers; the KMS Decrypt call and its
// Recipient parameter are the AWS API.
const crypto = require('crypto');
const { KMSClient, DecryptCommand } = require('@aws-sdk/client-kms');
const { getAttestationDocument } = require('aws-nitro-enclaves-nsm-api');

// KMS traffic leaves the enclave through a vsock proxy on the parent instance.
const kmsClient = new KMSClient({ region: process.env.AWS_REGION });

async function getMasterKey(wrappedKey) {
  // Ephemeral RSA key for this session. KMS only supports RSAES_OAEP for the
  // Recipient field, so the key must be RSA (2048, 3072 or 4096 bits), not X25519.
  const ephemeralKey = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

  // Attestation document binding our DER-encoded public key and a fresh nonce
  // to this enclave's PCR measurements.
  const attestation = await getAttestationDocument({
    publicKey: ephemeralKey.publicKey.export({ type: 'spki', format: 'der' }),
    nonce: crypto.randomBytes(32),
    userData: Buffer.from('identity-sentinel-v1'),
  });

  // KMS validates the document against the key policy's PCR conditions. Because
  // Recipient is set, the response carries the plaintext re-encrypted to our
  // ephemeral public key in CiphertextForRecipient; Plaintext is left empty.
  const result = await kmsClient.send(new DecryptCommand({
    CiphertextBlob: wrappedKey,
    Recipient: {
      KeyEncryptionAlgorithm: 'RSAES_OAEP_SHA_256',
      AttestationDocument: attestation,
    },
  }));

  // CiphertextForRecipient is a CMS EnvelopedData blob: RSA-OAEP-decrypt the
  // content-encryption key with the ephemeral private key, then decrypt the
  // enveloped content (helper not shown).
  const masterKey = decryptWithEphemeral(result.CiphertextForRecipient, ephemeralKey.privateKey);

  return masterKey; // Only exists in enclave memory
}
```
## Related

- Identity Sentinel — Current local implementation
- Key Hierarchy — Keys to protect
- TEE Research — Full analysis
- Key Management Guide — Best practices