Overview
Attestation in Continuum is a cornerstone of the platform's security architecture, ensuring that all AI workloads are executed in a trusted environment. This process verifies the integrity and authenticity of AI workers and the underlying infrastructure before any data processing begins. By leveraging attestation, Continuum guarantees that only verified and trusted code can operate, safeguarding both the confidentiality and integrity of your data.
Attestation flow in Continuum
The attestation process in Continuum is designed to provide end-to-end security through the following steps:
- Client request: The process begins when client software sends a request to the Continuum platform, including a demand for attestation. The client verifies the identity and integrity of the attestation service by comparing its hardware attestation report against the configured manifest that contains the expected reference values. Once the client confirms the attestation service's integrity, it securely transmits the encryption keys to the attestation service.
- Attestation service verification: The attestation service verifies each AI worker's integrity by comparing the worker's attestation report against the predefined manifest. This manifest contains the expected measurements and configurations that define a secure and trusted environment. The attestation service ensures that only AI workers meeting these strict criteria are allowed to proceed.
- Key distribution: Once the attestation service confirms the AI worker's integrity, it securely grants the worker access to the necessary encryption keys. The client side encrypts the prompt first and sends it to the AI worker. This attestation-based key release ensures that the AI worker can decrypt and process the data only within a verified, trusted environment.
- Data processing: With successful attestation and key distribution, the AI worker processes the encrypted data within the sandbox of its confidential VM. This guarantees that all operations are conducted in a trusted and protected environment, maintaining the security and integrity of the entire process.
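The key-release decision in the steps above, sketched as an added example that is not Continuum's own code. HMAC with a constructed key stands in for the hardware's report signature, and the manifest layout, role names and function names are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for the hardware root of trust. Real confidential-computing
# hardware signs reports asymmetrically; HMAC keeps this sketch stdlib-only.
HW_ROOT_KEY = b"constructed-hardware-root-key"

# Constructed manifest: expected measurement per role (hypothetical layout).
MANIFEST = {
    "attestation-service": hashlib.sha256(b"attestation-service image v1").hexdigest(),
    "ai-worker": hashlib.sha256(b"ai-worker image v1").hexdigest(),
}


@dataclass(frozen=True)
class Report:
    role: str
    measurement: str
    signature: bytes


def _sign(role: str, measurement: str, key: bytes) -> bytes:
    return hmac.new(key, f"{role}:{measurement}".encode(), hashlib.sha256).digest()


def issue_report(role: str, image: bytes, key: bytes = HW_ROOT_KEY) -> Report:
    """Simulates the hardware measuring a launched image and signing the result."""
    measurement = hashlib.sha256(image).hexdigest()
    return Report(role, measurement, _sign(role, measurement, key))


def verify_report(report: Report, manifest: dict) -> bool:
    """Accept only if the signature chains to the trust anchor and the
    measurement equals the manifest's reference value for that role."""
    if not hmac.compare_digest(_sign(report.role, report.measurement, HW_ROOT_KEY), report.signature):
        return False
    expected = manifest.get(report.role)
    return expected is not None and hmac.compare_digest(expected, report.measurement)


def release_key(client_key: bytes, service: Report, worker: Report, manifest: dict = MANIFEST):
    """Client -> attestation service -> AI worker; returns the key or None."""
    if service.role != "attestation-service" or not verify_report(service, manifest):
        return None  # client refuses to hand its key to an unverified service
    if worker.role != "ai-worker" or not verify_report(worker, manifest):
        return None  # service refuses to release the key to an unverified worker
    return client_key
```

A report whose measurement differs from the manifest, whose signature does not chain to the trust anchor, or that is presented in the wrong role yields no key, so the prompt stays undecryptable outside a verified environment.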
Components of attestation
- Manifest: The manifest is a detailed record that lists the expected measurements and configurations for the attestation service and the AI workers. It serves as a reference point for a client to verify the attestation service and for the attestation service to verify the AI worker's environment before any data processing begins. By ensuring that only trusted configurations are allowed to execute, the manifest forms a critical part of Continuum's security model.
- Encryption and key management: Continuum tightly integrates encryption and key management with attestation. Encryption keys are distributed to AI workers only after successful attestation, ensuring that data remains protected at all times. This process guarantees that sensitive data is accessible only to verified and trusted workers, with keys securely transferred from the client to the attestation service and then to the AI worker.
- Trust anchors: Trust anchors are the fundamental elements in the attestation process, providing the necessary foundation for establishing a chain of trust. These include hardware-based roots of trust and predefined reference values, ensuring that only known and trusted entities can process sensitive data.
Chain of trust
In summary, there's a chain of trust based on cryptographic signatures that goes from the user to the AI worker via the attestation service. This is illustrated in the following diagram.