Encrypting everything with AWS - SEP402 - AWS re:Inforce 2019

© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Encrypting everything with AWS
Colm MacCáthaigh
Senior Principal Engineer
Amazon Web Services
S E P 4 0 2

Encryption at AWS
WARNING:
CONTAINS MATH

Encryption at AWS

Encryption at AWS
• Several internal organizations with deep cryptography expertise
AWS Cryptography
AWS Security
Automated Reasoning Group
Annapurna Labs
Service teams: Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic Block Store (Amazon EBS),
Amazon Simple Storage Service (Amazon S3), more
• Participants in NIST competitions, protocol standardization, vulnerability
research and mitigation, Open Source projects

Encryption basics

AWS KMS

AWS KMS
Import, store, control, manage access to, rotate, and delete keys at scale
Backed by FIPS 140-2 Hardware
Integrated with 117 AWS Services and more AWS SDKs
Integrated with AWS CloudTrail for auditing

AWS KMS
Principle of least privilege is KMS’ core DNA
KMS only gives AWS services access to keys when they are acting on behalf of a
customer who owns those keys.
Sensitive KMS administrative actions are partitioned and require multiple
administrators
Threshold cryptography required for bootstrapping

AWS KMS
Support for custom key stores
KMS generates and stores non-
extractable key material in an AWS
CloudHSM cluster that you own and
manage
Satisfy regulatory and compliance
requirements

Client side encryption

Client side encryption
Support for client-side encryption in AWS service SDKs including S3, Amazon
DynamoDB, Amazon Kinesis and more.
Encrypt data at a document, row, or field level
There are trade-offs between client-side encryption and what can be performed
on the server side

Clock math

Clock Math

Linear congruential generator
𝑐
𝑚
y
x

5
13
29
61
125
253
0
50
100
150
200
250
300
1 2 3 4 5 6
X
𝑿 𝒏+𝟏 = 𝒂𝑿 𝒏 + 𝒄

0
3
4
1
0
3
4
1
0
0.5
1
1.5
2
2.5
3
3.5
4
4.5
1 2 3 4 5 6
X
𝑿 𝒏+𝟏 = 𝒂𝑿 𝒏 + 𝒄 (mod m)

Modern symmetric encryption
Algorithms such as AES-GCM take a very similar form
Start off with a key and a seed value, generate a deterministic pseudo-random
stream of data

Modern symmetric encryption
⊕
=

XOR
x y output
0 0 0
1 0 1
0 1 1
1 1 0

AES-GCM

AES-GCM
• AES has a block size of 2128 bits
• That’s an extremely big clock, much more than there are particles in the
universe
• At AWS scale, we would still run in to this limit without workarounds

Symmetric encryption takeaways
Key + Initialization Vector = Stream of random data
The same key and IV will produce the same stream every time
We can’t re-use the same key and IV pair
If a key is known, all data encrypted under that key can be decrypted

Server side encryption

Storage encryption
• Amazon EBS encryption by default!
• Implemented as part of the AWS Nitro security system
• We’re encrypting an enormous volume of data, using reassuringly boring
cryptography

Server-side encryption
• Available in S3, DynamoDB, Kinesis and more
• AWS performs the encryption, on AWS hardware, using similar techniques and
formats available in the cryptography SDK
• Provides defense in depth and a more secure model for data re-encryption if
necessary

Network encryption
• Attacks on modern network encryption are usually based on side-channels
• Traffic may be encrypted, but the size of the data, and the rate of transmission
are still visible
• This makes it surprisingly easy to compromise the confidentiality of some
common workloads
• Defense: Information hiding, Anonymization, and layered encryption

TLS

TLS—Forward secrecy

TLS—Forward secrecy
Forward secrecy is really about how much data is at risk if a key were to be
compromised
By default at AWS, every TLS session has forward secrecy
In real terms, this provides strong “post-compromise security”
How does it work?

Understanding Diffie-Hellman—Prerequisites
𝑥 𝑦
𝑥 𝑚𝑜𝑑 𝑦

Understanding Diffie-Hellman—The magic
(𝑔 𝑎 % 𝑝) 𝑏 𝑚𝑜𝑑 𝑝
=
(𝑔 𝑏 % 𝑝) 𝑎 𝑚𝑜𝑑 𝑝

Understanding Diffie-Hellman—The math
(𝑔 𝑎
𝑚𝑜𝑑 𝑝) 𝑏
𝑚𝑜𝑑 𝑝 = (𝑔 𝑏
𝑚𝑜𝑑 𝑝) 𝑎
𝑚𝑜𝑑 𝑝
Alice Bob Eve
p = 23 , g = 5 p = 23 , g = 5 p = 23 , g = 5

(𝑔 𝑎
𝑚𝑜𝑑 𝑝) 𝑏
𝑚𝑜𝑑 𝑝 = (𝑔 𝑏
𝑚𝑜𝑑 𝑝) 𝑎
𝑚𝑜𝑑 𝑝
Alice Bob Eve
p = 23 , g = 5 p = 23 , g = 5 p = 23 , g = 5
a = 6 b = 15
A B

(𝑔 𝑎 𝑚𝑜𝑑 𝑝) 𝑏 𝑚𝑜𝑑 𝑝 = (𝑔 𝑏 𝑚𝑜𝑑 𝑝) 𝑎 𝑚𝑜𝑑 𝑝
Alice Bob Eve
p = 23 , g = 5 p = 23 , g = 5 p = 23 , g = 5
a = 6 b = 15
A = 𝟓 𝟔
mod 23 = 8 B = 𝟓 𝟏𝟓
mod 23 = 19 A = 8 , B = 19
A B

Alice Bob Eve
p = 23 , g = 5 p = 23 , g = 5 p = 23 , g = 5
a = 6 b = 15
A = 𝟓 𝟔
mod 23 = 8 B = 𝟓 𝟏𝟓
mod 23 = 19 A = 8 , B = 19
S = 𝐁 𝟔
mod 23 S = 𝐀 𝟏𝟓
mod 23
A B

Alice Bob Eve
p = 23 , g = 5 p = 23 , g = 5 p = 23 , g = 5
a = 6 b = 15
A = 𝟓 𝟔
mod 23 = 8 B = 𝟓 𝟏𝟓
mod 23 = 19 A = 8 , B = 19
S = 𝟏𝟗 𝟔
mod 23 = 2 S = 𝟖 𝟏𝟓
mod 23
= 2
A B

TLS handshake with forward secrecy
Client Hello
Server Hello
Server Cert
Client DH
Server DH
Client Finished
Server Finished

TLS1.3—Let’s re-order the messages
Client Hello
Server Hello
Server Cert
Client DH
Server DH
Client Finished
Server Finished

TLS1.3—1xRTT regular handshake
Client Hello
Server Hello
Server Cert
Client DH
Server DH
Server Finished
Client Finished

TLS—Post quantum risks

VPC Encryption

VPC encryption
• Implemented in AWS hardware, by Annupurna Labs, as part of Nitro
• We encrypt your data AND our network virtualization protocol
• Encryption is applied within and between availability zones
• Forward-secrecy for between hours and one day

VPC inter-region peering

VPC inter-region peering
• Allows peering and exchange of traffic between VPCs in different regions
• Implemented on our ”Blackfoot” layer of edge devices
• We encrypt your data AND our network virtualization protocol
• Forward-secrecy for between hours and one day

Amazon VPN

Amazon VPN
• Site-to-site and client VPN options
• Based on the IPSec and OpenVPN protocols
• Both include per-session forward secrecy that lasts ~hours
• If you’re using site-to-site VPN: watch out for “Group 2”

Physical network encryption

Physical network encryption
• Any link outside of AWS physical control, including between AWS datacenters,
and the AWS backbone is protected
• Reminder: all traffic between AWS regions (except China) is carried on the AWS
backbone
• Most links are protected with MACSEC and Optical encryption using AES-256
• Small number of short-distance links use laser monitoring

How do they fit together?
end-to-end anonymity
anti-
replay
Forward-secrecy Post-quantum
TLS
Client to
server
weak yes Seconds to hours Rarely
VPC Encryption
Instance to
Instance
Strong no Hours to one day yes
Inter-Region
Peering
Hop by hop Stronger no Hours to one day yes
Physical
Network
Encryption
Hop by hop Strongest no Hours to one day no

Secure key distribution
• If AES-GCM is strong, then the security of our system rests on how securely
authentication and encryption keys can be distributed
• VPC encryption, inter-region peering, and physical network encryption each use
multi-party key distribution
• Two parties independently distribute pre-key-material, which is then only
combined where the encryption happens
• Result: no control system knows the sensitive keys

Secure key distribution

Thank you!
Colm MacCárthaigh
@colmmacc

Encrypting everything with AWS - SEP402 - AWS re:Inforce 2019

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Semelhante a Encrypting everything with AWS - SEP402 - AWS re:Inforce 2019

Semelhante a Encrypting everything with AWS - SEP402 - AWS re:Inforce 2019 (20)

Mais de Amazon Web Services

Mais de Amazon Web Services (20)

Encrypting everything with AWS - SEP402 - AWS re:Inforce 2019