Encryption at Scale on AWS Matt Campagna campagna@amazon.com
Agenda • Describe the AWS Key Management Service • Client Side Encryption • AWS Encryption SDK • Server Side Encryption • S3 Object Encryption
Amazon Simple Storage Service (S3) • Every object (file) is stored in a bucket (a Amazon S3 container of objects). • Upload and download objects (PutObject/GetObject) • 10s of trillions of objects today. • 60 terabytes/seconds in some regions. • Can upload parts in parallel to increase throughput • Upload 5TB in 1m 12s, and read in 42s. • Designed for 11 9s of durability. • One of over 100+ services
Goals for encryption at scale • Customers want • Root keys stored in FIPS certified hardware, • Control over these keys through fine grain usage policies, • Integrate into services to make encryption easy, • Provide detail audit records for all use of their keys, and • Us to manage basic key usage issues – algorithm selection, IV generation, key rotation, etc., • Not feasible to run all data encryption through a single service. • Provide data keys to encrypt data • Keys durability must exceed that of the data it protects.
AWS Key Management Service HSM AWS KMS DK ß $ CreateKey(policy) CMK ß $ EKT EKT = E(DK, CMK) policy _______ _______ EKT _______ CMK = D(DK, EKT) EKT, AAD, pt OID ß $ ct = Encrypt( keyID, AAD, pt ) ct OK = KDF(CMK, OID) ct = E(OK, AAD, pt)
AWS Key Management Service Last year Shay Gueron presented the KMS derived-key mode for GCM to encrypt at scale up to 2 40 customer master keys, and each master key can be used to perform 2 50 encryptions, While ensuring the probability of a (key, iv) collision and an adversary‘s PRP-PRF distinguishability advantage remains below 2 -32 .
AWS Key Management Service Region Availability zone 1 Availability zone 2 Availability zone 3 KMS KMS KMS KMS KMS KMS EKT EKT EKT EKT EKT EKT HSM HSM HSM HSM HSM HSM Fl Fleet of HSM SMs
AWS KMS Integrated Services Alexa for Business Amazon Glacier Amazon WorkMail AWS Snowball Amazon Athena Amazon Kinesis Data Streams Amazon WorkSpaces AWS Snowmobile Amazon Aurora Amazon Kinesis Firehose AWS Certificate Manager AWS Snowball Edge Amazon CloudWatch Logs Amazon Kinesis Video Streams AWS Cloud9 AWS Storage Gateway Amazon Comprehend Amazon Lex AWS CloudTrail AWS X-Ray Amazon Managed Streaming for Kafka (MSK) Amazon Lightsail AWS CodeBuild AWS Lambda AWS Database Migration Service Amazon Elastic Transcoder AWS CodeCommit Amazon S3 Amazon DynamoDB Accelerator (DAX) Amazon Elasticsearch Service AWS CodeDeploy Amazon EMR Amazon Simple Email Service (SES) Amazon Neptune AWS CodePipeline Amazon EBS Amazon Simple Queue Service (SQS) Amazon Redshift Amazon DynamoDB Amazon EFS Amazon Relational Database Service (RDS) Amazon SageMaker AWS Secrets Manager AWS Systems Manager Amazon FSx for Windows File Server Amazon Translate Amazon Connect AWS Glue
Envelope encryption with AWS KMS 1) Alice calls KMS to generate a data key. AWS KMS 2) Receive an encrypted data key edk , and a data key dk . edk, dk = GenerateDataKey( keyID ) 3) For plaintext pt , encrypt, ct = E(dk, pt). 4) Send/store the pair (edk, ct).
Authorization and key policy Alice can encrypt { "Sid": ”Alice", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::012345678901:user/alice" }, "Action": [ "kms:GenerateDataKey", "kms:Encrypt"], "Resource": "*", }, { Bob and Charlie "Sid": ”Recipients", can decrypt "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam:: 012345678901:user/bob", "arn:aws:iam:: 012345678901:user/charlie"] }, "Action": "kms:Decrypt", "Resource": "*", }
Envelope encryption with AWS KMS 1) Bob starts with valid ciphertext (edk, ct) 2) Call KMS to decrypt an encrypted data key AWS KMS dk = Decrypt( edk ) 3) Receive the data key dk . 4) Encrypt alternate message ct’ = E(dk, pt’) 5) Send (edk, ct’) of to Charlie
AWS Encryption SDK • Make it easy for AWS KMS customer to encrypt securely • Use envelope encryption to protect large plaintext values • Enable the policy on the customer master key to extend to the envelope encrypted data. • Encrypt/decrypt many plaintexts under a single call to AWS KMS.
AWS Encryption SDK part 1 part 1 part 2 part 2 plaintext 2 plaintext 1 part 3 part 3 part F part F cache d ß $, Q public key dk, edk = GenerateDataKey(keyId, AAD), where Q is contained in AAD msg_id 1 ß $ msg_id 2 ß $ k 2 = KDF(dk, msg_id 2 ) k = KDF(dk, msg_id 1 ) (iv i ++, cpart i , tag i ) = E(k 2 , part i ) (iv i ++, cpart i , tag i ) = E(k, part i ) msg_id 1 msg_id 2 h_tag 2 h_tag 1 tag 1 tag 2 tag 3 tag F sig 1 sig 2 Q edk cpart 1 cpart 2 cpart 3 cpart F iv 1 iv 2 iv 3 iv F AWS KMS sig 2 = sign(d, *) sig 1 = sign(d, *)
AWS Encryption SDK • Consider a k i,j collision for a set of N cached data keys dk j Single-user multi-cached-key for multi-key encryption scenario • Probability of k i,j collisions for (Q*N) many random 256-bit values is large keys (256 bits) + deterministic IV’s < (Q*N) 2 /2 257 = 2 -129 , negligible, when N and Q < 2 32 . make the probabilities for “bad event” sufficiently small • Probability of two equal dk j ’s in N is < N 2 /2 257 < 2 -192 when N < 2 32 , negligible. Multi-user scenario matters less, as SDK contexts are separate application • For any fixed dk j , the probability of k i,j collision < 2 -64 , for Q < 2 32 spaces • For N -many such dk’ s, we have a probability < 1 – (1 – 2 -64 ) N ≈ N*2 -64 . • Prob k i,j collision for N cached data keys dk j doing at most Q encryptions < N*Q 2 /2 257 < 2 -33 , when N, Q < 2 32 .
AWS Encryption SDK • Supports Advanced Encryption Standard with 256-bit keys in Galois Counter Mode (AES-256-GCM) for authenticated encryption. • Supports Elliptic Curve Digital Signature Algorithm (ECDSA) with SHA384 on the curve NIST P-384 (secp384r1). • Open source solution that supports • Supports messages of size ~2 63 bytes. • Supports framing data for streaming. • Supports caching AWS KMS data key across multiple messages, based on a security context, time, number of derived keys, or total bytes encrypted. • Extensible to additional key management infrastructures.
AWS Kinesis VPC DynamoDB AWS KMS producer consumer
Amazon Simple Storage Service (S3) Amazon S3 TLS Server Side Encryption Client Side Encryption
Amazon S3 Amazon S3 SSE-KMS meta- data iv edk E( ) chunk ct tag iv PutObject using S3 SSE E( ) chunk ct edk = KMS.GenerateDataKey(keyId) tag iv Object Object Store edk in object meta-data E( ) chunk ct tag (iv, ct, tag) = AES_256_GCM(K, chunk) iv E( ) chunk ct Adds 12-byte IV and 16-byte MAC per tag chunk. iv E( ) chunk ct tag
Amazon S3 Amazon S3 SSE-KMS meta- data iv edk ct tag iv iv GetObject with range [x, y] D( ) chunk ct ct dk = KMS.Decrypt(edk) tag tag range range iv iv Fetch necessary chunks D( ) chunk ct ct tag tag Decrypt and verify the necessary chunks iv ct Assemble and return the range tag iv ct tag
Amazon S3 SSE • 5 terabyte limit for S3 objects ~2 43 bytes Chunk Size Number of Chunks Probability of IV Max size while collision collision probability < 2 -32 2048 = 2 11 ~2 32 - 2 30 < 2 -32 8 terabytes 32768 = 2 15 ~ 2 28 < 2 -41 140 terabytes 262144 = 2 18 ~2 27 < 2- 47 1.125 petabytes • Larger chunk – less storage overhead, increase size limit, increase ‘Get’ latency • Smaller chunk – more storage overhead, lower size limit, decrease ‘Get’ latency
Summary • AWS is making encryption of customer data easy with secure default configurations. • Tension between one-size fits all and every application requires a custom solution. • Want to minimize design patterns and tools we need to maintain and reason about. • Managing state across distributed systems is performance inhibiting for encryption. • IV-collisions probabilities are exasperated by data volume across distributive systems. • An efficient and standardized wide block encryption primitive would ease these tension.
Thank you! https://aws.amazon.com/kms/ https://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf https://github.com/aws/aws-encryption-sdk-java https://github.com/aws/aws-encryption-sdk-python https://github.com/aws/aws-encryption-sdk-cli https://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html
Recommend
More recommend
