Encryption at Scale on AWS Matt Campagna campagna@amazon.com - - PowerPoint PPT Presentation

encryption at scale on aws
SMART_READER_LITE
LIVE PREVIEW

Encryption at Scale on AWS Matt Campagna campagna@amazon.com - - PowerPoint PPT Presentation

Oct 09, 2022 158 likes •389 views

Encryption at Scale on AWS Matt Campagna campagna@amazon.com Agenda Describe the AWS Key Management Service Client Side Encryption AWS Encryption SDK Server Side Encryption S3 Object Encryption Amazon Simple Storage Service

slide-1
SLIDE 1

Encryption at Scale on AWS

Matt Campagna campagna@amazon.com

slide-2
SLIDE 2

Agenda

  • Describe the AWS Key Management Service
  • Client Side Encryption
  • AWS Encryption SDK
  • Server Side Encryption
  • S3 Object Encryption
slide-3
SLIDE 3

Amazon Simple Storage Service (S3)

  • Every object (file) is stored in a bucket (a

container of objects).

  • Upload and download objects

(PutObject/GetObject)

  • 10s of trillions of objects today.
  • 60 terabytes/seconds in some regions.
  • Can upload parts in parallel to increase

throughput

  • Upload 5TB in 1m 12s, and read in 42s.
  • Designed for 11 9s of durability.
  • One of over 100+ services

Amazon S3

slide-4
SLIDE 4

Goals for encryption at scale

  • Customers want
  • Root keys stored in FIPS certified hardware,
  • Control over these keys through fine grain usage policies,
  • Integrate into services to make encryption easy,
  • Provide detail audit records for all use of their keys, and
  • Us to manage basic key usage issues – algorithm selection, IV

generation, key rotation, etc.,

  • Not feasible to run all data encryption through a single service.
  • Provide data keys to encrypt data
  • Keys durability must exceed that of the data it protects.
slide-5
SLIDE 5

AWS KMS

CreateKey(policy) EKT ct = Encrypt(keyID, AAD, pt) CMK = D(DK, EKT) OID ß $ OK = KDF(CMK, OID) ct = E(OK, AAD, pt) DK ß $ CMK ß $ EKT = E(DK, CMK) EKT, AAD, pt ct

policy

_______ _______ _______

EKT

HSM

AWS Key Management Service

slide-6
SLIDE 6

Last year Shay Gueron presented the KMS derived-key mode for GCM to encrypt at scale up to 240 customer master keys, and each master key can be used to perform 250 encryptions, While ensuring the probability of a (key, iv) collision and an adversary‘s PRP-PRF distinguishability advantage remains below 2-32.

AWS Key Management Service

slide-7
SLIDE 7

AWS Key Management Service

Fl Fleet of HSM SMs HSM HSM HSM HSM HSM HSM KMS KMS KMS KMS KMS KMS

Availability zone 1 Availability zone 2 Availability zone 3

EKT EKT EKT EKT EKT EKT

Region

slide-8
SLIDE 8

Alexa for Business Amazon Glacier Amazon WorkMail AWS Snowball Amazon Athena Amazon Kinesis Data Streams Amazon WorkSpaces AWS Snowmobile Amazon Aurora Amazon Kinesis Firehose AWS Certificate Manager AWS Snowball Edge Amazon CloudWatch Logs Amazon Kinesis Video Streams AWS Cloud9 AWS Storage Gateway Amazon Comprehend Amazon Lex AWS CloudTrail AWS X-Ray Amazon Managed Streaming for Kafka (MSK) Amazon Lightsail AWS CodeBuild AWS Lambda AWS Database Migration Service Amazon Elastic Transcoder AWS CodeCommit Amazon S3 Amazon DynamoDB Accelerator (DAX) Amazon Elasticsearch Service AWS CodeDeploy Amazon EMR Amazon Simple Email Service (SES) Amazon Neptune AWS CodePipeline Amazon EBS Amazon Simple Queue Service (SQS) Amazon Redshift Amazon DynamoDB Amazon EFS Amazon Relational Database Service (RDS) Amazon SageMaker AWS Secrets Manager AWS Systems Manager Amazon FSx for Windows File Server Amazon Translate Amazon Connect AWS Glue

AWS KMS Integrated Services

slide-9
SLIDE 9

Envelope encryption with AWS KMS

3) For plaintext pt, encrypt, ct = E(dk, pt). 4) Send/store the pair (edk, ct). 1) Alice calls KMS to generate a data key. 2) Receive an encrypted data key edk, and a data key dk.

edk, dk = GenerateDataKey(keyID) AWS KMS

slide-10
SLIDE 10

Authorization and key policy

{ "Sid": ”Alice", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::012345678901:user/alice" }, "Action": [ "kms:GenerateDataKey", "kms:Encrypt"], "Resource": "*", }, { "Sid": ”Recipients", "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam:: 012345678901:user/bob", "arn:aws:iam:: 012345678901:user/charlie"] }, "Action": "kms:Decrypt", "Resource": "*", }

Alice can encrypt Bob and Charlie can decrypt

slide-11
SLIDE 11

4) Encrypt alternate message ct’ = E(dk, pt’) 5) Send (edk, ct’) of to Charlie 1) Bob starts with valid ciphertext (edk, ct) 2) Call KMS to decrypt an encrypted data key 3) Receive the data key dk. dk = Decrypt(edk)

Envelope encryption with AWS KMS

AWS KMS

slide-12
SLIDE 12
  • Make it easy for AWS KMS customer to encrypt securely
  • Use envelope encryption to protect large plaintext values
  • Enable the policy on the customer master key to extend to the

envelope encrypted data.

  • Encrypt/decrypt many plaintexts under a single call to AWS KMS.

AWS Encryption SDK

slide-13
SLIDE 13

plaintext1 sig1 edk Q h_tag1 msg_id1

dk, edk = GenerateDataKey(keyId, AAD), where Q is contained in AAD dß $, Q public key k = KDF(dk, msg_id1) sig1 = sign(d, *)

AWS Encryption SDK

(ivi++, cparti, tagi) = E(k, parti)

AWS KMS

msg_id1 ß $

h_tag2 msg_id2

k2 = KDF(dk, msg_id2) msg_id2 ß $

sig2

sig2 = sign(d, *) (ivi++, cparti, tagi) = E(k2, parti)

part1 part2 part3 partF cpart1 iv1 tag1 cpart2 iv2 tag2 cpart3 iv3 tag3 cpartF ivF tagF plaintext2 part1 part2 part3 partF

cache

slide-14
SLIDE 14
  • Consider a ki,j collision for a set of N cached data keys dkj
  • Probability of ki,j collisions for (Q*N) many random 256-bit values is

< (Q*N)2/2257 = 2-129, negligible, when N and Q < 232.

  • Probability of two equal dkj’s in N is < N2/2257 < 2-192 when N < 232,

negligible.

  • For any fixed dkj, the probability of ki,j collision < 2-64, for Q < 232
  • For N-many such dk’s, we have a probability < 1 – (1 – 2-64)N ≈ N*2-64.
  • Prob ki,j collision for N cached data keys dkj doing at most Q encryptions

< N*Q2/2257 < 2-33, when N, Q < 232.

AWS Encryption SDK

Single-user multi-cached-key for multi-key encryption scenario large keys (256 bits) + deterministic IV’s make the probabilities for “bad event” sufficiently small Multi-user scenario matters less, as SDK contexts are separate application spaces

slide-15
SLIDE 15
  • Supports Advanced Encryption Standard with 256-bit keys in Galois Counter

Mode (AES-256-GCM) for authenticated encryption.

  • Supports Elliptic Curve Digital Signature Algorithm (ECDSA) with SHA384 on the

curve NIST P-384 (secp384r1).

  • Open source solution that supports
  • Supports messages of size ~263 bytes.
  • Supports framing data for streaming.
  • Supports caching AWS KMS data key across multiple messages, based on a

security context, time, number of derived keys, or total bytes encrypted.

  • Extensible to additional key management infrastructures.

AWS Encryption SDK

slide-16
SLIDE 16

AWS Kinesis

producer consumer

DynamoDB AWS KMS

VPC

slide-17
SLIDE 17

Amazon Simple Storage Service (S3)

Amazon S3 TLS Client Side Encryption Server Side Encryption

slide-18
SLIDE 18

meta- data edk

Amazon S3 SSE-KMS

Adds 12-byte IV and 16-byte MAC per chunk.

Object

ct iv tag chunk chunk chunk chunk chunk

edk = KMS.GenerateDataKey(keyId) Store edk in object meta-data (iv, ct, tag) = AES_256_GCM(K, chunk)

Object

ct iv tag ct iv tag ct iv tag ct iv tag

E( ) E( ) E( ) E( ) E( ) Amazon S3

PutObject using S3 SSE

slide-19
SLIDE 19

meta- data edk

Amazon S3 SSE-KMS

GetObject with range [x, y] Decrypt and verify the necessary chunks Assemble and return the range

ct iv tag ct iv tag ct iv tag ct iv tag ct iv tag

Amazon S3

ct iv tag ct iv tag chunk chunk range

D( ) D( )

dk = KMS.Decrypt(edk) Fetch necessary chunks

range

slide-20
SLIDE 20
  • 5 terabyte limit for S3 objects ~243 bytes
  • Larger chunk – less storage overhead, increase size limit, increase ‘Get’ latency
  • Smaller chunk – more storage overhead, lower size limit, decrease ‘Get’ latency

Amazon S3 SSE

Chunk Size Number of Chunks Probability of IV collision Max size while collision probability < 2-32 2048 = 211 ~232 - 230 < 2-32 8 terabytes 32768 = 215 ~ 228 < 2-41 140 terabytes 262144 = 218 ~227 < 2-47 1.125 petabytes

slide-21
SLIDE 21

Summary

  • AWS is making encryption of customer data easy with secure default configurations.
  • Tension between one-size fits all and every application requires a custom solution.
  • Want to minimize design patterns and tools we need to maintain and reason about.
  • Managing state across distributed systems is performance inhibiting for encryption.
  • IV-collisions probabilities are exasperated by data volume across distributive systems.
  • An efficient and standardized wide block encryption primitive would ease these tension.
slide-22
SLIDE 22

Thank you!

https://aws.amazon.com/kms/ https://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf https://github.com/aws/aws-encryption-sdk-java https://github.com/aws/aws-encryption-sdk-python https://github.com/aws/aws-encryption-sdk-cli https://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html