21 tweets, 4 min read
Tuesday Tweet Thread: Today, AWS CISO @StephenSchmidt unveiled VPC Encryption and our "Lever" link encryption initiative. They work in concert to make pervasive network encryption the default, and to deliver new protections against traffic analysis and post-quantum risks. 1/n
Let's start with VPC Encryption. We're encrypting all of the VPC traffic between supported instance types. This blurb with the details has been in our public documentation for months now, but we held off saying much about it until now: docs.aws.amazon.com/AWSEC2/latest/…
We encrypt traffic between instances in the same VPC, or if their VPCs are peered in the same region. We encrypt the entire customer packet, nothing is visible. We also encrypt our own network virtualization header.
This provides powerful anonymity on the wire; there is no customer ID or VPC ID there in plaintext. This has the effect of making traffic correlation and traffic analysis attacks many, many orders of magnitude harder.
The traffic is encrypted using AES-256. Many protocols, such as TLS, do not have strong post-quantum security in their handshakes. This new layer means that those handshakes are protected on the wire by AES, which is safe against post-quantum risks.
If you're worried about someone collecting data today, and decrypting it later when Quantum Computing is practical, this is nice defense in depth.
To avoid Post-Quantum problems itself, VPC Encryption uses symmetric keys that are shared between senders. They are frequently rotated and revoked to provide forward secrecy.
To avoid having any sensitive system that knows all of the keys, there are two independent, very different, key distribution mechanisms. Each distributes "pre-key material" which is then only combined in our Nitro security system to derive the real key.
The effect of that is that if one of the distribution systems were somehow compromised, this would not disclose the actual encryption keys. Very nice pattern to have!
VPC Encryption complements VPC Inter-Region Peering, which we've been similarly encrypting (with similar key derivation) from the day it launched.
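To make the split-distribution pattern in the two tweets above concrete, here is an added illustration (it is not AWS's Nitro key-derivation code; the share names, the salt string, the link id and the epoch layout are all assumptions). Two independently delivered pre-key shares are only useful once both reach the combining point, and an epoch counter in the derivation gives the frequent rotation the thread mentions.

```python
import hashlib
import hmac

# Constructed demo of "two independent pre-key distributions, combined only at
# the point of use". Stdlib HMAC-based HKDF (RFC 5869) so it runs offline.


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def derive_link_key(pre_a: bytes, pre_b: bytes, epoch: int, link_id: bytes) -> bytes:
    """Combine two independently distributed pre-key shares into one 256-bit key.

    pre_a and pre_b are assumed to arrive via two different distribution systems;
    only the combining point (Nitro, in the thread) ever holds both. Mixing them
    through HMAC means neither share alone determines the output."""
    mixed = hmac.new(pre_a, pre_b, hashlib.sha256).digest()  # needs both shares
    prk = hkdf_extract(salt=b"vpc-encryption-demo-salt", ikm=mixed)  # assumed salt
    info = b"link:" + link_id + b"|epoch:" + epoch.to_bytes(8, "big")
    return hkdf_expand(prk, info, 32)


def keys_for_rotation(pre_a: bytes, pre_b: bytes, link_id: bytes, epochs: range) -> list:
    """One key per epoch: rotating the counter retires the old key without
    redistributing shares, which is how 'frequently rotated' is modelled here."""
    return [derive_link_key(pre_a, pre_b, e, link_id) for e in epochs]
```

A compromised distribution system learns one share, and the test below checks that swapping either share (or the epoch) yields a different key, so that one share plus a guess for the other is no shortcut.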

Underneath, and in addition to, all of this is the Lever Link Encryption Project.
The Lever Link Encryption Project has been a truly massive endeavor to strongly encrypt, for now and all time, every network link that is in any way out of AWS physical control.
Physical control means inside a facility we own and operate; and sometimes it means secure ducting over short distances with cool lasers that can detect any interference.
If a link is outside our premises, or crossing an ocean, we encrypt it. For encryption, we use AES-256 again, with MACsec or Optical Layer encryption, with some more clever key agreement schemes that we had to invent! But don't worry, they are reassuringly boring.
Incidentally "Lever" is named for en.wikipedia.org/wiki/Mavis_Bat…
Lever encryption and VPC Encryption or Inter-Region Peering often happen at the same time, e.g. packets crossing between AZs or regions. That's two layers of no-configuration required pervasive cryptography.
h/t to my colleague and Lever lead David Sinn for all that info!
Now, none of this means that you should not use TLS or other encryption protocols in your own applications. Network Encryption is awesome, but does not provide anti-replay, or application-to-application authentication. These new protocols are designed to fill gaps.
Of course it's great too to have a built-in mechanism to protect legacy traffic that is not encrypted at all.
These are the first features I've ever worked on where there is no API, nothing for you to do. This is all under the hood. There is no change to your experience running on AWS. Customers never see the encrypted traffic, we do the encryption and decryption for you.
All of the encryption and decryption happens in hardware; and for VPC Encryption, it's custom silicon designed and built by Annapurna Labs as part of our Nitro security system. That means we can do all of this with no impact on performance. We've been in production for months!
O.k. there you have it. VPC Encryption, Lever Link Encryption, Multi-Party key distribution, AES-256, no API or settings, just "on". AMA.