Profile picture
Colm MacCárthaigh
@colmmacc
, 14 tweets, 3 min read Read on Twitter
At re:Inforce we revealed two previously unannounced AWS network encryption features. One is embedded in our Nitro hardware security system, the other is for network links. But I want to take a second to zoom in just on multi-party key distribution ...
The root of trust in any cryptographic or authentication system is usually based on one or two things: key distribution, and high-quality randomness. With Nitro we also have our own high-quality hardware secure random number generators. Key distribution is a harder problem.
If your system depends on asymmetric keys; RSA, ECDSA, Ed25519, etc. then best practice is to generate public-private keys on a secure system and then only export the private key. This is a good practice but it comes with some challenges.
Firstly, you likely have to have a whole PKI infrastructure to make that practical. We do make it easier than ever to have a private certificate authority: aws.amazon.com/certificate-ma…
Secondly, RSA, ECDSA, Ed25519, etc, aren't great with respect to Post-Quantum Security, which people are worrying about. There are fixes; they can supplemented with hybrid algorithms, and static pre-shared keys, but those need a way to share those keys.
Thirdly, and most mundanely, sometimes you just need the same key on multiple hosts. That means we need a key distribution system! But key distribution systems make for very rich targets. That's not something to do lightly.
The best answer here is to use a secure Key Management Service. We have aws.amazon.com/kms/. KMS uses envelope encryption and support for bootstrapped mechanisms such as instance role accounts to get around all of this.
With envelope encryption, there's a hierarchy of keys that encrypt other keys, ultimately protected by a hardware root of trust, which mean that KMS can distribute keys without ever having plaintext access to the keys themselves. Very cool. O.k. but ...
VPC Encryption and our Lever Link Encryption project sit at the very bottom of the AWS networking stacks. And KMS runs on top of this! We'd have a circular dependency if we "just" used KMS, so how do we achieve the same security properties?
We distribute multiple "pre-secrets". One is distributed in a dedicated key distribution system. The other is distributed using existing configuration distribution systems. These "pre-secrets" are then mixed, using the HKDF key derivation function to make the actual key.
This is incredibly simple; but it has the effect that if the pre-secrets in the key distribution systems become known somehow, that's not fatal to the system security, it doesn't disclose the actual keys we use.
This technique works trivially for symmetric keys, but can also be used with a deterministic key generation algorithm to generate the same asymmetric keys on multiple hosts, without central knowledge.
Boring, simple, patterns are re-assuring in cryptography and I really love this one, because for very little cost, it gives a very meaningful security property. It really surprises me that it isn't more common pattern.
O.k. when I wrote "only export the private key" I *cough* meant "only export the PUBLIC key"! /end-of-thread
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Colm MacCárthaigh
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @colmmacc see all

Profile picture
Colm MacCárthaigh
@colmmacc
Tuesday Tweet Thread: Today, AWS CISO @StephenSchmidt unveiled VPC Encryption and our "Lever" link encryption initiative. They work in-concert to make pervasive network encryption the default, and to deliver new protections against traffic analysis and post-quantum risks. 1/n
Let's start with VPC Encryption. We're encrypting all of the VPC traffic between supported instance types. This blurb with the details has been in our public documentation for a months now, but we held off saying much about it until now: docs.aws.amazon.com/AWSEC2/latest/…
We encrypt traffic between instances in the same VPC, or if their VPCs are peered in the same region. We encrypt the entire customer packet, nothing is visible. We also encrypt our own network virtualization header.
Read 21 tweets
Profile picture
Colm MacCárthaigh
@colmmacc
@copyconstruct I work for a competitor and have my own biases, but reading this I feel a sad sense that hubris in Google's engineering culture has come to this and continues to blind. The proposed fixes read as dangerously wrong to me. 1/n
@copyconstruct "we will harden Google's cluster management software such that it rejects such requests regardless of origin, providing an additional layer of defense in depth and eliminating other similar classes of failure." ... this feels like more layering, more complexity. 2/n
@copyconstruct Why does automation even have access to multiple regions? Why add more logic, which could have its own bugs and problems, instead of enforcing more robust separation; compartmentalization with their own local fail-safes. 3/n
Read 5 tweets
Profile picture
Colm MacCárthaigh
@colmmacc
Tuesday Tweet thread time! Warning, because this one is *shameless* promotion and a very minor, but still crass, personal victory lap 🤣. I'm going to compare the work it took at my former startup jobs that would now take ... oh, seconds, with EC2.
At my last job, I built 6 multi-rack installations of servers. Most were SUN (RIP) boxes in Level3 (RIP) colos. Our biggest was in our own datacenter, which we converted from office space. Job before that I built out two room-sized installations.
Anyway, at my last job (Joost), we were streaming video using p2p (until we abandoned p2p). We needed to build our own "Long Tail Sites" CDN. We couldn't use commercial CDNs, because we used our own protocol. That was very dumb, but there you go.
Read 26 tweets

Related threads

Profile picture
FILM CRIT HULK
@FilmCritHULK
OKAY. NEON GENESIS EVANGELION THREAD TIME!
Gonna watch the first ep! But first, groundrules:
-No spoilers, duh, but don't talk about future episodes. Every time I try to watch anime someone's like "oh if liked that moment just WAIT til this episode when..." Like. don't do that!
... that's it... I guess it's more of a groundrule.
This is fun!
Read 62 tweets
Profile picture
Ben Riley-Smith
@benrileysmith
**Exclusive**

British spy chiefs were briefed on Christopher Steele’s dossier before Donald Trump knew of its existence.

Heads of MI5, MI6 + one of Theresa May’s most trusted security advisers all knew of the Russian links claims before Trump.

Summary thread below...
Lots is known about how the FBI handled the Steele dossier - 17 memos compiled by former MI6 agent Christopher Steele about Trump campaign’s Russia links.

But the story of what UK intelligence leaders knew is revealed for the first in tomorrow’s @Telegraph. Story with @rmendick.
Throughout the summer + autumn of 2016 Steele had uncovered a string of concerning allegations.

Among them - that Trump campaign figures had secretly met Russians, the Kremlin was trying to tilt the election + there was “kompromat” on the candidate himself (always denied).
Read 17 tweets
Profile picture
💧💧Blue Ëpster Cult
@Epidiah
Fuck yeah, calculator & PAIN points. I'm in.
You have no idea how much I want this to be true!
It does not disappoint!
Read 31 tweets
Profile picture
Blogger Me
@BloggerMe3
"Understanding #encryption & the #aabil" for #dumbbastards like me
.#Encryption & #privacy are strongly & deeply connected.
"Privacy", as understood in AU, is an individual's #humanright to #privacy, as enshrined in legislation, created in the @Parliament's, both federal & states, to guarantee individuals their #HumanRight as detailed by the @UN & interpreted by our legislators & the courts
Read 27 tweets
Profile picture
IoT Safari
@iotsafari
1\n #Amazon has done much more for building and deploying #IoT devices in a secure and robust manner than any other ecosystem organization. Their focus? Help build and deploy more connected devices. If you are building connected devices, this summary report is for you:
2\n Both their arms #Alexa and #AWS offer solutions at both the ends: the device (h/w and s/w dev kits) and the cloud. So how does it help you, the device maker? Let's find out. Every tweet below is an Amazon solution. Let's start with Alexa first.
3\n Control via #Alexa 1: If you've built a cloud connected device, use the Alexa SmartHome Skill to link it to Alexa. Then users can asks Alexa to ctrl your device, which goes to Alexa cloud, then to your skill, then your cloud and finally to your device. developer.amazon.com/docs/smarthome…
Read 15 tweets

Trending hashtags

#privacylaws #snapshot #Serverless #freertos #MuellerReport #automotive #Privacy #MQTT #Amazon #cloud #FictionAt12am #onhere #AadhaarFail #HumanRight #tech #NationalSecurity #NZMosqueShooting #SkripalSuspects #AWS #security #NewZealandshooting #privacy #decrypted #genius #WiFi
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!