[HN Gopher] AWS SIGv4 and SIGv4A - How AWS signs and verifies AP...
       ___________________________________________________________________
        
       AWS SIGv4 and SIGv4A - How AWS signs and verifies API requests
        
       Author : Corrado
       Score  : 53 points
       Date   : 2021-09-23 19:56 UTC (3 hours ago)
        
 (HTM) web link (shufflesharding.com)
 (TXT) w3m dump (shufflesharding.com)
        
       | psanford wrote:
       | This is neat, although it throws a wrench into my recent move to
       | encrypt my AWS secret access key with my TPM to prevent the key
       | from being used anywhere besides my laptop[0].
       | 
       | [0]:
       | https://github.com/psanford/awsv4signer/tree/main/examples/t...
        
         | timmattison wrote:
         | We actually just did a livestream today at AWS about how to
         | store a credential in an HSM to avoid having IAM credentials in
         | clear text. You can see it here -
         | https://www.twitch.tv/aws/video/1156973272
         | 
         | We haven't released the code yet but are in the process. If you
         | think this could work for you or you'd just like to see how we
         | did it DM me on Twitter @timmattison and I'll give you the code
         | ASAP.
        
         | gnabgib wrote:
         | The article is vague (no link to docs, no formula, no block
         | diagram), but it seems to say the fundamental process still
         | runs via a pre-shared-secret. That is secret you're trying to
         | secure, and one that AWS knows.
         | 
         | However, that secret is no longer used for the signing. Instead
         | it's combined with a date and service-description to generate a
         | public-private keypair, which is itself not secret (both AWS
         | and you can derive this if you know the algorithm). Your
         | requests are now signed with this private key (client side) and
         | can be verified by the services with the public key (server
         | side).
         | 
         | AWS still knows your secret, but it keeps it in a more secured
         | location versus out on the farms. The farms would need a way to
         | request your public key for the day from the secured location,
         | so they can verify the sender. But, the farms no longer have
         | access to your secret key, so cannot sign other requests
         | masquerading as you.
        
           | psanford wrote:
           | If the ECDSA key pair is still derived using an HMAC keyed by
           | the private key, I can do that with the key loaded in the
           | tpm. Otherwise it is unlikely to work with my current setup.
           | 
           | Once the key is loaded into the TPM as an HMAC key, you can
           | no longer get the plaintext key back out. You have to use the
           | TPM to perform any HMAC operations using the key.
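What gnabgib and psanford are describing, as an added Go example that is not code from the post, from AWS, or from the linked awsv4signer project: the documented SigV4 HMAC chain ("AWS4"+secret keyed by date, region, service and "aws4_request"), and next to it an illustrative SigV4A-style derivation in which the only secret-keyed operation is a single HMAC whose output is reduced to a P-256 scalar and used as the ECDSA private key. The "AWS4A" prefix and the date+service context string are assumptions for illustration; they are not AWS's actual SigV4A KDF. The verify function takes only the public key, which is the property gnabgib describes for the front-end fleet, and the single HMAC call is the operation psanford would push into the TPM. The secret is the placeholder value from the AWS documentation, not a real credential.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"math/big"
)

// HmacSHA256 is the only primitive that ever sees the long-term secret.
// In the TPM setup discussed above this is the one operation that has to
// run inside the TPM; everything downstream works on derived output.
func HmacSHA256(key []byte, data string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(data))
	return m.Sum(nil)
}

// SigV4SigningKey is the documented SigV4 derivation chain. The date
// scope is why a derived key is only good for one UTC day.
func SigV4SigningKey(secret, date, region, service string) []byte {
	kDate := HmacSHA256([]byte("AWS4"+secret), date)
	kRegion := HmacSHA256(kDate, region)
	kService := HmacSHA256(kRegion, service)
	return HmacSHA256(kService, "aws4_request")
}

// SigV4Sign is the final SigV4 step: hex(HMAC(kSigning, stringToSign)).
func SigV4Sign(kSigning []byte, stringToSign string) string {
	return hex.EncodeToString(HmacSHA256(kSigning, stringToSign))
}

// DeriveP256Key is an illustrative SigV4A-style derivation, NOT AWS's
// actual KDF (the "AWS4A" prefix and the date/service context are
// assumptions). Secret-keyed HMAC output is reduced into [1, n-1] and
// used as a P-256 private scalar. Anyone holding the same HMAC output
// derives the same key pair; the public key alone cannot sign.
func DeriveP256Key(secret, date, service string) *ecdsa.PrivateKey {
	curve := elliptic.P256()
	seed := HmacSHA256([]byte("AWS4A"+secret), date+"/"+service)
	nMinus1 := new(big.Int).Sub(curve.Params().N, big.NewInt(1))
	d := new(big.Int).SetBytes(seed)
	d.Mod(d, nMinus1).Add(d, big.NewInt(1)) // now 1 <= d <= n-1
	priv := &ecdsa.PrivateKey{PublicKey: ecdsa.PublicKey{Curve: curve}, D: d}
	priv.PublicKey.X, priv.PublicKey.Y = curve.ScalarBaseMult(d.FillBytes(make([]byte, 32)))
	return priv
}

// SignWithDerived is the client side: sign sha256(stringToSign) with the
// day's derived private key. No access to the long-term secret is needed.
func SignWithDerived(priv *ecdsa.PrivateKey, stringToSign string) ([]byte, error) {
	h := sha256.Sum256([]byte(stringToSign))
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// VerifyWithPublic is all a front-end host needs: the day's public key.
func VerifyWithPublic(pub *ecdsa.PublicKey, stringToSign string, sig []byte) bool {
	h := sha256.Sum256([]byte(stringToSign))
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

func main() {
	// Placeholder secret from the AWS docs, not a real credential.
	secret := "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
	kSigning := SigV4SigningKey(secret, "20210923", "us-east-1", "s3")
	fmt.Println("SigV4 kSigning:", hex.EncodeToString(kSigning))

	today := DeriveP256Key(secret, "20210923", "s3")
	tomorrow := DeriveP256Key(secret, "20210924", "s3")
	msg := "constructed string to sign" // stands in for a real SigV4A string-to-sign
	sig, err := SignWithDerived(today, msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("verifies with today's public key:   ", VerifyWithPublic(&today.PublicKey, msg, sig))
	fmt.Println("verifies with tomorrow's public key:", VerifyWithPublic(&tomorrow.PublicKey, msg, sig))
}
```

ecdsa.SignASN1 is randomized, so two signatures over the same input differ; the derived key pair itself is deterministic in secret, date and service, which is what lets client and service compute it independently, and a host that only ever receives the public half can verify that day's traffic but cannot produce signatures of its own.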
        
         | twistedpair wrote:
         | Feels odd that AWS still uses secret tokens all these years
         | later. Take GCP for example. They use your personal identity
         | (via OAuth, service accounts use certs), and you can use FIDO
         | tokens to authenticate your local keys (e.g. for gcloud CLI). I
         | was very surprised to see that awscli still doesn't support
         | Yubikeys.
        
           | jffry wrote:
           | I'm a big fan of aws-vault [1], which helps securely store
           | your tokens and use them to obtain temporary credentials
           | which are time-limited and constrained to a specific IAM
           | role.
           | 
           | It's not as good as having something that supports a hardware
           | token, of course, but it's better than the default awscli
           | suggestion to keep the secrets around in plaintext either on
           | disk or in env vars.
           | 
           | [1] https://github.com/99designs/aws-vault
        
       | nielsole wrote:
       | I wonder why the subkeys are valid for 1d and not something much
       | shorter like 15 minutes. IIUC if the frontend IAM servers of a
       | service get compromised you can only accept traffic for that
       | service again on the next day, when a new subkey is valid.
       | 
       | I also wonder whether those subkeys are copied over to the
       | frontend server (that might be a lot of data to copy) every day
       | or requested and cached (possibly high latency for first call)
        
         | gjs278 wrote:
         | >IIUC
         | 
         | never use this again. we already have IIRC and "I think" for
         | fuck's sake just stick with those
        
       | GauntletWizard wrote:
       | I flat out don't trust AWS SIG; It falls into the classic
       | encryption antipattern of signing the meaning and not the bytes -
       | Anytime a transformation of the data is required before or after
       | the signature is applied, you open up a hole for attackers to
       | exploit. See V1 and V3, which were flat out insecure and have
       | been abandoned.
       | 
       | Sign the bytes, not the meaning.
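The "meaning, not the bytes" point is about canonicalization: a SigV4 signature is computed over a canonical request rebuilt from the raw request, so only what survives that rebuild is bound by the signature. As an added Go example (not code from the post or from any AWS SDK), a minimal SigV4 canonical-request builder following the documented format: two requests that differ at the byte level (header name case, whitespace inside a header value, query parameter order) produce the same canonical request and therefore the same string-to-sign, while a change to the path or body does not. Assumptions: the path is taken as already normalized and URI-encoded (real SigV4 normalizes and encodes it too; that step is omitted), sequential whitespace in header values is collapsed with strings.Fields, and the sample requests are constructed using the placeholder request from the AWS documentation.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Header and KV hold raw header lines and raw query pairs as they would
// appear on the wire, before any normalization.
type Header struct{ Name, Value string }
type KV struct{ Key, Value string }

// Request is the minimal model this example signs over. Assumption: Path
// is already normalized and URI-encoded.
type Request struct {
	Method  string
	Path    string
	Query   []KV
	Headers []Header
	Body    []byte
}

// uriEncode is RFC 3986 percent-encoding with the SigV4 unreserved set
// (A-Z a-z 0-9 - _ . ~); everything else, including space, is encoded.
func uriEncode(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		if ('A' <= c && c <= 'Z') || ('a' <= c && c <= 'z') || ('0' <= c && c <= '9') ||
			c == '-' || c == '_' || c == '.' || c == '~' {
			b.WriteByte(c)
		} else {
			fmt.Fprintf(&b, "%%%02X", c)
		}
	}
	return b.String()
}

// canonicalQuery encodes each name and value, then sorts by name and value,
// so the wire order of parameters is not part of what gets signed.
func canonicalQuery(q []KV) string {
	enc := make([]KV, 0, len(q))
	for _, p := range q {
		enc = append(enc, KV{uriEncode(p.Key), uriEncode(p.Value)})
	}
	sort.Slice(enc, func(i, j int) bool {
		if enc[i].Key != enc[j].Key {
			return enc[i].Key < enc[j].Key
		}
		return enc[i].Value < enc[j].Value
	})
	parts := make([]string, len(enc))
	for i, p := range enc {
		parts[i] = p.Key + "=" + p.Value
	}
	return strings.Join(parts, "&")
}

// canonicalHeaders lowercases names, trims and collapses whitespace in
// values, joins repeated headers with commas and sorts by name. It returns
// the header block (each line newline-terminated) and the SignedHeaders list.
func canonicalHeaders(hdrs []Header) (canonical, signed string) {
	byName := map[string][]string{}
	for _, h := range hdrs {
		name := strings.ToLower(strings.TrimSpace(h.Name))
		byName[name] = append(byName[name], strings.Join(strings.Fields(h.Value), " "))
	}
	names := make([]string, 0, len(byName))
	for n := range byName {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		b.WriteString(n + ":" + strings.Join(byName[n], ",") + "\n")
	}
	return b.String(), strings.Join(names, ";")
}

// CanonicalRequest assembles the documented SigV4 layout: method, URI,
// query, header block, blank line, signed header list, hex(sha256(body)).
func CanonicalRequest(r Request) string {
	ch, signed := canonicalHeaders(r.Headers)
	payload := sha256.Sum256(r.Body)
	return strings.Join([]string{r.Method, r.Path, canonicalQuery(r.Query), ch, signed, hex.EncodeToString(payload[:])}, "\n")
}

// StringToSign binds the algorithm name, timestamp, credential scope and
// the hash of the canonical request; this is what the signing key signs.
func StringToSign(amzDate, scope, canonical string) string {
	h := sha256.Sum256([]byte(canonical))
	return "AWS4-HMAC-SHA256\n" + amzDate + "\n" + scope + "\n" + hex.EncodeToString(h[:])
}

// SampleRequests returns two constructed requests that differ in bytes but
// not in meaning: header case, whitespace in values and query order.
func SampleRequests() (tidy, messy Request) {
	tidy = Request{Method: "GET", Path: "/",
		Query: []KV{{"Action", "ListUsers"}, {"Version", "2010-05-08"}},
		Headers: []Header{{"Host", "iam.amazonaws.com"},
			{"Content-Type", "application/x-www-form-urlencoded; charset=utf-8"},
			{"X-Amz-Date", "20150830T123600Z"}}}
	messy = Request{Method: "GET", Path: "/",
		Query: []KV{{"Version", "2010-05-08"}, {"Action", "ListUsers"}},
		Headers: []Header{{"HOST", "iam.amazonaws.com  "},
			{"content-type", "  application/x-www-form-urlencoded;   charset=utf-8"},
			{"x-amz-date", "20150830T123600Z"}}}
	return tidy, messy
}

func main() {
	a, b := SampleRequests()
	ca := CanonicalRequest(a)
	fmt.Println("byte-different requests canonicalize identically:", ca == CanonicalRequest(b))
	fmt.Println(StringToSign("20150830T123600Z", "20150830/us-east-1/iam/aws4_request", ca))
	c := a
	c.Path = "/other"
	fmt.Println("path change survives canonicalization:", CanonicalRequest(c) != ca)
}
```

The verifying side has to rebuild exactly this canonical form from the bytes it actually received, so any gap between the two implementations' canonicalization rules is a gap in what is signed; that is the surface GauntletWizard is objecting to. The body is bound only through the hash on the last line (and S3 additionally accepts an UNSIGNED-PAYLOAD marker there), so a verifier that does not recompute that hash over the received body is not checking the body at all.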
        
       | deanCommie wrote:
       | Super interesting! I wonder - have any other services or
       | companies (SaaS or otherwise) adopted SigV4 other than AWS?
       | 
       | Seems like a solid protocol (though a lot to implement in a
       | client, that can be encapsulated in an SDK)
        
         | et1337 wrote:
         | We use a flavor of SigV4 for our REST and gRPC APIs at
         | StrongDM[1]
         | 
         | [1] https://www.strongdm.com/
        
         | edoceo wrote:
         | I'm using signatures, influenced by AWS and ActivityPub specs
         | for some of our APIs. But I'm using Sodium for the
         | hashing/signing.
        
         | jaytaylor wrote:
         | Is there a benefit to companies all using the exact same web
         | service request signature scheme?
         | 
         | One downside is that it would make widespread web service API
         | abuse even easier than it already is. One would need to
         | understand even less about the mechanics and workings of same-
         | scheme services across companies. Yes, this is security through
         | obscurity, but why leave more surface area open than necessary?
         | 
         | Malicious actors will certainly appreciate it!
        
           | whartung wrote:
           | > Is there a benefit to companies all using the exact same
           | web service request signature scheme?
           | 
           | Well, there's some things to consider.
           | 
           | First, Amazon AWS is a very rich target. It hosts a very
           | large quantity of services that would be ripe for
           | exploitation. I'm sure attackers would love to find holes in
           | the AWS mechanism.
           | 
           | Second, because of number 1, I'm sure the AWS services are
           | not only a prime target for attack, but also actively being
           | attacked. By both nefarious black hat ne'er do wells, to
           | state level agencies. I would fully expect US, Russian,
           | Chinese and other state intelligence agencies to be very
           | interested in an exploit of something as ripe as the AWS
           | system.
           | 
           | Third, Amazon has the motivation, due to number 1, to keep on
           | top of and ensure that its technique is sound and robust. Not
           | only that, it has the resources to do it.
           | 
           | Four, the technique is open, and documented, and available to
           | all. No skullduggery is required at an algorithm level to
           | analyze it and understand it. Thesis seeking white hat PhD
           | students can have at it and advance the field.
           | 
           | So, if there were to be "one algorithm", Amazon and AWS have
           | the experience and know how to hold theirs up high on a
           | pedestal labeled "You could do a lot worse".
        
       | phnofive wrote:
       | Wasn't clear to me who wrote this or why, so:
       | 
       | > I'm Colm MacCarthaigh, a VP and Distinguished Engineer at
       | Amazon Web Services, and this website is my blog.
        
         | capableweb wrote:
         | > a VP and Distinguished Engineer at Amazon Web Services
         | 
         | Any further translation on what VP and "Distinguished Engineer"
         | means here? It sounds like both of them are honorary and
         | doesn't really mean much, but then "Distinguished" makes it
         | seem they received some sort of Nobel prize of computing as
         | well.
         | 
         | And if neither of them really mean anything, then this guy is
         | really "just" a developer right?
        
           | Thaxll wrote:
           | > And if neither of them really mean anything, then this guy
           | is really "just" a developer right?
           | 
           | Probably yeah, he went to a coding bootcamp and was hired
           | after that.
        
             | BikiniPrince wrote:
             | Colm is a fairly badass engineer. He was a senior principal
             | when I left. Sounds like they made another level since then
             | and he jumped into VP. Somewhat makes sense as he leads the
             | business in both a technical and business sense. Amazon's
             | traditional issue is they only know how to level managers.
             | Turns out when the company starts accruing some really
             | senior people you have to accommodate them.
             | 
             | This is a fairly fluffy piece of writing. His internal
             | writings were much deeper.
        
               | bbgm wrote:
               | Amazon has long had a VP-level engineer track (Peter
               | Vosshall was the first IIRC). Colm is very rightly one.
        
           | mcspiff wrote:
           | Distinguished Engineer is the top "level" for engineers at
           | Amazon. It's equivalent to a VP position for managers. So
           | it's a job title, similar to Sr Engineer.
        
           | argc wrote:
           | What does '"just" a developer' mean?
        
             | capableweb wrote:
             | I specifically put quotes around it to avoid comments like
             | you. "Just" in terms of superfluous titles, not that
             | becoming a developer is easy or anything. Seems I've
             | managed to get my answers though, so thank you everyone
             | (except argc)!
        
           | slownews45 wrote:
           | Yes, a developer title basically. But very senior
           | 
           | Comp is $950K++++ per year range.
        
             | BikiniPrince wrote:
             | I'm sure he has exceeded this by now. If you can afford to
             | keep genius around then you should.
             | 
             | It's hard to get familiar with engineers at Amazon. They
             | have spokespersons who release things written by others
             | and their external contribution process is difficult at
             | best.
             | 
             | It isn't a surprise people think he is a nobody. I still
             | remember him after five years.
        
           | jedberg wrote:
           | Colm is an extremely smart engineer who has designed some
           | really big systems. Distinguished is the title they give you
           | when they want to pay you VP bucks so you stay at Amazon.
        
           | pan69 wrote:
           | In the org I work in "Distinguished" is simply a level of
           | seniority (and pay grade). For engineers we have; grad ->
           | engineer -> senior -> specialist -> principal -> chief ->
           | distinguished.
           | 
           | The further/higher you get you usually do less "programming"
           | and more design/architectural, plus line management.
        
         | pvg wrote:
         | He's been on HN for ages
         | 
         | https://news.ycombinator.com/user?id=colmmacc
        
           | tptacek wrote:
           | He's an extremely good Twitter follow, for what it's worth.
        
         | ctvo wrote:
         | Really? Looks like someone's blog on technical things that
         | they're interested in and there's an 'About' link right where
         | you'd expect that tell you who they are.
        
         | [deleted]
        
       ___________________________________________________________________
       (page generated 2021-09-23 23:00 UTC)