[HN Gopher] AWS SIGv4 and SIGv4A - How AWS signs and verifies API requests
Author : Corrado
Score : 53 points
Date : 2021-09-23 19:56 UTC
Link : shufflesharding.com

| psanford wrote:
| This is neat, although it throws a wrench into my recent move to
| encrypt my AWS secret access key with my TPM to prevent the key
| from being used anywhere besides my laptop[0].
|
| [0]: https://github.com/psanford/awsv4signer/tree/main/examples/t...

| timmattison wrote:
| We actually just did a livestream today at AWS about how to
| store a credential in an HSM to avoid having IAM credentials in
| clear text. You can see it here -
| https://www.twitch.tv/aws/video/1156973272
|
| We haven't released the code yet but are in the process. If you
| think this could work for you or you'd just like to see how we
| did it DM me on Twitter @timmattison and I'll give you the code
| ASAP.

| gnabgib wrote:
| The article is vague (no link to docs, no formula, no block
| diagram), but it seems to say the fundamental process still
| runs via a pre-shared secret. That is the secret you're trying to
| secure, and one that AWS knows.
|
| However, that secret is no longer used for the signing. Instead
| it's combined with a date and service description to generate a
| public-private keypair, which is itself not secret (both AWS
| and you can derive this if you know the algorithm). Your
| requests are now signed with this private key (client side) and
| can be verified by the services with the public key (server
| side).
|
| AWS still knows your secret, but it keeps it in a more secured
| location versus out on the farms. The farms would need a way to
| request your public key for the day from the secured location,
| so they can verify the sender.
| But, the farms no longer have access to your secret key, so
| cannot sign other requests masquerading as you.

| psanford wrote:
| If the ECDSA key pair is still derived using an HMAC keyed by
| the private key, I can do that with the key loaded in the
| TPM. Otherwise it is unlikely to work with my current setup.
|
| Once the key is loaded into the TPM as an HMAC key, you can
| no longer get the plaintext key back out. You have to use the
| TPM to perform any HMAC operations using the key.

| twistedpair wrote:
| Feels odd that AWS still uses secret tokens all these years
| later. Take GCP for example. They use your personal identity
| (via OAuth, service accounts use certs), and you can use FIDO
| tokens to authenticate your local keys (e.g. for gcloud CLI). I
| was very surprised to see that awscli still doesn't support
| Yubikeys.

| jffry wrote:
| I'm a big fan of aws-vault [1], which helps securely store
| your tokens and use them to obtain temporary credentials
| which are time-limited and constrained to a specific IAM
| role.
|
| It's not as good as having something that supports a hardware
| token, of course, but it's better than the default awscli
| suggestion to keep the secrets around in plaintext either on
| disk or in env vars.
|
| [1] https://github.com/99designs/aws-vault

| nielsole wrote:
| I wonder why the subkeys are valid for 1d and not something much
| shorter like 15 minutes. IIUC if the frontend IAM servers of a
| service get compromised you can only accept traffic for that
| service again on the next day, when a new subkey is valid.
|
| I also wonder whether those subkeys are copied over to the
| frontend server (that might be a lot of data to copy) every day
| or requested and cached (possibly high latency for first call)

| gjs278 wrote:
| > IIUC
|
| never use this again.
| We already have IIRC and "I think", for fuck's sake just stick
| with those.

| GauntletWizard wrote:
| I flat out don't trust AWS SIG; it falls into the classic
| encryption antipattern of signing the meaning and not the bytes.
| Anytime a transformation of the data is required before or after
| the signature is applied, you open up a hole for attackers to
| exploit. See V1 and V3, which were flat out insecure and have
| been abandoned.
|
| Sign the bytes, not the meaning.

| deanCommie wrote:
| Super interesting! I wonder - have any other services or
| companies (SaaS or otherwise) adopted SigV4 other than AWS?
|
| Seems like a solid protocol (though a lot to implement in a
| client, that can be encapsulated in an SDK)

| et1337 wrote:
| We use a flavor of SigV4 for our REST and gRPC APIs at
| StrongDM[1]
|
| [1] https://www.strongdm.com/

| edoceo wrote:
| I'm using signatures, influenced by AWS and ActivityPub specs
| for some of our APIs. But I'm using Sodium for the
| hashing/signing.

| jaytaylor wrote:
| Is there a benefit to companies all using the exact same web
| service request signature scheme?
|
| One downside is that it would make widespread web service API
| abuse even easier than it already is. One would need to
| understand even less about the mechanics and workings of
| same-scheme services across companies. Yes, this is security
| through obscurity, but why leave more surface area open than
| necessary?
|
| Malicious actors will certainly appreciate it!

| whartung wrote:
| > Is there a benefit to companies all using the exact same
| > web service request signature scheme?
|
| Well, there are some things to consider.
|
| First, Amazon AWS is a very rich target. It hosts a very
| large quantity of services that would be ripe for
| exploitation. I'm sure attackers would love to find holes in
| the AWS mechanism.
|
| Second, because of number 1, I'm sure the AWS services are
| not only a prime target for attack, but also actively being
| attacked.
| By both nefarious black hat ne'er-do-wells and state-level
| agencies. I would fully expect US, Russian, Chinese and other
| state intelligence agencies to be very interested in an exploit
| of something as ripe as the AWS system.
|
| Third, Amazon has the motivation, due to number 1, to keep on
| top of and ensure that its technique is sound and robust. Not
| only that, it has the resources to do it.
|
| Fourth, the technique is open, and documented, and available to
| all. No skullduggery is required at an algorithm level to
| analyze it and understand it. Thesis-seeking white hat PhD
| students can have at it and advance the field.
|
| So, if there were to be "one algorithm", Amazon and AWS have
| the experience and know-how to hold theirs up high on a
| pedestal labeled "You could do a lot worse".

| phnofive wrote:
| Wasn't clear to me who wrote this or why, so:
|
| > I'm Colm MacCarthaigh, a VP and Distinguished Engineer at
| > Amazon Web Services, and this website is my blog.

| capableweb wrote:
| > a VP and Distinguished Engineer at Amazon Web Services
|
| Any further translation on what VP and "Distinguished Engineer"
| mean here? It sounds like both of them are honorary and
| don't really mean much, but then "Distinguished" makes it
| seem they received some sort of Nobel prize of computing as
| well.
|
| And if neither of them really mean anything, then this guy is
| really "just" a developer right?

| Thaxll wrote:
| > And if neither of them really mean anything, then this guy
| > is really "just" a developer right?
|
| Probably yeah, he went to a coding bootcamp and was hired
| after that.

| BikiniPrince wrote:
| Colm is a fairly badass engineer. He was a senior principal
| when I left. Sounds like they made another level since then
| and he jumped into VP. Somewhat makes sense as he leads the
| business in both a technical and business sense. Amazon's
| traditional issue is they only know how to level managers.
| Turns out when the company starts accruing some really
| senior people you have to accommodate them.
|
| This is a fairly fluffy piece of writing. His internal
| writings were much deeper.

| bbgm wrote:
| Amazon has long had a VP-level engineer track (Peter
| Vosshall was the first IIRC). Colm is very rightly one.

| mcspiff wrote:
| Distinguished Engineer is the top "level" for engineers at
| Amazon. It's equivalent to a VP position for managers. So
| it's a job title, similar to Sr Engineer.

| argc wrote:
| What does '"just" a developer' mean?

| capableweb wrote:
| I specifically put quotes around it to avoid comments like
| yours. "Just" in terms of superfluous titles, not that
| becoming a developer is easy or anything. Seems I've
| managed to get my answers though, so thank you everyone
| (except argc)!

| slownews45 wrote:
| Yes, a developer title basically. But very senior.
|
| Comp is $950K++++ per year range.

| BikiniPrince wrote:
| I'm sure he has exceeded this by now. If you can afford to
| keep genius around then you should.
|
| It's hard to get familiar with engineers at Amazon. They
| have spokespersons who release things written by others
| and their external contribution process is difficult at
| best.
|
| It isn't a surprise people think he is a nobody. I still
| remember him after five years.

| jedberg wrote:
| Colm is an extremely smart engineer who has designed some
| really big systems. Distinguished is the title they give you
| when they want to pay you VP bucks so you stay at Amazon.

| pan69 wrote:
| In the org I work in "Distinguished" is simply a level of
| seniority (and pay grade). For engineers we have: grad ->
| engineer -> senior -> specialist -> principal -> chief ->
| distinguished.
|
| The further/higher you get you usually do less "programming"
| and more design/architectural, plus line management.
| pvg wrote:
| He's been on HN for ages
|
| https://news.ycombinator.com/user?id=colmmacc

| tptacek wrote:
| He's an extremely good Twitter follow, for what it's worth.

| ctvo wrote:
| Really? Looks like someone's blog on technical things that
| they're interested in and there's an 'About' link right where
| you'd expect that tells you who they are.
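Several comments in the thread turn on the same mechanism: gnabgib on the pre-shared secret that the service "farms" would otherwise have to hold, psanford on keeping the HMAC key inside a TPM, nielsole on day-scoped subkeys, and GauntletWizard on signing a canonical form rather than the wire bytes. The following is an added example written for this page; it is not code from the linked post, from AWS, or from any commenter. It implements the publicly documented SigV4 key schedule (four chained HMAC-SHA256 steps from "AWS4" + secret, scoped to date/region/service) and canonical request layout, signs a request as the client, then verifies it as a service host that has been handed only the day's scoped key. The credentials are the placeholder values used in the AWS documentation, the request and the client/host split are constructed for illustration, and the ECDSA derivation of SigV4A is deliberately not modelled because the page gives no specification for it.

```python
"""SigV4 key schedule, canonical request and signature: a worked example for this
thread (not code from the linked post, from AWS, or from any commenter).
Constructed inputs: the documentation placeholder credentials below, the sample
request, and the assumption that a service host holds only the scoped signing key."""
import hashlib
import hmac
from urllib.parse import quote

ACCESS_KEY = "AKIDEXAMPLE"                                # placeholder, not a real key
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"   # placeholder, not a real key


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def derive_signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """Documented SigV4 key schedule. The output is scoped to one date/region/service
    and does not reveal the long-term secret, but anyone holding it can sign in scope."""
    k_date = _hmac(("AWS4" + secret).encode("utf-8"), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def canonical_request(method: str, path: str, query: dict, headers: dict, body: bytes):
    """Normalise the request into the string that is actually signed: sorted and
    URI-encoded query, lower-cased header names with collapsed whitespace in values,
    SHA-256 of the body. Returns (canonical_request, signed_headers)."""
    canon_query = "&".join(f"{quote(k, safe='-_.~')}={quote(str(v), safe='-_.~')}"
                           for k, v in sorted(query.items()))
    norm = {k.strip().lower(): " ".join(v.split()) for k, v in headers.items()}
    signed_headers = ";".join(sorted(norm))
    canon_headers = "".join(f"{k}:{norm[k]}\n" for k in sorted(norm))
    canon = "\n".join([method.upper(), quote(path, safe="/-_.~"), canon_query,
                       canon_headers, signed_headers, sha256_hex(body)])
    return canon, signed_headers


def sign_request(signing_key: bytes, access_key: str, scope: str, amz_date: str,
                 method: str, path: str, query: dict, headers: dict, body: bytes) -> str:
    """Build the Authorization header. Only the scoped key is needed, not the secret."""
    canon, signed_headers = canonical_request(method, path, query, headers, body)
    sts = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, sha256_hex(canon.encode("utf-8"))])
    sig = hmac.new(signing_key, sts.encode("utf-8"), hashlib.sha256).hexdigest()
    return (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
            f"SignedHeaders={signed_headers}, Signature={sig}")


def verify_request(signing_key: bytes, authorization: str, method: str, path: str,
                   query: dict, headers: dict, body: bytes) -> bool:
    """Server side: recompute from the received request and compare in constant time.
    Credential scope comes from the header; X-Amz-Date is looked up case-insensitively."""
    fields = dict(p.strip().split("=", 1) for p in authorization.split(" ", 1)[1].split(","))
    access_key, scope = fields["Credential"].split("/", 1)
    amz_date = next(v for k, v in headers.items() if k.strip().lower() == "x-amz-date")
    expected = sign_request(signing_key, access_key, scope, amz_date,
                            method, path, query, headers, body)
    return hmac.compare_digest(expected, authorization)


def demo() -> dict:
    """Client signs with a key derived from the secret; a host holding only that scoped
    key verifies, rejects tampering, accepts byte-different but canonically equal
    headers, and can itself forge a signature for the same scope (not for another)."""
    date, region, service = "20150830", "us-east-1", "iam"
    scope, amz_date = f"{date}/{region}/{service}/aws4_request", "20150830T123600Z"
    method, path, body = "GET", "/", b""
    query = {"Action": "ListUsers", "Version": "2010-05-08"}
    headers = {"Host": "iam.amazonaws.com", "X-Amz-Date": amz_date,
               "Content-Type": "application/x-www-form-urlencoded; charset=utf-8"}
    client_key = derive_signing_key(SECRET_KEY, date, region, service)   # client holds SECRET_KEY
    auth = sign_request(client_key, ACCESS_KEY, scope, amz_date, method, path, query, headers, body)

    host_key = client_key                           # assumed: the host is given only this
    recased = {"host": "iam.amazonaws.com", "x-amz-date": amz_date,
               "content-type": "application/x-www-form-urlencoded;  charset=utf-8"}
    tampered = dict(query, Action="CreateUser")
    forged = sign_request(host_key, ACCESS_KEY, scope, amz_date, "POST", path, tampered, headers, body)
    return {
        "valid": verify_request(host_key, auth, method, path, query, headers, body),
        "tampered_rejected": not verify_request(host_key, auth, method, path, tampered, headers, body),
        "equivalent_bytes_verify": verify_request(host_key, auth, method, path, query, recased, body),
        "host_can_forge_same_scope": verify_request(host_key, forged, "POST", path, tampered, headers, body),
        "other_scope_key_differs": derive_signing_key(SECRET_KEY, date, region, "s3") != host_key,
    }


if __name__ == "__main__":
    print(demo())
```

The five results line up with the thread. The host verifies without ever seeing SECRET_KEY, which is the scoping gain SigV4 already provides; but the same scoped key lets that host mint a valid signature for a different request in the same date/region/service, which is the masquerading gnabgib says SigV4A's asymmetric derivation removes, and is why nielsole asks about the one-day validity window. The re-cased header set with doubled whitespace verifies against the original signature because the canonical form, not the bytes on the wire, is what was signed; that is exactly the property GauntletWizard objects to, and any verifier must make sure its canonicalisation matches the signer's byte for byte. psanford's TPM setup fits the first derivation step only: the initial HMAC key is "AWS4" + secret, so an HMAC object loaded into the TPM can produce k_date without the secret ever leaving it, which is why he asks whether SigV4A still starts from that HMAC.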