Amazon Cryptography

8 minutes reading
Tuesday, 4 Jul 2023 18:17, setiawan



Many Amazon Web Services (AWS) customer workloads handle sensitive and regulated information such as Payment Card Industry (PCI) data, Personally Identifiable Information (PII), and Protected Health Information (PHI). In this post, I show a method designed to protect such information for its whole lifetime. This method can improve your data security posture and can help meet the requirements of a privacy policy that fits your organization for protecting data at rest, in transit and in use.


One way to protect sensitive data is the field-level encryption feature of Amazon CloudFront. This feature encrypts selected sensitive fields of a request at the network edge, so those fields are protected from the moment they are ingested and stay encrypted as they travel through the application stack. Protecting sensitive data this early in its life cycle is a desirable security architecture. However, CloudFront field-level encryption can protect at most 10 fields, and only in HTTP(S) POST requests whose payload is HTML form-encoded.

If your needs exceed what CloudFront field-level encryption offers, for example because you must handle several payload formats, different HTTP methods, or more than 10 sensitive fields, you can implement field-level encryption yourself using the Lambda@Edge feature of CloudFront. Regarding the choice of encryption scheme, this problem calls for an asymmetric cryptosystem: the public key can be distributed openly to the CloudFront edge locations, while the private key stays safely stored at the core of the network. One of the most widely used asymmetric cryptosystems is RSA. Therefore, we will implement a Lambda@Edge function that uses RSA asymmetric encryption to protect an arbitrary number of fields in each HTTP(S) request. We will walk through the solution with a JSON payload example, although the method applies to any payload format.

A complicated part of any encryption solution is key management. To address this, I use AWS Key Management Service (KMS). KMS simplifies the solution and provides security and performance benefits that are detailed later.

You can protect data in transit between individual systems using Transport Layer Security (TLS), and data at rest in individual storage silos using volume encryption, object encryption, or table encryption. However, if you handle sensitive payloads, you may need additional protection that follows the data as it moves through the application stack. Advanced data protection techniques such as field-level encryption protect the sensitive fields inside the application payload while leaving the non-sensitive fields in the clear. This approach lets applications perform business operations on the non-sensitive fields without decrypting anything, and gives fine-grained control over which fields can be read by which part of the application.


The best practice for protecting sensitive information is to minimize its exposure throughout its lifetime. This means protecting data as early as possible at ingestion and ensuring that only authorized application components can access it, only when and as needed. CloudFront, combined with the flexibility of Lambda@Edge, provides a convenient environment at the network edge to protect sensitive data as it is ingested.

Because the systems behind the edge never see the sensitive data in plaintext, data exposure is minimized, which helps reduce your compliance footprint for audit purposes.

The idea behind field-level encryption is to protect the individual sensitive fields while preserving the structure of the application payload. The alternative is full payload encryption, where the whole payload becomes an opaque binary blob that is unusable until it is completely decrypted. With field-level encryption, the non-sensitive information that remains in plaintext stays useful for everyday business operations. Because the data structure is preserved, this method lowers the risk of breaking existing applications when you add data protection to them.


Figure 1 shows how the PII fields of a JSON document accepted by the application are converted from plaintext to ciphertext with field-level encryption, while the rest of the document is left untouched.


You can perform the plaintext-to-ciphertext conversion shown in Figure 1 with a Lambda@Edge function that implements field-level encryption. I discuss the encryption and decryption sides separately in the following sections.

Figure 2 shows CloudFront invoking a Lambda@Edge function while processing a client request. CloudFront offers several integration points at which a Lambda@Edge function can be invoked. Since you are processing client requests and your encryption behavior concerns the request that is sent to the origin server, you want your function to run on the origin request event. The origin request event is an internal CloudFront transition that occurs just before CloudFront forwards the request to the origin server.

You can integrate your Lambda@Edge function with CloudFront as described in Adding triggers using the CloudFront console. A screenshot of the CloudFront console is shown in Figure 3. The selected event type is Origin Request, and the Include body checkbox is ticked so that the request body is passed to Lambda@Edge.

The Lambda@Edge function acts as a programmatic hook in CloudFront's request processing. You can use it to replace the incoming request body with one in which the sensitive fields have been encrypted.


You can create an RSA customer master key (CMK) in KMS as described in Creating an asymmetric CMK. This is done once, during system setup.

Note: You can also use existing RSA key pairs or generate new ones outside KMS with OpenSSL commands, for instance if you need to perform RSA decryption and key management without KMS. Your choice does not affect the encryption model presented here.

Generating an RSA key in KMS requires two inputs: the key length and the usage type. In this example, I created a 2048-bit key and set its usage to encryption and decryption. The RSA CMK configuration created in KMS is shown in Figure 4.


Of the two encryption algorithms shown in Figure 4, RSAES_OAEP_SHA_256 and RSAES_OAEP_SHA_1, this example uses RSAES_OAEP_SHA_256. The combination of a 2048-bit key with RSAES_OAEP_SHA_256 can encrypt at most 190 bits of data per operation, which is enough for most PII fields. You can choose a different key length and encryption algorithm depending on your security and performance needs. Choosing your CMK configuration includes information about the RSA key specifications for encryption and decryption.


Using KMS to manage the RSA keys, rather than managing them yourself, removes this complexity and can help you:

You need to export the RSA public key from KMS so you can include it in the Lambda deployment package. You can do this in the AWS Management Console, through the KMS SDK, or with the get-public-key command of the AWS Command Line Interface (CLI). Figure 5 shows the Copy and Download options on the Public key tab of the KMS console.

Note: As the example code in step 3 shows, we bundle the public key into the Lambda@Edge deployment package. This is acceptable practice because public keys in asymmetric cryptosystems are not secret and can be distributed freely to any party that needs to encrypt. Alternatively, the Lambda@Edge function could query KMS for the current public key at run time. However, this adds latency, consumes KMS API request quota in your account, and increases cost. The general pattern for using external data in Lambda@Edge is described in External Data in Lambda@Edge.

Step 2 – CloudFront handles HTTP API requests

CloudFront receives the HTTP(S) request from the client. While processing the request, CloudFront invokes the Lambda@Edge function and passes the HTTP request, including its body, in the invocation event.


The Lambda@Edge function parses the HTTP request body, extracts the sensitive data fields, and RSA-encrypts their values.

The event structure passed to the Lambda@Edge function is described in Lambda@Edge Event Structure. After parsing the event, you can extract the body of the HTTP request. In this example, the assumption is that the HTTP payload is a JSON document with a known schema defined as part of the API contract. The function parses the JSON document into a Python dictionary, and Python's native dictionary operations are then used to pull out the sensitive field values.
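The following block is an added example, not the post's own code, of what such an origin-request handler looks like end to end: it reads the Lambda@Edge event, decodes the body, encrypts only the sensitive fields with RSA-OAEP(SHA-256), and returns the request with a replaced body. It uses the `cryptography` package; the key pair is generated in-process purely as a stand-in for the KMS CMK, and `decrypt_field` stands in for the `kms:Decrypt` call the origin would make. The field names `ssn` and `credit_card`, the URI and all sample values are constructed. It also enforces the OAEP plaintext limit from RFC 8017, k - 2*hLen - 2 bytes, which for a 2048-bit key and SHA-256 is 256 - 64 - 2 = 190, and refuses to forward a body that CloudFront has truncated (the `inputTruncated` flag), since encrypting a partial document would silently corrupt the request.

```python
"""Field-level encryption in a Lambda@Edge origin-request handler (added example)."""
import base64
import json

from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# Constructed stand-in for the KMS asymmetric CMK: 2048-bit RSA, used with
# OAEP/SHA-256 (RSAES_OAEP_SHA_256 in KMS terms). In production only the PEM
# public key below ships in the deployment package; the private key never leaves KMS.
PRIVATE_KEY_FOR_DEMO = rsa.generate_private_key(public_exponent=65537, key_size=2048)
PUBLIC_KEY_PEM = PRIVATE_KEY_FOR_DEMO.public_key().public_bytes(
    serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo
)

OAEP_SHA256 = padding.OAEP(
    mgf=padding.MGF1(algorithm=hashes.SHA256()), algorithm=hashes.SHA256(), label=None
)

# Hypothetical field names taken from the API contract; everything else stays plaintext.
SENSITIVE_FIELDS = ("ssn", "credit_card")


def max_plaintext_bytes(public_key) -> int:
    """RFC 8017 OAEP limit: k - 2*hLen - 2 (190 for a 2048-bit key with SHA-256)."""
    return public_key.key_size // 8 - 2 * hashes.SHA256.digest_size - 2


def encrypt_field(value: str, public_key_pem: bytes) -> str:
    """Encrypt one value with RSA-OAEP-SHA256 and base64 it so it fits in JSON."""
    public_key = serialization.load_pem_public_key(public_key_pem)
    data = value.encode("utf-8")
    limit = max_plaintext_bytes(public_key)
    if len(data) > limit:
        # A field longer than the limit needs a different scheme (e.g. envelope encryption).
        raise ValueError(f"field is {len(data)} bytes, OAEP limit is {limit}")
    return base64.b64encode(public_key.encrypt(data, OAEP_SHA256)).decode("ascii")


def decrypt_field(token: str, private_key) -> str:
    """Origin-side counterpart; in production this is a kms:Decrypt call."""
    return private_key.decrypt(base64.b64decode(token), OAEP_SHA256).decode("utf-8")


def encrypt_payload(payload: dict, public_key_pem: bytes) -> dict:
    """Copy of the JSON document with only SENSITIVE_FIELDS replaced by ciphertext."""
    out = dict(payload)
    for name in SENSITIVE_FIELDS:
        if out.get(name) is not None:
            out[name] = encrypt_field(str(out[name]), public_key_pem)
    return out


def decrypt_payload(protected: dict, private_key) -> dict:
    """Reverse of encrypt_payload, as the origin would do it."""
    out = dict(protected)
    for name in SENSITIVE_FIELDS:
        if out.get(name) is not None:
            out[name] = decrypt_field(out[name], private_key)
    return out


def parse_body(request: dict) -> dict:
    """Decode the body carried in a Lambda@Edge request (encoding is 'base64' or 'text')."""
    body = request["body"]
    raw = base64.b64decode(body["data"]) if body["encoding"] == "base64" else body["data"]
    return json.loads(raw)


def lambda_handler(event, context=None):
    """Lambda@Edge origin-request handler: rewrite the request body in place."""
    request = event["Records"][0]["cf"]["request"]
    body = request["body"]
    if body.get("inputTruncated"):
        # CloudFront exposes only a prefix of oversized bodies; never forward a partial document.
        raise ValueError("request body truncated by CloudFront; refusing to encrypt")
    protected = encrypt_payload(parse_body(request), PUBLIC_KEY_PEM)
    body["action"] = "replace"
    body["encoding"] = "text"
    body["data"] = json.dumps(protected)
    return request


def make_event(payload: dict) -> dict:
    """Constructed Lambda@Edge origin-request event carrying a base64 JSON POST body."""
    data = base64.b64encode(json.dumps(payload).encode()).decode()
    return {"Records": [{"cf": {"request": {
        "method": "POST", "uri": "/api/customers",
        "body": {"inputTruncated": False, "action": "read-only",
                 "encoding": "base64", "data": data},
    }}}]}


if __name__ == "__main__":
    sample = {"name": "Jane Doe", "ssn": "123-45-6789", "credit_card": "4111111111111111"}
    req = lambda_handler(make_event(sample))  # constructed sample, not real PII
    print(json.dumps(parse_body(req), indent=2))
```

`make_event` mirrors the fields the real event carries (`inputTruncated`, `action`, `encoding`, `data`); the handler only mutates `body`, which is how a Lambda@Edge function signals CloudFront to forward a replaced body.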

Note: If you don't know the structure of your API payloads in advance, or you are dealing with unstructured payloads, you can use techniques such as pattern matching and statistical analysis to find sensitive data patterns and target them accordingly. For example, credit card primary account numbers carry a Luhn checksum that can be verified programmatically to identify them. In addition, services such as Amazon
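As an added example (not the post's code) of the pattern-plus-checksum approach mentioned above, the block below walks a JSON document of unknown shape and returns the paths of values that look like a card number: 13 to 19 digits, optionally separated by spaces or dashes, that pass the Luhn check. The sample document and the numbers in it are constructed; 4111 1111 1111 1111 is the standard test number, not a real card. Paths found this way would feed the list of fields to encrypt.

```python
"""Luhn-based discovery of card-number-like fields in untyped JSON (added example)."""
import re

# 13 to 19 digits with optional single spaces or dashes between groups, not
# embedded in a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn mod-10 check over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pan_like(text: str) -> list:
    """Return the digit-only form of every substring that looks like a PAN."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def pan_paths(obj, prefix: str = "") -> list:
    """Dotted paths of string leaves in a nested dict/list that contain a PAN-like value."""
    paths = []
    if isinstance(obj, dict):
        for key, val in obj.items():
            paths.extend(pan_paths(val, f"{prefix}.{key}" if prefix else str(key)))
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            paths.extend(pan_paths(val, f"{prefix}[{idx}]"))
    elif isinstance(obj, str) and find_pan_like(obj):
        paths.append(prefix)
    return paths


# Constructed sample document: one real-looking card number, one order id
# of similar length that fails the checksum, and a phone number.
SAMPLE_DOC = {
    "customer": {"name": "Jane Doe", "phone": "555-0100-0000"},
    "payment": {"card": "4111-1111-1111-1111", "order_ref": "1234567890123"},
    "notes": ["call back", "card ending 1111"],
}

if __name__ == "__main__":
    print(pan_paths(SAMPLE_DOC))
```

The regex only proposes candidates; the Luhn check is what rejects look-alikes such as the 13-digit order reference, which keeps false positives (and needless encryption of harmless fields) down.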
