Sunday, March 21, 2021

AWS security - Symmetric and Asymmetric keys introduction

 AWS - Security

Today's topics

- ACM - AWS Certificate Manager

ACM (CA) -> KMS

KMS
- Symmetric keys
- Asymmetric keys - ELB (https)

We have plaintext data that is either stored (at rest) or moving over the network (in transit).

plain text
- storage (saved - at rest)
- data in transit (network)

stored data
- anyone who has access can read it
- delete it
- modify it

This data needs to be converted to another form that people normally can't read.
The converted form is cipher text, and the process is called encryption.

Decrypt to get the data back in its original form.

When the same key is used to encrypt and to decrypt, that is symmetric encryption.
- openssl is one tool that does it

symmetric algorithm
- aes256 (AES with a 256-bit key)

We can use a symmetric/shared key to encrypt the data. Once the cipher text (cipher blob) is created, you store it and use the same key to decrypt it later. Whoever holds that key can read everything encrypted under it, so protecting the key is the whole problem.


KMS (Key Management Service) is where AWS stores and protects the key for you.

Lets take a look with example
---------------------------------------

1. Log in to the AWS console

go to S3

- we store data in S3.
By default, data uploaded to S3 was not encrypted when these notes were written (since January 2023 S3 applies SSE-S3 to new objects unless you choose something else).

How to encrypt your objects in S3:

we can use a symmetric key to encrypt this kind of data.
go to your S3 bucket and

You can encrypt your data in S3 in 3 ways
1. Amazon manages the key - S3-managed key (SSE-S3)
2. Using a KMS key - a key you create in KMS, or key material you import into KMS (SSE-KMS)
3. Customer provides the key with every request from their own machine; S3 does not keep it (SSE-C)

In all three cases S3 does the encryption on its side, which is why it is called server-side encryption (SSE); the difference is who holds and manages the key.
1. With the S3-managed key it is called SSE-S3
2. With a KMS key it is called SSE-KMS
3. With a customer-provided key it is called SSE-C

SSE-S3
- S3 uses a unique data key for every object, and that data key is itself encrypted under a master key that S3 rotates.
file1 - key2
file2 - key4
file3 - key1

SSE-KMS


Go to S3
- create a bucket
name: mybuk1232
Default encryption is disabled; leave it that way for now

just create the bucket

go to the bucket and upload a file


By default, the uploaded file is not encrypted.

The data so far is plaintext, not encrypted.
click on the bucket -> Properties
go to the Default encryption section
select Enable
you have these options
encryption types
- Amazon S3 key (SSE-S3)
- AWS Key Management Service key (SSE-KMS)
-

(SSE-C cannot be a bucket default, because S3 never stores the customer key; it is supplied on each request.)

If you also have data you don't want encrypted, keep it in a separate bucket.
Copy only the data you want encrypted into this one. Default encryption applies to objects uploaded after you enable it; objects already in the bucket stay as they were.

now, go back and upload new data.
As soon as you upload, behind the scenes S3 takes one of its unique keys and encrypts the file.

Open the object and go to the Encryption section
Server-side encryption is shown as enabled.

If you want to use the file, you just download it; behind the scenes S3 decrypts it, as long as your identity is allowed to read the object.

If you want a different encryption type,
go to the bucket, bucket Properties, and switch to the AWS KMS option.

Go to the KMS service and create a key
select Symmetric
- key material origin: KMS
- alias: key-for-s3

Skip the rest and click Finish. With no key administrators or key users chosen, the default key policy only lets the account root (and IAM policies in that account) use the key; anyone else who needs to read SSE-KMS objects also needs kms:Decrypt on this key.

now, go back to your bucket
go to Properties
Default encryption
and choose the AWS Key Management Service key (SSE-KMS) option
choose from your KMS keys and select your key

click Save.


You can audit use of your keys: every KMS API call (Encrypt, Decrypt, GenerateDataKey, ...) is logged in CloudTrail, so SSE-KMS also gives you a record of who decrypted what, which SSE-S3 does not.



go to your Windows system
- install openssl and the AWS CLI

use the AWS command line
> aws s3 cp myfile s3://testbucket123

the file is uploaded to that bucket.

If the bucket has default encryption enabled, the file is encrypted under it on upload; an upload from the CLI gets the same treatment as one from the console.
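The console steps above, done with the AWS CLI, plus the check that a given object really is encrypted. This is an added example, not part of the original notes: bucket name and KMS key alias are placeholders, and the aws calls need credentials, so they sit in functions and only the configuration builder runs offline.

```shell
# Added example (not from the original post): set S3 default encryption from the CLI
# and verify per object. Bucket/key names are placeholders; "aws" calls need credentials.
set -e

# sse_config <SSE-S3|SSE-KMS> [kms key id, alias or ARN]: the JSON that
# put-bucket-encryption expects. BucketKeyEnabled makes S3 wrap per-object keys
# under one bucket-level key, cutting the number of KMS calls (and CloudTrail noise).
sse_config() {
  case "$1" in
    SSE-S3)
      printf '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"}}]}' ;;
    SSE-KMS)
      [ -n "$2" ] || { echo "SSE-KMS needs a key id" >&2; return 1; }
      printf '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"aws:kms","KMSMasterKeyID":"%s"},"BucketKeyEnabled":true}]}' "$2" ;;
    *) echo "unknown mode: $1" >&2; return 1 ;;
  esac
}

# set_default_encryption <bucket> <SSE-S3|SSE-KMS> [key]  (not executed here)
set_default_encryption() {
  aws s3api put-bucket-encryption --bucket "$1" \
    --server-side-encryption-configuration "$(sse_config "$2" "$3")"
}

# object_encryption <bucket> <key>: prints AES256 (SSE-S3), aws:kms (SSE-KMS), or
# None for an object that is not encrypted. Default encryption only covers objects
# written after it was set, so check older objects explicitly.
object_encryption() {
  aws s3api head-object --bucket "$1" --key "$2" --query ServerSideEncryption --output text
}

# reencrypt_existing <bucket> <kms key>: objects that predate the default stay as
# they were; copying them onto themselves with new encryption attributes rewrites
# them under SSE-KMS.
reencrypt_existing() {
  aws s3 cp "s3://$1/" "s3://$1/" --recursive --sse aws:kms --sse-kms-key-id "$2"
}
```

Usage: set_default_encryption mybuk1232 SSE-KMS alias/key-for-s3, then object_encryption mybuk1232 myfile should print aws:kms for anything uploaded afterwards and None for anything uploaded before.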

now, let's say we don't want to use an AWS key.
we want our own customer key to encrypt


first let's create a key

> openssl enc -aes-128-cbc -k mykey1 -P
key=.......
iv  = ..............

(-P only prints the key and IV derived from the password "mykey1" and a random salt; it does not encrypt anything.)

key is created.

now, use this key to encrypt

google 'aws s3 cp cli'

look for the cp command
--sse-c <value>
this option enables customer-provided key encryption; AES256 is the only valid value, and --sse-c-key takes the raw key bytes (not base64), so pass it from a file with fileb://

> aws s3 cp myfile.txt s3://testbucket123 --sse-c AES256 --sse-c-key <key>

file is uploaded.

go to the bucket

but we have a problem.
after googling, it turns out a 128-bit key is not supported
SSE-C only supports AES-256, so the key must be exactly 32 bytes

generate a new 256-bit key and try again
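An added example covering both the symmetric-key section near the top and the SSE-C upload here; it is not part of the original notes. It generates a 256-bit key, proves the key round-trips locally with openssl (and that a different key does not), and then shows the same raw key handed to S3. Bucket and file names are placeholders, and the aws calls are wrapped in functions because they need credentials and a real bucket; everything else runs offline with openssl.

```shell
# Added example (not from the original post): 256-bit key for SSE-C, checked locally first.
# SSE-C accepts only AES-256, so the 16-byte key from "openssl enc -aes-128-cbc ... -P"
# is rejected; the key must be exactly 32 raw bytes.
set -e
WORK=$(mktemp -d)

# 32 random bytes, stored raw (not hex, not base64) because "--sse-c-key fileb://"
# wants the raw key. Whoever can read this file can read the objects, so lock it down.
gen_key256() { openssl rand -out "$1" 32; chmod 600 "$1"; }
key_len()    { wc -c < "$1" | tr -d ' '; }
key_hex()    { od -An -tx1 -v "$1" | tr -d ' \n'; }   # openssl enc -K wants hex

# Local AES-256-CBC round trip with a random IV. The IV is not secret and travels with
# the ciphertext. openssl enc adds no integrity check, so CBC output can be altered
# without detection; it is fine for a key sanity check, not as a storage format.
encrypt_local() {  # <plain> <enc> <keyfile> <ivhex>
  openssl enc -aes-256-cbc -K "$(key_hex "$3")" -iv "$4" -in "$1" -out "$2"
}
decrypt_local() {  # <enc> <plain> <keyfile> <ivhex>
  openssl enc -d -aes-256-cbc -K "$(key_hex "$3")" -iv "$4" -in "$1" -out "$2" 2>/dev/null
}

# roundtrip_ok: the same key decrypts; a different key fails or yields garbage.
roundtrip_ok() {
  gen_key256 "$WORK/k1.bin"; gen_key256 "$WORK/k2.bin"
  iv=$(openssl rand -hex 16)
  printf 'account=john\nbalance=1000\n' > "$WORK/plain.txt"   # constructed sample data
  encrypt_local "$WORK/plain.txt" "$WORK/plain.enc" "$WORK/k1.bin" "$iv"
  decrypt_local "$WORK/plain.enc" "$WORK/plain.dec" "$WORK/k1.bin" "$iv"
  cmp -s "$WORK/plain.txt" "$WORK/plain.dec" || { echo "same-key failed"; return 1; }
  if decrypt_local "$WORK/plain.enc" "$WORK/wrong.dec" "$WORK/k2.bin" "$iv" \
     && cmp -s "$WORK/plain.txt" "$WORK/wrong.dec"; then echo "wrong-key decrypted"; return 1; fi
  echo yes
}

# The S3 REST API carries the key base64-encoded plus a base64 MD5 of the raw key as an
# integrity check. "aws s3 cp" computes both for you; a direct API/SDK call needs them.
key_b64()     { openssl base64 -A -in "$1"; }
key_md5_b64() { openssl dgst -md5 -binary "$1" | openssl base64 -A; }

# aws CLI calls (not executed here). Download needs the same two flags and the same key:
# S3 never stores it, so a lost key means a lost object.
upload_ssec()   { aws s3 cp "$1" "s3://$2/" --sse-c AES256 --sse-c-key "fileb://$3"; }   # <file> <bucket> <keyfile>
download_ssec() { aws s3 cp "s3://$2/$1" "./$1" --sse-c AES256 --sse-c-key "fileb://$3"; } # <object> <bucket> <keyfile>
```

Usage: gen_key256 sse-c.key, then upload_ssec myfile.txt testbucket123 sse-c.key. Without the key S3 returns an error on GET rather than the object, which is the point of SSE-C.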

===========================

Asymmetric Key
---------------------

Let's say you have a web server with a login page asking for username and password.
Hundreds of users use the service from all over the world.

When data is transferred on the wire, it should always be encrypted.

On the client side the data is encrypted, the cipher text goes over the network, and the server receives it.
- the server needs the key to decrypt it

The client has a key, and the challenge is getting that key to the server safely.
With hundreds of clients there are hundreds of keys, one per client.
That is a hard problem, so a symmetric key alone cannot solve it.

Since the same symmetric key both encrypts and decrypts, sending it over the same untrusted network defeats the purpose.

we will use an asymmetric key

asymmetric key
- private key
- public key

Asymmetric key generation produces a pair of keys; we use the public key to encrypt the data.

public key -> data -> encrypt -> to the key owner -> decrypt -> using the private key

Never share the private key with anyone; the public key is meant to be shared.

There are several asymmetric algorithms
DSA
RSA
ECDSA (elliptic curve)
and more

we have a server and hundreds of clients

server        c1, c2, c3, c4, c5 .....

We create the public and private key on the server side.
- the private key is saved on the server's local disk or in KMS
- the public key is published; clients download it and use it

Now, say client 1 wants to send data.
Client 1 creates its own symmetric key, say c1key, and encrypts the data with it.
Client 2 likewise encrypts with its own key, c2key.
Each browser then downloads the server's public key, encrypts its symmetric key with it, and sends the wrapped key together with the encrypted data to the server.
- The server can unlock it because it holds the private key: it recovers c1key with the private key, then decrypts the data with c1key.

So the bulk data is encrypted with a symmetric key, and the asymmetric key is used only to deliver that symmetric key to the server.
This is the idea behind the SSL/TLS handshake. (Current TLS versions agree on the session key with ephemeral Diffie-Hellman rather than encrypting it to the server's RSA key, but the split between an asymmetric key exchange and symmetric bulk encryption is the same.)


Uses of asymmetric keys
- the public/private pair lets client and server perform a handshake
   encryption/decryption

- checking signatures
  validating that data really came from the holder of the private key and was not altered

Data transferred over http is not secure; it is plaintext.
Data transferred over https goes over an encrypted connection.


When you connect to your bank through your browser, your browser gets the bank's public key from the server's certificate (issued by a CA; ACM issues these for AWS load balancers) and uses it to set up the encrypted tunnel.
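The exchange described above, as an added example that is not part of the original notes: the client makes a fresh symmetric key, encrypts the data with it, and ships that key wrapped under the server's public key; only the server's private key can unwrap it. It runs offline with openssl; server.key, server.pub and the client files are local placeholders for the server's key pair (which in the notes lives on the server or in KMS) and the clients' uploads.

```shell
# Added example (not from the original post): hybrid encryption, two clients and one
# server key pair, done with openssl in a temp directory.
set -e
WORK=$(mktemp -d)

# Server side, once: the public half is what a browser gets inside the certificate;
# the private half stays on the server (or in KMS).
server_keygen() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/server.key" 2>/dev/null
  openssl pkey -in "$WORK/server.key" -pubout -out "$WORK/server.pub"
}

# Client side. client_send <plaintext file> <outdir> produces what goes on the wire:
#   data.enc    the data under a fresh AES-256-CBC key
#   iv.hex      the IV (not secret)
#   key.wrapped the AES key encrypted to the server's public key with RSA-OAEP-SHA256
client_send() {
  k=$(openssl rand -hex 32); iv=$(openssl rand -hex 16)
  openssl enc -aes-256-cbc -K "$k" -iv "$iv" -in "$1" -out "$2/data.enc"
  printf '%s' "$iv" > "$2/iv.hex"
  printf '%s' "$k" | openssl pkeyutl -encrypt -pubin -inkey "$WORK/server.pub" -out "$2/key.wrapped" \
      -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256
}

# Server side. server_receive <indir> <plaintext out>: unwrap the client's key with the
# private key, then decrypt the data with it. No per-client secret had to be pre-shared.
server_receive() {
  k=$(openssl pkeyutl -decrypt -inkey "$WORK/server.key" -in "$1/key.wrapped" \
      -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256)
  openssl enc -d -aes-256-cbc -K "$k" -iv "$(cat "$1/iv.hex")" -in "$1/data.enc" -out "$2"
}

# exchange_demo: two clients, each with its own key, against one server key pair.
exchange_demo() {
  server_keygen
  for c in c1 c2; do
    mkdir -p "$WORK/$c"
    printf 'user=%s\npw=hunter2\n' "$c" > "$WORK/$c/login.txt"   # constructed form post
    client_send "$WORK/$c/login.txt" "$WORK/$c"
    server_receive "$WORK/$c" "$WORK/$c/login.dec"
    cmp -s "$WORK/$c/login.txt" "$WORK/$c/login.dec" || { echo "mismatch $c"; return 1; }
  done
  echo "2 clients ok"
}
```

Anyone who captures data.enc, iv.hex and key.wrapped learns nothing without server.key; that is why the private key is the thing to protect, and why losing it retroactively exposes every session wrapped to it (the reason modern TLS prefers ephemeral key agreement).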


Go to AWS -> KMS
- Click Create key
- Select Asymmetric

Key usage
select Encrypt and decrypt
Key spec
- select RSA_2048
- RSA_3072
- RSA_4096


Add labels:
alias: myasymmetric-key

review, go all the way down, and click Finish

We can use this key to encrypt/decrypt data.

You use the public key to encrypt and the private key, which never leaves KMS, to decrypt.

Go to KMS
Customer managed keys
click on your key
and go to the Public key tab

You can download the public key
-----BEGIN PUBLIC KEY-----
...
-----END PUBLIC KEY-----

Now, what we are going to do:
we have a file, we lock (encrypt) it with the public key, and we use the private key in KMS to decrypt it.


go to your PC

> notepad secure.txt
Credit Card # 11213434
login id: john
pw: mypassword

let's encrypt it

> openssl rsautl -help

some of the options

-in infile
-out outfile
-pubin
-inkey val
-encrypt
-decrypt

(rsautl is deprecated in OpenSSL 3; pkeyutl takes the same job with the same -in/-out/-pubin/-inkey options.)

> openssl rsautl -encrypt -in secure.txt -out secure_enc.txt -pubin -inkey publickey-.....pem

The public key is the one you downloaded from the console.

now secure_enc.txt is the encrypted file

you cannot read the encrypted file

> notepad secure_enc.txt

The only way to decrypt it is through KMS, because the private key never leaves KMS.

google for the aws kms cli

there is a decrypt command

> aws kms decrypt --key-id <key_id> --ciphertext-blob fileb://secure_enc.txt
get the key id from KMS
the blob is the file; fileb:// makes the CLI read it as raw bytes

got an error
InvalidCiphertextException

For an RSA key you have to tell KMS which padding the ciphertext uses, with --encryption-algorithm (RSAES_OAEP_SHA_1 or RSAES_OAEP_SHA_256). Plain "rsautl -encrypt" is PKCS#1 v1.5, which KMS does not accept at all, so the file has to be encrypted with OAEP.

> openssl rsautl -encrypt -oaep -in secure.txt -out secure_enc.txt -pubin -inkey publickey-.....pem


again error

-oaep in rsautl means OAEP with SHA-1, so the decrypt call needs one more option to match it:
--encryption-algorithm RSAES_OAEP_SHA_1

The Plaintext field that comes back is base64-encoded, so
google for base64 to encode/decode the data
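An added example for the encrypt-with-public-key, decrypt-in-KMS flow above; it is not part of the original notes. A locally generated RSA-2048 key pair stands in for the KMS key so the round trip runs offline; with a real KMS key you would use the downloaded public key for the encrypt step and the aws kms call (shown but not executed) for the decrypt step. Key id and file names are placeholders.

```shell
# Added example (not from the original post): RSA-OAEP-SHA256 encrypt/decrypt with openssl,
# matching the KMS algorithm RSAES_OAEP_SHA_256, plus the size limit that pushes anything
# larger than a small secret towards envelope encryption.
set -e
WORK=$(mktemp -d)

# Stand-in for "Create key -> Asymmetric -> RSA_2048". With KMS the private half never
# leaves the service; here it is a file so the decrypt side can run offline.
gen_rsa2048() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/private.pem" 2>/dev/null
  openssl pkey -in "$WORK/private.pem" -pubout -out "$WORK/public.pem"
}

# rsa_oaep_sha256_encrypt <plaintext> <out> <pubkey>: OAEP with SHA-256 for both the hash
# and MGF1. "rsautl -oaep" is OAEP with SHA-1 (RSAES_OAEP_SHA_1); plain "rsautl -encrypt"
# is PKCS#1 v1.5, which KMS rejects with InvalidCiphertextException.
rsa_oaep_sha256_encrypt() {
  openssl pkeyutl -encrypt -pubin -inkey "$3" -in "$1" -out "$2" \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256
}

# rsa_oaep_sha256_decrypt <ciphertext> <out> <privkey>: what KMS does on its side.
rsa_oaep_sha256_decrypt() {
  openssl pkeyutl -decrypt -inkey "$3" -in "$1" -out "$2" \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256
}

# kms_decrypt <ciphertext> <key id>: the CLI call for a real KMS RSA key (not executed
# here). --encryption-algorithm must name the padding used at encrypt time, and the
# Plaintext field comes back base64-encoded, so decode it.
kms_decrypt() {
  aws kms decrypt --key-id "$2" --ciphertext-blob "fileb://$1" \
    --encryption-algorithm RSAES_OAEP_SHA_256 --output text --query Plaintext | openssl base64 -d
}

# roundtrip: constructed secret -> public key encrypt -> private key decrypt.
roundtrip() {
  gen_rsa2048
  printf 'Credit Card # 11213434\nlogin id: john\npw: mypassword\n' > "$WORK/secure.txt"  # constructed
  rsa_oaep_sha256_encrypt "$WORK/secure.txt" "$WORK/secure.enc" "$WORK/public.pem"
  rsa_oaep_sha256_decrypt "$WORK/secure.enc" "$WORK/secure.dec" "$WORK/private.pem"
  cmp -s "$WORK/secure.txt" "$WORK/secure.dec" && echo yes || echo no
}

# size_limit: RSA-2048 with OAEP-SHA256 holds at most 256 - 2*32 - 2 = 190 bytes. Bigger
# data is encrypted with a random AES key and only that key is RSA-encrypted.
size_limit() {
  [ -f "$WORK/public.pem" ] || gen_rsa2048
  openssl rand -out "$WORK/b190" 190; openssl rand -out "$WORK/b191" 191
  a=$(rsa_oaep_sha256_encrypt "$WORK/b190" "$WORK/b190.enc" "$WORK/public.pem" 2>/dev/null && echo ok || echo rejected)
  b=$(rsa_oaep_sha256_encrypt "$WORK/b191" "$WORK/b191.enc" "$WORK/public.pem" 2>/dev/null && echo ok || echo rejected)
  echo "190:$a 191:$b"
}
```

Usage with a real key: rsa_oaep_sha256_encrypt secure.txt secure.enc publickey-.....pem, then kms_decrypt secure.enc <key_id>. If the file was made with "rsautl -oaep" instead, change the algorithm in kms_decrypt to RSAES_OAEP_SHA_1; the two must agree.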


digital signature
- sign a file, producing a signature that travels with it


How do you check the integrity of data?
- everyone sending you data also sends a signature, in an agreed format
- in Gmail, open a message and look at its signature information
- check the signature against the sender's public key


Go to KMS
create a Sign and verify key
- same way as before
go to KMS
Create key, select Asymmetric, and for key usage select Sign and verify
once it is created, open it and view the public key
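What a sign-and-verify key is for, as an added example that is not part of the original notes: the private key signs a SHA-256 digest of the file, anyone holding the public key verifies it, and a one-byte change breaks verification. openssl stands in for KMS so it runs offline; the aws kms sign/verify calls are shown but not executed, and the key id is a placeholder.

```shell
# Added example (not from the original post): RSA signatures with openssl, same scheme
# as the KMS signing algorithm RSASSA_PKCS1_V1_5_SHA_256.
set -e
WORK=$(mktemp -d)

# Local stand-in for the KMS sign/verify key pair.
gen_signing_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/sign.pem" 2>/dev/null
  openssl pkey -in "$WORK/sign.pem" -pubout -out "$WORK/sign-pub.pem"
}

# sign_file <file> <sig out> <privkey>: hash with SHA-256, sign the digest.
sign_file() { openssl dgst -sha256 -sign "$3" -out "$2" "$1"; }

# verify_file <file> <sig> <pubkey>: prints ok or bad. Only the public key is needed,
# which is why the public key can be handed to every recipient.
verify_file() {
  if openssl dgst -sha256 -verify "$3" -signature "$2" "$1" >/dev/null 2>&1; then echo ok; else echo bad; fi
}

# The equivalent calls against a real KMS sign/verify key (not executed here). KMS returns
# the signature base64-encoded; decoded, it can also be checked offline with verify_file
# and the public key downloaded from the console. Messages over 4096 bytes must be sent
# as a digest (--message-type DIGEST) rather than RAW.
kms_sign() {   # <key id> <file> <sig out>
  aws kms sign --key-id "$1" --message "fileb://$2" --message-type RAW \
    --signing-algorithm RSASSA_PKCS1_V1_5_SHA_256 --output text --query Signature | openssl base64 -d > "$3"
}
kms_verify() { # <key id> <file> <sig>
  aws kms verify --key-id "$1" --message "fileb://$2" --message-type RAW \
    --signing-algorithm RSASSA_PKCS1_V1_5_SHA_256 --signature "fileb://$3" --query SignatureValid
}

# sig_demo: sign a constructed message, verify it, then verify a tampered copy.
sig_demo() {
  gen_signing_key
  printf 'transfer 100 to acct 42\n' > "$WORK/msg.txt"        # constructed message
  sign_file "$WORK/msg.txt" "$WORK/msg.sig" "$WORK/sign.pem"
  good=$(verify_file "$WORK/msg.txt" "$WORK/msg.sig" "$WORK/sign-pub.pem")
  printf 'transfer 900 to acct 42\n' > "$WORK/tampered.txt"   # one digit changed
  bad=$(verify_file "$WORK/tampered.txt" "$WORK/msg.sig" "$WORK/sign-pub.pem")
  echo "$good $bad"
}
```

A signature proves origin and integrity, not secrecy: msg.txt is still readable by everyone. Encrypt-then-sign (or a signed, encrypted envelope) is needed when both are required.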

