AWS - Security
today's topic
- ACM - AWS Certificate Manager
ACM (CA) -> KMS
KMS
- Symmetric
- Asymmetric - ELB (https)
We have plaintext data -> storage - saved (at rest)
plain text
- storage (saved - at rest)
- data in transit (network)
stored data
- anyone who has access can read the data
- delete data
- modify data
This data needs to be converted to another form so that people normally can't read it.
The result of this process is ciphertext; the process itself is called encryption.
Decrypt to get the data back in its original form.
Using the same key to encrypt and the same key to decrypt is symmetric encryption.
- openssl is one of the tools
symmetric algorithm
- aes256
We can use a symmetric/shared key to encrypt the data. After the ciphertext (cipher blob) is created you store it, and later use the same key to decrypt it.
KMS is where you store the key.
Let's take a look at an example
---------------------------------------
1. Login to the aws dashboard
go to s3
- we store data @s3.
by default data uploaded to s3 is not encrypted.
how to encrypt your object in s3.
we can use a symmetric key to encrypt this kind of data.
go to your s3 bucket and
You can encrypt your data in s3 in 3 ways
1. Amazon manages the key - Managed Key (SSE-S3)
2. Using your own key - KMS - upload your own key to KMS and use it. (SSE-KMS)
3. customer - laptop - (SSE-C)
In methods 1 and 2 aws is encrypting your data; this is called server side encryption (SSE).
1. The managed key option is called SSE-S3
2. The KMS option is called SSE-KMS
3. Customer managed is called SSE-C
SSE-S3
- they use a unique key to encrypt every object.
file1 - key2
file2 - key4
file3 - key1
SSE-KMS
Go to S3
- create a bucket
name: mybuk1232
Default encryption is disabled; let's keep it that way
just create a bucket
go to the bucket and upload the file
by default, any uploaded file is not encrypted.
data until now is plaintext. not encrypted.
click on the bucket -> properties
go to the encryption section
select enable
you have three options
encryption types
- Amazon s3 key (sse-s3)
- aws key management service - sse-kms
-
if you don't want to encrypt all your data, create a new bucket.
Only copy the data that you want to encrypt there.
now, go back and upload new data.
as soon as you upload, behind the scenes, they use one of their unique keys and encrypt the file.
Go to encryption
and server-side encryption
server side encryption is enabled.
if you want to use the file, you can download it; behind the scenes, it is decrypted.
if you want a different encryption
go to bucket, bucket properties, aws kms service and change it.
go to the KMS service, and create a key
select symmetric key
- store in KMS
- alias : key-for-s3
skip all and click finish (only root is allowed)
now, go back to your bucket
go to properties
encryption
and choose the key from kms - sse-kms
choose from your kms master keys and select your key
click save.
you can audit your keys.
go to your windows system
- install openssl
use the aws command line
> aws s3 cp myfile s3://testbucket123
file is uploaded to the specific bucket.
by default, if the bucket has encryption enabled, the file will also be encrypted.
now, let's say we don't want to use an aws key.
we want a customer key to encrypt
first let's create a key
> openssl enc -aes-128-cbc -k mykey1 -P
key=.......
iv = ..............
key is created.
now, use this key to encrypt
google 'aws s3 cp cli '
look for the cp command
--sse-c <value>
this option enables customer-provided key encryption (SSE-C)
> aws s3 cp myfile.txt s3://testbucket123 --sse-c --sse-c-key <key>
file is uploaded.
go to the bucket
but we have a problem.
after googling, it turns out a 128 bit key is not supported
use aes256
generate a new key and try again
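An added example, not part of the original notes, covering the symmetric section (same key to encrypt and decrypt, AES-256 via openssl) and the SSE-C key problem hit above: an AES-256-CBC round trip on a local file, a key generator, and a check that rejects a 128-bit key before you ever call `aws s3 cp`. It also prints the three request headers S3 expects for SSE-C (algorithm, base64 key, base64 MD5 of the key), which is what the CLI sends for you. It assumes openssl 1.1.1 or newer on PATH; file names and passphrase are this example's own.

```sh
#!/bin/sh
# Added example (not from the original notes). Requires openssl >= 1.1.1.

# Symmetric: encrypt a file with AES-256-CBC, key derived from a passphrase.
# $1 = plaintext file, $2 = ciphertext output, $3 = passphrase
sym_encrypt() {
    openssl enc -aes-256-cbc -pbkdf2 -salt -pass "pass:$3" -in "$1" -out "$2"
}

# Same key (passphrase) decrypts: that is what makes it symmetric.
# $1 = ciphertext file, $2 = plaintext output, $3 = passphrase
sym_decrypt() {
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "pass:$3" -in "$1" -out "$2"
}

# Random key of N bits, base64-encoded (the form the S3 API wants).
make_key_b64() {   # $1 = bits
    openssl rand $(( $1 / 8 )) | openssl base64 -A
}

# SSE-C only accepts AES256, i.e. a 32-byte key. 16 bytes (aes-128) fails here
# instead of failing at upload time.
ssec_key_ok() {   # $1 = base64 key
    [ $(( $(printf '%s' "$1" | openssl base64 -A -d | wc -c) )) -eq 32 ]
}

# Base64 of the MD5 of the raw key, required alongside the key itself.
ssec_key_md5() {   # $1 = base64 key
    printf '%s' "$1" | openssl base64 -A -d | openssl dgst -md5 -binary | openssl base64 -A
}

# The headers S3 needs on a PUT/GET with a customer-provided key.
ssec_headers() {   # $1 = base64 key
    ssec_key_ok "$1" || { echo "SSE-C needs a 256-bit key" >&2; return 1; }
    printf 'x-amz-server-side-encryption-customer-algorithm: AES256\n'
    printf 'x-amz-server-side-encryption-customer-key: %s\n' "$1"
    printf 'x-amz-server-side-encryption-customer-key-MD5: %s\n' "$(ssec_key_md5 "$1")"
}

demo() {
    D=$(mktemp -d)
    printf 'login id: john\n' > "$D/secure.txt"      # constructed sample data
    sym_encrypt "$D/secure.txt" "$D/secure.enc" mykey1
    sym_decrypt "$D/secure.enc" "$D/secure.dec" mykey1
    cmp "$D/secure.txt" "$D/secure.dec" && echo "round trip ok"
    ssec_headers "$(make_key_b64 128)" || echo "(128-bit key rejected, as expected)"
    ssec_headers "$(make_key_b64 256)"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh sse_c_demo.sh demo`. Keep the base64 key: S3 does not store it, so an object written with SSE-C can only be read back by presenting the same key and MD5 again.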
===========================
Asymmetric Key
---------------------
let's say you have a web server and it has a login page asking for username and pw.
100s of users use the service from all over the world.
when data is transferred on the wire, it's always good to encrypt the data passing over the net.
on the client side, data is encrypted and passed over as ciphertext, and the server receives the encrypted data.
- the server needs a key to decrypt the data.
The client has a key and the challenge is to transfer the key to the server.
and there are hundreds of keys, one on each client.
so, this is a difficult challenge, so we can not use a symmetric key.
since a symmetric key is used to both encrypt and decrypt the data, in this case it is not useful
we will use an asymmetric key
asymmetric key
- private key
- public key
asym generates two keys and we use the public key to encrypt the data
public key -> data -> encrypt -> customer side -> decrypt data -> using private key
never share the private key with anyone, but share the public key.
There are a variety of asym keys
DSA
RSA
ECDSA
and more
we have a server and we have hundreds of clients
server c1, c2, c3, c4, c5 .....
we create the public and private key on the server side.
- we save the private key to local hard disk or KMS
- the public key, we share with the public and tell them to download it and use it.
now, let's say client1 wants to share the data.
client 1 will create a key, say c1key, and encrypt the data.
same way c2 also uses its own key c2key to encrypt data
now, our browser downloads the public key, encrypts the data (the client's own key) with it, and that data is transferred back to the server.
- the server can unlock it because the server now has the client's symmetric key as well as its private key, so the server can decrypt the data.
encrypting - the client's symmetric key is transmitted under the server's public key and the server decrypts it with the private key.
This process is part of the SSL/TLS handshake.
uses of asym keys
- having a public and private key helps the client and server handshake.
encryption/decryption
- checking signatures
validating user data.
when data is transferred using http it is not secure, it's plaintext
but when data is transferred using https, it's a secure connection and the data transmitted is secured.
when you connect to your bank through your browser, your browser downloads the public key and encrypts the data passed through the tunnel.
go to aws -> KMS
- Click on create a key
- Select asymmetric
key use
select encrypt and decrypt
key spec
- select RSA_2048
- RSA_3072
- RSA_4096
add labels:
alias: myasymmetric-key
just review and go all the way down, and click on finish
we can use this key to encrypt/decrypt the data.
you can use the public key to encrypt and the private key to decrypt.
go to KMS
and customer managed keys
click on your key
and go to public key
you can download your key
------begin public key file ---------
------End Public key file ----------
now, what we are going to do:
we have a file1.txt file and we will lock or encrypt the file with the public key and use the private key to decrypt it.
go to your pc
> notepad secure.txt
Credit Card # 11213434
login id: john
pw: mypassword
let's encrypt it
> openssl rsautl -help
some of the options
-in infile
-out outfile
-pubin
-inkey val
-encrypt
-decrypt
> openssl rsautl -encrypt -in secure.txt -out secret_enc.txt -pubin -inkey publickey-.....pem
the public key is the one you downloaded from the KMS console.
now, secure.txt is encrypted into secret_enc.txt
now, you can not read the encrypted file
> notepad secret_enc.txt
the only way to decrypt it is to use KMS in aws.
google for aws kms cli
there is a decrypt option
> aws kms decrypt --key-id <key_id> --ciphertext-blob fileb://sec_en.txt
get the key id from kms
blob is the file
got an error
InvalidCiphertextException
you have to provide the algorithm type
> openssl rsautl -encrypt -oaep -in secret.txt -out secret-en.txt -pubin -inkey publicKey-.....pem
again error
-oaep
we have to pass one more option
google for base64 to encode/decode the data
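An added example, not from the original notes, that does the whole hybrid scheme from the handshake description above locally with openssl: the server makes an RSA key pair, the client wraps a fresh 256-bit data key with the public key and encrypts the file under that key, and the server unwraps the data key with its private key. It also reproduces the padding mismatch behind the errors above: a key wrapped with plain PKCS#1 v1.5 (what `rsautl` does without `-oaep`) cannot be unwrapped by an OAEP decrypt, and vice versa. The OAEP-SHA256 options here correspond to the KMS algorithm `RSAES_OAEP_SHA_256`, which is the value `aws kms decrypt --encryption-algorithm` needs for an RSA key (from the KMS API, not from these notes). Assumes openssl 1.1.1 or newer; file names are the example's own.

```sh
#!/bin/sh
# Added example (not from the original notes). Requires openssl >= 1.1.1.

# Server: generate the key pair. priv.pem stays on the server (or in KMS);
# pub.pem is what clients download.
server_make_keys() {   # $1 = working directory
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/priv.pem" 2>/dev/null
    openssl pkey -in "$1/priv.pem" -pubout -out "$1/pub.pem"
}

# RSA padding options. oaep with SHA-256 matches KMS RSAES_OAEP_SHA_256;
# pkcs1 is what rsautl uses when -oaep is omitted.
wrap_opts() {   # $1 = oaep|pkcs1
    if [ "$1" = pkcs1 ]; then
        echo "-pkeyopt rsa_padding_mode:pkcs1"
    else
        echo "-pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256"
    fi
}

# Client: fresh random 256-bit data key and IV, AES-256-CBC the file, then
# wrap the (hex) data key with the server's public key. The data key never
# touches disk in the clear. Writes data.enc, iv.hex and key.enc into $1.
client_encrypt() {   # $1 = dir holding pub.pem, $2 = plaintext, $3 = padding (default oaep)
    KEY=$(openssl rand -hex 32)
    openssl rand -hex 16 > "$1/iv.hex"
    openssl enc -aes-256-cbc -K "$KEY" -iv "$(cat "$1/iv.hex")" \
        -in "$2" -out "$1/data.enc"
    printf '%s' "$KEY" | openssl pkeyutl -encrypt -pubin -inkey "$1/pub.pem" \
        $(wrap_opts "${3:-oaep}") -out "$1/key.enc"
}

# Server: unwrap the data key with the private key (OAEP only), then decrypt
# the file. Returns non-zero if the wrapped key was made with other padding.
server_decrypt() {   # $1 = dir, $2 = plaintext output
    KEY=$(openssl pkeyutl -decrypt -inkey "$1/priv.pem" -in "$1/key.enc" \
        $(wrap_opts oaep) 2>/dev/null) || return 1
    [ -n "$KEY" ] || return 1
    openssl enc -d -aes-256-cbc -K "$KEY" -iv "$(cat "$1/iv.hex")" \
        -in "$1/data.enc" -out "$2" 2>/dev/null
}

demo() {
    D=$(mktemp -d)
    printf 'Credit Card # 11213434\nlogin id: john\n' > "$D/secure.txt"   # constructed
    server_make_keys "$D"
    client_encrypt "$D" "$D/secure.txt"
    server_decrypt "$D" "$D/secure.dec" && cmp "$D/secure.txt" "$D/secure.dec" \
        && echo "oaep: round trip ok"
    client_encrypt "$D" "$D/secure.txt" pkcs1
    server_decrypt "$D" "$D/secure.bad" || echo "pkcs1-wrapped key rejected by oaep decrypt"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run with `sh hybrid_demo.sh demo`. The same rule applies against KMS: the padding you encrypt with locally must be the algorithm you name when asking KMS to decrypt, otherwise the ciphertext is reported as invalid.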
digital signature
- create a file with a signature
how to check the integrity of data?
- everyone sending you a signature and data uses the same format.
- at gmail, open a message and go to signature
- check the signature
Go to key
create a sign and verify key
- same way
go to kms
key and select the signature option
once you have created it, open and view the public key
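An added example, not from the original notes, of the integrity check described above, done locally with openssl: sign a file with a private key, verify it with the public key, and see that verification fails once a single byte of the file changes. It assumes openssl 1.1.1 or newer; file names are the example's own.

```sh
#!/bin/sh
# Added example (not from the original notes). Requires openssl >= 1.1.1.

# Signing key pair: sign.pem is private, verify.pem is the public half you
# publish so others can check your signatures.
signer_make_keys() {   # $1 = working directory
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/sign.pem" 2>/dev/null
    openssl pkey -in "$1/sign.pem" -pubout -out "$1/verify.pem"
}

# Detached signature over the SHA-256 of the file.
sign_file() {   # $1 = private key, $2 = file, $3 = signature output
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# Exit status 0 only if the signature matches the file under this public key.
verify_file() {   # $1 = public key, $2 = file, $3 = signature
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

demo() {
    D=$(mktemp -d)
    printf 'login id: john\n' > "$D/msg.txt"        # constructed sample data
    signer_make_keys "$D"
    sign_file "$D/sign.pem" "$D/msg.txt" "$D/msg.sig"
    verify_file "$D/verify.pem" "$D/msg.txt" "$D/msg.sig" && echo "signature ok"
    printf 'x' >> "$D/msg.txt"                      # tamper with one byte
    verify_file "$D/verify.pem" "$D/msg.txt" "$D/msg.sig" || echo "tampered file: verification failed"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run with `sh sign_demo.sh demo`. Nothing in the signature hides the data; it only proves who signed it and that it has not changed since.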
Sunday, March 21, 2021
AWS security - Symmetric and Asymmetric keys introduction