Deep dive on AWS CloudHSM

(1)

(2)

Deep dive on AWS CloudHSM

S E C 4 0 6 - R

Avni Rambhia

Sr. Product Manager, Cryptography

Amazon Web Services

Rohit Mathur

Software Development Manager, Cryptography

Amazon Web Services

(3)

Agenda

Basics of AWS CloudHSM

CloudHSM tools: Cluster administration & cross-region redundancy Optimizing application performance

Controlled key wrapping What’s new & coming soon Q&A

(4)

Setting expectations

This deep dive builds on the overview and assumes familiarity with CloudHSM SEC305-R repeats on Wednesday and covers:

• AWS CloudHSM vs. alternative AWS cryptography services

• Using CloudHSM directly vs. via AWS Key Management Service (AWS KMS) custom key store

• Compliance and CloudHSM Other related sessions:

• Security overview (SEC205-R)

• AWS Certificate Manager Private Certificate Authority

• (deep dive: SEC218-R; workshop: SEC314-R)

• AWS KMS (deep dive: SEC322-R; workshop: SEC401-R)

• AWS Secrets Manager: (case study: SEC354; workshops: GPSTEC418, SEC348)

(5)

Aspects of control with a general-purpose HSM

Control

Application development

Algorithms and key lengths

User management Specific

compliance

(6)

Control implies responsibility

Control

Application development

Algorithms and key

lengths User management

Specific compliance

Responsibility

Application Integration

MaintenanceHSM Backups

Provisioning High

availability User

Management

(7)

AWS CloudHSM simplifies management tasks

Responsibility

Application integration

maintenanceHSM Backups

Provisioning High

availability User

management

(8)

Concepts in CloudHSM

• Cluster

• HSM

• Backup

• Higher throughput: Expand cluster

• More active keys: New cluster

CloudHSM HSM

CloudHSM HSM Keys

synchronized

CloudHSM cluster

Backup

(9)

Cloning a cluster

• Same trust hierarchy and masking key

• Can synchronize keys within FIPS envelope

Automatically synchronized

CloudHSM cluster

Create cluster from backup

Cloned CloudHSM

cluster

(10)

Two ways to use CloudHSM

• HSM-based master key unlocks data keys

• E.g., database encryption

• Durability is primary concern

Direct transactions

• HSM is in path of every transaction

• E.g., OpenSSL, AWS KMS CKS

• Availability and latency are critical

Master key stored in HSM

Data keys are encrypted with master key

Envelope encryption

(11)

Meet the characters

Service API: Manage your cluster

• Console

• AWS CLI/SDK

• Shows in AWS CloudTrail

AWS Command Line Interface (AWS CLI) tools: Use your HSMs

• CloudHSM_mgmt_util – HSM administration

• Key_mgmt_util – Convenient for infrequent key operations

SDKs: Application development

• PKCS#11

• OpenSSL

• JCE

Client daemon: Talks to cluster

• Used by key_mgmt_util and SDKs to interact with cluster

• Handles load balancing

• Is aware of cluster

configuration changes

(12)

Communicating with your HSM

(13)

End-to-end encrypted channel

• Outer TLS channel establishes

connection to server run by CloudHSM

• Inner TLS channel is established after client verifies it is talking to its own

HSM. Inner TLS terminates on the HSM (i.e., inside the FIPS boundary).

• Cryptographic transactions are conducted inside inner channel

• Inner channel is opaque to AWS (thus, no HSM transactions in CloudTrail)

• Audit logs from the HSM are delivered to Amazon CloudWatch in your

account

(14)

HSM audit logs in CloudWatch

Each HSM emits its own log stream

User & key management are logged today

• Create/delete user & change password

• Log in and log out

• Create/delete key and wrap/unwrap key

• Share key

Cryptographic operations are not logged today

• Encrypt, decrypt, sign, verify

(15)

CloudHSM_mgmt_util: Closer look

• Global mode: Safe default

Talks sequentially to all HSMs in the cluster Doesn’t use client daemon:

“configure –m” before using the utility

• Server mode: Use with care

• Talk to one HSM at a time

• Fix desynchronized clusters

• Great power, great responsibility

(16)

CloudHSM_mgmt_util: Closer look

• Global mode: Safe default

Talks sequentially to all HSMs in the cluster Doesn’t use client daemon:

“Configure –m” before using the utility

• Server mode: Manually synchronize cloned clusters

• Cross-region DR

• Cluster scaling

• …

(17)

Basic usage of CloudHSM_mgmt_util

(18)

Key attributes

• Can be set programmatically at key creation

• Cannot be changed programmatically today

• Present limitation of cluster synchronization

• Roadmap feature

• You can edit attributes via CloudHSM_mgmt_util

• Talks directly to HSM instances

• Example: Cluster with 2 HSMs

(19)

Command: genSymKey -t 31 -s 32 -l aes256

Cfm3GenerateSymmetricKey returned: 0x00 : HSM Return: SUCCESS Symmetric Key Created. Key Handle: 262151

Cluster Error Status

Node id 1 and err state 0x00000000 : HSM Return: SUCCESS Node id 2 and err state 0x00000000 : HSM Return: SUCCESS

Generate key with key_mgmt_util

Note that each HSM has a copy of this new key

(20)

Command: getAttribute -o 262151 -a 512 –out key_att.txt got all attributes of size 444 attr cnt 17

Attributes dumped into key_att.txt file

Cfm3GetAttribute returned: 0x00 : HSM Return: SUCCESS

Check key attributes with key_mgmt_util

By default, OBJ_ATTR_DECRYPT and OBJ_ATTR_WRAP are both set to 0x01 For a wrapping key, you typically want OBJ_ATTR_DECRYPT to be 0x00

(21)

aws-cloudhsm>loginHSM CU user1 PASSWORD loginHSM success on server 0(10.0.3.118) loginHSM success on server 1(10.0.1.176) aws-cloudhsm>setAttribute 262151 261 0

*************************CAUTION********************************

This is a CRITICAL operation, should be done on all nodes in the cluster. Cav server does NOT synchronize these changes with the nodes on which this operation is not executed or failed, please ensure this

operation is executed on all nodes in the cluster.

****************************************************************

Do you want to continue(y/n)?y

setAttribute success on server 0(10.0.3.118) setAttribute success on server 1(10.0.1.176)

Edit attribute with cloudhsm_mgmt_util

Global mode logs you into all HSMs

Util runs command on each HSM

(22)

//already logged in as user1

aws-cloudhsm>getAttribute 262151 261

Attribute Value on server 0(10.0.3.118):

OBJ_ATTR_DECRYPT 0x00000000

Attribute Value on server 1(10.0.1.176):

OBJ_ATTR_DECRYPT 0x00000000

aws-cloudhsm>

Verify changed attribute

(23)

Troubleshooting with CloudHSM_mgmt_util

(24)

Out-of-sync HSMs in cluster

Users out of sync

Fix option 1: Delete out of sync HSM, then add a new one Fix option 2: Fix using cloudhsm_mgmt_util server mode

(25)

Out-of-sync HSMs in cluster

Fix with CloudHSM_mgmt_util Users out of sync

The prompt will change

Switch to server mode

(26)

Out-of-sync HSMs in cluster

Fix with CloudHSM_mgmt_util Users out of sync

Log in to HSM 0 and create user

System does issue warning

“y” to continue

(27)

Out-of-sync HSMs in cluster

Finish up Users now in sync

Log out of the HSM

Exit server mode

(28)

Out-of-sync HSMs in cluster

Finish up Users now in sync

Back in global mode

(29)

Recap and results

• Global mode

• listUsers

• Detect mismatch

• Server mode with first HSM

• Login to HSM as CO

• Create missing user

• Logout of HSM

• Exit

• Return to global mode

• listUsers

• All’s well

What you did: Result: Users back in sync

(30)

(31)

Cross-region redundant workloads

Cloning allows secure cross-region key replication

Step 1:

Copy backup to new region

Step 2:

Ongoing:

Synchronize new keys

(32)

Cross-region key transfer using wrapping

Region 1 CloudHSM

cluster

Region 2 CloudHSM

cluster

AESWrap newKey with wrappingKey

AESUnwrap newKey with wrappingKey

(33)

Cross-region key transfer using maskedObjects

Region 1 CloudHSM

cluster

Region 2 CloudHSM

cluster

extractMaskedObject

insertMaskedObject key_mgmt_util

(34)

Cross-region key transfer using syncKey

Region 1 CloudHSM

cluster

Region 2 CloudHSM

cluster

Cloudhsm_mgmt_util configured to connect to one HSM from each cluster

• Log in to leftHSM in server mode

• syncKey by handle to rightHSM

(35)

Wrap vs. SyncKey

Wrap

Better if you frequently create keys Pros

• Can be automated in C/Java

• Direct connectivity between clusters not required

Cons

• Does not work for non- exportable keys

• Key attributes in new HSM depend on unwrapping code

SyncKey

Required for non-exportable keys Pros

• Key stays in FIPS boundary

• Constrained to cloned cluster

• Key retains attributes & policies Cons

• Only usable via

cloudhsm_mgmt_util (today)

• Requires cross-region VPC to connect HSMs across regions

(36)

(37)

Understanding HSM performance

Transaction = network roundtrip + operation + (sometimes) synchronization

(38)

Understanding HSM performance

Transaction = network roundtrip + operation + (sometimes) synchronization Multi-threading

increases throughput for given latency

(39)

Understanding HSM performance

Transaction = network roundtrip + operation + (sometimes) synchronization

• Cryptographic operations on a key handle give you maximum speed

• Attributes and labels require lookup, adding latency

• Caching the handle for frequently used keys provides better speed

(40)

Understanding HSM performance

Transaction = network roundtrip + operation + (sometimes) synchronization Two types of keys in the HSM

• Token keys are persistent,

synchronized to all HSMs in the cluster

• Session keys are created on one HSM and erased after the session

• You can create and unwrap keys as session or token keys

• Session keys offer lower latency but no durability

(41)

Cluster performance: When to add HSMs

During design:

• For reliability: 2+ HSMs per production cluster, spread across AZs

• For speed: As needed after threading and code optimization At runtime:

• When latency of calls increases Amazon CloudWatch metrics:

• HSMs with unhealthy metrics are autoreplaced by AWS CloudHSM

• For missing metrics, consider proactively adding an HSM

(42)

(43)

Controlled key wrapping

Problem: Wrapping out keys to save HSM space or to copy keys across regions carries risk of improper permissions on unwrapped key

Solution: Cryptographic officer (CO) can:

1. Mark a wrapping key as trusted by setting CKA_TRUSTED attribute 2. Ensure proper CKA_UNWRAP_TEMPLATE on a wrapping key

3. Ensure CKA_WRAP_WITH_TRUSTED is set for data keys

Key sharing can further reduce scope for cryptographic user (CU) error

Support: Templates supported in PKCS#11 today; other SDKs coming soon

(44)

Also new this year

• Asymmetric key wrapping for secure key exchange

• Keystore compatible with Keytool, Jarsigner, and similar doc/code signing tools

• Secp256k1 signing for blockchain applications

• HMAC key derivation, and support for CKA_DERIVE attribute

• Compatibility with Lambda

• Backup management in the console

(45)

Coming soon

• AWS KMS asymmetric (signing and encryption) with custom key store

• Resource-based access control, tag on create, and backup tagging

• Configurable offload of operations using CloudHSM OpenSSL engine

• Advanced attributes in JCE

(46)

(47)

Related Sessions

AWS Security Overview: SEC205, repeats

AWS ACM PrivateCA

Deep dive: SEC218, repeats

Developer workshop: SEC314, repeats

AWS Key Management Service

Deep Dive: SEC322, repeats

Encryption SDK workshop: SEC401, repeats

AWS CloudHSM Overview: SEC305, repeats

AWS Secrets Manager

Customer Case Study: SEC354, repeats

Workshops: GPSTEC418, repeats; SEC348, repeats

(48)

Whitepapers and past presentations:

https://aws.amazon.com/cloudhsm/resources/

Security and compliance resources:

https://docs.aws.amazon.com/cloudhsm/latest/userguide/compliance.html Blogs:

https://aws.amazon.com/blogs/security/category/security-identity-compliance/aws-cloudhsm/

Sample code on GitHub:

• PKCS11: https://github.com/aws-samples/aws-cloudhsm-pkcs11-examples

• JCE: https://github.com/aws-samples/aws-cloudhsm-jce-examples

Resources

(49)

30+ free digital courses cover topics related to cloud

security, including Introduction to Amazon GuardDuty and Deep Dive on Container Security

Learn security with AWS Training and Certification

Visit aws.amazon.com/training/paths-specialty/

Classroom offerings, like AWS Security Engineering on AWS, feature AWS expert instructors and hands-on activities

Validate expertise with the AWS Certified Security - Specialty exam

Resources created by the experts at AWS to help you build and validate cloud security skills

(50)

Thank you!

Email: [email protected] Twitter: @AvniRamb

Avni Rambhia

(51)