Deep dive on AWS CloudHSM

Post on 07-Jun-2022

TRANSCRIPT

Page 1: Deep dive on AWS CloudHSM
Page 2: Deep dive on AWS CloudHSM

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Deep dive on AWS CloudHSM

SEC406-R

Avni Rambhia

Sr. Product Manager, Cryptography

Amazon Web Services

Rohit Mathur

Software Development Manager, Cryptography

Amazon Web Services

Page 3: Deep dive on AWS CloudHSM

Agenda

Basics of AWS CloudHSM

CloudHSM tools: Cluster administration & cross-region redundancy

Optimizing application performance

Controlled key wrapping

What’s new & coming soon

Q&A

Page 4: Deep dive on AWS CloudHSM

Setting expectations

This deep dive builds on the overview and assumes familiarity with CloudHSM

SEC305-R repeats on Wednesday and covers:

• AWS CloudHSM vs. alternative AWS cryptography services

• Using CloudHSM directly vs. via AWS Key Management Service (AWS KMS) custom key store

• Compliance and CloudHSM

Other related sessions:

• Security overview (SEC205-R)

• AWS Certificate Manager Private Certificate Authority (deep dive: SEC218-R; workshop: SEC314-R)

• AWS KMS (deep dive: SEC322-R; workshop: SEC401-R)

• AWS Secrets Manager (case study: SEC354; workshops: GPSTEC418, SEC348)

Page 5: Deep dive on AWS CloudHSM

Aspects of control with a general-purpose HSM

Control

Application development

Algorithms and key lengths

User management

Specific compliance

Page 6: Deep dive on AWS CloudHSM

Control implies responsibility

Control

Application development

Algorithms and key lengths

User management

Specific compliance

Responsibility

Application Integration

HSM Maintenance

Backups

Provisioning

High availability

User Management

Page 7: Deep dive on AWS CloudHSM

AWS CloudHSM simplifies management tasks

Responsibility

Application integration

HSM maintenance

Backups

Provisioning

High availability

User management

Page 8: Deep dive on AWS CloudHSM

Concepts in CloudHSM

• Cluster

• HSM

• Backup

• Higher throughput: Expand cluster

• More active keys: New cluster

[Diagram: a CloudHSM cluster containing two HSMs, with keys synchronized between them, and a backup of the cluster]

Page 9: Deep dive on AWS CloudHSM

Cloning a cluster

• Same trust hierarchy and masking key

• Can synchronize keys within FIPS envelope

[Diagram: a CloudHSM cluster is automatically synchronized to its backup; a cloned CloudHSM cluster is created from that backup]

Page 10: Deep dive on AWS CloudHSM

Two ways to use CloudHSM

Envelope encryption

• HSM-based master key unlocks data keys

• E.g., database encryption

• Durability is primary concern

Direct transactions

• HSM is in path of every transaction

• E.g., OpenSSL, AWS KMS custom key store (CKS)

• Availability and latency are critical

[Diagram: master key stored in HSM; data keys are encrypted with the master key]

Page 11: Deep dive on AWS CloudHSM

Meet the characters

Service API: Manage your cluster

• Console

• AWS CLI/SDK

• Shows in AWS CloudTrail

Command-line tools (installed with the CloudHSM client software; not part of the AWS CLI): Use your HSMs

• cloudhsm_mgmt_util – HSM administration

• key_mgmt_util – Convenient for infrequent key operations

SDKs: Application development

• PKCS#11

• OpenSSL

• JCE

Client daemon: Talks to cluster

• Used by key_mgmt_util and SDKs to interact with cluster

• Handles load balancing

• Is aware of cluster configuration changes

Page 12: Deep dive on AWS CloudHSM

Communicating with your HSM

Page 13: Deep dive on AWS CloudHSM

End-to-end encrypted channel

• Outer TLS channel establishes connection to server run by CloudHSM

• Inner TLS channel is established after client verifies it is talking to its own HSM. Inner TLS terminates on the HSM (i.e., inside the FIPS boundary).

• Cryptographic transactions are conducted inside inner channel

• Inner channel is opaque to AWS (thus, no HSM transactions in CloudTrail)

• Audit logs from the HSM are delivered to Amazon CloudWatch in your account

Page 14: Deep dive on AWS CloudHSM

HSM audit logs in CloudWatch

Each HSM emits its own log stream

User & key management are logged today

• Create/delete user & change password

• Log in and log out

• Create/delete key and wrap/unwrap key

• Share key

Cryptographic operations are not logged today

• Encrypt, decrypt, sign, verify
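What a detection engineer does with those log streams, as an added example (my code, not from the slides or from AWS): parse the multi-line entries and alert on the management events that the HSM does log. The text in SAMPLE_LOG is constructed in the layout of HSM audit-log entries; the opcode names and hex values, session and key handles, and the error text are illustrative placeholders to check against the audit log reference and your own stream, not values taken from the page.

```python
"""Added example (not from the slides or AWS): triage the user- and
key-management events a CloudHSM HSM writes to its CloudWatch log stream.
SAMPLE_LOG is a constructed sample; opcodes, handles and error text are
illustrative and must be checked against the audit log reference.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Time: 12/02/19 10:11:17.140812, usecs:1575281477140812
Opcode : CN_LOGIN (0xd)
Session Handle : 0x7014006
Response : 0:HSM Return: SUCCESS
Log type : MGMT_USER_DETAILS_LOG (0x2)
User Name : user1
User Type : CU (1)
Time: 12/02/19 10:11:18.004000, usecs:1575281478004000
Opcode : CN_LOGIN (0xd)
Session Handle : 0x7014007
Response : 163:HSM Error: Invalid password
Log type : MGMT_USER_DETAILS_LOG (0x2)
User Name : admin
User Type : CO (2)
Time: 12/02/19 10:12:02.500000, usecs:1575281522500000
Opcode : CN_CREATE_USER (0x3)
Session Handle : 0x7014008
Response : 0:HSM Return: SUCCESS
Log type : MGMT_USER_DETAILS_LOG (0x2)
User Name : user2
User Type : CU (1)
Time: 12/02/19 10:13:40.000000, usecs:1575281620000000
Opcode : CN_GENERATE_KEY (0x74)
Session Handle : 0x7014006
Response : 0:HSM Return: SUCCESS
Log type : MGMT_KEY_DETAILS_LOG (0x1)
Priv/Secret Key Handle : 262151
Public Key Handle : 0
Time: 12/02/19 10:14:05.000000, usecs:1575281645000000
Opcode : CN_DESTROY_OBJECT (0x62)
Session Handle : 0x7014006
Response : 0:HSM Return: SUCCESS
Log type : MGMT_KEY_DETAILS_LOG (0x1)
Priv/Secret Key Handle : 262151
Public Key Handle : 0
"""

FIELD = re.compile(r"^(?P<k>[^:]+?)\s*:\s*(?P<v>.*)$")

# Successful operations worth an alert. The HSM logs user and key management
# only, not encrypt/decrypt/sign/verify, so a crypto opcode will never appear
# in this stream whatever you add to the set.
ALERT_OPCODES = {"CN_CREATE_USER", "CN_DELETE_USER", "CN_CHANGE_PSWD",
                 "CN_DESTROY_OBJECT", "CN_UNWRAP_KEY", "CN_SHARE_OBJECT"}


def parse_entries(text):
    """Split the log text into one dict per entry; a 'Time:' line starts an entry."""
    entries, current = [], None
    for line in text.splitlines():
        if line.startswith("Time:"):
            current = {"Time": line[len("Time:"):].strip()}
            entries.append(current)
        elif current is not None:
            m = FIELD.match(line)
            if m:
                current[m.group("k").strip()] = m.group("v").strip()
    return entries


def opcode(entry):
    """'CN_LOGIN (0xd)' -> 'CN_LOGIN'."""
    return entry.get("Opcode", "").split(" ", 1)[0]


def succeeded(entry):
    return "HSM Return: SUCCESS" in entry.get("Response", "")


def triage(text):
    """Return (opcode histogram, findings); a finding is (kind, subject, time)."""
    entries = parse_entries(text)
    findings = []
    for e in entries:
        op = opcode(e)
        subject = e.get("User Name") or e.get("Priv/Secret Key Handle") or "?"
        if op == "CN_LOGIN" and not succeeded(e):
            findings.append(("failed-login", subject, e["Time"]))
        elif op in ALERT_OPCODES and succeeded(e):
            findings.append((op, subject, e["Time"]))
    return Counter(opcode(e) for e in entries), findings


if __name__ == "__main__":
    histogram, findings = triage(SAMPLE_LOG)
    print(histogram)
    for finding in findings:
        print(*finding)
```

The histogram is the useful sanity check when you first wire this up: if you expected to see encrypt or sign calls from your application and they are absent, that is the logging scope described above, not a broken subscription.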

Page 15: Deep dive on AWS CloudHSM

CloudHSM_mgmt_util: Closer look

• Global mode: Safe default

• Talks sequentially to all HSMs in the cluster

• Doesn’t use client daemon: run “configure -m” before using the utility

• Server mode: Use with care

• Talk to one HSM at a time

• Fix desynchronized clusters

• Great power, great responsibility

Page 16: Deep dive on AWS CloudHSM

CloudHSM_mgmt_util: Closer look

• Global mode: Safe default

• Talks sequentially to all HSMs in the cluster

• Doesn’t use client daemon: run “configure -m” before using the utility

• Server mode: Manually synchronize cloned clusters

• Cross-region DR

• Cluster scaling

• …

Page 17: Deep dive on AWS CloudHSM


Basic usage of CloudHSM_mgmt_util

Page 18: Deep dive on AWS CloudHSM

Key attributes

• Can be set programmatically at key creation

• Cannot be changed programmatically today

• Present limitation of cluster synchronization

• Roadmap feature

• You can edit attributes via CloudHSM_mgmt_util

• Talks directly to HSM instances

• Example: Cluster with 2 HSMs

Page 19: Deep dive on AWS CloudHSM

Command: genSymKey -t 31 -s 32 -l aes256

Cfm3GenerateSymmetricKey returned: 0x00 : HSM Return: SUCCESS

Symmetric Key Created. Key Handle: 262151

Cluster Error Status

Node id 1 and err state 0x00000000 : HSM Return: SUCCESS

Node id 2 and err state 0x00000000 : HSM Return: SUCCESS

Generate key with key_mgmt_util

Note that each HSM has a copy of this new key

Page 20: Deep dive on AWS CloudHSM

Command: getAttribute -o 262151 -a 512 -out key_att.txt

got all attributes of size 444 attr cnt 17

Attributes dumped into key_att.txt file

Cfm3GetAttribute returned: 0x00 : HSM Return: SUCCESS

Check key attributes with key_mgmt_util

By default, OBJ_ATTR_DECRYPT and OBJ_ATTR_WRAP are both set to 0x01 (enabled)

For a wrapping key, you typically want OBJ_ATTR_DECRYPT to be 0x00: a key that can both wrap and decrypt lets a user decrypt a wrapped key blob directly and read the plaintext key material, instead of unwrapping it back into the HSM

Page 21: Deep dive on AWS CloudHSM

aws-cloudhsm>loginHSM CU user1 PASSWORD

loginHSM success on server 0(10.0.3.118)

loginHSM success on server 1(10.0.1.176)

aws-cloudhsm>setAttribute 262151 261 0

*************************CAUTION********************************

This is a CRITICAL operation, should be done on all nodes in the cluster. Cav server does NOT synchronize these changes with the nodes on which this operation is not executed or failed, please ensure this operation is executed on all nodes in the cluster.

****************************************************************

Do you want to continue(y/n)?y

setAttribute success on server 0(10.0.3.118)

setAttribute success on server 1(10.0.1.176)

Edit attribute with cloudhsm_mgmt_util

Global mode logs you into all HSMs

Util runs command on each HSM

Page 22: Deep dive on AWS CloudHSM

//already logged in as user1

aws-cloudhsm>getAttribute 262151 261

Attribute Value on server 0(10.0.3.118):

OBJ_ATTR_DECRYPT

0x00000000

Attribute Value on server 1(10.0.1.176):

OBJ_ATTR_DECRYPT

0x00000000

aws-cloudhsm>

Verify changed attribute

Page 23: Deep dive on AWS CloudHSM


Troubleshooting with CloudHSM_mgmt_util

Page 24: Deep dive on AWS CloudHSM

Out-of-sync HSMs in cluster

Users out of sync

Fix option 1: Delete out-of-sync HSM, then add a new one

Fix option 2: Fix using cloudhsm_mgmt_util server mode

Page 25: Deep dive on AWS CloudHSM

Out-of-sync HSMs in cluster

Fix with CloudHSM_mgmt_util: Users out of sync

Switch to server mode; the prompt will change

Page 26: Deep dive on AWS CloudHSM

Out-of-sync HSMs in cluster

Fix with CloudHSM_mgmt_util: Users out of sync

Log in to HSM 0 and create the user

The system does issue a warning; enter “y” to continue

Page 27: Deep dive on AWS CloudHSM

Out-of-sync HSMs in cluster

Finish up: Users now in sync

Log out of the HSM

Exit server mode

Page 28: Deep dive on AWS CloudHSM

Out-of-sync HSMs in cluster

Finish up: Users now in sync

Back in global mode

Page 29: Deep dive on AWS CloudHSM

Recap and results

What you did:

• Global mode

• listUsers

• Detect mismatch

• Server mode with first HSM

• Login to HSM as CO

• Create missing user

• Logout of HSM

• Exit

• Return to global mode

• listUsers

• All’s well

Result: Users back in sync
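The detect-and-repair loop in the recap, as an added example that is not part of the slides or of AWS's tooling: parse the per-HSM output that `listUsers` prints in global mode, work out which HSM is missing which user, and emit the server-mode command sequence from the recap for each lagging HSM. LISTUSERS_OUTPUT is a constructed sample in the layout the utility prints (check the column order against your own output); the CO user name `admin` comes from that sample, and the `<...>` password placeholders are assumptions to be filled in by the operator.

```python
"""Added example (not from the slides or AWS): diff the per-HSM user lists
that cloudhsm_mgmt_util prints in global mode and plan the server-mode
commands that bring a lagging HSM back in sync with the rest of the cluster.
LISTUSERS_OUTPUT is a constructed sample in the layout of `listUsers` output.
"""
import re

LISTUSERS_OUTPUT = """\
Users on server 0(10.0.3.118):
Number of users found:3

        User Id    User Type    User Name    MofnPubKey    LoginFailureCnt    2FA
         1         PCO          admin        NO            0                  NO
         2         AU           app_user     NO            0                  NO
         3         CU           user1        NO            0                  NO
Users on server 1(10.0.1.176):
Number of users found:2

        User Id    User Type    User Name    MofnPubKey    LoginFailureCnt    2FA
         1         PCO          admin        NO            0                  NO
         2         AU           app_user     NO            0                  NO
"""

SERVER_HDR = re.compile(r"^Users on server (\d+)\((\S+)\):")
USER_ROW = re.compile(r"^\s*(\d+)\s+(PRECO|PCO|CO|CU|AU)\s+(\S+)")


def parse_list_users(text):
    """Return {server_id: {user_name: user_type}} from global-mode listUsers output."""
    servers, current = {}, None
    for line in text.splitlines():
        header = SERVER_HDR.match(line)
        if header:
            current = servers.setdefault(int(header.group(1)), {})
            continue
        row = USER_ROW.match(line)
        if row and current is not None:
            current[row.group(3)] = row.group(2)
    return servers


def plan_user_sync(servers):
    """Return (commands, manual).

    commands: cloudhsm_mgmt_util lines, one server-mode session per lagging
    HSM, in the recap's order: server mode, CO login, createUser, logout,
    exit back to global mode.
    manual: users this plan refuses to touch, because their type differs
    between HSMs (createUser cannot retype an existing user) or because they
    are PRECO/PCO/AU users, which createUser does not create.
    """
    seen = {}
    for users in servers.values():
        for name, utype in users.items():
            seen.setdefault(name, set()).add(utype)
    manual = {name for name, types in seen.items() if len(types) > 1}
    commands = []
    for sid in sorted(servers):
        present = servers[sid]
        missing = [n for n in sorted(seen) if n not in present and n not in manual]
        creatable = [n for n in missing if seen[n] <= {"CO", "CU"}]
        manual.update(n for n in missing if n not in creatable)
        if not creatable:
            continue
        # Log in as a CO that already exists on this HSM (the PCO is the first CO).
        co_name = next(n for n, t in present.items() if t in ("PCO", "CO"))
        commands.append(f"server {sid}")
        commands.append(f"loginHSM CO {co_name} <CO_PASSWORD>")  # placeholder, not a real secret
        for name in creatable:
            # Use the password the user already has on the other HSMs: global-mode
            # loginHSM sends one credential to every HSM in the cluster.
            commands.append(f"createUser {next(iter(seen[name]))} {name} <PASSWORD_OF_{name}>")
        commands.append("logoutHSM")
        commands.append("exit")
    return commands, sorted(manual)


if __name__ == "__main__":
    for line in plan_user_sync(parse_list_users(LISTUSERS_OUTPUT))[0]:
        print(line)
```

The plan is printed rather than executed on purpose: the utility warns before every server-mode change because it does not propagate it, so an operator should read the exact lines that will run on one HSM before pasting them in.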


Page 31: Deep dive on AWS CloudHSM

Cross-region redundant workloads

Cloning allows secure cross-region key replication

Step 1: Copy backup to new region

Step 2: Create cluster from backup

Ongoing: Synchronize new keys

Page 32: Deep dive on AWS CloudHSM

Cross-region key transfer using wrapping

[Diagram: the Region 1 CloudHSM cluster is cloned by creating a Region 2 CloudHSM cluster from its backup; newKey is then wrapped in Region 1 with wrappingKey (AESWrap) and unwrapped in Region 2 with the same wrappingKey (AESUnwrap)]

Page 33: Deep dive on AWS CloudHSM

Cross-region key transfer using maskedObjects

[Diagram: the Region 1 CloudHSM cluster is cloned by creating a Region 2 CloudHSM cluster from its backup; the key is exported with extractMaskedObject in Region 1 and imported with insertMaskedObject in Region 2, both via key_mgmt_util]

Page 34: Deep dive on AWS CloudHSM

Cross-region key transfer using syncKey

[Diagram: the Region 1 CloudHSM cluster is cloned by creating a Region 2 CloudHSM cluster from its backup]

cloudhsm_mgmt_util configured to connect to one HSM from each cluster

• Log in to leftHSM in server mode

• syncKey by handle to rightHSM

Page 35: Deep dive on AWS CloudHSM

Wrap vs. SyncKey

Wrap: Better if you frequently create keys

Pros

• Can be automated in C/Java

• Direct connectivity between clusters not required

Cons

• Does not work for non-exportable keys

• Key attributes in new HSM depend on unwrapping code

SyncKey: Required for non-exportable keys

Pros

• Key stays in FIPS boundary

• Constrained to cloned cluster

• Key retains attributes & policies

Cons

• Only usable via cloudhsm_mgmt_util (today)

• Requires cross-region VPC to connect HSMs across regions


Page 37: Deep dive on AWS CloudHSM

Understanding HSM performance

Transaction = network roundtrip + operation + (sometimes) synchronization

Page 38: Deep dive on AWS CloudHSM

Understanding HSM performance

Transaction = network roundtrip + operation + (sometimes) synchronization

Multi-threading increases throughput for a given latency

Page 39: Deep dive on AWS CloudHSM

Understanding HSM performance

Transaction = network roundtrip + operation + (sometimes) synchronization

• Cryptographic operations on a key handle give you maximum speed

• Attributes and labels require lookup, adding latency

• Caching the handle for frequently used keys provides better speed

Page 40: Deep dive on AWS CloudHSM

Understanding HSM performance

Transaction = network roundtrip + operation + (sometimes) synchronization

Two types of keys in the HSM

• Token keys are persistent, synchronized to all HSMs in the cluster

• Session keys are created on one HSM and erased after the session

• You can create and unwrap keys as session or token keys

• Session keys offer lower latency but no durability

Page 41: Deep dive on AWS CloudHSM

Cluster performance: When to add HSMs

During design:

• For reliability: 2+ HSMs per production cluster, spread across AZs

• For speed: As needed after threading and code optimization

At runtime:

• When latency of calls increases

Amazon CloudWatch metrics:

• HSMs with unhealthy metrics are automatically replaced by AWS CloudHSM

• For missing metrics, consider proactively adding an HSM


Page 43: Deep dive on AWS CloudHSM

Controlled key wrapping

Problem: Wrapping keys out to save HSM space or to copy keys across regions carries the risk of improper permissions on the unwrapped key

Solution: Cryptographic officer (CO) can:

1. Mark a wrapping key as trusted by setting CKA_TRUSTED attribute

2. Ensure proper CKA_UNWRAP_TEMPLATE on a wrapping key

3. Ensure CKA_WRAP_WITH_TRUSTED is set for data keys

Key sharing can further reduce scope for cryptographic user (CU) error

Support: Templates supported in PKCS#11 today; other SDKs coming soon
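The CO's three steps, together with the "key attributes in new HSM depend on unwrapping code" caveat from the Wrap vs. SyncKey comparison, as an added example that is not from the slides, from AWS, or from any PKCS#11 implementation: a small Python model of how CKA_TRUSTED, CKA_WRAP_WITH_TRUSTED and CKA_UNWRAP_TEMPLATE constrain C_WrapKey and C_UnwrapKey. Keys are dicts of attributes and a wrapped key is a labelled tuple, not ciphertext; the CKR_* names are the return codes PKCS#11 v2.40 specifies for these checks, and the key labels, the CO/CU roles (the CloudHSM CO is the PKCS#11 SO) and the templates are invented for the walkthrough.

```python
"""Added example (not from the slides, AWS or any PKCS#11 library): a model
of how CKA_TRUSTED, CKA_WRAP_WITH_TRUSTED and CKA_UNWRAP_TEMPLATE gate
C_WrapKey/C_UnwrapKey. No cryptography happens here; keys are attribute
dicts and a "wrapped" key is a labelled tuple. CKR_* names follow the
PKCS#11 v2.40 return codes for these checks.
"""


class Pkcs11Error(Exception):
    """Carries the CKR_* name C_WrapKey or C_UnwrapKey would return."""


def make_key(label, **attrs):
    key = {"CKA_LABEL": label, "CKA_EXTRACTABLE": True, "CKA_TRUSTED": False,
           "CKA_WRAP_WITH_TRUSTED": False, "CKA_WRAP": False, "CKA_UNWRAP": False,
           "CKA_ENCRYPT": False, "CKA_DECRYPT": False}
    key.update(attrs)
    return key


def set_trusted(key, role):
    """Step 1: only the CO (the PKCS#11 SO) may mark a wrapping key trusted."""
    if role != "CO":
        raise PermissionError("CKA_TRUSTED can only be set to TRUE by the CO")
    key["CKA_TRUSTED"] = True


def wrap_key(wrapping_key, key):
    """Model of the attribute checks C_WrapKey performs."""
    if not wrapping_key["CKA_WRAP"]:
        raise Pkcs11Error("CKR_KEY_FUNCTION_NOT_PERMITTED")
    if not key["CKA_EXTRACTABLE"]:
        raise Pkcs11Error("CKR_KEY_UNEXTRACTABLE")
    # Step 3's effect: a key marked WRAP_WITH_TRUSTED leaves the HSM only under
    # a key the CO marked trusted, never under one a CU generated for itself.
    if key["CKA_WRAP_WITH_TRUSTED"] and not wrapping_key["CKA_TRUSTED"]:
        raise Pkcs11Error("CKR_KEY_NOT_WRAPPABLE")
    return ("wrapped-by", wrapping_key["CKA_LABEL"], dict(key))


def unwrap_key(unwrapping_key, blob, template):
    """Model of C_UnwrapKey: the caller's template decides the new key's
    attributes, except where CKA_UNWRAP_TEMPLATE on the unwrapping key pins them."""
    if not unwrapping_key["CKA_UNWRAP"]:
        raise Pkcs11Error("CKR_KEY_FUNCTION_NOT_PERMITTED")
    tag, wrapper, _material = blob
    if tag != "wrapped-by" or wrapper != unwrapping_key["CKA_LABEL"]:
        raise Pkcs11Error("CKR_WRAPPED_KEY_INVALID")
    pinned = unwrapping_key.get("CKA_UNWRAP_TEMPLATE", {})
    # Step 2's effect: a caller template that contradicts the pinned attributes
    # is rejected, so unwrapping code cannot quietly produce a copy that is
    # re-wrappable under an untrusted key or usable as a wrapping key itself.
    for attr, value in pinned.items():
        if attr in template and template[attr] != value:
            raise Pkcs11Error("CKR_TEMPLATE_INCONSISTENT")
    new_key = make_key(template.get("CKA_LABEL", "unwrapped"))
    new_key.update(template)
    new_key.update(pinned)
    return new_key


def demo():
    """Walk the CO's three steps and return the outcome of each attempt."""
    kek = make_key("kek", CKA_WRAP=True, CKA_UNWRAP=True,
                   CKA_UNWRAP_TEMPLATE={"CKA_WRAP_WITH_TRUSTED": True,
                                        "CKA_WRAP": False, "CKA_UNWRAP": False})
    cu_kek = make_key("cu-kek", CKA_WRAP=True, CKA_UNWRAP=True)  # never marked trusted
    data_key = make_key("dek", CKA_ENCRYPT=True, CKA_DECRYPT=True, CKA_WRAP_WITH_TRUSTED=True)
    outcomes = {}
    try:
        wrap_key(cu_kek, data_key)
        outcomes["wrap_with_untrusted"] = "allowed"
    except Pkcs11Error as err:
        outcomes["wrap_with_untrusted"] = str(err)
    set_trusted(kek, role="CO")
    blob = wrap_key(kek, data_key)
    outcomes["wrap_with_trusted"] = "allowed"
    try:  # unwrapping code tries to drop the trusted-wrapping requirement
        unwrap_key(kek, blob, {"CKA_LABEL": "dek-copy", "CKA_DECRYPT": True,
                               "CKA_WRAP_WITH_TRUSTED": False})
        outcomes["unwrap_permissive"] = "allowed"
    except Pkcs11Error as err:
        outcomes["unwrap_permissive"] = str(err)
    outcomes["unwrap_conforming"] = unwrap_key(
        kek, blob, {"CKA_LABEL": "dek-copy", "CKA_ENCRYPT": True, "CKA_DECRYPT": True})
    return outcomes


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The conforming unwrap is the point of the slide: the copy keeps CKA_WRAP_WITH_TRUSTED and cannot itself wrap or unwrap, whatever the unwrapping code asked for, which is the property SyncKey gives you for free and wrapping only gives you once the CO has set the template.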

Page 44: Deep dive on AWS CloudHSM

Also new this year

• Asymmetric key wrapping for secure key exchange

• Keystore compatible with Keytool, Jarsigner, and similar doc/code signing tools

• Secp256k1 signing for blockchain applications

• HMAC key derivation, and support for CKA_DERIVE attribute

• Compatibility with Lambda

• Backup management in the console

Page 45: Deep dive on AWS CloudHSM

Coming soon

• AWS KMS asymmetric (signing and encryption) with custom key store

• Resource-based access control, tag on create, and backup tagging

• Configurable offload of operations using CloudHSM OpenSSL engine

• Advanced attributes in JCE


Page 47: Deep dive on AWS CloudHSM

Related Sessions

AWS Security Overview: SEC205, repeats

AWS ACM Private CA: Deep dive: SEC218, repeats; Developer workshop: SEC314, repeats

AWS Key Management Service: Deep dive: SEC322, repeats; Encryption SDK workshop: SEC401, repeats

AWS CloudHSM Overview: SEC305, repeats

AWS Secrets Manager: Customer case study: SEC354, repeats; Workshops: GPSTEC418, repeats; SEC348, repeats

Page 48: Deep dive on AWS CloudHSM

Resources

Whitepapers and past presentations: https://aws.amazon.com/cloudhsm/resources/

Security and compliance resources: https://docs.aws.amazon.com/cloudhsm/latest/userguide/compliance.html

Blogs: https://aws.amazon.com/blogs/security/category/security-identity-compliance/aws-cloudhsm/

Sample code on GitHub:

• PKCS11: https://github.com/aws-samples/aws-cloudhsm-pkcs11-examples

• JCE: https://github.com/aws-samples/aws-cloudhsm-jce-examples

Page 49: Deep dive on AWS CloudHSM


Learn security with AWS Training and Certification

Resources created by the experts at AWS to help you build and validate cloud security skills

30+ free digital courses cover topics related to cloud security, including Introduction to Amazon GuardDuty and Deep Dive on Container Security

Classroom offerings, like AWS Security Engineering on AWS, feature AWS expert instructors and hands-on activities

Validate expertise with the AWS Certified Security - Specialty exam

Visit aws.amazon.com/training/paths-specialty/

Page 50: Deep dive on AWS CloudHSM

Thank you!


Email: [email protected]

@AvniRamb

Avni Rambhia
