deep dive on aws cloudhsm
TRANSCRIPT
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Deep dive on AWS CloudHSM
S E C 4 0 6 - R
Avni Rambhia
Sr. Product Manager, Cryptography
Amazon Web Services
Rohit Mathur
Software Development Manager, Cryptography
Amazon Web Services
Agenda
Basics of AWS CloudHSM
CloudHSM tools: Cluster administration & cross-region redundancy
Optimizing application performance
Controlled key wrapping
What’s new & coming soon
Q&A
Setting expectations
This deep dive builds on the overview and assumes familiarity with CloudHSM
SEC305-R repeats on Wednesday and covers:• AWS CloudHSM vs. alternative AWS cryptography services• Using CloudHSM directly vs. via AWS Key Management Service (AWS KMS)
custom key store• Compliance and CloudHSM
Other related sessions:
• Security overview (SEC205-R)
• AWS Certificate Manager Private Certificate Authority
• (deep dive: SEC218-R; workshop: SEC314-R)
• AWS KMS (deep dive: SEC322-R; workshop: SEC401-R)
• AWS Secrets Manager: (case study: SEC354; workshops: GPSTEC418,
SEC348)
Aspects of control with a general-purpose HSM
Control
Application development
Algorithms and key lengths
User management
Specific compliance
Control implies responsibility
Control
Application development
Algorithms and key lengths
User management
Specific compliance
Responsibility
Application Integration
HSM Maintenance
Backups
ProvisioningHigh
availability
User Management
AWS CloudHSM simplifies management tasks
Responsibility
Application integration
HSM maintenance
Backups
ProvisioningHigh
availability
User management
Concepts in CloudHSM
• Cluster
• HSM
• Backup
• Higher throughput: Expand cluster
• More active keys: New cluster
CloudHSM HSM
CloudHSM HSM
Keys
synchronized
CloudHSM cluster
Backup
Cloning a cluster
• Same trust hierarchy and masking key
• Can synchronize keys within FIPS envelope
Automatically
synchronized
CloudHSM
cluster
Create cluster
from backup
Cloned
CloudHSM
cluster
Two ways to use CloudHSM
• HSM-based master key unlocks data keys
• E.g., database encryption
• Durability is primary concern
Direct transactions
• HSM is in path of every transaction
• E.g., OpenSSL, AWS KMS CKS
• Availability and latency are critical
Master key
stored in
HSM
Data keys are encrypted
with master key
Envelope encryption
Meet the characters
Service API: Manage your cluster
• Console
• AWS CLI/SDK
• Shows in AWS CloudTrail
AWS Command Line Interface (AWS
CLI) tools: Use your HSMs
• CloudHSM_mgmt_util – HSM
administration
• Key_mgmt_util – Convenient
for infrequent key operations
SDKs: Application development
• PKCS#11
• OpenSSL
• JCE
Client daemon: Talks to cluster
• Used by key_mgmt_util and
SDKs to interact with cluster
• Handles load balancing
• Is aware of cluster
configuration changes
Communicating with your HSM
End-to-end encrypted channel
• Outer TLS channel establishes connection to server run by CloudHSM
• Inner TLS channel is established after client verifies it is talking to its own HSM. Inner TLS terminates on the HSM (i.e., inside the FIPS boundary).
• Cryptographic transactions are conducted inside inner channel
• Inner channel is opaque to AWS (thus, no HSM transactions in CloudTrail)
• Audit logs from the HSM are delivered to Amazon CloudWatch in your account
HSM audit logs in CloudWatch
Each HSM emits its own log stream
User & key management are logged today
• Create/delete user & change password
• Log in and log out
• Create/delete key and wrap/unwrap key
• Share key
Cryptographic operations are not logged today
• Encrypt, decrypt, sign, verify
CloudHSM_mgmt_util: Closer look
• Global mode: Safe default
Talks sequentially to all HSMs in the cluster
Doesn’t use client daemon: “configure –m” before using the utility
• Server mode: Use with care
• Talk to one HSM at a time
• Fix desynchronized clusters
• Great power, great responsibility
CloudHSM_mgmt_util: Closer look
• Global mode: Safe default
Talks sequentially to all HSMs in the cluster
Doesn’t use client daemon: “Configure –m” before using the utility
• Server mode: Manually synchronize cloned clusters
• Cross-region DR
• Cluster scaling
• …
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Basic usage of CloudHSM_mgmt_util
Key attributes
• Can be set programmatically at key creation
• Cannot be changed programmatically today
• Present limitation of cluster synchronization
• Roadmap feature
• You can edit attributes via CloudHSM_mgmt_util
• Talks directly to HSM instances
• Example: Cluster with 2 HSMs
Command: genSymKey -t 31 -s 32 -l aes256
Cfm3GenerateSymmetricKey returned: 0x00 : HSM Return: SUCCESS
Symmetric Key Created. Key Handle: 262151
Cluster Error Status
Node id 1 and err state 0x00000000 : HSM Return: SUCCESS
Node id 2 and err state 0x00000000 : HSM Return: SUCCESS
Generate key with key_mgmt_util
Note that each HSM has a copy of this new key
Command: getAttribute -o 262151 -a 512 –out key_att.txt
got all attributes of size 444 attr cnt 17
Attributes dumped into key_att.txt file
Cfm3GetAttribute returned: 0x00 : HSM Return: SUCCESS
Check key attributes with key_mgmt_util
By default, OBJ_ATTR_DECRYPT and OBJ_ATTR_WRAP are both set to 0x01
For a wrapping key, you typically want OBJ_ATTR_DECRYPT to be 0x00
aws-cloudhsm>loginHSM CU user1 PASSWORD
loginHSM success on server 0(10.0.3.118)
loginHSM success on server 1(10.0.1.176)
aws-cloudhsm>setAttribute 262151 261 0
*************************CAUTION********************************
This is a CRITICAL operation, should be done on all nodes in the cluster. Cav server does NOT synchronize these changes with the nodes on which this operation is not executed or failed, please ensure this operation is executed on all nodes in the cluster.
****************************************************************
Do you want to continue(y/n)?y
setAttribute success on server 0(10.0.3.118)
setAttribute success on server 1(10.0.1.176)
Edit attribute with cloudhsm_mgmt_util
Global mode logs you into all HSMs
Util runs command on each HSM
//already logged in as user1
aws-cloudhsm>getAttribute 262151 261
Attribute Value on server 0(10.0.3.118):
OBJ_ATTR_DECRYPT
0x00000000
Attribute Value on server 1(10.0.1.176):
OBJ_ATTR_DECRYPT
0x00000000
aws-cloudhsm>
Verify changed attribute
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Troubleshooting with CloudHSM_mgmt_util
Out-of-sync HSMs in cluster
Users out of sync
Fix option 1: Delete out of sync HSM, then add a new oneFix option 2: Fix using cloudhsm_mgmt_util server mode
Out-of-sync HSMs in cluster
Fix with CloudHSM_mgmt_utilUsers out of sync
The prompt will
change
Switch to server
mode
Out-of-sync HSMs in cluster
Fix with CloudHSM_mgmt_utilUsers out of sync
Log in to HSM 0 and
create user
System does issue
warning
“y” to continue
Out-of-sync HSMs in cluster
Finish upUsers now in sync
Log out of the HSM
Exit server mode
Out-of-sync HSMs in cluster
Finish upUsers now in sync
Back in global mode
Recap and results
• Global mode
• listUsers
• Detect mismatch
• Server mode with first HSM
• Login to HSM as CO
• Create missing user
• Logout of HSM
• Exit
• Return to global mode
• listUsers
• All’s well
What you did: Result: Users back in sync
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Cross-region redundant workloads
Cloning allows secure cross-region key replication
Step 1:
Copy backup to
new region
Step 2:
Create cluster
from backup
Ongoing:
Synchronize new
keys
Cross-region key transfer using wrapping
Region 1
CloudHSM
cluster
Create cluster
from backup
Region 2
CloudHSM
cluster
AESWrap newKey
with wrappingKey
AESUnwrap newKey
with wrappingKey
Cross-region key transfer using maskedObjects
Region 1
CloudHSM
cluster
Create cluster
from backup
Region 2
CloudHSM
cluster
extractMaskedObject
insertMaskedObject
key_mgmt_util
Cross-region key transfer using syncKey
Region 1
CloudHSM
cluster
Create cluster
from backup
Region 2
CloudHSM
cluster
Cloudhsm_mgmt_util configured to
connect to one HSM from each cluster
• Log in to leftHSM in server mode
• syncKey by handle to rightHSM
Wrap vs. SyncKey
WrapBetter if you frequently create keys
Pros
• Can be automated in C/Java
• Direct connectivity between
clusters not required
Cons
• Does not work for non-
exportable keys
• Key attributes in new HSM
depend on unwrapping code
SyncKeyRequired for non-exportable keys
Pros
• Key stays in FIPS boundary
• Constrained to cloned cluster
• Key retains attributes & policies
Cons
• Only usable via
cloudhsm_mgmt_util (today)
• Requires cross-region VPC to
connect HSMs across regions
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Understanding HSM performance
Transaction = network roundtrip + operation + (sometimes) synchronization
Understanding HSM performance
Transaction = network roundtrip + operation + (sometimes) synchronization
Multi-threadingincreases throughputfor given latency
Understanding HSM performance
Transaction = network roundtrip + operation + (sometimes) synchronization
• Cryptographic operations on a key handle give you maximum speed
• Attributes and labels require lookup, adding latency
• Caching the handle for frequently used keys provides better speed
Understanding HSM performance
Transaction = network roundtrip + operation + (sometimes) synchronization
Two types of keys in the HSM
• Token keys are persistent, synchronized to all HSMs in the cluster
• Session keys are created on one HSM and erased after the session
• You can create and unwrap keys as session or token keys
• Session keys offer lower latency but no durability
Cluster performance: When to add HSMs
During design:
• For reliability: 2+ HSMs per production cluster, spread across AZs
• For speed: As needed after threading and code optimization
At runtime:
• When latency of calls increases
Amazon CloudWatch metrics:
• HSMs with unhealthy metrics are autoreplaced by AWS CloudHSM
• For missing metrics, consider proactively adding an HSM
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Controlled key wrapping
Problem: Wrapping out keys to save HSM space or to copy keys across regions carries risk of improper permissions on unwrapped key
Solution: Cryptographic officer (CO) can:
1. Mark a wrapping key as trusted by setting CKA_TRUSTED attribute
2. Ensure proper CKA_UNWRAP_TEMPLATE on a wrapping key
3. Ensure CKA_WRAP_WITH_TRUSTED is set for data keys
Key sharing can further reduce scope for cryptographic user (CU) error
Support: Templates supported in PKCS#11 today; other SDKs coming soon
Also new this year
• Asymmetric key wrapping for secure key exchange
• Keystore compatible with Keytool, Jarsigner, and similar doc/code signing tools
• Secp256k1 signing for blockchain applications
• HMAC key derivation, and support for CKA_DERIVE attribute
• Compatibility with Lambda
• Backup management in the console
Coming soon• AWS KMS asymmetric (signing and encryption) with custom key store
• Resource-based access control, tag on create, and backup tagging
• Configurable offload of operations using CloudHSM OpenSSL engine
• Advanced attributes in JCE
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Related Sessions
AWS Security Overview: SEC205, repeats
AWS ACM PrivateCADeep dive: SEC218, repeatsDeveloper workshop: SEC314, repeats
AWS Key Management ServiceDeep Dive: SEC322, repeats
Encryption SDK workshop: SEC401, repeats
AWS CloudHSM Overview: SEC305, repeats
AWS Secrets ManagerCustomer Case Study: SEC354, repeats
Workshops: GPSTEC418, repeats; SEC348, repeats
Whitepapers and past presentations: https://aws.amazon.com/cloudhsm/resources/
Security and compliance resources: https://docs.aws.amazon.com/cloudhsm/latest/userguide/compliance.html
Blogs: https://aws.amazon.com/blogs/security/category/security-identity-compliance/aws-cloudhsm/
Sample code on GitHub:
• PKCS11: https://github.com/aws-samples/aws-cloudhsm-pkcs11-examples
• JCE: https://github.com/aws-samples/aws-cloudhsm-jce-examples
Resources
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
30+ free digital courses cover topics related to cloud security, including Introduction to Amazon GuardDuty and Deep Dive on Container Security
Learn security with AWS Training and Certification
Visit aws.amazon.com/training/paths-specialty/
Classroom offerings, like AWS Security Engineering on AWS, feature AWS expert instructors and hands-on activities
Validate expertise with the AWS Certified Security - Specialty exam
Resources created by the experts at AWS to help you build and validate cloud security skills
Thank you!
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Email: [email protected]: @AvniRamb
Avni Rambhia
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.