ockam icon indicating copy to clipboard operation
ockam copied to clipboard

Published 20 hours ago verified publisher icon build-trust

Ockam Vault for AWS (KMS/HSM) in Rust

Open mrinalwadhwa opened this issue 5 years ago • 2 comments

What would it take to write an Ockam Vault for AWS?

The current ockam_vault_* crates are good reference point https://github.com/ockam-network/ockam/tree/develop/implementations/rust/ockam

AWS Services that seem relevant? https://docs.aws.amazon.com/kms/index.html https://aws.amazon.com/cloudhsm/resources/

Are there other AWS services that are worth looking into?

If you would like someone to help / mentor / pair program with you as you work on your first Ockam issue, please leave a comment on this discussion.

mrinalwadhwa avatar May 18 '20 14:05 mrinalwadhwa

Ok, I tried to collect crypto expectations for Ockam library

XX

- Sha256-based HKDF
- ECDH (curve25519)
- AES-GCM

X3DH

- Sha256-based HKDF
- ECDH (curve25519)
- AES-GCM
- EC sign&verify (curve25519 XeDDSA)

Entity

- EC sign&verify (curve25519 XeDDSA)
- Additional operations depending on additionally created keys (e.g. if Entity wants to have BLS key, we need BLS support from that Vault implementation)

Entity Secure Channel

- AES-GCM
- What's needed for Key Agreement (XX or X3DH) and Entity

Note 1: I'm assuming that basic operations like generate key, extract public key, import key, reference key by id go without saying in any crypto implementation. Note 2: I'm assuming sha256 can be executed locally, we only feed it with non-sensitive data. Note 3: HKDF can be tricky, even if it's supported, some implementations may no allow to reference input arguments (which are usually sensitive and not allowed to be exported) in required way. Also, having HMAC-support one can sometimes implement HKDF

AWS support

I'm not listing here full set of supported features, just those that are potentially useful for us.

AWS KMS supported operations page 5: - EC sign&verify (P-256 ECDSA) - AES-GCM

AWS CloudHSM supported operations Support though PKCS#11 page 258: - EC sign&verify (P-256 ECDSA) - AES-GCM - Some HMAC support - Some ECDH support Support through JCE Provider page 286 looks roughly the same, but is Java-specific, which makes it less interesting for us.

Conclusion

I would say it's impossible to run everything on potential AWS Vault, but we can create limited Vault implementation. Having only sign&verify support should be enough for us, to run Entity API and attest Secure Channels using such Entity. Entity keys at the moment are the only persistent and long-lived keys in our system, so I think it's fine if we store only those keys in AWS, while others live in RAM. Partially, my conclusion is applicable to using HSMs directly on edge devices. We may run Entity and AES on HSM, while other things happen on main chip.

SanjoDeundiak avatar Sep 06 '21 15:09 SanjoDeundiak

This is great @SanjoDeundiak! Thank you for digging into the AWS offerings. Entity authentication and AES I think are a great starting points for a AWS vault.

mrinalwadhwa avatar Sep 07 '21 06:09 mrinalwadhwa

The support for AWS KMS was implemented with this PR: https://github.com/build-trust/ockam/pull/3870

etorreborre avatar Feb 01 '23 09:02 etorreborre