Encryptions/Data Protection

studied byStudied by 4 people
4.0(1)
Get a hint
Hint

Three stages of SSL/TLS

1 / 30

flashcard set

Earn XP

31 Terms

1

Three stages of SSL/TLS

  1. Cipher Suite: client sends SSL/TLS version and supported cipher suites, server sends back server cert and public key

  2. Authentication: client validates server cert with CA and verifies server has public key

  3. Key Exchange: client generates public key encrypted pre-master key and sends data

New cards
2

Signing

Using the private key to "sign" a message, then using the public key to verify that it was its corresponding private key that signed it

New cards
3

Hashing

  • Hash function turns your data into a fix length value

  • Use case

    • Sending the hash value of the password so that the password is not actually stored on server

    • Check see if data has been altered

  • Digital signing a hash to make sure has is not altered

New cards
4

Envelop Encryption

Encrypting the key that is used to encrypt your data; how SSE-S3 works

New cards
5

Secrets Manager

  • Supports automatic rotation through Lambda

  • Directly integrate with some AWS products like RDS

    • Which allows you to automatically rotate DB password and because it integrates with RDS directly, updating password is done for you

  • Applications can retrieve secrets by calling the Secrets Manager SDK or API

New cards
6

RDS data protection

  • Since RDS is backed by EBS, RDS supports EBS volume encryption

  • Encryption cannot be removed once added

  • Oracle supports integration with CloudHSM

New cards
7

TDE

  • Transparent Data Encryption

  • Encryption is handled within the DB engine; data is secured the moment it is written

  • Supported on RDS SQL and Oracle DB types

New cards
8

RDS Authentication

  • Generate-db-auth-token: creates a token with 15 min validity which can be used in place of a DB user password

  • IAM policies are used to map IAM identities to DB users

  • Authorization is handled by the DB engine

New cards
9

DynamoDB Encryption

  • Communication to Dynamo DB Endpoint is HTTPS

    • If data sent from user/CLI/Console/API, plaintext inside https tunnel

    • If data sent from encryption client, cipher text inside tunnel

  • Between Endpoint and the Table, not HTTPs. Either plaintext or cipher text depending on above source

  • Encryption at rest is mandatory

  • Streams, global tables, backups are all encrypted and use the same key as table

  • If a table uses CMK but that CMK is disabled or inaccessible for 7 days, that table is baked up and archived. To restore it you have to present the key.

New cards
10

Load balancer

  • Requires 8+ free IP addresses per subnet you plan to deploy a LB node in

  • Different listeners can have different SSL certs

New cards
11

Security policies

  • Set of ciphers and protocols; when a server and client are setting up the SSL connection, client sends a cipher suite. Security policy tells what a load balancer can use from that cipher suite

  • Default ELBSecurityPolicy-2016-08

New cards
12

Key component

Key = key metadata + key material

New cards
13

KMS

  • Accessed through KMS specific APIs, not industry standards

  • Regional and Public service

  • When you delete a KMS generated key, it is mark for deletion for some time between 7-30 days. It is NOT immediately deleted

  • Perform cryptographic operations (encrypt and decrypt) inside KMS so key never leaves KMS

  • Provides FIPS 140-2 Level 2

  • 50,000 GenerateDataKey API calls per second across us-east-1, us-west-2, eu-west-1

  • 10,000 across us-east-2, ap-southeast-1&2, ap-northeast-1, eu-central-1, eu-west-1

  • 5500 for all other regions

  • Contains Key ID, date, key policy, and state

  • Key encryption keys (aka KMS key) can be used for up to 4KB of data

New cards
14

DEK

  • Data encryption key

  • GenerateDataKey - works on > 4KB

  • It is generated using one of the keys KMS manages

  • Symmetric key

  • When DEK is generated, KMS generates plaintext for you to encrypt your data with (you do the encryption yourself)

  • KMS also provides a ciphertext version of your key for you to store with the encrypted data

  • When time to decrypt, you pass the ciphertext key to KMS and KMS does the decryption of just the key, and you take that and decrypt the rest of the data

New cards
15

AWS Managed key vs CMK

  • AWS Managed Keys

    • Rotation required (once per year)

    • One per service per region

    • Cannot be used outside of the service of what it is created for

    • Key policy cannot be customized or changed

  • Customer Managed Key

    • More control such as key policy

    • Key policy has the ability to distrust an account entirely; meaning even the full admin access users can be denied

    • Supports cross-account access

    • Rotation is default but can be disabled

New cards
16

Imported key

  • Can be deleted immediately but only deletes the key material. The key and metadata is kept to allow you to rotate the key because you can import a new key material but keep the same container

  • Manual key rotation

  • Use case: regulation, standardization across hybrid env

  • No portability: does not allow decryption outside of AWS

New cards
17

Generated key

  • Cannot be restored after deletion period

  • Cannot be immediately deleted

New cards
18

Asymmetric keys (3 types)

  • RSA - encrypt/decrypt OR signing and verification

  • Elliptic Curve (ECC) - signing and verification

  • SM2 (only China region) - encrypt/decrypt OR signing and verification

New cards
19

Encryption SDK

  • Open source client side encryption library; can utilize KMS or not

  • Available in C, .NET, CLI, Java, Javascript, Python

  • Handles data keys and wrapping keys

  • Handles message formatting

New cards
20

Cryptographic Materials Cache

  • Depending on your application, if you need high rate of generation of DEK, you might hit rate limit

  • CMC allows you to cache the DEK so that you don't reach limit of API calls

  • Can set max age threshold, max message encrypted, max bytes encrypted

New cards
21

Grants

  • Grants allow permissions on 1 KMS key

  • Ideal for temporary access and least permission access (where as key policies are long term)

  • Generally used by AWS services which us KMS

  • Only grant permission, no DENY

  • Eventual consistency - up to 5 minute propagation delay which can cause AccessDeniedError

New cards
22

ValidationError

if you try to do something a grant does not allow

New cards
23

Multi-region keys

  • You can choose to have a multi-region key upon key creation

  • Primary key in a primary region is replicated to other regions

  • Primary and Replica keys can be promoted/demoted

  • Same key ID

  • These are independent keys and merely replicas (i.e., the keys can be independently managed and have different enablement state, descriptions, tags, etc.)

  • Benefits

    • Decreases latency

    • DR

    • Active-Active application

    • Digital signing

New cards
24

Custom Key Stores

  • Keys can be interacted with KMS API but encryption operations are done on CloudHSM

  • No shared HSMs

  • Only support symmetric keys, no multi-region, no auto key rotation

  • 1 CloudHSM supports one custom key store

New cards
25

Encryption Context

  • Passing an additional variable (hence, context) when encrypt/decrypt to ensure the integrity of data

  • For example, in a table, there is nothing preventing the same field of ciphertext replacing other fields. But if it was done through encryption context, even if the ciphertext was replaced, it would not be able to be decrypted because the corresponding variable would be different

New cards
26

CloudHSM

  • A single tenant HSM (shared hardware)

  • A temper resistant hardware that AWS has no access to, it is customer managed

  • Fully FIPS 140-2 Level 3 compliant

  • Launched in a specific CloudHSM VPC managed by AWS

  • One AZ by default, you can create a cluster and make it multi AZ

New cards
27

CloudHSM APIs (3)

  • PKCS#11

  • Java Cryptography Extensions (JCE)

  • Microsoft CryptoNG (CNG) Library

New cards
28

SSE-C

  • Customer generate and manages keys

  • End user provides both key and objects to S3

  • Hash of the key is taken by S3 and attach it to the key after encryption, key is discarded after

New cards
29

SSE-S3 (AES 256)

  • S3 generates and manage a root key (KEK) and specific object encryption key (DEK)

    • Root key and object key are rotated and managed by S3, no visibility to end user

    • Root key is used to encrypt the object keys

  • NO control on how often the key is rotated, who has access to specific key (no key policies)

New cards
30

SSE-KMS

  • KMS generates/manages root key and generates data encryption key that it passes to S3 to use as object keys

  • Allows specific key policies so even someone with full S3 admin permissions may not be able to decrypt everything

New cards
31

bucket key

time limited key encryption key that is passed to S3 which is then used to create DEK (essentially offload operation to S3 instead of KMS)

New cards

Explore top notes

note Note
studied byStudied by 18 people
... ago
4.0(1)
note Note
studied byStudied by 12 people
... ago
5.0(1)
note Note
studied byStudied by 34 people
... ago
5.0(1)
note Note
studied byStudied by 13 people
... ago
5.0(2)
note Note
studied byStudied by 1 person
... ago
5.0(1)
note Note
studied byStudied by 57 people
... ago
5.0(1)
note Note
studied byStudied by 22 people
... ago
5.0(1)
note Note
studied byStudied by 1975 people
... ago
4.7(11)

Explore top flashcards

flashcards Flashcard (93)
studied byStudied by 1 person
... ago
5.0(1)
flashcards Flashcard (115)
studied byStudied by 13 people
... ago
5.0(2)
flashcards Flashcard (22)
studied byStudied by 17 people
... ago
5.0(3)
flashcards Flashcard (75)
studied byStudied by 2 people
... ago
5.0(1)
flashcards Flashcard (29)
studied byStudied by 27 people
... ago
5.0(2)
flashcards Flashcard (40)
studied byStudied by 1 person
... ago
5.0(1)
flashcards Flashcard (20)
studied byStudied by 1 person
... ago
5.0(1)
flashcards Flashcard (134)
studied byStudied by 2615 people
... ago
4.0(26)
robot