Let's start with VPC Encryption. We're encrypting all of the VPC traffic between supported instance types. This blurb with the details has been in our public documentation for a months now, but we held off saying much about it until now: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/enhanced-networking-ena.html#ena-data-encryption-in-transit …
-
-
Show this thread
-
We encrypt traffic between instances in the same VPC, or if their VPCs are peered in the same region. We encrypt the entire customer packet, nothing is visible. We also encrypt our own network virtualization header.
Show this thread -
This provides powerful anonymity on the wire; there is no customer ID or VPC ID there in plaintext. This has the effect of making traffic correlation and traffic analysis attacks many many orders of magnitude harder.
Show this thread -
The traffic is encrypted using AES-256. Many protocols, such as TLS, do not have strong post-quantum security in their handshakes. This new layer means that those handshakes are protected on the wire by AES, which is safe against post-quantum risks.
Show this thread -
If you're worried about someone collecting data today, and decrypting it later when Quantum Computing is practical, this is nice defense in depth.
Show this thread -
To avoid Post-Quantum problems itself, VPC Encryption uses symmetric keys that are shared between senders. They are frequently rotated and revoked to provide forward secrecy.
Show this thread -
To avoid having any sensitive system that knows all of the keys; there are two independent, very different, key distribution mechanisms. Each distributes "pre-key material" which is then only combined in our Nitro security system to derive the real key.
Show this thread -
The effect of that is that if one of the distribution systems were some how compromised, this would not disclose the actual encryption keys. Very nice pattern to have!
Show this thread -
VPC Encryption compliments VPC Inter-Region Peering, which we've been similarly encrypting (with similar key derivation) from the day it launched. Underneath, and in addition to, all of this is the Lever Link Encryption Project.
Show this thread -
The Lever Link Encryption Project has been a truly massive endeavor to strongly encrypt, for now and all time, every network link that is in any way out of AWS physical control.
Show this thread -
Physical control means inside a facility we own and operate; and sometimes it means secure ducting over short distances with cool lasers that can detect any interference.
Show this thread -
If a link is outside our premises, or crossing an ocean, we encrypt it. For encryption, we use AES-256 again, with MACsec or Optical Layer encryption, with some more clever key agreement schemes that we had to invent! But don't worry, they are reassuringly boring.
Show this thread -
Incidentally "Lever" is named for https://en.wikipedia.org/wiki/Mavis_Batey …pic.twitter.com/4AxSWVa9h5
Show this thread -
Lever encryption and VPC Encryption or Inter-Region Peering often happen at the same time, e.g. packets crossing between AZs or regions. That's two layers of no-configuration required pervasive cryptography.
Show this thread -
h/t to my colleague and Lever lead David Sinn for all that info!
Show this thread -
Now, none of this means that you should not use TLS or other encryption protocols in your own applications. Network Encryption is awesome, but does not provide anti-replay, or application-to-application authentication. These new protocols are designed to fill gaps.pic.twitter.com/uP9NXXz9sj
Show this thread -
Of course it's great too to have a built-in mechanism to protect legacy traffic that is not encrypted at all.
Show this thread -
These are first features I've ever worked on where is no API, nothing for you to do. This is all under the hood. There is no change to your experience running on AWS. Customers never see the encrypted traffic, we do the encryption and decryption for you.
Show this thread -
All of the encryption and decryption happens in hardware; and for VPC Encryption, it's custom silicon designed and built by Annapurna labs as part of our Nitro security system. That means we can all of this with no impact on performance. We've been in production for months!
Show this thread -
O.k. there you have it. VPC Encryption, Lever Link Encryption, Multi-Party key distribution, AES-256, no API or settings, just "on". AMA.
Show this thread
End of conversation
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.