Amazon could use public key encryption to verify the signature here - that way AWS doesn’t need a copy of the private key to verify the contents. Why would they use HMAC instead? https://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html
Sure though hashing only is effective because it’s expensive right? You don’t want to do e.g. a 100ms bcrypt hash on every operation
(I don’t think I understand it that well to be honest! I understand hashing a password and comparing against a stored value. But I’m not sure how a stored hash on the server side could be used to compare against a HMAC which includes other, dynamically generated values)
> "customer's credentials aren't on the server side" The specific services don't see them, but aren't the creds still stored in an Amazon-owned server somewhere?
They're vended from a KMS-like system (it predates KMS though); it's essentially a distributed HSM. Stores keys, but envelope encrypted (with actual HSMs and a threshold scheme at the bottom), and only releases tokens.
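The mechanism the thread is discussing, as an added example that is not part of the original tweets or of AWS's own code: the client and the verifying service both hold the same secret (or a key derived from it), both build the same canonical string from the request, and the service recomputes the HMAC and compares it in constant time. A one-way hash of the secret stored on the server would not work here, because the server has to recompute the MAC, not compare a stored value. The derivation step goes beyond the linked S3 page and follows the SigV4 idea of deriving a per-day, per-service key, which is why an individual service can verify requests without ever holding the raw credential; the `SCOPE` prefix, header names, paths and credentials below are constructed placeholders, not AWS values.

```python
import hmac
import hashlib

# Constructed placeholder credentials for this example (not real AWS keys).
ACCESS_KEY_ID = "AKIAEXAMPLEKEYID"
SECRET_KEY = "example-secret-never-sent-on-the-wire"

# Headers covered by the signature, in a fixed order both sides know.
SIGNED_HEADERS = ("host", "x-date")


def canonical_request(method, path, headers, body):
    """Deterministic string both sides sign: method, path, the signed headers
    (lower-cased name, trimmed value) and a SHA-256 of the body.
    The Authorization header is never part of it."""
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    header_lines = "\n".join(f"{name}:{lowered.get(name, '')}" for name in SIGNED_HEADERS)
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join((method.upper(), path, header_lines, body_hash))


def derive_scoped_key(secret, day, service):
    """Chained-HMAC derivation in the style of SigV4 (the "SCOPE" prefix is a
    constructed label): the result is only valid for one day and one service,
    so a front-end service can be handed it without ever seeing the raw secret."""
    k_date = hmac.new(("SCOPE" + secret).encode(), day.encode(), hashlib.sha256).digest()
    return hmac.new(k_date, service.encode(), hashlib.sha256).digest()


def signature(scoped_key, method, path, headers, body):
    """HMAC-SHA256 over the canonical request, hex-encoded."""
    msg = canonical_request(method, path, headers, body).encode()
    return hmac.new(scoped_key, msg, hashlib.sha256).hexdigest()


def client_sign(secret, method, path, headers, body, day, service):
    """Client side: derive the scoped key, sign, attach an Authorization header."""
    key = derive_scoped_key(secret, day, service)
    sig = signature(key, method, path, headers, body)
    signed = dict(headers)
    signed["Authorization"] = (
        f"HMAC-SHA256 Credential={ACCESS_KEY_ID}/{day}/{service}, Signature={sig}"
    )
    return signed


def server_verify(scoped_key, method, path, headers, body):
    """Server side: the service holds only the scoped key for its (day, service).
    It recomputes the MAC over what it actually received and compares in
    constant time, so a mismatch anywhere in the covered fields is rejected."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("HMAC-SHA256 ") or "Signature=" not in auth:
        return False
    presented = auth.rsplit("Signature=", 1)[1]
    expected = signature(scoped_key, method, path, headers, body)
    return hmac.compare_digest(presented, expected)


def demo():
    """Constructed request: a valid signature verifies; any change to a covered
    field, or a key derived for a different scope, fails verification."""
    day, service = "20240101", "s3"
    headers = {"Host": "bucket.example.invalid", "X-Date": "20240101T000000Z"}
    body = b'{"key": "value"}'
    signed = client_sign(SECRET_KEY, "PUT", "/object", headers, body, day, service)

    # The verifying service is given only the derived key, never SECRET_KEY.
    service_key = derive_scoped_key(SECRET_KEY, day, service)
    ok = server_verify(service_key, "PUT", "/object", signed, body)
    changed_body = server_verify(service_key, "PUT", "/object", signed, b'{"key": "other"}')
    changed_path = server_verify(service_key, "PUT", "/other", signed, body)
    other_scope_key = derive_scoped_key(SECRET_KEY, day, "sqs")
    wrong_scope = server_verify(other_scope_key, "PUT", "/object", signed, body)
    return ok, changed_body, changed_path, wrong_scope


if __name__ == "__main__":
    print(demo())  # (True, False, False, False)
```

The point for the question in the thread is visible in `server_verify`: verification is a recomputation, so the verifier needs key material, and scoping that key by derivation is what lets the keys stay in a central key service while individual services get only the derived token they need.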