Amazon could use public key encryption to verify the signature here - that way AWS doesn’t need a copy of the private key to verify the contents. Why would they use HMAC instead? https://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html …
More generally, a lot of APIs rely on storing the secret key on both the server and the client, and I’m wondering why. The server can do authentication without needing the private key.
Replying to @derivativeburke
AWS SigV4 auth uses double-HMAC in a construction that means the customer's credentials aren't on the server side; just small, scoped, ephemeral, service-specific tokens that are valid for minutes to hours (varies by service).
Replying to @colmmacc @derivativeburke
I know you know this, but password hashing is also a thing, you don't need to use asymmetric cryptography to protect against server compromise :) PKEY tends to discern itself when you want to use cards, Yubikeys, enclaves and offline signing.
Replying to @colmmacc @derivativeburke
> "customer's credentials aren't on the server side" The specific services don't see them, but aren't the creds still stored in an Amazon-owned server somewhere?
They're vended from a KMS-like system (it predates KMS though); it's essentially a distributed HSM. Stores keys, but envelope encrypted (with actual HSMs and a threshold scheme at the bottom), and only releases tokens.
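
The scoped-key idea discussed in this thread, as an added example that is not part of the thread and not AWS code: it follows the published SigV4 signing-key derivation (a chain of HMAC-SHA256 steps over date, region and service) and shows a service verifying a request while holding only the derived key. The secret, the request, the simplified canonical request and the "key store" role are constructed for illustration.

```python
import hashlib
import hmac

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def derive_signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """SigV4 key derivation: each HMAC step narrows what the key is good for."""
    k_date = _hmac(("AWS4" + secret).encode(), date)  # bound to one date (YYYYMMDD)
    k_region = _hmac(k_date, region)                  # ...and one region
    k_service = _hmac(k_region, service)              # ...and one service
    return _hmac(k_service, "aws4_request")

def build_string_to_sign(timestamp: str, scope: str, canonical_request: str) -> str:
    digest = hashlib.sha256(canonical_request.encode()).hexdigest()
    return "\n".join(["AWS4-HMAC-SHA256", timestamp, scope, digest])

def sign(signing_key: bytes, string_to_sign: str) -> str:
    return hmac.new(signing_key, string_to_sign.encode(), hashlib.sha256).hexdigest()

def service_verify(scoped_key: bytes, string_to_sign: str, signature: str) -> bool:
    """Verification by a party that holds the scoped key but never the secret."""
    return hmac.compare_digest(sign(scoped_key, string_to_sign), signature)

# Constructed sample values: placeholder secret, simplified canonical request.
SECRET = "EXAMPLE-LONG-TERM-SECRET-NOT-A-REAL-KEY"
DATE, REGION, SERVICE = "20240102", "us-east-1", "s3"
SCOPE = f"{DATE}/{REGION}/{SERVICE}/aws4_request"
STS = build_string_to_sign("20240102T030405Z", SCOPE, "GET\n/example-bucket/object\n")

def demo() -> dict:
    # Client side: holds the long-term secret, derives the key, signs.
    client_sig = sign(derive_signing_key(SECRET, DATE, REGION, SERVICE), STS)
    # Hypothetical key store: holds SECRET and releases only scoped keys.
    s3_key = derive_signing_key(SECRET, DATE, REGION, SERVICE)
    next_day_key = derive_signing_key(SECRET, "20240103", REGION, SERVICE)
    sqs_key = derive_signing_key(SECRET, DATE, REGION, "sqs")
    return {
        "same_scope": service_verify(s3_key, STS, client_sig),
        "next_day": service_verify(next_day_key, STS, client_sig),
        "other_service": service_verify(sqs_key, STS, client_sig),
    }

if __name__ == "__main__":
    print(demo())
```

A scoped key that leaks from one service is useless for another date or service, and HMAC's one-wayness means it does not reveal the long-term secret it was derived from.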