Companies of all sizes seek to reduce IT operational costs and complexity and therefore migrate their business processes to public clouds. In practice, most companies end up operating a mix of in-house maintained applications and applications running in public clouds such as AWS (Amazon Web Services). Unifying and operating IT services across such a multi-domain environment is a difficult challenge (and now imagine that Azure or Google Cloud is also in the picture). Public Key Infrastructure (PKI), for instance, is a framework that has to span all of those diverse IT environments.
This post aims to give you a couple of ideas on how PKI works, how to integrate your in-house PKI strategy with the AWS cloud, and what problems you may face in the process.
What is PKI?
As defined by NIST (National Institute of Standards and Technology), Public Key Infrastructure is a framework that covers the entire lifecycle of public key certificates (issuance, maintenance, revocation). PKI was born in the 1990s and has since helped govern encryption strategies in all industries. Although PKI itself is built on asymmetric (public key) cryptography, it is routinely combined with symmetric encryption: a TLS handshake, for instance, uses certificates to authenticate the peers and then negotiates a symmetric session key for the bulk data. Asymmetric cryptography brings authenticity, integrity and confidentiality to many use cases such as code signing, digital signatures, SSL/TLS, SSH, blockchain applications and many more. It works with a pair of keys (a private key and a public key). Private keys have to be generated and stored in isolated, secure storage such as a Hardware Security Module (HSM), while public keys can be distributed freely. Operations like encryption (one party encrypts data with the recipient's public key and only the holder of the corresponding private key can decrypt it) and signing (one party signs a document with a private key and anyone holding the corresponding public key can verify the signature) are cornerstones of data protection in terrestrial IT as well as in the space business.
Integration with AWS Key Management Service
At the core of a PKI is a Hardware Security Module (HSM) appliance such as the CORAC KeyMaster. CORAC KeyMaster is a hardware appliance exposing a well-documented, secure API that provides cryptographic services to processes running in-house as well as in the cloud.
To extend your PKI strategy to AWS, you need a process for integrating with the AWS Key Management Service (KMS). The AWS Bring Your Own Key (BYOK) option, called imported key material in the KMS documentation, lets customers generate their own encryption keys (here AES-256) on in-house HSMs and upload them to AWS KMS. To export the key securely, it has to be encrypted (wrapped) with an RSA public wrapping key generated by AWS KMS; KMS holds the matching private key and unwraps the material on import, so the plaintext key is never exposed in transit.
To import in-house generated encryption keys into AWS KMS, the following steps are needed:
1. Access the KeyMaster crypto API (HTTPS)
2. Access AWS KMS using an AWS account
3. Obtain an AWS wrapping key together with an AWS import token
To obtain a wrapping key, open the "Key Management Service" console and select the "Customer managed keys" section in the left-hand menu. Next, a wrapping key spec and a wrapping algorithm have to be selected:
For demonstration purposes we select RSAES_OAEP_SHA_256 in the drop-down menu shown in the picture below:
Image: Wrapping algorithm selection
Once generated, the wrapping key and the import token can be downloaded:
Image: Downloading a wrapping key
The downloaded archive contains a README file with the following content:
Wrapping Key Spec: RSA_2048
Wrapping Algorithm: RSAES_OAEP_SHA_256
Wrapping Key File: wrappingKey_84ca68e9-c5cb-47d4-91f1-b350ec6be74b_04241724
Import Token File: importToken_84ca68e9-c5cb-47d4-91f1-b350ec6be74b_04241724
Wrapping Key and Import Token Expiration: Tue, 25 Apr 2023 14:45:21 GMT
Note the expiration line: the wrapping key and import token are only valid for 24 hours after download, so the wrap-and-upload sequence below has to be completed within that window, otherwise a new wrapping key and token must be downloaded.
4. Import the AWS wrapping key into the CORAC KeyMaster appliance:
POST /keys/RSA/import_pub_key Parameters: - wrap_key_alias
5. Generate an AES-256 key for AWS:
GET /keys/AES256/generate Parameters: - key_alias
6. Wrap the generated key with the public wrapping key obtained from AWS KMS:
GET /keys/wrap_key Parameters: - key_alias - wrap_key_alias
7. Upload the wrapped key material to AWS KMS:
Image: Upload wrapped key material
To upload the wrapped key, point the upload dialog to the wrapped key file and to the import token downloaded earlier (importToken_84ca68e9-c5cb-47d4-91f1-b350ec6be74b_04241724). Optionally, the validity of the uploaded key material can be limited by setting an expiration date; once that date is reached, KMS deletes the imported key material and the KMS key cannot be used until the same key material is imported again.
Image: Upload wrapped key material
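The following Go program is an added example, not CORAC KeyMaster code and not code from AWS. It shows what steps 4 to 7 amount to cryptographically: the AES-256 key is wrapped with RSAES_OAEP_SHA_256 (OAEP with SHA-256 for both the hash and MGF1, empty label) using the DER-encoded public key that KMS delivers as the wrappingKey_* file. Because no AWS account is involved, a locally generated RSA-2048 key pair stands in for the AWS wrapping key (an assumption: in production the public half comes from the download above and the private half never leaves KMS), and the unwrap step is done locally only to verify that the blob KMS would receive decrypts back to the original key.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
)

// GenerateAES256Key stands in for step 5 (GET /keys/AES256/generate): a fresh
// 32-byte key from a cryptographically secure source. On the real appliance the
// key never leaves the HSM in plaintext; here it is just a byte slice.
func GenerateAES256Key() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// WrapForKMS stands in for steps 4 and 6: parse the DER-encoded
// SubjectPublicKeyInfo that KMS ships as the wrappingKey_* file, check that it
// is an RSA key of at least 2048 bits, and wrap the AES-256 key with
// RSAES_OAEP_SHA_256, the algorithm selected in the console above.
func WrapForKMS(wrappingKeyDER, aesKey []byte) ([]byte, error) {
	if len(aesKey) != 32 {
		return nil, fmt.Errorf("expected a 32-byte AES-256 key, got %d bytes", len(aesKey))
	}
	pub, err := x509.ParsePKIXPublicKey(wrappingKeyDER)
	if err != nil {
		return nil, fmt.Errorf("wrapping key is not a DER SubjectPublicKeyInfo: %w", err)
	}
	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("wrapping key is not an RSA public key")
	}
	// The README above says RSA_2048; KMS also offers RSA_3072 and RSA_4096.
	if rsaPub.Size() < 256 {
		return nil, fmt.Errorf("wrapping key too small: %d bits", rsaPub.N.BitLen())
	}
	// SHA-256 is used for the OAEP hash and, in Go's implementation, for MGF1 too.
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, rsaPub, aesKey, nil)
}

// unwrapAsKMS is what AWS KMS does on import with the private half of the
// wrapping key. It exists here only so the flow can be verified end to end.
func unwrapAsKMS(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
}

// RoundTrip runs the whole flow against a locally generated RSA-2048 key pair
// standing in for the AWS wrapping key (assumption, see the lead-in). It returns
// the wrapped blob length and whether the unwrapped key equals the original.
func RoundTrip() (int, bool, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return 0, false, err
	}
	wrappingKeyDER, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return 0, false, err
	}
	aesKey, err := GenerateAES256Key()
	if err != nil {
		return 0, false, err
	}
	wrapped, err := WrapForKMS(wrappingKeyDER, aesKey)
	if err != nil {
		return 0, false, err
	}
	// Step 7 would upload `wrapped` together with the importToken_* file.
	got, err := unwrapAsKMS(priv, wrapped)
	if err != nil {
		return 0, false, err
	}
	return len(wrapped), bytes.Equal(got, aesKey), nil
}

func main() {
	n, ok, err := RoundTrip()
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped blob: %d bytes, unwrap matches original key: %v\n", n, ok)
}
```

The wrapped blob is exactly one RSA modulus in size (256 bytes for RSA_2048). On the AWS side the same steps can be scripted instead of clicked through the console: `aws kms get-parameters-for-import` returns the wrapping public key and import token that the console packages as a download, and `aws kms import-key-material` takes the wrapped blob and the import token, optionally with an expiration date for the key material.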
There are, however, many potential complications that can disrupt business processes when the in-house HSM and AWS KMS get out of step: AWS KMS keeps no copy of imported key material, so once it expires or is deleted, the affected KMS key can only be restored by re-importing the very same key material from the in-house HSM.
As a next step, we will elaborate on PKI strategies for distributed environments and how to mitigate operational risks. Stay tuned!
CORAC Team 2023