Score:1

AWS IoT - Unique Keys per each device - Data encryption

rs flag

(Probably not the right board to ask. But here goes)

I'm designing an IoT Solution with RPi as client and AWS as the server. On the client hardware, I have an Security Chip that can securely generate and store ECC, RSA, AES Keys/Pairs and can perform variety of cryptographic operations including ECDH, ECDSA, KeyGen, etc.,

My broader objectives on the cloud side are the following:

  1. On AWS Server side, I want to generate Unique ECC Keys per device, store them in HSM, perform ECDH to generate symmetric keys for encryption. I don't want anyone (including me) to have access to the private keys generated by KMS (Or any other AWS Service - Encrypted or otherwise).
  2. I would like for the encryption and decryption operations to be performed by AWS services (preferably in a dedicated hardware made for that job). This is to avoid abuse of implementation bugs in my code.
  • While I can generate Data Encryption keys using KMS, I believe, I have to decrypt the private key in the code to use it. This means I have access to the private key.
  • I didn't yet find way to do ECDH and then securely store the keys generated in that process.

Can you please help me the following:

  1. How to securely generate and store the ECC Keys for ECDH and ECDSA?
  2. Is there any service that can help me do the cryptographic operations (Encrypt, Decrypt, ECDH, ECDSA, etc.,) without me having to write the code for them?
Thanks!
tC
fgrieu avatar
ng flag
Since you mention HSM on the AWS side, best practice is to generate, store and use the keys within the HSM, leaving you with no way to manipulate the keys in any way (the good news is that you do not need/have the corresponding effort/knowledge/risk). Having all the crypto in the HSM is a defining design choice, that comes with both constraints and benefits. The HSM will do the crypto. You want to read the [supplier's documentation](https://aws.amazon.com/cloudhsm/) and I'm afraid that the practical and IT aspects of the question could drift off-topic.
Score:1
vu flag

How to securely generate and store the ECC Keys for ECDH and ECDSA?

Keypair content for ECDH and ECDSA are identicial. They can be used in both algorithms, but the standard practice is to generate separate key for separate purposes.

As for storing, you have to consult the manual for your HSM.

  • If your HSM can store them directly, then store them directly;

  • If your HSM can store only an encryption key, then encrypt your ECC keys using that encryption key and store it in some kind of NVRAM, then store the encryption key in HSM.

If you need standard documents: here's a link.

Is there any service that can help me do the cryptographic operations (Encrypt, Decrypt, ECDH, ECDSA, etc.,) without me having to write the code for them?

You can use a library. There are many libraries out there, some notable ones include:

  • OpenSSL - the best known, but had a serious "HeartBleed" vulnerability discovered in 2014.

  • LibreSSL - a fork of OpenSSL maintained by OpenBSD developers.

  • NSS - (Network Security Services) from Mozilla.

Teja avatar
rs flag
Thank you for your answer. My question is more on how to get this done in AWS. [AWS KMS](https://aws.amazon.com/kms/) gives me an option to generate keys. However, I can get access to the Private Keys which is something I don't want (In case of any legal request, I can surrender only give encrypted data. Without me having access to the keys, I would not be able to deliver them to anyone)
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.