News

AWS Moving to Its Own Simplified Encryption

• By David Ramel
• 07/01/2015

With Transport Layer Security (TLS) encryption facing security flaws and a bloated code base, Amazon Web Services Inc. (AWS) will be moving to its own implementation, which it has just open sourced.

TLS is a cryptographic protocol that has surpassed Secure Sockets Layer (SSL) as the generally accepted means of securing data transported across networks such as the Internet.

However, TLS algorithmic errors and other problems have been publicized of late, requiring upgrades and fixes. AWS said that process is made even more problematic by an unwieldy code base for the protocol and its optional extensions. For example, the "de facto reference implementation," OpenSSL, contains more than 500,000 lines of code, 70,000 of which is required for TLS processing alone, AWS said.

To simplify things, AWS will be moving to its own newly open sourced TLS implementation called s2n (standing for "signal to noise").

"s2n is a library that has been designed to be small, fast, with simplicity as a priority," said exec Stephen Schmidt in a blog post yesterday. "s2n avoids implementing rarely used options and extensions, and today is just more than 6,000 lines of code. As a result of this, we've found that it is easier to review s2n; we have already completed three external security evaluations and penetration tests on s2n, a practice we will be continuing."

While AWS services will be moved to the new protocol, the process should be transparent to users and developers.

"s2n isn't intended as a replacement for OpenSSL, which we remain committed to supporting through our involvement in the Linux Foundation's Core Infrastructure Initiative," Schmidt said. "OpenSSL provides two main libraries: 'libssl,' which implements TLS, and 'libcrypto,' which is a general-purpose cryptography library. Think of s2n as an analogue of 'libssl,' but not 'libcrypto.'"