https://slcyber.io/assetnote-security-research-center/a-novel-technique-for-sql-injection-in-pdos-prepared-statements/

This post describes several issues you should take into account when designing AWS Nitro Enclaves which communicate with AWS KMS for persistent key operations. We’ll assume you are familiar with the following pieces of documentation:

• AWS Nitro Enclaves User Guide
• How AWS Nitro Enclaves uses AWS KMS - AWS Key Management Service

Nitro Enclaves enable running code in a confined environment. Communication is limited to the parent instance using a vsock. If code running in an enclave needs to communicate with AWS KMS, it might seem like there are two setups:

• setup 1: create an ephemeral RSA keypair and generate an attestation in the enclave. Pass the attestation to the parent instance. Let the parent instance call AWS KMS. The response is encrypted to the ephemeral RSA keypair. The parent instance then forwards the encrypted response to the enclave.
• setup 2: have the parent instance provide its IAM credentials to the enclave and setup a TCP vsock ⇔ AWS KMS bridge (you can call this a proxy or a port forward if you prefer). The enclave then establishes a TLS connection to AWS KMS. The enclave still needs to generate an ephemeral RSA keypair and an attestation in order to use AWS KMS key policies tied to a specific enclave.

Observation 1: AWS KMS responses aren’t authenticated

In the first setup, a man-in-the-middle (MITM) attacker on the enclave’s parent instance sees the public RSA key in the attestation. The attacker can therefore generate any encrypted response. This implies, it is impossible to trust most of AWS KMS’ responses in this setup. The only exceptions are Decrypt and DeriveSharedSecret when the response is meant to be an encrypted content-encryption-key (CEK), in which case an attacker cannot forge responses. Assuming the CEK is used with an authenticated cipher.

Observation 2: Encrypted KMS responses are malleable

When AWS KMS returns an encrypted response, the encryption algorithm is currently fixed to RSA with AES-CBC (see cms.c in aws-nitro-enclaves-sdk-c). AES-CBC is an unauthenticated encryption mode and there is no additional HMAC in the response. An attacker can flip bits in the ciphertext and corresponding bits will flip in the plaintext. We now have two reasons for using the second setup and performing the TLS handshake from within the enclave.

Observation 3: GenerateRandom is probably never useful

The only safe way to request random bytes (with the intention of increasing one’s entropy pool) from AWS KMS is to first establish a TLS connection, which itself requires having a good source of entropy, a catch-22. What is going on with Generate random using kmstool-enclave-cli?

In any case, the Enclave has mutiple sources of entropy and can receive additional entropy on a case-by-csae basis (e.g. while processing requests).

Observation 4: The downside of initiating the TLS handshake from enclaves

The major downside of initiating the TLS handshake from within enclaves is that any changes to the TLS configuration (e.g. changes in which root certificates are trusted) will be akin to changing your enclave’s code and can result in different PCR values.

The footprint of the additional code to handle TLS + HTTP can also be significant. It’s code that enters the enclave’s trust boundary and must therefore be trusted and/or carefully audited.

We recommend that you configure the TLS client to only use TLS 1.3, secure ciphers, and only trust Amazon’s root CAs.

Show don’t tell

aws-nitro-enclave-foobar-service is a piece of Go code we implemented to demonstrate how to securely create and use an AWS KMS-backed key. The code uses both setups (with and without TLS handshake from within the enclave) in a secure way.

AWS’ code examples kmstool-enclave-cli and vsock_proxy are equally good references when designing Nitro Enclaves.

Read Confidential Computing at 1Password for an overview of the system. 1Password has made the audit report publicly available. They undergo such audits on a regular basis and aim to publish these reports whenever possible.

Recently, they published a follow up Cryptographic Right Answers: Post Quantum Edition, also very well written and full of useful insights.

Our experience building on Cloudflare’s platform has lead us to open source d1-batch. This is a library that makes is easier to batch queries to Cloudflare’s D1 database.

In terms of next steps, we plan to share a collection of useful “recipes”. These will be pieces of code you can use as building blocks and modify per your needs.

Given a data diode, how would you encrypt the data you are transmitting?

Modern cryptographic protocols, such as TLS, require an initial handshake to establish session keys (and gain properties such as perfect forward secrecy). If you are dealing with one-way communications, you’ll have to either use existing file encryption protocols (which will result in lots of bytes of overhead) or design your cryptographic protocol.

A simple architecture can be implemented with minimal engineering effort:

• an emitter-proxy which encrypts data inside the secure network.
• a data diode which connects the emitter-proxy to the receiver-proxy.
• a receiver-proxy which decrypts the data, outside the secure network.

Each proxy gets a X25519 key pair and knows the public key of the other proxy.

The emitter-proxy implements the following:

1. derives a shared key by performing a Diffie-Hellman key exchange, followed by a KDF. This step only needs to be performed once, it is therefore possible to use more expensive constructs with possibly better security margins.
2. listens for incoming data packets.
3. encrypts each packet with AES-GCM or AES-GCM-SIV using the shared key derived above.
4. sends the encrypted packet to the data diode.

The receiver-proxy is similar:

1. derives the same shared key by performing its own Diffie-Hellman key exchange and KDF operation.
2. listens for incoming data packets.
3. decrypts each packet with AES-GCM or AES-GCM-SIV using the shared key.
4. forwards the decrypted packet to wherever the data needs to go.

The result is an encrypted & authenticated data diode communication. The encryption overhead can be very minimal: 12 bytes for the IV and 16 bytes for the TAG.

Interested to implement this?

There are a few details I didn’t cover, such as heartbeats and ensuring packets aren’t lost in transit, as well as making key rotations easier – all tractable problems. As a co-author of Ghostunnel, an encryption/decryption proxy widely used in a production setting, I am confident I can help you – feel free to contact me.

I’m looking forward to better authentication systems on the web. Also, R.I.P. Persona.

Do you teach cryptography? If yes, ask your students to design a protocol for two people to play a cards game over the internet (eg Uno, Gin Rummy, Go fish or whatever). The protocol should be trustless so the players don’t have to rely on a centralized server to deal cards and players shouldn’t be able to peek at the deck unless the game rule allows it.

Give extra points to students who come up with simpler protocols, formal proofs, or an actual implementation.

As I was preparing my writeup describing a solution to this puzzle, I discovered that this puzzle is well known under the name “mental poker”. Rivest, Shamir and Adleman wrote a paper (1979).

More recently, Nicolas Mohnblatt published an excellent post titled Mental Poker in the Age of SNARKs (2022). Instead of boring you with yet another protocol, go read Nicolas’ work and experiment with their library, written using arkworks.

Matthew Green wrote a great blog post, Poker is hard, especially for cryptographers (2012).