Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Encryption Programming

Amazon's New SSL/TLS Implementation In 6,000 Lines of Code 107

bmearns writes: Amazon has announced a new library called "s2n," an open source implementation of SSL/TLS, the cryptographic security protocols behind HTTPS, SSH, SFTP, secure SMTP, and many others. Weighing in at about 6k lines of code, it's just a little more than 1% the size of OpenSSL, which is really good news in terms of security auditing and testing. OpenSSL isn't going away, and Amazon has made clear that they will continue to support it. Notably, s2n does not provide all the additional cryptographic functions that OpenSSL provides in libcrypto, it only provides the SSL/TLS functions. Further more, it implements a relatively small subset of SSL/TLS features compared to OpenSSL.
This discussion has been archived. No new comments can be posted.

Amazon's New SSL/TLS Implementation In 6,000 Lines of Code

Comments Filter:
  • by Anonymous Coward

    Will they deliver it to me by drone?

  • by TerraFrost ( 611855 ) on Wednesday July 01, 2015 @07:32AM (#50024703)
    The story summary got it wrong - SSH uses it's own distinct protocol to establish an encrypted connection and SFTP is a subsystem of SSH.
    • by Anonymous Coward
      Your mom uses SSH
    • by Anonymous Coward

      It's not quite as simple as that; although SSH and SSL are distinct protocols, in the actual implementations, there may be some overlap of the crypto libraries. See, for example, http://it.slashdot.org/story/14/04/30/1822209/openssh-no-longer-has-to-depend-on-openssl

  • Good idea (Score:5, Interesting)

    by msobkow ( 48369 ) on Wednesday July 01, 2015 @07:33AM (#50024705) Homepage Journal

    Standards have a notorious habit of becoming bloated with rarely used features that never do get properly tested. Rethinking what is actually useful and needed is great for pruning code and handling the majority of use cases. Sure there will be edge cases it can't handle, but that's the whole point: they're edge cases that most programmers aren't going to need to use.

    • by ThePhilips ( 752041 ) on Wednesday July 01, 2015 @07:51AM (#50024789) Homepage Journal

      From security perspective, the small code base is an advantage of its own.

      Support for limited subset of encryption protocols is also a benefit of its own. E.g. OpenSSL still supports MD5 hashes and would happily use them if one forgets to blacklist them.

      • by Junta ( 36770 )

        Support for limited subset of encryption protocols is also a benefit of its own. E.g. OpenSSL still supports MD5

        Which is quite important, since there are a *lot* of scenarios that still use MD5 (and HMAC-MD5 isn't even broken). So for things that need MD5 hashes even if it's not secure, you can still function, and for things that still use HMAC-MD5, you can still talk *securely*.

        • by jandrese ( 485 )
          Maybe you can talk securely. Nobody has publicly announced any vulnerabilities in HMAC-MD5 yet, but that MD5 piece hanging off of there makes me nervous. If Amazon is willing to say that they no longer support Windows 3.11 for Workgroups users buying products from the Amazon store, it is their call. They have to weigh the loss of customers over discovering later that some weird long forgotten part of their OpenSSL implementation gave the keys to the kingdom over to the hackers.
          • by Junta ( 36770 )

            All the known broken facets of MD5 have zero applicability to HMAC usage scenario. The only part of it that weakens HMAC is that SHA256/SHA512 are more computationally expensive.

            If someone knows a weakness in HMAC-MD5, it's hard to imagine it would be related to any of the known broken parts of MD5, and thus HMAC-MD5's chances of being broken might not be so different than any other HMAC use of a hash.

            Yes HMAC-SHA2 is the best choice now. Now it's not a good reason to go nuts over things that use HMAC-MD5

        • Somebody needs to tell a certain company that does third party security validation that. MD5 hashes have use in things that have nothing to do with security, and they constantly get flagged.
          The solution is pretty easy, just use a different Hash, and Apache Commons makes that change a one-liner... but still.. cmoon...
          • by Junta ( 36770 )

            Sometimes you don't have a choice in an interoperable piece of software. In an aggresive world that tosses away backwards compat in the name of security, you'd either have to toss out a bunch of perfectly ok equipment because you *can't* talk to it anymore, or stick to outdated software to protect the investment, which may have unfixed vulnerabilities because the versions that fix things also dropped support for your needs.

    • Agree. It's better to build something rock solid which supports only 80% of all use cases than to end up with something big and bloated that handles every thinkable use case. Yes, the ultimate thing is to have something rock solid that supports everything, but that's an utopia.

  • Seems like it might be useful in embedded systems, but I don't see any mention of that in any of the articles.
  • by Anonymous Coward

    Finally, a quality implementation implemented and backed by a real company. I've had enough of these freelance pet projects get over adopted and used by millions, only to cause some of the worst security breaches in the internet ever!

  • Compile errors (Score:4, Insightful)

    by Aethedor ( 973725 ) on Wednesday July 01, 2015 @07:46AM (#50024773)

    ... which is really good news in terms of security auditing and testing.

    Good, then start debugging. Because I got compile errors on both Linux and MacOS X.

    • Same here, but in some weird way the '.so' file is there and a header file which has a 'duplicate function' in it named 's2n_shutdown', maybe they wanted to make sure it shuts down.
      btw I'm making a .net wrapper at https://github.com/Behrooz-Amo... [github.com]
      only a few hours spent figuring this thing out/coding, any help is appreciated people.
  • I hope this takes over as the defacto standard for HTTPS. I'm tired of constantly seeing SSL and OpenSSL vulnerabilities.
    • In that case, you better try mbed TLS [mbed.org] (former PolarSSL). Has been tested and audited more times than this untested new comer. And it has full support for everything that is needed. mbed TLS makes every new attempt to implement an SSL / TLS library obsolete immediately.

  • Very much unfinished (Score:5, Informative)

    by Lumpio- ( 986581 ) on Wednesday July 01, 2015 @08:03AM (#50024857)
    Did anybody notice that it doesn't, for example, do client mode at all yet? Or it does, but it doesn't implement cert validation at all which makes it useless as a client at the moment and therefore client mode is disabled. That along with delegating all the actual crypto to other libraries means the entire thing doesn't actually *do* much. No wonder it's only 6kLOC.
    • Yea, its roughly the same as saying I can write windows in one line of assembly ...

      Because I can jump to the windows init code ... that was written using millions of lines of code from thousands of other people.

    • Though if you think about Amazon's use case for it, this makes sense. Amazon's main business involves running web servers, not clients so much. I could see them writing a server-only TLS library, though they certainly could make use of the client side as well (in Kindle, for instance), so it makes sense that they'd start out with the server side and add the client functionality later.

      • by Lumpio- ( 986581 )
        My point was that it's not that useful to compare it to other libraries unless there's feature parity.
  • by snsh ( 968808 ) on Wednesday July 01, 2015 @08:06AM (#50024879)

    Does it support SSLv2 and weak ciphers like NULL? or is it hardened out of the box?

    • by jandrese ( 485 )
      The TFA mentioned that it only supports a tiny subset of the functionality that OpenSSL supports. I'm reasonably certain that they didn't include the old and broken stuff in their rewrite.
    • Uh, it shouldn't support SSL at all. SSL is an insecure protocol which, by modern web standards, should not be used ever; TLS is the current protocol.
  • ... fewer lines means better software right? Why not write it in Python and get it down to one line. That would clearly be the best implementation.


    Seriously though, has s2n been audited independently? Who has been involved in its development (Amazon and...)? You can't wheel out the line count and claim a revolutions has happened.
  • by punman ( 412350 ) on Wednesday July 01, 2015 @08:19AM (#50024963) Journal

    Summary is misleading at best. A brief inspection of the source code reveals this is still using OpenSSL's crypto functions. So you're not getting 6k lines of source code to replace OpenSSL, as the summary implies. You're getting 6k worth of wrapper code that still uses OpenSSL and needs to be linked against OpenSSL libraries.

    • by Bengie ( 1121981 )
      It looks like it's a wrapping library that makes it easier to use OpenSSL more safely by limiting which features you can use and how they're used.
      • People have done that before: [conformal.com]

        assl was written by Marco Peereboom in order to hide
        the awful OpenSSL API. It strives to reuse openssl(1) APIs and provide a
        much simpler and sane interface for programmers that are interested in
        writing applications that require the SSL/TLS protocol for secure
        communications.

  • by jonwil ( 467024 ) on Wednesday July 01, 2015 @08:23AM (#50025001)

    Ok so firstly it still uses large chunks of OpenSSL (all the crypto stuff) and is still vulnerable to any security holes in that stuff. So its no good on that score.
    Also, it disables DHE (which is supposed to be good for ensuring forward secrecy) claiming its a "security risk" (to be fair, maybe there is some security flaw with DHE that I haven't read about yet and that is why its turned off)
    Oh and it still supports horridly broken things like RC4, 3DES, SSLv3 and TLS1.0 (all of which contain known unfixable security flaws making them unsuitable going forward)

    • maybe there is some security flaw with DHE that I haven't read about yet and that is why its turned off

      Logjam [weakdh.org]. TLDR; about 100k hours of CPU time can build a dictionary to crack most session keys in less than 90 seconds for 512bit primes.

    • by chihowa ( 366380 )

      3DES isn't horridly broken. With the most commonly used keying option, it's vulnerable to a meet-in-the-middle attack, but it still provides 112 bit security. That'll start looking a little lean in the coming years, but it's still a beast to brute force.

      On the other hand, RC4, SSLv3, and TLS1.0 are actually broken.

      • Someone explain how RC4 is broken. I thought the issues were highly sensitive to environment, notably weak IVs.
        • by chihowa ( 366380 )

          Well, here's a good place to start [wikipedia.org]. RC4 has a number of vulnerabilities and while each of them can be mitigated to a certain extent (changing keys, discarding the beginning of streams, etc), the confidence is low that implemented systems will successfully avoid all of them and not open up new vulnerabilities in the process.

          • Ah, okay. It has actual weaknesses. I had for a long time only heard of protocol weaknesses: RC4 implemented without HMAC, with the key and IV scheduled a certain way, appending a nonce instead of hashing it, has many weaknesses; such statements are ridiculous, because everything implemented poorly has weaknesses (this is why we have key exchange protocols, and VPNs which generate a random RSA key per session and are thus completely insecure). It looks like RSA has some key recovery weaknesses you can't
    • by Meneth ( 872868 )
      And it prefers ECDHE over DHE per default, despite all TLS Elliptic Curves being unsafe.
  • Apples and oranges (Score:5, Insightful)

    by QuietLagoon ( 813062 ) on Wednesday July 01, 2015 @08:33AM (#50025063)

    ... it's just a little more than 1% the size of OpenSSL...Notably, s2n does not provide all the additional cryptographic functions that OpenSSL provides in libcrypto, it only provides the SSL/TLS functions....

    So then, aren't size comparisons between OpenSSL and s2n at best useless, and at worst intentionally misleading?

    • So then, aren't size comparisons between OpenSSL and s2n at best useless, and at worst intentionally misleading?

      Possibly misleading, if one doesn't understand the true claims, but definitely useful.

      If you're just using OpenSSL for running servers and s2n can provide all of the functions a server needs, and s2n is is 1% of openssl's size, then it's a much, much cheaper target for auditing, and so it's far more feasible to feel secure about it.

      If you're doing something different with OpenSSL then the use case

    • ... it's just a little more than 1% the size of OpenSSL...Notably, s2n does not provide all the additional cryptographic functions that OpenSSL provides in libcrypto, it only provides the SSL/TLS functions....

      So then, aren't size comparisons between OpenSSL and s2n at best useless, and at worst intentionally misleading?

      No, but this particular comparison is. Besides all of the stuff s2n doesn't provide, s2n actually uses OpenSSL's libcrypto to provide the implementations of all of its crypto algorithm. A useful comparison could be made between OpenSSL's TLS layer and s2n, with some caveats listing the TLS features s2n doesn't provide.

      Note that none of this means that s2n doesn't have value. If you don't need the other OpenSSL features, it's a lot less code to audit.

  • 6,000 lines of code that DO NOT replace OpenSSL. Only partially replace. A sub-set.

  • Notably, s2n does not provide all the additional cryptographic functions that OpenSSL provides in libcrypto, it only provides the SSL/TLS functions. Further more, it implements a relatively small subset of SSL/TLS features compared to OpenSSL.

    This is the kind of really important detail that is often left out of summaries and winds up making my eye twitch. Thanks OP and/or editors for rising above the common dross.

  • by backslashdot ( 95548 ) on Wednesday July 01, 2015 @10:33AM (#50025953)

    6000 lines of code, that's the good news. The bad news is that it's written in perl and makes heavy use of regular expressions.

  • its not much of anything:
    https://github.com/awslabs/s2n... [github.com]
    contains #include <openssl/...>

Top Ten Things Overheard At The ANSI C Draft Committee Meetings: (1) Gee, I wish we hadn't backed down on 'noalias'.

Working...