Posted: February 15th, 2023
A Machine-Checked Proof of Security for AWS Key Management Service
José Bacelar Almeida (University of Minho and INESC TEC)
Manuel Barbosa (University of Porto (FCUP) and INESC TEC)
Gilles Barthe (IMDEA Software Institute; MPI for Security and Privacy)
Matthew Campagna (Amazon Web Services)
Ernie Cohen (Amazon Web Services)
Benjamin Gregoire (INRIA Sophia Antipolis)
Vitor Pereira (University of Porto (FCUP) and INESC TEC)
Bernardo Portela (University of Porto (FCUP) and INESC TEC)
Pierre-Yves Strub (École Polytechnique)
Serdar Tasiran (Amazon Web Services)
ABSTRACT
We present a machine-checked proof of security for the domain management protocol of Amazon Web Services’ KMS (Key Management Service), a critical security service used throughout AWS and by AWS customers. Domain management is at the core of AWS KMS; it governs the top-level keys that anchor the security of encryption services at AWS. We show that the protocol securely implements an ideal distributed encryption mechanism under standard cryptographic assumptions. The proof is machine-checked in the EasyCrypt proof assistant and is the largest EasyCrypt development to date.
CCS CONCEPTS
• Security and privacy → Key management; Logic and verification.
KEYWORDS
Provable-Security; Machine-Checked Proof; Key Management
ACM Reference Format:
José Bacelar Almeida, Manuel Barbosa, Gilles Barthe, Matthew Campagna, Ernie Cohen, Benjamin Gregoire, Vitor Pereira, Bernardo Portela, Pierre-Yves Strub, and Serdar Tasiran. 2019. A Machine-Checked Proof of Security for AWS Key Management Service. In 2019 ACM SIGSAC Conference on Computer & Communications Security (CCS ’19), November 11–15, 2019, London, United Kingdom. ACM, New York, NY, USA, 16 pages. https://doi.org/10.1145/3319535.3354228
CCS ’19 (Session 1C: Cloud Security I), November 11–15, 2019, London, United Kingdom. © 2019 Copyright held by the owner/author(s). Publication rights licensed to ACM.
ACM ISBN 978-1-4503-6747-9/19/11. . . $15.00
https://doi.org/10.1145/3319535.3354228
1 INTRODUCTION
Today’s cloud services use sophisticated distributed architectures and algorithms to make data highly available and durable. To improve security, data at rest is typically encrypted, and decrypted only when/where necessary. The encryption keys themselves must be similarly durable and available; however, directly providing all keys to whichever service needs to use them unnecessarily increases the attack surface. For the most sensitive keys, it is more prudent to encapsulate them within a separate distributed encryption service. Such a service allows the creation of new keys, and uses these keys to encrypt and decrypt data, but does not expose the keys themselves to clients.
The subject of this paper is the AWS domain management protocol (henceforth abbreviated DMP), a distributed encryption service underlying the Amazon Web Services (AWS) Key Management Service (KMS [5]). AWS KMS, a core component of the AWS cloud, lets AWS customers create and manage encryption keys, providing a consistent view of encryption/decryption operations across AWS services, and controlling their use through AWS Identity and Access Management (IAM).¹ The widespread usage of AWS KMS and the central role of the DMP justify a high-assurance security proof, leveraging recent developments in computer-aided cryptography such as [3, 4, 7].
In this paper, we present a fully mechanized, concrete proof of security of the DMP. Informally, the proof shows that the DMP provides an idealized encryption service.
Security goal. The DMP is designed to protect the confidentiality of data encrypted under domain keys and guarantee the correct operation of the interface it provides, even in the presence of a malicious individual interfering with the inner workings of the system. In particular, we consider an adversary that can commission and decommission hosts and HSMs (Hardware Security Modules), assumed to be under adversarial control, and manipulate (insert, delete, modify) messages exchanged between system entities. Our goal is to show that such an adversary cannot gain further advantage than possibly causing the system to go unresponsive.
¹ Within AWS KMS, the DMP is used only to encrypt and decrypt customer master keys, the roots of the customer key hierarchies. The use of these master keys, and the design of KMS (outside of the DMP itself), is described in [5].
Formally, this security goal is defined using an ideal functionality and the real-vs-ideal world paradigm, similarly to the Universal Composability [14] framework. We prove that the DMP is indistinguishable from an idealized encryption service to an arbitrary external environment that can collude with a malicious insider adversary. This formalization captures precisely the security that the rest of AWS KMS needs from the DMP.
Main Theorem. Our main theorem states that the DMP behaves like an ideal authenticated encryption service. The theorem rules out attacks from arbitrary computationally bounded adversaries, under standard cryptographic assumptions for digital signatures, hash functions and encryption schemes. Formally, we prove that the probability of breaking the protocol is smaller than

$$2 \cdot \Big( (q_{\mathrm{ops}} + q_{\mathrm{hid}}) \cdot \epsilon_{\mathrm{sig}} + q_{\mathrm{dom}} \cdot \epsilon_{\mathrm{aead}} + \epsilon_{\mathrm{cr}} + \epsilon_{\mathrm{mrpke}} + \epsilon_{\mathrm{coll}} \Big),$$

where $q_{\mathrm{ops}}$ and $q_{\mathrm{hid}}$ are upper bounds on the number of human operators and HSMs in the system, respectively; $q_{\mathrm{dom}}$ upper-bounds the number of domain keys; $\epsilon_{\mathrm{sig}}$, $\epsilon_{\mathrm{aead}}$ and $\epsilon_{\mathrm{cr}}$ denote the maximum probabilities of breaking a standard signature, authenticated encryption and cryptographic hash function, respectively; $\epsilon_{\mathrm{mrpke}}$ denotes the maximum probability of breaking a multi-recipient variant of public-key encryption; and $\epsilon_{\mathrm{coll}}$ is a small statistical term related to collisions of signature verification keys. The security of cryptographic signatures, hashes, and authenticated encryption implies that all of the epsilons above (and hence the total probability of breaking the protocol) are negligible. A more precise statement of the concrete cryptographic setting and bound can be found in Sections 4 and 5.
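The real-vs-ideal definition and main-theorem bound above, as an added illustration that is not part of the paper or of its EasyCrypt development: a constructed model of the ideal authenticated encryption service (random ciphertexts that leak only the plaintext length, decryption succeeding only on ciphertexts the functionality itself produced), a real world built on a constructed toy AEAD, an environment that queries either world through the same interface, and the bound written as a function. The class names, the toy AEAD and the sample plaintext are all assumptions made here.

```python
import os, hmac, hashlib, secrets

NONCE, TAG = 16, 32   # nonce and HMAC-SHA256 tag sizes of the constructed toy AEAD

class IdealService:
    """Ideal authenticated encryption: a ciphertext is a fresh random string that
    depends only on the plaintext length; decryption succeeds only for
    ciphertexts this functionality itself produced under the same key handle."""
    def __init__(self):
        self.handles, self.table = set(), {}      # table: (handle, ct) -> pt
    def new_key(self):
        h = len(self.handles); self.handles.add(h); return h
    def enc(self, h, pt):
        ct = secrets.token_bytes(NONCE + len(pt) + TAG)   # independent of pt's content
        self.table[(h, ct)] = pt
        return ct
    def dec(self, h, ct):
        return self.table.get((h, ct))            # None models "reject"

class RealService:
    """Real world: per-handle random keys and a constructed toy AEAD (HMAC-SHA256
    counter-mode keystream, encrypt-then-MAC). For illustration only."""
    def __init__(self):
        self.keys = {}
    def new_key(self):
        h = len(self.keys); self.keys[h] = os.urandom(32); return h
    def _stream(self, k, nonce, n):
        blocks = (hmac.new(k, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range((n + 31) // 32))
        return b"".join(blocks)[:n]
    def enc(self, h, pt):
        k, nonce = self.keys[h], os.urandom(NONCE)
        body = bytes(a ^ b for a, b in zip(pt, self._stream(k, nonce, len(pt))))
        return nonce + body + hmac.new(k, nonce + body, hashlib.sha256).digest()
    def dec(self, h, ct):
        if len(ct) < NONCE + TAG:
            return None
        k, nonce, body, tag = self.keys[h], ct[:NONCE], ct[NONCE:-TAG], ct[-TAG:]
        if not hmac.compare_digest(tag, hmac.new(k, nonce + body, hashlib.sha256).digest()):
            return None                           # forged or modified: reject
        return bytes(a ^ b for a, b in zip(body, self._stream(k, nonce, len(body))))

def environment(world, pt=b"customer master key material"):
    """What a distinguishing environment observes through the service interface:
    honest round trip, ciphertext overhead, and rejection of a tampered ciphertext."""
    h = world.new_key()
    ct = world.enc(h, pt)
    tampered = ct[:NONCE] + bytes([ct[NONCE] ^ 1]) + ct[NONCE + 1:]
    return (world.dec(h, ct) == pt, len(ct) - len(pt), world.dec(h, tampered) is None)

def bound(q_ops, q_hid, q_dom, e_sig, e_aead, e_cr, e_mrpke, e_coll):
    return 2 * ((q_ops + q_hid) * e_sig + q_dom * e_aead + e_cr + e_mrpke + e_coll)
```

Both worlds give the environment the same observations on honest use and on a tampered ciphertext; the theorem's claim is that no efficient environment can tell them apart with probability above the bound.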
Formalization. The proof is fully machine-checked in EasyCrypt [6], a proof assistant for cryptographic proofs. The development is 15K lines of code (loc), of which 500 loc comprise the protocol specification. Besides being the largest EasyCrypt development to date, the proof combines game-hopping techniques that are standard in cryptographic proofs, and rich inductive reasoning that is standard in program verification. The machine-checked proof is novel for the following reasons:
• We formalize a notion of key secrecy for KMS DMP in the style of cryptographic APIs [23] and extend prior work in this area by i. addressing a substantially more complex (distributed) API; and ii. making explicit which assumptions on the behaviour of human operators are necessary (as otherwise trivial breaks would be possible), whilst excluding all non-trivial breaks as in prior work by reducing to standard cryptographic assumptions.
• We relate the above definition of security with a real-vs-ideal world security definition for encryption services, by proving a (reusable) general composition result for combining cryptographic key management APIs with AEAD schemes. Our resulting top-level security theorem establishes that KMS DMP is as good as an ideal authenticated encryption service in the specified trust model.
• The machine-checked proof follows best proof engineering practices and favors reusable components, breaking down the verification effort into three types of steps:
i. reusable results that lift standard cryptographic assumptions on signatures and hash functions to idealized versions that permit reasoning symbolically about complex invariants on authenticated data structures;
ii. use rich inductive reasoning to prove that intricate authentication invariants hold in the security experiments, and rewrite (slice) the code of the security games to make explicit the split between data which is under adversarial control (due to trivial strategies that do not contradict the security claim) and data which is outside of the adversary’s reach; and
iii. build on the previous results to conduct a game hopping proof that, first, idealizes digital signatures and hash functions, accounting for concrete (negligible) security losses; then modularly uses the authentication invariants to perform security experiment slicing; and finally reduces the key-secrecy property to the security of multi-recipient encryption.
Paper Structure. In Section 2 we give a bird’s eye view of our approach and provide a road-map for the paper, before moving on to more technical sections. In Section 3 we give a detailed description of the DMP and of its formalization in EasyCrypt. Then, in Section 4 we formalize the security model that we have adopted and in which we have proved security of the DMP. In Section 5 we describe the machine-checked security proof. Section 6 gives an overview of the improvements to EasyCrypt that were developed during the project. Section 8 contains a summary of related work, and Section 9 the concluding remarks.
2 OVERVIEW
In this section we present an overview of the DMP goals and interface, and then outline the structure and contents of the EasyCrypt model and proof (shown in Figure 1).
DMP Concepts. The fundamental unit of security in the DMP is a domain. Each domain provides an independent distributed encryption functionality using a combination of machines and people (collectively referred to as entities) which may change over time.
Each entity can participate in multip