
How does AWS request signing and verification work? Let's say I have created a signed request using this guide.

How does the AWS service verify this signature? I see 2 options with their respective flaws (considering symmetrical encryption only):

  1. AWS stores the encrypted access key, which is used by the end service to calculate the signature and verify it. But this breaks the rule that you should store only password hashes if possible.
  2. AWS distributes the key = HMAC(service, access_key) to the respective services. But if this key is somehow leaked, anyone can sign any request for a given time window.

I believe the actual verification is more secure than my naive scenarios, but I could not find any specifics.

schroeder
user32569
  • Are you aware of how signing verification works in general? What does a signing key and a password have in common that the rule for storing passwords would apply to signing keys? – schroeder Dec 07 '20 at 10:08
  • I'm thinking that your question is answered with some basic concepts: https://security.stackexchange.com/questions/8034/how-does-the-digital-signature-verification-process-work – schroeder Dec 07 '20 at 10:09
  • From my perspective, the main reason we hash passwords is to protect users against password re-use. Since users often re-use the same password on multiple sites, their password is a critical piece of information for them, and so it is hashed to give it that necessary layer of extra protection. When you start to talk about API keys this no longer applies. As a site operator I can't take your API key and use it to log in to your bank. As a result, it is nowhere near as sensitive, and storing it in a retrievable format is both acceptable and required. – Conor Mancone Dec 07 '20 at 10:46
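
An added example, not part of the original question or comments: the publicly documented Signature Version 4 key derivation, which shows how far a leaked derived key of the kind described in option 2 would reach. The `verify` function is a hypothetical verifier holding only a scoped key (an assumption, not a description of AWS internals), and the secret and request are constructed sample values.

```python
import hashlib
import hmac


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """SigV4 key chain: each step narrows the key to one date, region, service."""
    k_date = _hmac(("AWS4" + secret).encode("utf-8"), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def string_to_sign(amz_date: str, region: str, service: str, canonical_request: str) -> str:
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    digest = hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()
    return "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, digest])


def sign(signing_key: bytes, sts: str) -> str:
    return hmac.new(signing_key, sts.encode("utf-8"), hashlib.sha256).hexdigest()


def verify(scoped_key: bytes, sts: str, presented_signature: str) -> bool:
    """Hypothetical verifier that holds only a scoped key, never the secret."""
    return hmac.compare_digest(sign(scoped_key, sts), presented_signature)


# Constructed sample values, not real credentials or a real request.
SECRET = "constructed-secret-access-key-for-demo"
CANONICAL_REQUEST = ("GET\n/\nAction=ListUsers&Version=2010-05-08\n"
                     "host:iam.amazonaws.com\n\nhost\n" + hashlib.sha256(b"").hexdigest())


def demo() -> dict:
    sts = string_to_sign("20201207T100800Z", "us-east-1", "iam", CANONICAL_REQUEST)
    signature = sign(derive_signing_key(SECRET, "20201207", "us-east-1", "iam"), sts)
    keys = {
        "same scope": derive_signing_key(SECRET, "20201207", "us-east-1", "iam"),
        "next day": derive_signing_key(SECRET, "20201208", "us-east-1", "iam"),
        "other service": derive_signing_key(SECRET, "20201207", "us-east-1", "s3"),
    }
    return {name: verify(key, sts, signature) for name, key in keys.items()}


if __name__ == "__main__":
    print(demo())
```

Only the key derived for the same date, region and service validates the signature; keys derived for another day or another service do not, and HMAC is one-way, so a scoped key does not reveal the secret access key.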
