Lecture 5. AWS Key Management (Applied Cryptography 101: Real-World Deployments)

Video lectures for Alfred Menezes's introductory course on real-world deployments of cryptography. Abstract: This video that gives an in-depth explanation of how Amazon Web Services (AWS) encrypts and decrypts the vast amounts of customer data stored in its data centres. Although the encryption and decryption processes are conceptually straightforward, the real complexity lies in the management of the countless number of symmetric keys used to secure individual data items---including their creation, storage, retrieval, and rotation. The video also highlights the critical role played by Hardware Security Modules (HSMs) in safeguarding these keys and controlling access to them. Topics covered: Cloud computing, Amazon Web Services, AWS global infrastructure, data centre security, Hardware Security Modules (HSMs), AWS KMS, AWS encryption, envelope encryption, DynamoDB Lecture playlist: https://www.youtube.com/playlist?list=PLA1qgQLL41SRn_23p8zD0vUpKM4qOgt_T Course web page: https://cryptography101.ca/crypto101-deployments/ The slides are available on the course web page. Other cryptography courses: https://cryptography101.ca Slides 00:00 Introduction 01:30 Slide 79: Encryption in the cloud: AWS 04:01 Slide 80: AWS global infrastructure 05:06 Slide 81: AWS security 07:19 Slide 82: Snowden revelations: Google cloud 09:22 Slide 83: Data centre security 11:01 Slide 84: Hardware Security Modules (HSMs) 12:37 Slide 85: AWS encryption 16:15 Slide 86: Plaintext encryption 17:58 Slide 87: Random IVs 19:02 Slide 88: DEK encryption 20:35 Slide 89: Derive key mode for key wrapping 21:22 Slide 90: KMS pricing 22:40 Slide 91: DynamoDB 25:13 Slide 92: Envelope encryption 28:57 Slide 93: Protecting a CMK 30:20 Slide 94: Exported Key Tokens (EKTs) 32:17 Slide 95: Protecting a domain key (AWS key hierarchy) 34:00 Slide 96: Exported Domain Tokens (EDTs) 37:02 Slide 97: AWS references