HTTP Request Signing with AWS Signature Version 4


HTTP Request Signing with AWS Signature Version 4
Annabelle Backman, AWS
IETF 105 – July, 2019

Request Signing in AWS
  • Why?
      • Authentication
      • Message integrity
      • Replay prevention
  • When?
      • Almost all requests to AWS APIs
  • What?
      • Method, endpoint, path, timestamp, query string parameters, body
      • Some headers
  • How?
      • HMAC-SHA256 with key derived from shared secret

Signature Version 4
  1. Create the canonical request
  2. Create the string to sign
  3. Calculate the signature

Sig. V4 Step 1: Create the Canonical Request

    POST /a/../long/path%20name/?a=1&b=2&C=def&C=abc HTTP/1.1
    Host: example.amazonaws.com
    Content-Type: application/x-www-form-urlencoded; charset=utf-8
    X-Amz-Date: 20190722T0530Z

    CanonicalRequest =
      HTTPRequestMethod + '\n' +
      CanonicalURI + '\n' +
      CanonicalQueryString + '\n' +
      CanonicalHeaders + '\n' +
      SignedHeaders + '\n' +
      HexEncode(Hash(RequestPayload))

Sig. V4 Step 1: Create the Canonical Request

    POST /a/../long/path%20name/?a=1&b=2&C=def&C=abc HTTP/1.1
    Host: example.amazonaws.com
    Content-Type: application/x-www-form-urlencoded; charset=utf-8
    X-Amz-Date: 20190722T053000Z

    POST
    CanonicalURI
    CanonicalQueryString
    CanonicalHeaders
    SignedHeaders
    HexEncode(Hash(RequestPayload))

Sig. V4 Step 1: Create the Canonical Request

    POST /a/../long/path%20name/?a=1&b=2&C=def&C=abc HTTP/1.1
    Host: example.amazonaws.com
    Content-Type: application/x-www-form-urlencoded; charset=utf-8
    X-Amz-Date: 20190722T053000Z

    POST
    /long/path%2520name/
    CanonicalQueryString
    CanonicalHeaders
    SignedHeaders
    HexEncode(Hash(RequestPayload))

Sig. V4 Step 1: Create the Canonical Request

    POST /a/../long/path%20name/?a=1&b=2&C=def&C=abc HTTP/1.1
    Host: example.amazonaws.com
    Content-Type: application/x-www-form-urlencoded; charset=utf-8
    X-Amz-Date: 20190722T053000Z

    POST
    /long/path%2520name/
    C=abc&C=def&a=1&b=2
    CanonicalHeaders
    SignedHeaders
    HexEncode(Hash(RequestPayload))

Sig. V4 Step 1: Create the Canonical Request

    POST /a/../long/path%20name/?a=1&b=2&C=def&C=abc HTTP/1.1
    Host: example.amazonaws.com
    Content-Type: application/x-www-form-urlencoded; charset=utf-8
    X-Amz-Date: 20190722T053000Z

    POST
    /long/path%2520name/
    C=abc&C=def&a=1&b=2
    content-type: application/x-www-form-urlencoded; charset=utf-8
    host: example.amazonaws.com
    x-amz-date: 20190722T053000Z
    content-type;host;x-amz-date
    HexEncode(Hash(RequestPayload))

Sig. V4 Step 1: Create the Canonical Request

    POST /a/../long/path%20name/?a=1&b=2&C=def&C=abc HTTP/1.1
    Host: example.amazonaws.com
    Content-Type: application/x-www-form-urlencoded; charset=utf-8
    X-Amz-Date: 20190722T053000Z

    POST
    /long/path%2520name/
    C=abc&C=def&a=1&b=2
    content-type: application/x-www-form-urlencoded; charset=utf-8
    host: example.amazonaws.com
    x-amz-date: 20190722T053000Z
    content-type;host;x-amz-date
    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Sig. V4 Step 2: Create the String to Sign

    StringToSign =
      Algorithm + '\n' +
      RequestDateTime + '\n' +
      CredentialScope + '\n' +
      HexEncode(Hash(CanonicalRequest))

    AWS4-HMAC-SHA256
    20190722T053000Z
    20190722/us-east-1/example/aws4_request
    f536975d06c0309214f805bb90ccff089219ecd68b2577efef23edd43b7e1a59

Sig. V4 Step 3: Calculate the Signature

    kSecret  = SecretKey
    kDate    = HMAC('AWS4' + kSecret, Date)
    kRegion  = HMAC(kDate, Region)
    kService = HMAC(kRegion, Service)
    kSigning = HMAC(kService, "aws4_request")

    Signature = HexEncode(HMAC(kSigning, StringToSign))
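
The three steps applied to the slide's request, as an added Python example that is not part of the presentation. The secret is a made-up placeholder, the body is assumed empty (the slide's payload hash is the SHA-256 of empty input), and canonical header lines use the `name:value` form from the AWS documentation.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, quote

def canonical_uri(path: str) -> str:
    # Drop dot segments, then URI-encode each segment once more ('%20' -> '%2520').
    out = []
    for seg in path.split("/"):
        if seg == "..":
            del out[max(1, len(out) - 1):]   # pop one segment, never the root
        elif seg != ".":
            out.append(seg)
    return "/".join(quote(s, safe="-_.~") for s in out) or "/"

def canonical_query(qs: str) -> str:
    # Decode, re-encode, then sort by name and value in code point order.
    pairs = [(quote(k, safe="-_.~"), quote(v, safe="-_.~"))
             for k, v in parse_qsl(qs, keep_blank_values=True)]
    return "&".join(f"{k}={v}" for k, v in sorted(pairs))

def canonical_request(method, path, qs, headers, body: bytes) -> str:
    # Lowercase header names, collapse whitespace in values, sort by name.
    hdrs = sorted((k.lower(), " ".join(v.split())) for k, v in headers.items())
    return "\n".join([
        method, canonical_uri(path), canonical_query(qs),
        "".join(f"{k}:{v}\n" for k, v in hdrs),
        ";".join(k for k, _ in hdrs),
        hashlib.sha256(body).hexdigest()])

def sign(secret: str, amz_date: str, region: str, service: str, creq: str):
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    sts = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                     hashlib.sha256(creq.encode()).hexdigest()])
    key = ("AWS4" + secret).encode()          # kSecret with its prefix
    for part in (date, region, service, "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return sts, hmac.new(key, sts.encode(), hashlib.sha256).hexdigest()

# Constructed inputs: the slide's request, an empty body, a made-up secret.
HEADERS = {"Host": "example.amazonaws.com",
           "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
           "X-Amz-Date": "20190722T053000Z"}
CREQ = canonical_request("POST", "/a/../long/path%20name/",
                         "a=1&b=2&C=def&C=abc", HEADERS, b"")
STS, SIG = sign("EXAMPLE-SECRET-NOT-REAL", "20190722T053000Z",
                "us-east-1", "example", CREQ)
```

A verifier recomputes the same value from the received request and should compare it to the presented signature with `hmac.compare_digest`.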