Hi, the way to achieve your goal is to use AWS Secrets Manager to build a custom secret with your web signing key. Then, you can leverage KMS and its features (automated key rotation, etc.) to protect your web3 key via KMS encryption.
See https://aws.amazon.com/secrets-manager/
For details on HOWTO: https://docs.aws.amazon.com/secretsmanager/latest/userguide/create_secret.html
If you want to build an extremely solid solution, you can also implement confidential computing with Nitro Enclaves: see https://aws.amazon.com/blogs/database/part-3-aws-nitro-enclaves-for-secure-blockchain-key-management/
I think you are mixing up a few things. The signing algorithm is not tied to a specific hashing function. When you say ECDSA-SHA3-256, I believe what you are referring to is using SHA3-256 to generate a digest of a message and then using ECDSA (likely the secp256k1 key spec, since you mentioned cryptocurrency) to sign the digest.
Generally, when you sign a message to create a signature, you generate a digest of the message and then sign the digest rather than the message itself. You can choose to sign the entire message, but there is a performance penalty and a potential security concern in doing so. In addition, AWS KMS supports signing messages of up to 4 KB only, hence you would need to generate and sign the digest instead if your message is big. (If you are interested in learning the difference between signing a message and signing a digest, check out this StackExchange post.)
The KMS API Sign has a built-in hashing function (SHA-2). But the hashing function is only used if you set MessageType to RAW. If you set this to DIGEST, then AWS KMS skips the hashing step before performing the signing operation. This behavior is also similar for the KMS API Verify.
So what you can do is the following:
1. Create an asymmetric KMS key in the secp256k1 key spec.
2. Import your private key to AWS KMS (see here).
3. Generate the SHA3-256 hash of your message within your application.
4. Call the KMS API Sign, using the SigningAlgorithm that matches the length of your hash (i.e., ECDSA_SHA_256).
Obviously steps 1 and 2 are done once. I hope this helps.
Helpful Link: https://cryptobook.nakov.com/digital-signatures/ecdsa-sign-verify-examples
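An added example (not part of the answer above) that carries out steps 3 and 4 in Python: the message is hashed locally with SHA3-256, and the KMS Sign and Verify parameters are built with MessageType DIGEST, choosing the ECDSA SigningAlgorithm by digest length. The key alias is a placeholder, and boto3 is only needed for the final network call.

```python
import hashlib

# Digest length (bytes) each KMS ECDSA SigningAlgorithm expects when
# MessageType is DIGEST. In DIGEST mode KMS does not hash again; the name
# only fixes the digest size, so a SHA3-256 digest pairs with ECDSA_SHA_256.
DIGEST_LEN_TO_ALGORITHM = {32: "ECDSA_SHA_256", 48: "ECDSA_SHA_384", 64: "ECDSA_SHA_512"}


def sha3_256_digest(message: bytes) -> bytes:
    """Hash the message in the application, not in KMS (any size is fine;
    only the 32-byte digest is sent, so the 4 KB Sign limit never applies)."""
    return hashlib.sha3_256(message).digest()


def build_sign_request(key_id: str, digest: bytes) -> dict:
    """Parameters for kms.sign(); rejects digests no ECDSA algorithm accepts."""
    try:
        algorithm = DIGEST_LEN_TO_ALGORITHM[len(digest)]
    except KeyError:
        raise ValueError(f"no ECDSA SigningAlgorithm for a {len(digest)}-byte digest")
    return {
        "KeyId": key_id,
        "Message": digest,
        "MessageType": "DIGEST",  # skip KMS's built-in SHA-2 hashing step
        "SigningAlgorithm": algorithm,
    }


def build_verify_request(key_id: str, digest: bytes, signature: bytes) -> dict:
    """Parameters for kms.verify(); same digest and algorithm as signing."""
    request = build_sign_request(key_id, digest)
    request["Signature"] = signature
    return request


def sign_with_kms(key_id: str, message: bytes) -> bytes:
    """Hash locally, then sign the digest with the imported secp256k1 key.
    Needs boto3 and AWS credentials; KMS returns a DER-encoded ECDSA signature."""
    import boto3  # imported here so the helpers above run offline

    kms = boto3.client("kms")
    return kms.sign(**build_sign_request(key_id, sha3_256_digest(message)))["Signature"]


if __name__ == "__main__":
    # Constructed sample message; the alias is a placeholder, not a real key.
    req = build_sign_request("alias/PLACEHOLDER-secp256k1-key", sha3_256_digest(b"hello web3"))
    print(req["SigningAlgorithm"], req["Message"].hex())
```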
Yes I do mix things up (generating a digest and signing). I will try again. Thanks.
Thanks for your comments. Let me study this first.