Is it possible to use KMS for web3 signing?

0

Hi,

I have a question regarding the use of AWS Key Management Service (KMS) for web3 signing. To my knowledge, KMS did not support importing asymmetric key pairs until June 5, 2023. However, it's worth mentioning that KMS now supports importing asymmetric key pairs, including for the ECC_SECG_P256K1 key specification.

My concern is that KMS does not seem to support the ECDSA-SHA3-256 signing algorithm, which is essential for web3 signing. If this understanding is correct, it implies that KMS cannot be used for web3 signing, right?

If the above is right, I am curious whether there are any alternative services or solutions on AWS that can securely store a web3 account's private keys and provide the required signing capabilities.

I appreciate any insights or recommendations from the community.

asked 10 months ago, 537 views
2 Answers
1

Hi, the way to achieve your goal is to use AWS Secrets Manager to build a custom secret with your web3 signing key. Then, you can leverage KMS and its features (automated key rotation, etc.) to protect your web3 key via KMS encryption.

See https://aws.amazon.com/secrets-manager/

For details on HOWTO: https://docs.aws.amazon.com/secretsmanager/latest/userguide/create_secret.html

If you want to build an extremely solid solution, you can also implement confidential computing with Nitro Enclaves: see https://aws.amazon.com/blogs/database/part-3-aws-nitro-enclaves-for-secure-blockchain-key-management/

AWS EXPERT
answered 10 months ago
  • Thanks for your comments. Let me study this first.

1

I think you are mixing up a few things. The signing algorithm is not tied to a specific hashing function. When you say ECDSA-SHA3-256, I believe what you are referring to is using SHA3-256 to generate a digest of a message, then using ECDSA (likely with the secp256k1 key spec, since you mentioned cryptocurrency) to sign the digest.

Generally, when you sign a message to create a signature, you generate a digest of the message and then sign the digest rather than the message itself. You can choose to sign the entire message, but there is a performance penalty and a potential security concern in doing so. In addition, AWS KMS supports signing messages of up to 4 KB only, hence you would need to generate and sign the digest instead if your message is large. (If you are interested in learning the difference between signing a message and signing a digest, check out this StackExchange post.)

The KMS API Sign has a built-in hashing function (SHA-2). But the hashing function is only used if you set MessageType to RAW. If you set this to DIGEST, then AWS KMS skips the hashing step before performing the signing operation. This behavior is also similar for the KMS API Verify.

So what you can do is the following:

  1. Create an asymmetric KMS key with the secp256k1 key spec.
  2. Import your private key to AWS KMS (see here).
  3. Generate SHA3-256 hash of your message within your application.
  4. Call KMS API Sign, use the SigningAlgorithm that matches the length of your hash (i.e., ECDSA_SHA_256).

Obviously, steps 1 and 2 are done once. I hope this helps.

Helpful Link: https://cryptobook.nakov.com/digital-signatures/ecdsa-sign-verify-examples

AWS
answered 10 months ago
  • Yes I do mix things up (generating a digest and signing). I will try again. Thanks.
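The pipeline described in the answer above (steps 3 and 4: hash in the application, let KMS sign the digest with MessageType=DIGEST and ECDSA_SHA_256), as an added example that is not part of the original thread or of any AWS code. Because a real `boto3` KMS call cannot run offline, the block carries a `FakeKmsClient` stand-in that models only what matters here: it refuses anything except a 32-byte DIGEST under ECDSA_SHA_256 and signs those bytes as given, with no further hashing, returning the DER-encoded signature that the real Sign API returns. The secp256k1 arithmetic is a small textbook implementation so the result can be verified locally; the key value, the key alias `alias/web3-signer` and the nonce derivation in the fake are hypothetical. The verification step proves the point of the answer: the signature checks out over the SHA3-256 digest the application computed, so KMS did not re-hash it.

```python
import hashlib

# secp256k1 domain parameters (the curve behind the ECC_SECG_P256K1 key spec)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _add(p1, p2):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def _mul(k, pt):
    """Double-and-add scalar multiplication (illustrative, not constant-time)."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc


def public_key(priv):
    return _mul(priv, G)


def _der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8, "big") or b"\x00"
    if b[0] & 0x80:                      # keep the DER INTEGER positive
        b = b"\x00" + b
    return b"\x02" + bytes([len(b)]) + b


def der_encode(r, s):
    body = _der_int(r) + _der_int(s)
    return b"\x30" + bytes([len(body)]) + body


def der_to_rs(der):
    """Parse the DER ECDSA-Sig-Value that KMS Sign returns into (r, s)."""
    if der[0] != 0x30 or der[1] != len(der) - 2 or der[2] != 0x02:
        raise ValueError("malformed DER signature")
    rlen = der[3]
    r = int.from_bytes(der[4:4 + rlen], "big")
    i = 4 + rlen
    if der[i] != 0x02 or i + 2 + der[i + 1] != len(der):
        raise ValueError("malformed DER signature")
    return r, int.from_bytes(der[i + 2:], "big")


def ecdsa_verify(pub, digest, r, s):
    """Textbook ECDSA verification over a 32-byte digest, as a chain node would do it."""
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    z = int.from_bytes(digest, "big")
    pt = _add(_mul(z * w % N, G), _mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


class FakeKmsClient:
    """Constructed stand-in for boto3's KMS client; models Sign over a DIGEST only."""

    def __init__(self, key_id, priv):
        self._keys = {key_id: priv}

    def sign(self, KeyId, Message, MessageType, SigningAlgorithm):
        # With MessageType=DIGEST, KMS signs the 32 bytes exactly as given: no extra hashing.
        if SigningAlgorithm != "ECDSA_SHA_256" or MessageType != "DIGEST" or len(Message) != 32:
            raise ValueError("fake models only ECDSA_SHA_256 over a 32-byte DIGEST")
        priv = self._keys[KeyId]
        # Hypothetical key-bound deterministic nonce for a repeatable example (not RFC 6979);
        # the real service draws k inside the HSM.
        k = int.from_bytes(hashlib.sha256(priv.to_bytes(32, "big") + Message).digest(), "big") % N
        r = _mul(k, G)[0] % N
        s = pow(k, -1, N) * (int.from_bytes(Message, "big") + r * priv) % N
        return {"KeyId": KeyId, "Signature": der_encode(r, s), "SigningAlgorithm": SigningAlgorithm}


def sign_web3_message(kms, key_id, message):
    """Steps 3 and 4 of the answer: hash in the app, have KMS sign the digest, normalise to low-s."""
    digest = hashlib.sha3_256(message).digest()
    resp = kms.sign(KeyId=key_id, Message=digest, MessageType="DIGEST",
                    SigningAlgorithm="ECDSA_SHA_256")
    r, s = der_to_rs(resp["Signature"])
    if s > N // 2:                       # chains reject the malleable high-s twin; flip to canonical
        s = N - s
    return digest, r, s


def demo():
    priv = 0x0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF  # hypothetical test key
    key_id = "alias/web3-signer"                                                # hypothetical alias
    digest, r, s = sign_web3_message(FakeKmsClient(key_id, priv), key_id, b"hello web3")
    return {
        "digest_is_sha3": digest == hashlib.sha3_256(b"hello web3").digest(),
        "verifies": ecdsa_verify(public_key(priv), digest, r, s),
        "low_s": s <= N // 2,
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats for production use. First, Ethereum's `keccak256` is the pre-standard Keccak-256, which differs from `hashlib.sha3_256` in its padding byte, so substitute the Keccak implementation your chain actually uses; the KMS call itself is unchanged, since KMS only sees 32 opaque bytes. Second, KMS returns only (r, s); the recovery id `v` that Ethereum transactions carry still has to be derived in the application by checking which recovered candidate matches the public key you fetched with GetPublicKey.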
