AWS ENCRYPTION AND KEY SYNCHRONIZATION


ISSUE: AWS ENCRYPTION AND KEY SYNCHRONIZATION TOPIC DISCUSSION: How is key exchange and synchronization between AWS KMS multi-Region keys achieved? I wish to get a detailed understanding of the PaaS architecture and cryptography used to achieve this.

asked 14 days ago, 29 views
1 Answer

AWS KMS achieves key exchange and synchronization for multi-region keys through a sophisticated process that ensures security and durability. Here's a detailed explanation of the architecture and cryptography used:

  1. Cross-Region Replication Process: The process begins when a multi-region primary key is replicated to another region. This involves copying the key material from one AWS Region (Region A) to another (Region B).

  2. HSM Isolation and Proxy Service: HSMs (Hardware Security Modules) in different regions cannot communicate directly due to network isolation. To overcome this, AWS uses a proxy service to facilitate communication between regions.

  3. Ephemeral Key Generation: The process starts with the HSM in the destination region (Region B) generating an ephemeral ECDH (Elliptic Curve Diffie-Hellman) key on the NIST P-384 curve. This key is called the Replication Agreement Key B (RAKB).

  4. Key Exchange Initiation: The public component of RAKB is sent to an HSM in the source region (Region A) via the proxy service.

  5. Source Region Key Generation: Upon receiving RAKB's public component, the HSM in Region A generates its own ephemeral ECDH key, called Replication Agreement Key A (RAKA), also on the NIST P-384 curve.

  6. Symmetric Key Derivation: Region A's HSM then uses the ECDH key establishment scheme with RAKA and the public component of RAKB to derive a symmetric key called the Replication Wrapping Key (RWK).

  7. Key Material Encryption: The RWK is used to encrypt the actual key material of the multi-region KMS key that is being replicated.

  8. Secure Transfer: The public component of RAKA and the encrypted key material (encrypted with RWK) are sent to the HSM in Region B through the proxy service.

  9. Key Reconstruction and Decryption: The HSM in Region B receives this information and derives the RWK by running the ECDH key establishment scheme using RAKB and the public component of RAKA. It then uses this derived RWK to decrypt the key material from Region A.

  10. Cryptographic Signing: Throughout this process, every message is signed using a Replication Signing Key (RSK), which is an ECDSA key on the NIST P-384 curve. Each region has at least one RSK, and the public components of these RSKs are shared across all regions in the same AWS partition.

This architecture ensures that the key material is securely replicated across regions while maintaining the isolation of HSMs. The use of ephemeral keys, the ECDH key establishment scheme, and message signing provides multiple layers of security. The proxy service adds an extra layer of durability to the process.

It's important to note that this replication process is initiated by the user and is not automatic. AWS KMS does not automatically create or replicate multi-region keys into any region on behalf of the user. Each replicated key, while sharing the same key ID and material as the primary key, is managed independently in its respective region.

This system allows for the creation of related multi-region keys that can be used interchangeably for encryption and decryption across different AWS regions, facilitating scenarios such as disaster recovery, global data management, and active-active applications spanning multiple regions.
Sources
Replication process for multi-Region keys - AWS Key Management Service
How multi-Region keys work - AWS Key Management Service
Multi-Region keys in AWS KMS - AWS Key Management Service

answered 14 days ago
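Added example, not AWS's implementation and not part of the answer above: a self-contained Go model of steps 3 to 10 of the exchange with both regions' sides written out, using the standard library's crypto/ecdh and crypto/ecdsa on NIST P-384. Everything the answer leaves unspecified is an assumption here and is marked as such in the code: the KDF that turns the ECDH shared secret into the RWK (HMAC-SHA384 under a fixed label), the wrapping cipher (AES-256-GCM), the message layout (peer's public component, then nonce, then ciphertext), the region names, and the 32-byte constructed stand-in for key material. The proxy is a function the caller supplies, so an honest relay and a tampering one can be compared.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha512"
	"fmt"
)

// must panics on local failures (key generation, cipher setup); peer-caused failures return errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// partition is the trust store shared by all regions of one AWS partition: RSK public components by region name.
type partition map[string]*ecdsa.PublicKey

// region models one Region's HSM fleet: its long-lived Replication Signing Key (RSK) and the
// RSK public components of every region in the same partition.
type region struct {
	name  string
	rsk   *ecdsa.PrivateKey
	peers partition
}

// signedMsg is what the proxy carries: an opaque body plus the sender's ECDSA P-384 signature.
type signedMsg struct {
	from      string
	body, sig []byte
}

// newRegion creates a Region and publishes its RSK public component to the partition trust store.
func newRegion(name string, p partition) *region {
	k := must(ecdsa.GenerateKey(elliptic.P384(), rand.Reader))
	p[name] = &k.PublicKey
	return &region{name: name, rsk: k, peers: p}
}

func (r *region) sign(body []byte) signedMsg {
	h := sha512.Sum384(body)
	return signedMsg{from: r.name, body: body, sig: must(ecdsa.SignASN1(rand.Reader, r.rsk, h[:]))}
}

// accept checks the sender's RSK signature before anything else, then splits the body into the
// peer's ephemeral public component (first pubLen bytes) and a payload of at least minPayload bytes.
func (r *region) accept(m signedMsg, minPayload int) (*ecdh.PublicKey, []byte, error) {
	pub, ok := r.peers[m.from]
	h := sha512.Sum384(m.body)
	if !ok || !ecdsa.VerifyASN1(pub, h[:], m.sig) || len(m.body) < pubLen+minPayload {
		return nil, nil, fmt.Errorf("message from %q rejected: unknown/invalid RSK signature or malformed body", m.from)
	}
	eph, err := ecdh.P384().NewPublicKey(m.body[:pubLen])
	return eph, m.body[pubLen:], err
}

// deriveRWK runs P-384 ECDH and turns the shared secret into the Replication Wrapping Key, returned as
// the AEAD that wraps key material. ASSUMPTIONS: HMAC-SHA384 as KDF and AES-256-GCM as wrap; the answer names neither.
func deriveRWK(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) cipher.AEAD {
	kdf := hmac.New(sha512.New384, []byte("KMS-RWK"))
	kdf.Write(must(priv.ECDH(peer)))
	return must(cipher.NewGCM(must(aes.NewCipher(kdf.Sum(nil)[:32]))))
}

const pubLen, nonceLen = 97, 12 // uncompressed P-384 point (0x04||X||Y); standard GCM nonce

// replicate runs the exchange from source a to destination b. proxy models the relay between the
// isolated HSM fleets: it carries every message and may alter it, but holds no RSK and cannot forge one.
func replicate(a, b *region, material []byte, proxy func(signedMsg) signedMsg) ([]byte, error) {
	// Step 1 (Region B): ephemeral RAKB; its public component goes to A, signed with RSK_B.
	rakb := must(ecdh.P384().GenerateKey(rand.Reader))
	msg1 := proxy(b.sign(rakb.PublicKey().Bytes()))
	// Step 2 (Region A): check RSK_B, generate RAKA, derive RWK, wrap the material, sign with RSK_A.
	rakbPub, _, err := a.accept(msg1, 0)
	if err != nil {
		return nil, err
	}
	raka := must(ecdh.P384().GenerateKey(rand.Reader))
	nonce := make([]byte, nonceLen)
	must(rand.Read(nonce))
	body := append(raka.PublicKey().Bytes(), nonce...)
	body = deriveRWK(raka, rakbPub).Seal(body, nonce, material, nil) // RAKA_pub || nonce || ciphertext
	msg2 := proxy(a.sign(body))
	// Step 3 (Region B): check RSK_A, derive the same RWK from RAKB and RAKA_pub, unwrap.
	rakaPub, wrapped, err := b.accept(msg2, nonceLen)
	if err != nil {
		return nil, err
	}
	return deriveRWK(rakb, rakaPub).Open(nil, wrapped[:nonceLen], wrapped[nonceLen:], nil)
}

// Two proxies to experiment with: honest relays unchanged; tamper flips one bit in flight.
func honest(m signedMsg) signedMsg { return m }
func tamper(m signedMsg) signedMsg { m.body[0] ^= 1; return m }
```

With honest as the proxy, replicate returns the original material in either direction; with tamper, or with a destination region whose RSK was never published to the source's partition trust store, accept rejects the message before any key material is touched. The point this makes that the prose does not: because every message is signed under an RSK and the signature is verified before the ephemeral public component is even parsed, a relay that cannot sign can at most deny service; it cannot substitute its own ECDH key and have the wrapped material derived toward it.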
