igor - Fotolia
Amazon Web Services announced that its new open source s2n implementation of the TLS protocol is more secure than standard TLS. How does s2n work and what is the use case for it in the enterprise?
Signal to Noise or s2n is an implementation of the Transport Layer Security (TLS) protocol, which is the successor protocol of SSL. TLS uses asymmetric cryptography to authenticate devices, determine a suitable symmetric encryption key for both devices, and encrypt payload data between devices.
Perhaps the most widely used implementation of TLS is OpenSSL, which gained notoriety for the Heartbleed vulnerability last year. Heartbleed allowed attackers to read the memory of devices using vulnerable versions of OpenSSL, including memory that was storing secret keys. Leading security expert and researcher Bruce Schneier called Heartbleed "catastrophic," and said "[o]n the scale of 1 to 10, this is an 11."
One of the reasons it is difficult to detect bugs and vulnerabilities in applications is the sheer volume of code that must be reviewed and analyzed. OpenSSL consists of hundreds of thousands of lines of code. One of the reasons s2n can claim to be more secure is that its implementation is much smaller, on the scale of 6,000 lines of code.
Of course, the smaller code base also means it offers fewer features. S2n implements TLS, while OpenSSL also contains support for cryptographic services, such as generating certificate-signing requests for digital certificate vendors and self-signed certificates.
With a relatively small code base, AWS is able to process more thorough and multiple security reviews, as well as vulnerability scans than would be impossible if the code base is much larger -- that is, with the same amount of resources anyway.
In the enterprise, s2n can serve the same purpose as the libssl parts of OpenSSL. The AWS implementation of TLS does not have features that correspond to OpenSSL's cryptographic library, libcrypto. Enterprises may also consider using s2n for authenticating devices and encrypting traffic over TLS. However, they may also want to continue using other features of OpenSSL, such as those that support generating self-signed certificates and certificate-signing requests.
Ask the Expert:
SearchCloudSecurity expert Dan Sullivan is ready to answer your application security questions -- submit them now. (All questions are anonymous.)
Go beyond SSL with TLS encryption
Dig Deeper on Cloud Data Storage, Encryption and Data Protection Best Practices
Related Q&A from Dan Sullivan
Docker's recent upgrade introduced support for hardware signing and in the future, automated security analysis on Docker images. Expert Dan Sullivan ... Continue Reading
Cisco's new project Contiv automates operational policies for containerized applications in the cloud. Expert Dan Sullivan explains the benefits of ... Continue Reading
Dropbox API abused by attackers posing as legitimate users in a huge spear phishing campaign. Expert Dan Sullivan explains how to mitigate the risks ... Continue Reading