Amazon open-sources new, leaner TLS implementation
Amazon have introduced their own TLS implementation, which claims to be faster, smaller and simpler than the already recognised standard. As the roll-out happens in the coming months, their s2n offering promises greater simplicity.
Amazon Web Services have released and open-sourced their implementation of the TLS/SSL protocols, known as s2n, short for “signal to noise”. Noting the large amount of code present in the de facto reference implementation OpenSSL, Amazon’s offering is said to be “small, fast, with simplicity as a priority”.
OpenSSL contains over 500,000 lines of code, which Chief Information Security Officer Stephen Schmidt says “presents challenges for code audits, security reviews, performance, and efficiency”, on top of the higher risk of error. 70,000 of those lines focus solely on processing TLS.
Simpler and stronger
With s2n, Amazon wanted to create a simpler and smaller implementation that would be faster overall and easier to review. By avoiding rarely used options and extensions, s2n, written in C, weighs in at a mere 6,000 lines of code, which have already been evaluated externally a number of times.
s2n’s API was designed to be simple: by default it uses the latest set of preferences, since keeping track of which encryption algorithms and protocols to use can be difficult. Remaining on a specific version for backwards compatibility is also supported.
Safety-wise, other than the size of the codebase providing a more auditable environment, s2n implements the following safety mechanisms:
- Static analysis, fuzz-testing and penetration testing
- Erase on read: encrypts or erases plaintext data as quickly as possible
- Built-in memory protection: operating system features protect data from being swapped to disk or appearing in core dumps
- Compartmentalised random number generation: every thread provided with two separate random number generators, one for “public” randomly generated data and one for “private” data
- Table based state-machines: simple tables to drive the TLS/SSL state machines, making it difficult for invalid out-of-order states to arise
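The table-driven idea behind the last item, as an added illustration that is not s2n’s own code: a handshake sketch whose only logic is a lookup table, with the handshake states and message names being a simplified, assumed subset rather than s2n’s real ones.

```c
#include <stdio.h>
#include <stddef.h>

/* Simplified handshake states and messages (assumed for illustration; not s2n's real set).
 * ST_ERROR is deliberately 0: any table cell left unset defaults to the error state. */
enum state { ST_ERROR = 0, ST_WANT_CLIENT_HELLO, ST_WANT_SERVER_HELLO, ST_WANT_CERTIFICATE,
             ST_WANT_HELLO_DONE, ST_WANT_KEY_EXCHANGE, ST_WANT_FINISHED, ST_ESTABLISHED, ST_COUNT };
enum msg   { MSG_CLIENT_HELLO, MSG_SERVER_HELLO, MSG_CERTIFICATE, MSG_SERVER_HELLO_DONE,
             MSG_CLIENT_KEY_EXCHANGE, MSG_FINISHED, MSG_COUNT };

/* The table is the whole protocol logic: exactly one legal message per state.
 * Every other (state, message) pair is ST_ERROR, so an out-of-order message
 * has no code path that could accidentally process it. */
static const enum state next_state[ST_COUNT][MSG_COUNT] = {
    [ST_WANT_CLIENT_HELLO] = { [MSG_CLIENT_HELLO]        = ST_WANT_SERVER_HELLO },
    [ST_WANT_SERVER_HELLO] = { [MSG_SERVER_HELLO]        = ST_WANT_CERTIFICATE },
    [ST_WANT_CERTIFICATE]  = { [MSG_CERTIFICATE]         = ST_WANT_HELLO_DONE },
    [ST_WANT_HELLO_DONE]   = { [MSG_SERVER_HELLO_DONE]   = ST_WANT_KEY_EXCHANGE },
    [ST_WANT_KEY_EXCHANGE] = { [MSG_CLIENT_KEY_EXCHANGE] = ST_WANT_FINISHED },
    [ST_WANT_FINISHED]     = { [MSG_FINISHED]            = ST_ESTABLISHED },
    /* ST_ERROR and ST_ESTABLISHED rows stay all-zero: no message is accepted there. */
};

/* One transition. Out-of-range values are rejected before indexing the table. */
enum state handshake_step(enum state cur, enum msg m) {
    if ((unsigned)cur >= ST_COUNT || (unsigned)m >= MSG_COUNT) return ST_ERROR;
    return next_state[cur][m];
}

/* Drives a whole message sequence from the initial state; ST_ERROR is sticky
 * because its table row is entirely ST_ERROR. */
enum state handshake_run(const enum msg *msgs, size_t n) {
    enum state s = ST_WANT_CLIENT_HELLO;
    for (size_t i = 0; i < n; i++) s = handshake_step(s, msgs[i]);
    return s;
}

/* Constructed sample flows: one in order, one with Finished sent far too early. */
static const enum msg in_order[] = { MSG_CLIENT_HELLO, MSG_SERVER_HELLO, MSG_CERTIFICATE,
                                     MSG_SERVER_HELLO_DONE, MSG_CLIENT_KEY_EXCHANGE, MSG_FINISHED };
static const enum msg early_finished[] = { MSG_CLIENT_HELLO, MSG_FINISHED, MSG_SERVER_HELLO };

int main(void) {
    printf("in-order handshake: %s\n",
           handshake_run(in_order, 6) == ST_ESTABLISHED ? "established" : "rejected");
    printf("early Finished:     %s\n",
           handshake_run(early_finished, 3) == ST_ERROR ? "rejected" : "accepted");
    return 0;
}
```

Because the error state is the zero value and every unlisted cell is zero, adding a new state or message cannot silently create an accepting path; it has to be written into the table on purpose.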
It also supports different encryption libraries including OpenSSL, LibreSSL, BoringSSL and the Apple Common Crypto framework. By supporting OpenSSL, Amazon want the world to know that s2n wasn’t created as a replacement, but rather as an alternative – Schmidt states that Amazon “remain committed to supporting [OpenSSL] through our involvement in the Linux Foundation’s Core Infrastructure Initiative”.
OpenSSL provides two main libraries: “libssl”, which implements TLS, and “libcrypto,” which is a general-purpose cryptography library. Think of s2n as an analogue of “libssl,” but not “libcrypto.”
For those already using AWS services such as Elastic Load Balancing, CloudFront and S3, s2n implements all the functionality that is required for integration. Changes won’t be required for external applications, as TLS is a standard protocol.
To access the source code and documentation, or to contribute to the project, you can find s2n on GitHub.