
How to perform security checks on AWS files using keys and signatures

Nick Hardiman walks you through the process of verifying AWS files by working with public keys provided by Amazon and using digital signatures.

I've been setting the groundwork for taking care of some basic security when you're working with cloud web services - specifically Amazon Web Services. After load balancing my service showed that I needed to plan for more capacity, I'm going to download the Amazon EC2 API tools, but first, verify them with security tools. I defined the tools and how they are used in my last post.

First, I use openssl to verify the GPGTools install file. This involves using something called a checksum. Then I use GPGTools to check the fingerprint of Amazon's public key. Finally I verify the Amazon EC2 API tools install file using a digital signature.

This is what I am going to do. There are eight tasks, and I will show you the exact steps for each one in this post.

  1. Download and verify GPGTools.
  2. Install GPGTools.
  3. Create my new keychain.
  4. Copy the EC2 packages public key.
  5. Verify the Amazon public key.
  6. Trust the Amazon public key.
  7. Download the EC2 tools file and its digital signature.
  8. Verify the file using the digital signature.

#1 Download and verify GPGTools

I use openssl to verify the sha-1 checksum of the GPGTools installer file.

Copy the installer file and the sha-1 checksum from the website.

  1. Open a web browser.
  2. Go to the GPGTools installer page: http://www.gpgtools.org/installer/
  3. Copy the GPGTools installer file to the Downloads folder. The file I got was labelled GPGTools-20120318.dmg. It's a 50MB file so it takes a few minutes -- even when downloading at a high speed of 200KB per second.
  4. Look down the page at the Release Notes. The checksum is written there, like this.

    Version 20120318 (18. March 2012).
    Fix: Closed an GPGMail installation issue on OS X 10.5 and 10.6.
    Checksum: 184bf74e55c509da0aa4943ab7cc39ecd5caf99f (SHA-1).
  5. Copy the checksum.
  6. Close the web browser.

Verify the file by comparing checksums.

  1. Open a CLI on the OSX machine.
  2. Change to the Downloads directory.
  3. Display the checksum of the file.

    My-MacBook-Pro:Downloads nick$ openssl sha1 GPGTools-20120318.dmg
    SHA1(GPGTools-20120318.dmg)= 184bf74e55c509da0aa4943ab7cc39ecd5caf99f
    My-MacBook-Pro:Downloads nick$
  4. Compare this with the checksum copied from the GPGTools installer page.
  5. Close the CLI.

If they match, I have verified the file. I know my download was not intercepted and altered as it crossed the Internet. If they don't match, it probably means my download was accidentally corrupted.
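The comparison in the steps above can be scripted so that a mistyped or truncated checksum fails instead of being compared by eye. This is an added example, not part of the original post; the function names `sha1_of` and `verify_sha1` are illustrative.

```shell
#!/bin/sh
# Added example: compare a download's SHA-1 with the published value, failing closed.

# sha1_of FILE: print the hex digest using whichever tool is installed.
sha1_of() {
    if command -v openssl >/dev/null 2>&1; then
        # openssl prints "SHA1(name)= <hex>"; keep only what follows "= ".
        openssl sha1 "$1" | sed 's/^.*= *//'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 1 "$1" | cut -d' ' -f1
    else
        sha1sum "$1" | cut -d' ' -f1
    fi
}

# verify_sha1 FILE EXPECTED: return 0 on a match, 1 on a mismatch,
# 2 when the inputs themselves are unusable.
verify_sha1() {
    file=$1
    # Normalize the value copied from the web page: drop whitespace, lower-case.
    want=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    # A truncated or mistyped expected value must never count as a match.
    case $want in
        *[!0-9a-f]*) echo "expected value is not hex" >&2; return 2 ;;
    esac
    [ "${#want}" -eq 40 ] || { echo "expected value is not 40 hex digits" >&2; return 2; }
    got=$(sha1_of "$file" | tr 'A-F' 'a-f')
    if [ "$got" = "$want" ]; then
        echo "OK $file"
    else
        echo "MISMATCH $file: got ${got:-none}, want $want" >&2
        return 1
    fi
}

# Usage (file name and checksum as given in the post):
#   verify_sha1 GPGTools-20120318.dmg 184bf74e55c509da0aa4943ab7cc39ecd5caf99f
```

A checksum copied from the same site as the download mainly catches corruption in transit; the signature check in task 8 is what ties a file to a publisher's key.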

#2 Install GPGTools

The OS performs its own security checks during the install process. First, the OSX installer adds its own little security warning. Next, I have to type my password in before any changes are made.

#3 Create my new keychain

The GPGTools application goes straight into the process of creating a GPG key for me and adding it to the keychain. I will use this keychain later, to store the AWS EC2 Packages key.

A keychain is a special kind of data store file, designed to hold many keys like this one (it's often called a keyring). Many operating systems and applications use keychain files. From now on, if anyone sends you a mail with their digital signature (yet another variation on security), you will find their public key appearing in your keychain.

#4 Copy the EC2 packages public key

  1. Open a CLI on the OSX machine.
  2. Create a new text file using the vi text editor.
    • My-MacBook-Pro:~ nick$ vi ec2-packages-public.key
  3. Open a web browser.
  4. Go to https://aws.amazon.com/security/ec2-pkgs-public-key/
  5. Copy the key from the page to the new text file. The key is 40 lines of text and looks like this.

    -----BEGIN PGP PUBLIC KEY BLOCK-----
    Version: GnuPG/MacGPG2 v2.0.14 (Darwin)

    mQINBE2ZjYkBEADSn79s47NX8O+NbIIiAuHRDsgEfOTVMGy88H3
    1UB25UMEXcP7VeMSHz0djQ1AKPobKtEKmIFA2ummPk0ZWKajb+W
    ...
    /d2wHaG8TiXyCXA8HurjQBxbwJREkqWC9WQ3jFzudB9yVLR5ekS
    1KkhnZlWWaJMCe8yAeNMPrmH6Pl6NZJFAkCiOxg7jwhhWDxruVW
    oJIMz+Rn
    =9/Ou
    -----END PGP PUBLIC KEY BLOCK-----

    This type of text has the rather exciting name of ASCII armor.
  6. Save the new file.
  7. Close the CLI.

#5 Verify the Amazon public key

This is a similar procedure to comparing the sha-1 checksums of the GPG installer file.

Copy the key's fingerprint from the website.

  1. Open a web browser.
  2. Go to the EC2 Public Key page https://aws.amazon.com/security/ec2-pkgs-public-key/
  3. Find the key fingerprint. The fingerprint is part of the list of information, like this.

    ...
    Expires: N/A
    User ID: AWS EC2 Packages
    Key fingerprint: A262 37CF 2294 C30E 9844 96C9 116B 3651 0349 E66A
    ...
  4. Copy the fingerprint.
  5. Close the web browser.

Verify the key by comparing fingerprints.

  1. Open a CLI.
  2. Import the Amazon key to your new keychain. A keychain is a special kind of data store file, designed to hold many keys like this one.

    My-MacBook-Pro:~ nick$ gpg --import ec2-packages-public.key
    gpg: key 0349E66A: public key "AWS EC2 Packages <ec2-packages@amazon.com>" imported
    gpg: Total number processed: 1
    gpg: imported: 1 (RSA: 1)
    gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
    gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u
    gpg: next trustdb check due at 2015-08-18
    My-MacBook-Pro:~ nick$
  3. This import copies the Amazon key into your keychain and gives it a unique label - also called a key. That keychain key is the label 0349E66A, displayed on the first line of results (it's also known as a key specifier).
  4. Get the fingerprint of the Amazon key. GPG finds the Amazon key using the keychain key 0349E66A.

    My-MacBook-Pro:~ nick$ gpg --fingerprint 0349E66A
    pub 4096R/0349E66A 2011-04-04
    Key fingerprint = A262 37CF 2294 C30E 9844 96C9 116B 3651 0349 E66A
    uid AWS EC2 Packages <ec2-packages@amazon.com>
    My-MacBook-Pro:~ nick$
  5. Compare this fingerprint with the one from the web page.
  6. Close the CLI.

If they match, I have verified the key. I can now tell GPG to trust things done with this key.
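A scripted form of the fingerprint comparison above, added here as an example and not part of the original post. It parses the GnuPG 2.0-style listing shown in step 4 and also checks that the ID 0349E66A is the tail of the full fingerprint; the function names are illustrative.

```shell
#!/bin/sh
# Added example: compare a published key fingerprint with gpg's own listing.

# Constructed sample: the `gpg --fingerprint 0349E66A` output shown in the post.
SAMPLE_LISTING='pub 4096R/0349E66A 2011-04-04
    Key fingerprint = A262 37CF 2294 C30E 9844 96C9 116B 3651 0349 E66A
uid AWS EC2 Packages <ec2-packages@amazon.com>'

# norm_hex TEXT: strip whitespace and upper-case, so "a262 37cf" == "A26237CF".
norm_hex() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'
}

# fpr_from_listing: read a GnuPG 2.0-style listing on stdin and print the
# first fingerprint in it, normalized.
fpr_from_listing() {
    norm_hex "$(sed -n 's/^ *Key fingerprint = //p' | head -n 1)"
}

# check_key PUBLISHED KEYID < listing
# Return 0 only if the local fingerprint equals the published one and KEYID
# is the tail of that same fingerprint; 1 on a mismatch, 2 on unusable input.
check_key() {
    want=$(norm_hex "$1")
    keyid=$(norm_hex "$2")
    have=$(fpr_from_listing)
    [ "${#want}" -eq 40 ] || { echo "published fingerprint must be 40 hex digits" >&2; return 2; }
    [ "${#keyid}" -ge 8 ] || { echo "key id must be at least 8 hex digits" >&2; return 2; }
    [ -n "$have" ] || { echo "no fingerprint found in listing" >&2; return 2; }
    if [ "$have" != "$want" ]; then
        echo "MISMATCH: local $have, published $want" >&2
        return 1
    fi
    case $have in
        *"$keyid") echo "OK $have" ;;
        *) echo "key id $keyid does not belong to $have" >&2; return 1 ;;
    esac
}

# Usage with a live keyring:
#   gpg --fingerprint 0349E66A | \
#       check_key "A262 37CF 2294 C30E 9844 96C9 116B 3651 0349 E66A" 0349E66A
```

Newer GnuPG releases print the fingerprint without the `Key fingerprint =` label; `gpg --with-colons --fingerprint` gives a stable `fpr` record to parse instead.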

#6 Trust the Amazon public key

It may seem strange to trust a business that, when it comes right down to it, you really don't know, but it's actually the same type of trust we have all used many times. Every web browser is supplied with a built-in store of trusted certificates that enable online shopping.

  1. Change the GPG information about the Amazon key:

    My-MacBook-Pro:~ nick$ gpg --edit-key 0349E66A
    gpg (GnuPG/MacGPG2) 2.0.18; Copyright (C) 2011 Free Software Foundation, Inc.
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.

    pub 4096R/0349E66A created: 2011-04-04 expires: never usage: SC
    trust: unknown validity: unknown
    [ unknown] (1). AWS EC2 Packages <ec2-packages@amazon.com>

    gpg>

    The GPG prompt appears.
  2. Change the trust level from unknown to full:

    gpg> trust
    pub 4096R/0349E66A created: 2011-04-04 expires: never usage: SC
    trust: unknown validity: unknown
    [ unknown] (1). AWS EC2 Packages <ec2-packages@amazon.com>

    Please decide how far you trust this user to correctly verify other users' keys
    (by looking at passports, checking fingerprints from different sources, etc.)

    1 = I don't know or won't say
    2 = I do NOT trust
    3 = I trust marginally
    4 = I trust fully
    5 = I trust ultimately
    m = back to the main menu

    Your decision? 4

    pub 4096R/0349E66A created: 2011-04-04 expires: never usage: SC
    trust: full validity: unknown
    [ unknown] (1). AWS EC2 Packages <ec2-packages@amazon.com>
    Please note that the shown key validity is not necessarily correct
    unless you restart the program.

    gpg>

  3. Sign the Amazon key. The key is not valid until you have signed it:

    gpg> sign

    pub 4096R/0349E66A created: 2011-04-04 expires: never usage: SC
    trust: full validity: unknown
    Primary key fingerprint: A262 37CF 2294 C30E 9844 96C9 116B 3651 0349 E66A

    AWS EC2 Packages <ec2-packages@amazon.com>

    Are you sure that you want to sign this key with your
    key "Nicholas Hardiman <nick@planetlarg.net>" (D70386E0)

    Really sign? (y/N) y

    You need a passphrase to unlock the secret key for
    user: "Nicholas Hardiman <nick@planetlarg.net>"
    2048-bit RSA key, ID D70386E0, created 2012-05-08

    (I enter the secret passphrase I made when installing GPGTools)

    gpg>

  4. Save your work:

    gpg> save
    My-MacBook-Pro:~ nick$
  5. Close the CLI.

#7 Download the EC2 tools file and its digital signature

The EC2 tools are written in Java. As with all things Java, they are bigger and heavier than is really necessary.

Copy the digital signature file from the website to the downloads folder.

  1. Open a web browser.
  2. Go to the Amazon Setting Up the Tools page. http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/setting-up-your-tools.html
  3. Find the EC2 Packages Public Key link.
  4. Download the file ec2-api-tools.zip.asc. This .asc file is a special type of PGP file: it contains a digital signature. It's about 20 lines of text that looks like this:

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.3 (GNU/Linux)

    iQIVAwUAT6ff9BFrNlEDSeZqAQK0EhAAl36e3whOwS/1Omq6C5lygE2rgR
    rjF20ahSnie8b5plXa5f4k3r+P/jRpfbkVSoZY8Jwz2Mw/8bbn1tSN8hXm
    gEOHulr0ahXTmmO/VhDrGzQMCaL9/oLryKaRkKJ4X6PHRSBAHMzJDw5LHv
    ...
    D5BqisA2FSX3nVXEp94MT8VJR0H/peNegkW5w6qc98EeAOZ/VKqooUqwi9
    pYIRGsBViyKvBOmy2JdPNom4sQuXcG9njuCDQMIGrwIsS1Rir9NH9fk8Sq
    Hxz9lE99aP8=
    =reKL
    -----END PGP SIGNATURE-----

Stop Safari unzipping downloads.

By default, my copy of Safari automatically unzips file downloads. That is no good for checking the digital signature of ec2-api-tools.zip, so before I get the file I have to change the configuration.

  1. Find the Open "safe" files after downloading option. Safari menu > Preferences... > General tab.
  2. Untick the box.
  3. Close the Preferences window.

Copy the install file ec2-api-tools.zip.

  1. Go to the EC2 tools installer page. http://aws.amazon.com/developertools/351
  2. Copy the file to the Downloads folder. The file ec2-api-tools.zip is about 13MB.
  3. Close the web browser.

#8 Verify the file using the digital signature

  1. Open a CLI.
  2. Go to the downloads folder.
  3. Check the digital signature.

    My-MacBook-Pro:Downloads nick$ gpg --verify ec2-api-tools.zip.asc ec2-api-tools.zip
    gpg: Signature made Mon 7 May 15:45:08 2012 BST using RSA key ID 0349E66A
    gpg: Good signature from "AWS EC2 Packages <ec2-packages@amazon.com>"
    My-MacBook-Pro:Downloads nick$
  4. Close the CLI.

If GPG reports a good signature, I have verified the file.
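For unattended use, the same check can read gpg's machine-readable status lines and accept the file only when the signing key's full fingerprint is the one verified in task 5. This is an added example, not part of the original post; the function names and the sample status text are constructed for illustration.

```shell
#!/bin/sh
# Added example: accept a signature only if gpg's machine-readable status
# names the expected signing key.

# Constructed sample of `gpg --status-fd 1 --verify` output for a good
# signature (timestamp and algorithm fields are made up).
SAMPLE_STATUS='[GNUPG:] GOODSIG 116B36510349E66A AWS EC2 Packages <ec2-packages@amazon.com>
[GNUPG:] VALIDSIG A26237CF2294C30E984496C9116B36510349E66A 2012-05-07 1336401908 0 3 0 1 2 00 A26237CF2294C30E984496C9116B36510349E66A
[GNUPG:] TRUST_FULLY'

# signer_from_status: print the fingerprint from VALIDSIG, or fail if there is
# none or if gpg also flagged the signature or key as bad, expired or revoked.
signer_from_status() {
    awk '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" { fpr = toupper($3) }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { if (fpr == "" || bad) exit 1; print fpr }
    '
}

# check_status PINNED < status: return 0 only for a valid signature whose
# signing key fingerprint equals PINNED.
check_status() {
    pinned=$(printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F')
    signer=$(signer_from_status) || { echo "no valid signature reported" >&2; return 1; }
    if [ "$signer" = "$pinned" ]; then
        echo "OK signed by $signer"
    else
        echo "valid signature, but from unexpected key $signer" >&2
        return 1
    fi
}

# verify_pinned PINNED SIGFILE DATAFILE: run gpg and apply the check above.
verify_pinned() {
    gpg --status-fd 1 --verify "$2" "$3" 2>/dev/null | check_status "$1"
}

# Usage with the files from the post:
#   verify_pinned "A262 37CF 2294 C30E 9844 96C9 116B 3651 0349 E66A" \
#       ec2-api-tools.zip.asc ec2-api-tools.zip
```

Matching on the 40-digit fingerprint rather than the text "Good signature" means a valid signature from any other key in the keychain is rejected.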

That's the end of the security checks. Now I can get on with the installation of the Amazon EC2 API tools.

About

Nick Hardiman builds and maintains the infrastructure required to run Internet services. Nick deals with the lower layers of the Internet - the machines, networks, operating systems, and applications. Nick's job stops there, and he hands over to the ...
