Nick Hardiman explains how files downloaded to work with Amazon EC2 can be verified using basic cloud security tools. He describes what they are and how they work here.
After load-testing my web service, I realized that I need to add capacity by downloading the Amazon EC2 API tools, but first I must verify these downloaded files with security tools. First I use openssl to verify the GPGtools install file. This involves using a something called a checksum. Then I use GPGtools to check the fingerprint of Amazon's public key. Finally I verify the Amazon EC2 API tools install file using a digital signature.
These terms are all part of cloud security. It's important for a cloud expert to understand what they mean. I've given an introduction here, before I get into the gritty security work.
PGP (Pretty Good Privacy) and GPGTools
A file can be locked using PGP, making it impossible for anyone to break open. I can use PGP to make sure my files were not changed as they crossed the Internet and to work with the Amazon EC2 tools. PGP is also used for other IT security jobs such as adding digital signatures to messages, checking automatic system updates, and building a web of trust with friends.
GPG (Gnu Privacy Guard) is an application written by the FSF (Free Software Foundation) that is included in every Linux distribution. Project teams have done the hard work of converting GPG into GPG4Win (to run on Windows) and GPGTools (to run on OSX). I am using OSX, so the first thing I do is install GPGtools.
A lot of websites publish checksums for their download files. A checksum is a big number produced by a clever mathematical procedure called a cryptographic hash function. A file is fed in one end of the function and the checksum pops out the other end.
No matter how big the file was going in, the checksum is always the same size. The checksum produced by the popular sha-1 function is 160 bits long, and the md5 checksum is 128 bits long.
Since bits are only useful inside a computer, a checksum is converted to a string of characters when it is displayed on a web page, like this one.
I use a checksum to check the file GPGTools-20120318.dmg.
GPG uses fingerprints for its keys. A fingerprint is like a checksum. There are a few differences, but they aren't relevant to most people: it's quicker to make a fingerprint from a file than making a checksum from a file; a fingerprint is lower quality, and it's more likely to be unique.
I use a fingerprint to check the Amazon public key.
A digital signature
A digital signature is an encrypted checksum stuck on the end of a file. Adding a digital signature involves more outrageously clever mathematics called public key cryptography. The checksum is encrypted by the signing person using their private key and later decrypted by everyone else using the signer's public key.
A digital signature is usually used to securely send e-mail messages -- it proves no-one is pretending to be the sender and no-one has changed the message en-route. Anyone can use PGP to add a digital signature to a file, and to check other people's digital signatures.
I use a digital signature to check the file ec2-api-tools.zip.
GPGTools on a Mac running OSX Lion
I install GPGTools on a Mac computer running OSX Lion (version 10.7.3), Apple's general-purpose operating system used widely around the world.
Despite the overall popularity of OSX, its use in the enterprise has grown from a tiny percentage to only a slightly less tiny percentage. Apple's iOS usage, on the other hand, has exploded in the enterprise.
Now that I've laid the foundation by defining all the components and methods that I'll use to verify the security of my files, in the next post, I'll actually provide all the steps to installing and using these tools.