Hacker News new | ask | show | jobs
by SomaticPirate 499 days ago
Wow, the smugness of that reply. Responding by calling someone naive and blowing them off despite there being real questions.

The “insecure crypto “ that they clearly link to (despite not wanting to put them on blast) was also a bit overdone. I guess we all are stuck hiring this expert to review our crypto code(under NDA of course) and tell us we really should use AWS KMS.
2 comments
BigJono 499 days ago
AWS KMS is great product branding. I've never seen another company so accurately capture how it feels to use their product with just the name before.
link
tptacek 499 days ago
It's also just a profoundly good product. If you can use KMS, you should.
link
smitelli 499 days ago
Always be suspicious of any acronym with a ‘K’ in it, just on general principle.
link
benmmurphy 499 days ago
There are some weird attacks against KMS that I think are possible that are not obvious. For example KMS has a mode where it will decrypt without supplying a key reference (suspicious!). If an attacker can control the cipher text then they can share a KMS key from their AWS account to yours and then control the plaintext. I haven’t confirmed this works so maybe my understanding is incorrect.

Also, with KMS you probably should be using the data key API but then you need some kind of authenticated encryption implemented locally. I think AWS has SDKs for this but if you are not covered by the SDK then you are back to rolling your own crypto.

link