1
00:00:00,000 --> 00:00:01,310
‫So first, an overview of

2
00:00:01,310 --> 00:00:02,540
‫encryption mechanism.

3
00:00:02,540 --> 00:00:03,713
‫And the first one is going to be

4
00:00:03,713 --> 00:00:05,580
‫encryption in flights.

5
00:00:05,580 --> 00:00:08,070
‫Then, why would we want even encryption in flights?

6
00:00:08,070 --> 00:00:09,520
‫Well, we want encryption in flight because

7
00:00:09,520 --> 00:00:11,810
‫if I send a very sensitive secret,

8
00:00:11,810 --> 00:00:14,710
‫for example, my credit card to a server,

9
00:00:14,710 --> 00:00:16,330
‫to make a payment online,

10
00:00:16,330 --> 00:00:19,060
‫I want to make sure that no one else, on the way,

11
00:00:19,060 --> 00:00:21,770
‫where my network packet is going to travel,

12
00:00:21,770 --> 00:00:23,740
‫can see my credit card number.

13
00:00:23,740 --> 00:00:24,670
‫So I want to make sure that

14
00:00:24,670 --> 00:00:26,240
‫when I make a payment online,

15
00:00:26,240 --> 00:00:27,500
‫I have that green lock,

16
00:00:27,500 --> 00:00:30,500
‫I have that HTTPS website which guarantees me,

17
00:00:30,500 --> 00:00:32,360
‫that it is an SSL enabled website,

18
00:00:32,360 --> 00:00:34,160
‫and I will get encryption in flight.

19
00:00:34,160 --> 00:00:35,670
‫And so when you have encryption in flight,

20
00:00:35,670 --> 00:00:36,830
‫the data will be encrypted

21
00:00:36,830 --> 00:00:38,200
‫before I sent it,

22
00:00:38,200 --> 00:00:40,470
‫and then the server will be decrypting it

23
00:00:40,470 --> 00:00:41,800
‫after receiving it.

24
00:00:41,800 --> 00:00:43,510
‫But, only myself and the server

25
00:00:43,510 --> 00:00:45,440
‫know how to do these things.

26
00:00:45,440 --> 00:00:48,190
‫Now the SSL certificates are what's going to

27
00:00:48,190 --> 00:00:50,990
‫help with the encryption, and so another way to

28
00:00:50,990 --> 00:00:52,660
‫see it is HTTPS.

29
00:00:52,660 --> 00:00:53,960
‫So anytime we've been dealing

30
00:00:53,960 --> 00:00:55,440
‫with with an Amazon service,

31
00:00:55,440 --> 00:00:57,570
‫and it had an HTTPS endpoint,

32
00:00:57,570 --> 00:00:59,910
‫that guaranteed us that it was encryption in flight.

33
00:00:59,910 --> 00:01:02,050
‫And now the whole web, almost the whole web,

34
00:01:02,050 --> 00:01:04,843
‫needs to run on SSL and HTTPS.

35
00:01:06,220 --> 00:01:08,330
‫Basically, when you have this enabled,

36
00:01:08,330 --> 00:01:09,760
‫you're protected against

37
00:01:09,760 --> 00:01:11,370
‫the 'man in the middle' attack.

38
00:01:11,370 --> 00:01:14,069
‫And so, this guarantees that,

39
00:01:14,069 --> 00:01:15,040
‫when you have that green lock,

40
00:01:15,040 --> 00:01:16,840
‫and that the server certificate is valid,

41
00:01:16,840 --> 00:01:19,940
‫that no one can retrieve your sensitive information.

42
00:01:19,940 --> 00:01:21,590
‫So let's do a quick example.

43
00:01:21,590 --> 00:01:23,130
‫Here is us, and we want to talk to

44
00:01:23,130 --> 00:01:25,270
‫an HTTP website on AWS;

45
00:01:25,270 --> 00:01:26,250
‫could be DynamoDB,

46
00:01:26,250 --> 00:01:27,760
‫could be whatever we want.

47
00:01:27,760 --> 00:01:28,880
‫And then what we're going to do,

48
00:01:28,880 --> 00:01:31,720
‫is that we're going to have add the super secret data,

49
00:01:31,720 --> 00:01:34,730
‫we're going to encrypt it with SSL encryption,

50
00:01:34,730 --> 00:01:36,440
‫and send it over the network,

51
00:01:36,440 --> 00:01:38,580
‫and then the website will receive the data,

52
00:01:38,580 --> 00:01:40,333
‫and know how to decrypt it.

53
00:01:41,180 --> 00:01:43,300
‫Very, very simple; the idea of it,

54
00:01:43,300 --> 00:01:44,690
‫but the execution is not as easy,

55
00:01:44,690 --> 00:01:46,520
‫so this is how much I'll give you.

56
00:01:46,520 --> 00:01:48,510
‫The good news is that all programming languages

57
00:01:48,510 --> 00:01:50,530
‫know how to do SSL encryption and decryption,

58
00:01:50,530 --> 00:01:52,230
‫and already do this for you,

59
00:01:52,230 --> 00:01:53,780
‫so you don't have to worry about anything.

60
00:01:53,780 --> 00:01:56,460
‫This is not something you have to deal with directly.

61
00:01:56,460 --> 00:01:58,030
‫The second thing is going to be called

62
00:01:58,030 --> 00:02:00,030
‫server side encryption at rest.

63
00:02:00,030 --> 00:02:03,000
‫And so that is when the data is encrypted,

64
00:02:03,000 --> 00:02:05,040
‫after being received by the server.

65
00:02:05,040 --> 00:02:07,350
‫So before that, the server was receiving data,

66
00:02:07,350 --> 00:02:09,480
‫decrypting it, and using it in its decrypted form.

67
00:02:09,480 --> 00:02:10,850
‫Here, the server is going to

68
00:02:10,850 --> 00:02:12,600
‫store the data on its disk,

69
00:02:12,600 --> 00:02:15,160
‫and so we need to know that the server

70
00:02:15,160 --> 00:02:17,950
‫is storing the data in an encrypted form.

71
00:02:17,950 --> 00:02:20,370
‫Because, in case the server gets hijacked

72
00:02:20,370 --> 00:02:21,203
‫by someone else,

73
00:02:21,203 --> 00:02:22,036
‫we don't want that someone else

74
00:02:22,036 --> 00:02:24,080
‫to be able to decrypt that data.

75
00:02:24,080 --> 00:02:27,310
‫And so the data will be decrypted before being sent

76
00:02:27,310 --> 00:02:29,410
‫back to our client.

77
00:02:29,410 --> 00:02:32,490
‫So, thanks to a key, usually called a data key,

78
00:02:32,490 --> 00:02:34,320
‫then that data is going to be stored

79
00:02:34,320 --> 00:02:35,566
‫in an encrypted form,

80
00:02:35,566 --> 00:02:37,780
‫and the encryption and decryption keys

81
00:02:37,780 --> 00:02:38,830
‫must be managed somewhere,

82
00:02:38,830 --> 00:02:41,640
‫usually called a KMS, or key management service,

83
00:02:41,640 --> 00:02:43,743
‫and the server must have the right to talk to

84
00:02:43,743 --> 00:02:45,750
‫that key management service.

85
00:02:45,750 --> 00:02:47,630
‫So here's our object, and we're going to

86
00:02:47,630 --> 00:02:49,780
‫transfer it, for example, to EBS.

87
00:02:49,780 --> 00:02:52,118
‫So it's gonna be transferred over whatever mechanism,

88
00:02:52,118 --> 00:02:54,720
‫and EBS will use a data key,

89
00:02:54,720 --> 00:02:58,510
‫and using a data key will perform encryption of that data,

90
00:02:58,510 --> 00:03:00,380
‫and now it's stored in an encrypted form,

91
00:03:00,380 --> 00:03:02,540
‫and then the day we need to retrieve the data

92
00:03:02,540 --> 00:03:04,930
‫for whatever reason, then EBS,

93
00:03:04,930 --> 00:03:06,860
‫the AWS service, will do decryption for us

94
00:03:06,860 --> 00:03:08,310
‫using the data key again,

95
00:03:08,310 --> 00:03:09,988
‫and we'll get the de-encrypted data,

96
00:03:09,988 --> 00:03:14,040
‫and back to us over at HTTP, HTTPS, for example.

97
00:03:14,040 --> 00:03:16,150
‫So this is how server side encryption works,

98
00:03:16,150 --> 00:03:18,480
‫and as you can see, the server side itself

99
00:03:18,480 --> 00:03:20,670
‫of the service, manages the encryption

100
00:03:20,670 --> 00:03:23,030
‫and the decryption, and uses a data key

101
00:03:23,030 --> 00:03:24,810
‫it has access to.

102
00:03:24,810 --> 00:03:27,170
‫So this is, for server side encryption at rest.

103
00:03:27,170 --> 00:03:29,830
‫And we've seen that many AWS services

104
00:03:29,830 --> 00:03:32,303
‫do use that encryption at rest.

105
00:03:33,450 --> 00:03:35,709
‫Now let's talk about client side encryption.

106
00:03:35,709 --> 00:03:37,480
‫In client side encryption, the data will be

107
00:03:37,480 --> 00:03:40,160
‫encrypted by the client, and the client is us.

108
00:03:40,160 --> 00:03:43,110
‫The server will never be able to decrypt that data.

109
00:03:43,110 --> 00:03:47,000
‫The data will then be decrypted by a receiving client.

110
00:03:47,000 --> 00:03:49,600
‫So all in all, the data is just stored on the server,

111
00:03:49,600 --> 00:03:51,930
‫but the server doesn't know what the data means.

112
00:03:51,930 --> 00:03:54,090
‫And the server, as best practice,

113
00:03:54,090 --> 00:03:57,210
‫should never be able to decrypt the data anyway.

114
00:03:57,210 --> 00:03:59,440
‫And for this, we could leverage something called

115
00:03:59,440 --> 00:04:02,350
‫envelope encryption, but I have a whole lecture on this

116
00:04:02,350 --> 00:04:04,170
‫later on, because this is pretty advanced,

117
00:04:04,170 --> 00:04:06,520
‫but the example asks you about envelope encryption,

118
00:04:06,520 --> 00:04:09,120
‫so for now, let's just do an abstraction of it.

119
00:04:09,120 --> 00:04:11,510
‫So we have our object, and on our client,

120
00:04:11,510 --> 00:04:13,890
‫we're going to use a data key,

121
00:04:13,890 --> 00:04:16,980
‫and we're going to encrypt our data client side.

122
00:04:16,980 --> 00:04:19,170
‫So we perform encryption with that data key.

123
00:04:19,170 --> 00:04:22,180
‫Now we send that data to any store of data we want;

124
00:04:22,180 --> 00:04:23,870
‫could be FTP, could be S3,

125
00:04:23,870 --> 00:04:25,660
‫could be whatever you want really.

126
00:04:25,660 --> 00:04:27,840
‫You put your data wherever you want,

127
00:04:27,840 --> 00:04:29,400
‫say Amazon or somewhere else.

128
00:04:29,400 --> 00:04:31,670
‫And then, when you receive it,

129
00:04:31,670 --> 00:04:34,860
‫your client will receive an encrypted object,

130
00:04:34,860 --> 00:04:37,690
‫and if it has access to the data key,

131
00:04:37,690 --> 00:04:38,930
‫if it can manage to retrieve

132
00:04:38,930 --> 00:04:40,980
‫the data key from somewhere,

133
00:04:40,980 --> 00:04:43,101
‫then it will be able to perform a decryption,

134
00:04:43,101 --> 00:04:46,250
‫and get the decrypted object as a result.

135
00:04:46,250 --> 00:04:48,240
‫So as you can see now, the encryption happens

136
00:04:48,240 --> 00:04:49,400
‫client side.

137
00:04:49,400 --> 00:04:51,830
‫The server, the data store, does not know how

138
00:04:51,830 --> 00:04:53,570
‫to decrypt or encrypt the data,

139
00:04:53,570 --> 00:04:55,940
‫it just receives encrypted data.

140
00:04:55,940 --> 00:04:57,590
‫And so that's quite secure as well.

141
00:04:57,590 --> 00:04:59,550
‫So here are the three kinds of encryption

142
00:04:59,550 --> 00:05:03,180
‫you can get, overall, except envelope encryption

143
00:05:03,180 --> 00:05:04,320
‫that we'll show you later on.

144
00:05:04,320 --> 00:05:08,270
‫So this is not using any KMS just yet.

145
00:05:08,270 --> 00:05:10,770
‫This is just an abstraction of how encryption works.

146
00:05:10,770 --> 00:05:12,320
‫I know this may be a little bit simplified,

147
00:05:12,320 --> 00:05:14,930
‫but hopefully that clears up what encryption is,

148
00:05:14,930 --> 00:05:16,460
‫and in the next lecture, we're going to

149
00:05:16,460 --> 00:05:18,093
‫do a deep dive into KMS.