1
00:00:00,000 --> 00:00:01,310
So first, an overview of

2
00:00:01,310 --> 00:00:02,540
encryption mechanism.

3
00:00:02,540 --> 00:00:03,713
And the first one is going to be

4
00:00:03,713 --> 00:00:05,580
encryption in flights.

5
00:00:05,580 --> 00:00:08,070
Then, why would we want even encryption in flights?

6
00:00:08,070 --> 00:00:09,520
Well, we want encryption in flight because

7
00:00:09,520 --> 00:00:11,810
if I send a very sensitive secret,

8
00:00:11,810 --> 00:00:14,710
for example, my credit card to a server,

9
00:00:14,710 --> 00:00:16,329
to make a payment online,

10
00:00:16,329 --> 00:00:19,060
I want to make sure that no one else, on the way,

11
00:00:19,060 --> 00:00:21,770
where my network packet is going to travel,

12
00:00:21,770 --> 00:00:23,740
can see my credit card number.

13
00:00:23,740 --> 00:00:24,670
So I want to make sure that

14
00:00:24,670 --> 00:00:26,240
when I make a payment online,

15
00:00:26,240 --> 00:00:27,500
I have that green lock,

16
00:00:27,500 --> 00:00:30,500
I have that HTTPS website which guarantees me,

17
00:00:30,500 --> 00:00:32,360
that it is an SSL enabled website,

18
00:00:32,360 --> 00:00:34,160
and I will get encryption in flight.

19
00:00:34,160 --> 00:00:35,670
And so when you have encryption in flight,

20
00:00:35,670 --> 00:00:36,830
the data will be encrypted

21
00:00:36,830 --> 00:00:38,200
before I sent it,

22
00:00:38,200 --> 00:00:40,470
and then the server will be decrypting it

23
00:00:40,470 --> 00:00:41,800
after receiving it.

24
00:00:41,800 --> 00:00:43,510
But, only myself and the server

25
00:00:43,510 --> 00:00:45,440
know how to do these things.

26
00:00:45,440 --> 00:00:48,190
Now the SSL certificates are what's going to

27
00:00:48,190 --> 00:00:50,990
help with the encryption, and so another way to

28
00:00:50,990 --> 00:00:52,660
see it is HTTPS.

29
00:00:52,660 --> 00:00:53,960
So anytime we've been dealing

30
00:00:53,960 --> 00:00:55,440
with with an Amazon service,

31
00:00:55,440 --> 00:00:57,570
and it had an HTTPS endpoint,

32
00:00:57,570 --> 00:00:59,910
that guaranteed us that it was encryption in flight.

33
00:00:59,910 --> 00:01:02,050
And now the whole web, almost the whole web,

34
00:01:02,050 --> 00:01:04,843
needs to run on SSL and HTTPS.

35
00:01:06,220 --> 00:01:08,330
Basically, when you have this enabled,

36
00:01:08,330 --> 00:01:09,760
you're protected against

37
00:01:09,760 --> 00:01:11,370
the 'man in the middle' attack.

38
00:01:11,370 --> 00:01:14,069
And so, this guarantees that,

39
00:01:14,069 --> 00:01:15,040
when you have that green lock,

40
00:01:15,040 --> 00:01:16,840
and that the server certificate is valid,

41
00:01:16,840 --> 00:01:19,940
that no one can retrieve your sensitive information.

42
00:01:19,940 --> 00:01:21,590
So let's do a quick example.

43
00:01:21,590 --> 00:01:23,130
Here is us, and we want to talk to

44
00:01:23,130 --> 00:01:25,270
an HTTP website on AWS;

45
00:01:25,270 --> 00:01:26,250
could be DynamoDB,

46
00:01:26,250 --> 00:01:27,760
could be whatever we want.

47
00:01:27,760 --> 00:01:28,880
And then what we're going to do,

48
00:01:28,880 --> 00:01:31,720
is that we're going to have add the super secret data,

49
00:01:31,720 --> 00:01:34,730
we're going to encrypt it with SSL encryption,

50
00:01:34,730 --> 00:01:36,440
and send it over the network,

51
00:01:36,440 --> 00:01:38,580
and then the website will receive the data,

52
00:01:38,580 --> 00:01:40,333
and know how to decrypt it.

53
00:01:41,180 --> 00:01:43,300
Very, very simple; the idea of it,

54
00:01:43,300 --> 00:01:44,690
but the execution is not as easy,

55
00:01:44,690 --> 00:01:46,520
so this is how much I'll give you.

56
00:01:46,520 --> 00:01:48,510
The good news is that all programming languages

57
00:01:48,510 --> 00:01:50,530
know how to do SSL encryption and decryption,

58
00:01:50,530 --> 00:01:52,230
and already do this for you,

59
00:01:52,230 --> 00:01:53,780
so you don't have to worry about anything.

60
00:01:53,780 --> 00:01:56,460
This is not something you have to deal with directly.

61
00:01:56,460 --> 00:01:58,030
The second thing is going to be called

62
00:01:58,030 --> 00:02:00,030
server side encryption at rest.

63
00:02:00,030 --> 00:02:03,000
And so that is when the data is encrypted,

64
00:02:03,000 --> 00:02:05,040
after being received by the server.

65
00:02:05,040 --> 00:02:07,350
So before that, the server was receiving data,

66
00:02:07,350 --> 00:02:09,479
decrypting it, and using it in its decrypted form.

67
00:02:09,479 --> 00:02:10,850
Here, the server is going to

68
00:02:10,850 --> 00:02:12,600
store the data on its disk,

69
00:02:12,600 --> 00:02:15,160
and so we need to know that the server

70
00:02:15,160 --> 00:02:17,950
is storing the data in an encrypted form.

71
00:02:17,950 --> 00:02:20,370
Because, in case the server gets hijacked

72
00:02:20,370 --> 00:02:21,203
by someone else,

73
00:02:21,203 --> 00:02:22,036
we don't want that someone else

74
00:02:22,036 --> 00:02:24,080
to be able to decrypt that data.

75
00:02:24,080 --> 00:02:27,310
And so the data will be decrypted before being sent

76
00:02:27,310 --> 00:02:29,410
back to our client.

77
00:02:29,410 --> 00:02:32,490
So, thanks to a key, usually called a data key,

78
00:02:32,490 --> 00:02:34,320
then that data is going to be stored

79
00:02:34,320 --> 00:02:35,566
in an encrypted form,

80
00:02:35,566 --> 00:02:37,780
and the encryption and decryption keys

81
00:02:37,780 --> 00:02:38,830
must be managed somewhere,

82
00:02:38,830 --> 00:02:41,640
usually called a KMS, or key management service,

83
00:02:41,640 --> 00:02:43,743
and the server must have the right to talk to

84
00:02:43,743 --> 00:02:45,750
that key management service.

85
00:02:45,750 --> 00:02:47,630
So here's our object, and we're going to

86
00:02:47,630 --> 00:02:49,780
transfer it, for example, to EBS.

87
00:02:49,780 --> 00:02:52,118
So it's gonna be transferred over whatever mechanism,

88
00:02:52,118 --> 00:02:54,720
and EBS will use a data key,

89
00:02:54,720 --> 00:02:58,510
and using a data key will perform encryption of that data,

90
00:02:58,510 --> 00:03:00,380
and now it's stored in an encrypted form,

91
00:03:00,380 --> 00:03:02,540
and then the day we need to retrieve the data

92
00:03:02,540 --> 00:03:04,930
for whatever reason, then EBS,

93
00:03:04,930 --> 00:03:06,860
the AWS service, will do decryption for us

94
00:03:06,860 --> 00:03:08,310
using the data key again,

95
00:03:08,310 --> 00:03:09,988
and we'll get the de-encrypted data,

96
00:03:09,988 --> 00:03:14,040
and back to us over at HTTP, HTTPS, for example.

97
00:03:14,040 --> 00:03:16,150
So this is how server side encryption works,

98
00:03:16,150 --> 00:03:18,480
and as you can see, the server side itself

99
00:03:18,480 --> 00:03:20,670
of the service, manages the encryption

100
00:03:20,670 --> 00:03:23,030
and the decryption, and uses a data key

101
00:03:23,030 --> 00:03:24,810
it has access to.

102
00:03:24,810 --> 00:03:27,170
So this is, for server side encryption at rest.

103
00:03:27,170 --> 00:03:29,830
And we've seen that many AWS services

104
00:03:29,830 --> 00:03:32,303
do use that encryption at rest.

105
00:03:33,450 --> 00:03:35,709
Now let's talk about client side encryption.

106
00:03:35,709 --> 00:03:37,480
In client side encryption, the data will be

107
00:03:37,480 --> 00:03:40,160
encrypted by the client, and the client is us.

108
00:03:40,160 --> 00:03:43,110
The server will never be able to decrypt that data.

109
00:03:43,110 --> 00:03:47,000
The data will then be decrypted by a receiving client.

110
00:03:47,000 --> 00:03:49,600
So all in all, the data is just stored on the server,

111
00:03:49,600 --> 00:03:51,930
but the server doesn't know what the data means.

112
00:03:51,930 --> 00:03:54,090
And the server, as best practice,

113
00:03:54,090 --> 00:03:57,210
should never be able to decrypt the data anyway.

114
00:03:57,210 --> 00:03:59,440
And for this, we could leverage something called

115
00:03:59,440 --> 00:04:02,350
envelope encryption, but I have a whole lecture on this

116
00:04:02,350 --> 00:04:04,170
later on, because this is pretty advanced,

117
00:04:04,170 --> 00:04:06,520
but the example asks you about envelope encryption,

118
00:04:06,520 --> 00:04:09,120
so for now, let's just do an abstraction of it.

119
00:04:09,120 --> 00:04:11,510
So we have our object, and on our client,

120
00:04:11,510 --> 00:04:13,890
we're going to use a data key,

121
00:04:13,890 --> 00:04:16,980
and we're going to encrypt our data client side.

122
00:04:16,980 --> 00:04:19,170
So we perform encryption with that data key.

123
00:04:19,170 --> 00:04:22,180
Now we send that data to any store of data we want;

124
00:04:22,180 --> 00:04:23,870
could be FTP, could be S3,

125
00:04:23,870 --> 00:04:25,660
could be whatever you want really.

126
00:04:25,660 --> 00:04:27,840
You put your data wherever you want,

127
00:04:27,840 --> 00:04:29,400
say Amazon or somewhere else.

128
00:04:29,400 --> 00:04:31,670
And then, when you receive it,

129
00:04:31,670 --> 00:04:34,860
your client will receive an encrypted object,

130
00:04:34,860 --> 00:04:37,690
and if it has access to the data key,

131
00:04:37,690 --> 00:04:38,930
if it can manage to retrieve

132
00:04:38,930 --> 00:04:40,980
the data key from somewhere,

133
00:04:40,980 --> 00:04:43,101
then it will be able to perform a decryption,

134
00:04:43,101 --> 00:04:46,250
and get the decrypted object as a result.

135
00:04:46,250 --> 00:04:48,240
So as you can see now, the encryption happens

136
00:04:48,240 --> 00:04:49,400
client side.

137
00:04:49,400 --> 00:04:51,830
The server, the data store, does not know how

138
00:04:51,830 --> 00:04:53,570
to decrypt or encrypt the data,

139
00:04:53,570 --> 00:04:55,940
it just receives encrypted data.

140
00:04:55,940 --> 00:04:57,590
And so that's quite secure as well.

141
00:04:57,590 --> 00:04:59,550
So here are the three kinds of encryption

142
00:04:59,550 --> 00:05:03,180
you can get, overall, except envelope encryption

143
00:05:03,180 --> 00:05:04,320
that we'll show you later on.

144
00:05:04,320 --> 00:05:08,270
So this is not using any KMS just yet.

145
00:05:08,270 --> 00:05:10,770
This is just an abstraction of how encryption works.

146
00:05:10,770 --> 00:05:12,320
I know this may be a little bit simplified,

147
00:05:12,320 --> 00:05:14,930
but hopefully that clears up what encryption is,

148
00:05:14,930 --> 00:05:16,460
and in the next lecture, we're going to

149
00:05:16,460 --> 00:05:18,093
do a deep dive into KMS.