Amazon Athena

AWS Open Source Security

Providing open source cryptography & transport libraries

What is open source cryptography at AWS?

Cryptography is at the heart of AWS, underpinning security for both AWS and its customers. It's seamlessly integrated into the operations we perform, enabling the secure storage and transmission of your data. AWS is dedicated to offering security-focused services and tools that promote best practices in cryptography. As part of this commitment, AWS is proud to contribute our reliable, high-performance cryptographic and transport libraries to the open source community.

In 2015, AWS introduced s2n-tls, a fast open source implementation of the TLS protocol. The name "s2n", or "signal to noise," refers to the way encryption masks meaningful signals behind a facade of seemingly random noise. Since then, AWS has launched several other open source cryptographic libraries, including Amazon Corretto Crypto Provider (ACCP) and AWS Libcrypto (AWS-LC). AWS believes that open source benefits everyone, and we are committed to expanding our cryptographic and transport libraries to meet the evolving security needs of our customers.

Featured resources

Start your journey with AWS cryptography by exploring our open source libraries. Learn about AWS-LC, ACCP, AWS Libcrypto for Rust (aws-lc-rs), and s2n-quic in our featured blogs below. See how you can integrate these libraries into your applications to improve cryptographic performance.

Blog

AWS-LC FIPS 3.0: First cryptographic library to include ML-KEM in FIPS 140-3 validation

We’re excited to announce that AWS-LC FIPS 3.0 has been added to the National Institute of Standards and Technology (NIST) Cryptographic Module Validation Program (CMVP) modules in process list.

Read the blog

Blog

Better-performing “25519” elliptic-curve cryptography

Automated reasoning and optimizations specific to CPU microarchitectures improve both performance and assurance of correct implementation.

Read the blog

Blog

Formal verification makes RSA faster — and faster to deploy

Optimizations for Amazon's Graviton2 chip boost efficiency, and formal verification shortens development time.By June Lee, Hanno Becker, John Harrison.

Read the blog

Blog

AWS-LC is now FIPS 140-3 certified

AWS-LC, our open source cryptographic library, has achieved FIPS 140-3 validation from NIST, enabling customers to benefit from its improved performance across many environments.

Read the blog

Video

Using s2n-quic: Bringing QUIC, the secure transport protocol, to AWS

Explore some exciting features of QUIC and learn about s2n-quic, an open-source QUIC implementation that delivers the performance and security AWS customers expect.

Watch the video

Video

AWS-LC: FIPS certification journey and how it’s used on AWS

Gain insights into how AWS-LC was submitted for Federal Information Processing Standard (FIPS) 140-3 certification.

Watch the video

Video

Security in the Open: OSS and AWS

Discover whatAWS teams aredoing to improve thesecurity of theupstream OSS supplychain throughcontributions to theOpen SourceSecurity Foundation(OpenSSF) and more.

Watch the video

Video

Adoption of High Assurance and Highly Performant Cryptographic Algorithms at AWS

Learn about AWS's experience implementing and deploying cryptographic algorithms that utilize carefully targeted micro-architectural optimizations and are formally verified with Automated Reasoning.

Watch the video

Federal Information Processing Standard 140-3

The Federal Information Processing Standard (FIPS) 140-3 is a rigorous technical standard for cryptographic modules used by the U.S. and Canadian Federal governments. AWS is proud that the National Institute of Standards and Technology (NIST) has awarded FIPS 140-3 level 1 validation certificates to AWS-LC, AWS-LC-FIPS v2.0 static, and AWS-LC-FIPS v2.0 dynamic.

AWS Open Source Cryptographic and Transport Libraries

AWS Libcrypto

AWS Libcrypto (AWS-LC) is the flagship cryptographic library maintained by the AWS Cryptography team. Based on code from the Google BoringSSL and OpenSSL projects, AWS-LC serves as a foundation for our other language-specific cryptographic and transport libraries.

AWS-LC

AWS Libcrypto Formal Verification

AWS Libcrypto Formal Verification (aws-lc-verification) provides specifications, proof scripts, and other artifacts required to formally verify portions of AWS Libcrypto. Formal verification is used to locate bugs and increase assurance of the correctness and security of the library.

aws-lc-verification

Amazon Corretto Crypto Provider

Amazon Corretto Crypto Provider (ACCP) is a collection of efficient cryptographic implementations, backed by AWS-LC, and exposed through the standard Java Cryptography Architecture (JCA) interface. It can be used as a drop-in replacement in many different Java applications.

ACCP

s2n-tls

s2n-tls is a C99 implementation of the TLS/SSL protocol that is designed to be simple, fast, and secure. s2n-tls has been widely adopted by AWS services since its introduction in 2015. For example, s2n-tls has handled 100% of SSL traffic for Amazon S3 since 2017.

s2n-tls

s2n-quic

s2n-quic is a Rust implementation of the IETF QUIC protocol, featuring a simple, easy-to-use API. QUIC is an encrypted transport protocol designed for performance and serves as the foundation of HTTP/3.

s2n-quic

s2n-bignum

s2n-bignum is a collection of bignum arithmetic routines designed for cryptography and utilized by AWS-LC and our other libraries. Each function is written in a constant-time style, and is accompanied by a machine-checked formal proof that its mathematical result is correct based on a formal model of the underlying machine. It thus provides a combination of speed, correctness and security against timing side channels.

s2n-bignum

AWS Encryption SDK

AWS Encryption SDK is a client-side encryption library for all types of data. It makes best-practice client-side encryption easier, so you can focus on the core functionality of your application. These libraries may be used with any cryptographic service provider, including AWS Key Management Service (KMS) or AWS CloudHSM.

AWS Encryption SDK

Cryptographic Computing for Clean Rooms

Cryptographic Computing for Clean Rooms (C3R) allows you to collaborate with your data in AWS Clean Rooms using a technique that allows multiple parties to jointly compute a function over their inputs while keeping those inputs private. If you have data handling policies that require encryption of sensitive data, you can pre-encrypt your data using a common collaboration-specific encryption key so that data is encrypted even when queries are run.

C3R

Interested?

To learn more about Open Source Cryptography

Contact us

AWS Open Source Security

What is open source cryptography at AWS?

Featured resources

AWS-LC FIPS 3.0: First cryptographic library to include ML-KEM in FIPS 140-3 validation

Better-performing “25519” elliptic-curve cryptography

Formal verification makes RSA faster — and faster to deploy

AWS-LC is now FIPS 140-3 certified

Using s2n-quic: Bringing QUIC, the secure transport protocol, to AWS

AWS-LC: FIPS certification journey and how it’s used on AWS

Security in the Open: OSS and AWS

Adoption of High Assurance and Highly Performant Cryptographic Algorithms at AWS

Federal Information Processing Standard 140-3

AWS Open Source Cryptographic and Transport Libraries

AWS Libcrypto

AWS Libcrypto Formal Verification

Amazon Corretto Crypto Provider

s2n-tls

s2n-quic

s2n-bignum

AWS Encryption SDK

Cryptographic Computing for Clean Rooms

Interested?

Learn

Resources

Developers

Help