Open Source Cryptography

Providing open source cryptography & transport libraries

What is open source cryptography at AWS?

Cryptography is at the heart of AWS, underpinning security for both AWS and its customers. It's seamlessly integrated into the operations we perform, enabling the secure storage and transmission of your data. AWS is dedicated to offering security-focused services and tools that promote best practices in cryptography. As part of this commitment, AWS is proud to contribute our reliable, high-performance cryptographic and transport libraries to the open source community.

In 2015, AWS introduced s2n-tls, a fast open source implementation of the TLS protocol. The name "s2n", or "signal to noise," refers to the way encryption masks meaningful signals behind a facade of seemingly random noise. Since then, AWS has launched several other open source cryptographic libraries, including Amazon Corretto Crypto Provider (ACCP) and AWS Libcrypto (AWS-LC). AWS believes that open source benefits everyone, and we are committed to expanding our cryptographic and transport libraries to meet the evolving security needs of our customers.

Start your journey with AWS cryptography by exploring our open source libraries. Learn about AWS-LC, ACCP, AWS Libcrypto for Rust (aws-lc-rs), and s2n-quic in our featured blogs below. See how you can integrate these libraries into your applications to improve cryptographic performance.

AWS-LC FIPS 3.0: First cryptographic library to include ML-KEM in FIPS 140-3 validation
December 10, 2024

We’re excited to announce that AWS-LC FIPS 3.0 has been added to the National Institute of Standards and Technology (NIST) Cryptographic Module Validation Program (CMVP) modules in process list.

Better-performing “25519” elliptic-curve cryptography
September 10, 2024

Automated reasoning and optimizations specific to CPU microarchitectures improve both performance and assurance of correct implementation.

Formal verification makes RSA faster — and faster to deploy
August 8, 2024

Optimizations for Amazon's Graviton2 chip boost efficiency, and formal verification shortens development time. By June Lee, Hanno Becker, John Harrison.

AWS-LC is now FIPS 140-3 certified
October 6, 2023

AWS-LC, our open source cryptographic library, has achieved FIPS 140-3 validation from NIST, enabling customers to benefit from its improved performance across many environments.

AWS re:Inforce 2022 - Using s2n-quic: Bringing QUIC, the secure transport protocol, to AWS (49:00)

Explore some exciting features of QUIC and learn about s2n-quic, an open-source QUIC implementation that delivers the performance and security AWS customers expect.

AWS re:Inforce 2023 - AWS-LC: FIPS certification journey and how it’s used on AWS (15:45)

Gain insights into how AWS-LC was submitted for Federal Information Processing Standard (FIPS) 140-3 certification.

AWS re:Inforce 2023 - Security in the Open: OSS and AWS (SEC201-L) (58:43)

Discover what AWS teams are doing to improve the security of the upstream OSS supply chain through contributions to the Open Source Security Foundation (OpenSSF) and more.

Adoption of High Assurance and Highly Performant Cryptographic Algorithms at AWS (RWC 2024) (21:12)

Learn about AWS's experience implementing and deploying cryptographic algorithms that utilize carefully targeted micro-architectural optimizations and are formally verified with Automated Reasoning.

Federal Information Processing Standard 140-3

The Federal Information Processing Standard (FIPS) 140-3 is a rigorous technical standard for cryptographic modules used by the U.S. and Canadian Federal governments. AWS is proud that the National Institute of Standards and Technology (NIST) has awarded AWS-LC a FIPS 140-3 level 1 validation certificate. AWS customers may leverage AWS-LC and our other open source libraries to help meet security goals.

FIPS 140-3 Inside #4631

AWS Open Source Cryptographic and Transport Libraries

AWS Libcrypto

AWS Libcrypto (AWS-LC) is the flagship cryptographic library maintained by the AWS Cryptography team. Based on code from the Google BoringSSL and OpenSSL projects, AWS-LC serves as a foundation for our other language-specific cryptographic and transport libraries.

AWS Libcrypto for Rust

AWS Libcrypto for Rust (aws-lc-rs) is a Rust cryptographic library that uses AWS-LC for its cryptographic operations and aims to give developers a secure, efficient, and easy-to-use API. It offers a range of cryptographic operations, including AEAD, digital signatures, and digests/hashing.

AWS Libcrypto Formal Verification

AWS Libcrypto Formal Verification (aws-lc-verification) provides specifications, proof scripts, and other artifacts required to formally verify portions of AWS Libcrypto. Formal verification is used to locate bugs and increase assurance of the correctness and security of the library.

Amazon Corretto Crypto Provider

Amazon Corretto Crypto Provider (ACCP) is a collection of efficient cryptographic implementations, backed by AWS-LC, and exposed through the standard Java Cryptography Architecture (JCA) interface. It can be used as a drop-in replacement in many different Java applications.

s2n-tls

s2n-tls is a C99 implementation of the TLS/SSL protocol that is designed to be simple, fast, and secure. s2n-tls has been widely adopted by AWS services since its introduction in 2015. For example, s2n-tls has handled 100% of SSL traffic for Amazon S3 since 2017.

s2n-quic

s2n-quic is a Rust implementation of the IETF QUIC protocol, featuring a simple, easy-to-use API. QUIC is an encrypted transport protocol designed for performance and serves as the foundation of HTTP/3.

s2n-bignum

s2n-bignum is a collection of bignum arithmetic routines designed for cryptography and utilized by AWS-LC and our other libraries. Each function is written in a constant-time style, and is accompanied by a machine-checked formal proof that its mathematical result is correct based on a formal model of the underlying machine. It thus provides a combination of speed, correctness and security against timing side channels.
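The "constant-time style" mentioned above means that a routine's running time and memory-access pattern do not depend on the secret values of the limbs it operates on. The following C sketch is an added illustration of that style on little-endian 64-bit limb arrays; it is not s2n-bignum's own code (s2n-bignum implements its routines in assembly with machine-checked proofs, neither of which this sketch reproduces). The function names and the two-limb sample values are constructed for the example, and a deliberately leaky comparison is included for contrast.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed illustration, not s2n-bignum code: all functions below examine
 * every limb and branch only on the loop counter, never on limb values. */

/* Return all-ones if x == 0, else 0, without a data-dependent branch.
 * For x != 0, (x | -x) has its top bit set, so the shift yields 1 and the
 * XOR clears it; for x == 0 the shift yields 0 and the XOR sets it. */
static uint64_t ct_is_zero_mask(uint64_t x) {
    return (((x | (0 - x)) >> 63) ^ 1) * UINT64_MAX;
}

/* 1 if the two n-limb numbers are equal, 0 otherwise; always visits all limbs. */
int ct_bignum_eq(size_t n, const uint64_t *a, const uint64_t *b) {
    uint64_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= a[i] ^ b[i];
    return (int)(ct_is_zero_mask(diff) & 1);
}

/* Conditional select z = cond ? x : y (cond in {0,1}) via masking, not a branch. */
void ct_bignum_select(size_t n, uint64_t *z, const uint64_t *x,
                      const uint64_t *y, uint64_t cond) {
    uint64_t mask = 0 - (cond & 1);   /* all ones if cond, else zero */
    for (size_t i = 0; i < n; i++) z[i] = (x[i] & mask) | (y[i] & ~mask);
}

/* z = x - y mod 2^(64n); returns the final borrow (1 if x < y).
 * The borrow chain is computed arithmetically rather than with an if/else. */
uint64_t ct_bignum_sub(size_t n, uint64_t *z, const uint64_t *x, const uint64_t *y) {
    uint64_t borrow = 0;
    for (size_t i = 0; i < n; i++) {
        uint64_t t = x[i] - y[i];
        uint64_t b1 = (t > x[i]);        /* borrow out of x[i] - y[i] */
        uint64_t r = t - borrow;
        uint64_t b2 = (r > t);           /* borrow out of subtracting the carried borrow */
        z[i] = r;
        borrow = b1 | b2;
    }
    return borrow;
}

/* Contrast: early exit makes the running time depend on the index of the
 * first differing limb, which a timing observer can learn. */
int leaky_bignum_eq(size_t n, const uint64_t *a, const uint64_t *b) {
    for (size_t i = 0; i < n; i++) if (a[i] != b[i]) return 0;
    return 1;
}

/* Self-check over constructed two-limb values; returns 1 when every result matches. */
int selfcheck(void) {
    const uint64_t a[2] = {5, 7}, b[2] = {5, 7}, c[2] = {6, 7};
    uint64_t z[2];
    int ok = 1;
    ok &= ct_bignum_eq(2, a, b) == 1;
    ok &= ct_bignum_eq(2, a, c) == 0;
    ok &= leaky_bignum_eq(2, a, c) == 0;
    ct_bignum_select(2, z, a, c, 1); ok &= (z[0] == 5 && z[1] == 7);
    ct_bignum_select(2, z, a, c, 0); ok &= (z[0] == 6 && z[1] == 7);
    ok &= ct_bignum_sub(2, z, c, a) == 0 && z[0] == 1 && z[1] == 0;
    ok &= ct_bignum_sub(2, z, a, c) == 1 && z[0] == UINT64_MAX && z[1] == UINT64_MAX;
    return ok;
}

int main(void) {
    printf("constant-time limb routines self-check: %s\n", selfcheck() ? "ok" : "FAILED");
    return selfcheck() ? 0 : 1;
}
```

Written in C, this style is a best-effort discipline: a compiler may legally turn a masked select back into a branch, which is one reason s2n-bignum ships its routines as assembly and proves them against a model of the machine rather than trusting the compiler's output.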

AWS Encryption SDK

AWS Encryption SDK is a client-side encryption library for all types of data. It makes best-practice client-side encryption easier, so you can focus on the core functionality of your application. These libraries may be used with any cryptographic service provider, including AWS Key Management Service (KMS) or AWS CloudHSM.

Cryptographic Computing for Clean Rooms

Cryptographic Computing for Clean Rooms (C3R) allows you to collaborate with your data in AWS Clean Rooms using a technique that allows multiple parties to jointly compute a function over their inputs while keeping those inputs private. If you have data handling policies that require encryption of sensitive data, you can pre-encrypt your data using a common collaboration-specific encryption key so that data is encrypted even when queries are run.

Interested in learning more about Open Source Cryptography?