Open Source Cryptography

Providing open source cryptography & transport libraries

What is open source cryptography at AWS?

Cryptography is an essential part of security for both AWS and our customers. Cryptography at AWS helps enable the secure storage and transmission of your data. AWS is dedicated to offering security-focused services and tools that promote best practices in cryptography. As part of our commitment to raising standards, AWS is proud to contribute our reliable, high-performance cryptographic and transport libraries to the open source community.

In 2015, AWS introduced s2n-tls, a fast open source implementation of the TLS protocol. The name "s2n", or "signal to noise," refers to the way encryption masks meaningful signals behind a facade of seemingly random noise. Since then, AWS has launched several other open source cryptographic libraries, including Amazon Corretto Crypto Provider (ACCP) and AWS Libcrypto (AWS-LC). AWS believes that open source benefits everyone, and we are committed to expanding our cryptographic and transport libraries to meet the evolving security needs of our customers.

Start your journey with AWS Cryptography by exploring our open source libraries. Learn how you can integrate these libraries into your applications to improve cryptographic performance.

AWS-LC is now FIPS 140-3 certified
October 6, 2023

AWS-LC, our open source cryptographic library, has achieved FIPS 140-3 validation from NIST, enabling customers to benefit from its improved performance across many environments.

Accelerating JVM cryptography with Amazon Corretto Crypto Provider 2
September 1, 2023

AWS released ACCP 2, providing comprehensive performance enhancements and compatibility with previous versions. Learn how to start using this library in your own applications.

Introducing AWS Libcrypto for Rust, an Open Source Cryptographic Library for Rust
April 19, 2023

Read this blog post to find out how to use secure and performant cryptography in your Rust applications.

Introducing s2n-quic, a new open-source QUIC protocol implementation in Rust
February 17, 2022

Learn about the performance and security advantages of the QUIC protocol. This blog post discusses s2n-quic, our small, fast and highly configurable Rust implementation of QUIC.

AWS-LC: FIPS certification journey and how it’s used on AWS (15:45)

Learn how AWS-LC was submitted for Federal Information Processing Standard (FIPS) 140-3 certification.

Security in the Open: OSS and AWS (58:43)

Discover what AWS teams are doing to improve the security of the upstream open source security supply chain.

Bringing QUIC, the secure transport protocol, to AWS (49:00)

Explore QUIC and s2n-quic, an open source implementation that delivers high performance and security.

Cryptography for everyone with AWS Libcrypto (35:36)

Learn about AWS-LC and why AWS is invested in improving open source cryptography.

Federal Information Processing Standard 140-3

The Federal Information Processing Standard (FIPS) 140-3 is a rigorous technical standard for cryptographic modules used by the U.S. and Canadian federal governments. AWS is proud that the National Institute of Standards and Technology (NIST) has awarded AWS-LC a FIPS 140-3 Level 1 validation certificate. AWS customers may use AWS-LC and our other open source libraries to help meet their security goals.

FIPS 140-3 Inside #4631

AWS Open Source Cryptographic and Transport Libraries

AWS Libcrypto

AWS Libcrypto (AWS-LC) is the flagship cryptographic library maintained by the AWS Cryptography team. Based on code from the Google BoringSSL and OpenSSL projects, AWS-LC serves as a foundation for our other language-specific cryptographic and transport libraries.

AWS Libcrypto for Rust

AWS Libcrypto for Rust (aws-lc-rs) is a Rust cryptographic library that uses AWS-LC for its cryptographic operations and aims to give developers a secure, efficient, and easy-to-use API. It offers a range of cryptographic operations, including AEAD, digital signatures, and digests/hashing.

AWS Libcrypto Formal Verification

AWS Libcrypto Formal Verification (aws-lc-verification) provides specifications, proof scripts, and other artifacts required to formally verify portions of AWS Libcrypto. Formal verification is used to locate bugs and increase assurance of the correctness and security of the library.

Amazon Corretto Crypto Provider

Amazon Corretto Crypto Provider (ACCP) is a collection of efficient cryptographic implementations, backed by AWS-LC, and exposed through the standard Java Cryptography Architecture (JCA) interface. It can be used as a drop-in replacement in many different Java applications.

s2n-tls

s2n-tls is a C99 implementation of the TLS/SSL protocol that is designed to be simple, fast, and secure. s2n-tls has been widely adopted by AWS services since its introduction in 2015. For example, s2n-tls has handled 100% of SSL traffic for Amazon S3 since 2017.

s2n-quic

s2n-quic is a Rust implementation of the IETF QUIC protocol, featuring a simple, easy-to-use API. QUIC is an encrypted transport protocol designed for performance and serves as the foundation of HTTP/3.

s2n-bignum

s2n-bignum is a collection of bignum arithmetic routines designed for cryptography and used by AWS-LC and our other libraries. Each function is written in a constant-time style and is accompanied by a machine-checked formal proof that its mathematical result is correct with respect to a formal model of the underlying machine. It thus combines speed, correctness, and security against timing side channels.
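What "constant-time style" means in practice, as an added illustration that is not s2n-bignum's own code (s2n-bignum's routines are hand-written assembly with machine-checked proofs): the helpers below assume a 256-bit value stored as four little-endian 64-bit limbs and show a variable-time comparison next to constant-time equality, less-than, and conditional-select routines that touch every limb and contain no data-dependent branches.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed representation: 256-bit number as four 64-bit limbs, limb 0 least significant. */
#define LIMBS 4

/* Variable-time comparison: returns on the first differing limb, so the
 * running time reveals where two secret values first diverge. */
int bignum_eq_vartime(const uint64_t a[LIMBS], const uint64_t b[LIMBS]) {
    for (size_t i = 0; i < LIMBS; i++) {
        if (a[i] != b[i]) return 0;
    }
    return 1;
}

/* Constant-time equality: OR together every differing bit, then collapse
 * the result to 0 or 1 without a branch. Returns 1 if equal, 0 otherwise. */
uint64_t bignum_eq_ct(const uint64_t a[LIMBS], const uint64_t b[LIMBS]) {
    uint64_t diff = 0;
    for (size_t i = 0; i < LIMBS; i++) {
        diff |= a[i] ^ b[i];
    }
    /* For nonzero diff, (diff | -diff) always has its top bit set. */
    return 1 ^ ((diff | (0 - diff)) >> 63);
}

/* Constant-time "a < b": propagate a subtraction borrow across all limbs and
 * return the final borrow (1 iff a < b). Borrow-out of a - b - bin is the top
 * bit of (~a & b) | ((~a | b) & t), where t is the limb result. */
uint64_t bignum_lt_ct(const uint64_t a[LIMBS], const uint64_t b[LIMBS]) {
    uint64_t borrow = 0;
    for (size_t i = 0; i < LIMBS; i++) {
        uint64_t t = a[i] - b[i] - borrow;
        borrow = ((~a[i] & b[i]) | ((~a[i] | b[i]) & t)) >> 63;
    }
    return borrow;
}

/* Constant-time conditional select: out = cond ? x : y, for cond in {0, 1}.
 * The mask is all-ones or all-zeros, so both inputs are read on every call. */
void bignum_select_ct(uint64_t out[LIMBS], uint64_t cond,
                      const uint64_t x[LIMBS], const uint64_t y[LIMBS]) {
    uint64_t mask = 0 - (cond & 1);
    for (size_t i = 0; i < LIMBS; i++) {
        out[i] = (x[i] & mask) | (y[i] & ~mask);
    }
}

/* Self-check over constructed sample values; returns 1 when every routine
 * agrees with the expected mathematical answer. */
int bignum_ct_selfcheck(void) {
    const uint64_t one[LIMBS]  = {1, 0, 0, 0};
    const uint64_t two[LIMBS]  = {2, 0, 0, 0};
    const uint64_t big[LIMBS]  = {0, 1, 0, 0};                    /* 2^64 */
    const uint64_t maxl[LIMBS] = {UINT64_MAX, 0, 0, 0};          /* 2^64 - 1 */
    uint64_t out[LIMBS];
    int ok = 1;

    ok &= bignum_eq_ct(one, one) == 1;
    ok &= bignum_eq_ct(one, two) == 0;
    ok &= bignum_eq_ct(one, one) == (uint64_t)bignum_eq_vartime(one, one);
    ok &= bignum_lt_ct(maxl, big) == 1;   /* 2^64 - 1 < 2^64 */
    ok &= bignum_lt_ct(big, maxl) == 0;
    ok &= bignum_lt_ct(one, one) == 0;

    bignum_select_ct(out, 1, big, one);
    ok &= bignum_eq_ct(out, big) == 1;
    bignum_select_ct(out, 0, big, one);
    ok &= bignum_eq_ct(out, one) == 1;
    return ok;
}

int main(void) {
    printf("constant-time bignum self-check: %s\n",
           bignum_ct_selfcheck() ? "pass" : "FAIL");
    return bignum_ct_selfcheck() ? 0 : 1;
}
```

The caveat a practitioner should keep in mind is that C gives no guarantee here: an optimizing compiler is free to turn the mask arithmetic back into a branch, which is one reason s2n-bignum is written in assembly and proved against a model of the machine rather than relying on source-level discipline.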

AWS Client Side Encryption Libraries

AWS Client Side Encryption Libraries is a collection of libraries for encrypting structured and unstructured data. They make best-practice client-side encryption easier, so you can focus on the core functionality of your application. These libraries may be used with any cryptographic service provider, including AWS Key Management Service (AWS KMS) or AWS CloudHSM.

Cryptographic Computing for Clean Rooms

Cryptographic Computing for Clean Rooms (C3R) lets you collaborate on your data in AWS Clean Rooms using cryptographic computing, a technique that allows multiple parties to jointly compute a function over their inputs while keeping those inputs private. If your data handling policies require that sensitive data be encrypted, you can pre-encrypt it with a common, collaboration-specific encryption key so that it remains encrypted even while queries run.

Interested in learning more about Open Source Cryptography?