AWS SIGv4 and SIGv4A – How AWS signs and verifies API requests

Thanks for this great post. I actually just signed up to say that I actually wasted a considerable amount of time trying to create my own SIGv4 just to avoid replay attacks especially if the server is behind some L-7 load balancer such as Cloudflare more than any other reason. It was implemented like this: the server creates a ecdsa&#x2F;ed22519 key pair, hands over the private key to the user and keeps only the public key, then for every request to the actual APIs, the user uses the private key to create a JWT that contains some attributes such as the userID, sessionID, the request path, etc...). While this method obviously looked much more secure than just a long-term static JWT or an access token, the real problem I found was in the clock skew, if the client doesn&#x27;t have a well synchronized clock, then the JWT is deemed invalid by the server since such this JWT should be very short-lived by design otherwise what&#x27;s the point of having them in the first place. If your clients are browsers or running on PCs, as opposed to servers, containers, etc... this will be a huge problem for you. In fact, AWS clients implement their own clock skewing correction <a href="https:&#x2F;&#x2F;aws.amazon.com&#x2F;blogs&#x2F;developer&#x2F;clock-skew-correction&#x2F;" rel="nofollow">https:&#x2F;&#x2F;aws.amazon.com&#x2F;blogs&#x2F;developer&#x2F;clock-skew-correction...</a><p>I ended up implementing an additional auth API endpoint where you use your long-lived secret to periodically request a short-lived JWT that is only valid for a few hours, this short-lived secret is what is used for the actual APIs to authenticate the users.

This is neat, although it throws a wrench into my recent move encrypt my AWS secret access key with my TPM to prevent the key from being used anywhere besides my laptop[0].<p>[0]: <a href="https:&#x2F;&#x2F;github.com&#x2F;psanford&#x2F;awsv4signer&#x2F;tree&#x2F;main&#x2F;examples&#x2F;tpmsigner" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;psanford&#x2F;awsv4signer&#x2F;tree&#x2F;main&#x2F;examples&#x2F;t...</a>

Super interesting! I wonder - have any other services or companies (SaaS or otherwise) adopted SigV4 other than AWS?<p>Seems like a solid protocol (though a lot to implement in a client, that can be encapsulated in an SDK)

I wonder why the subkeys are valid for 1d and not something much shorter like 15 minutes. IIUC if the frontend IAM servers of a service get compromised you can only accept traffic for that service again on the next day, when a new subkey is valid.<p>I also wonder whether those subkeys are copied over to the frontend server (that might be a lot of data to copy) every day or requested and cached (possibly high latency for first call)

Wasn&#x27;t clear to me who wrote this or why, so:<p>&gt; I’m Colm MacCárthaigh, a VP and Distinguished Engineer at Amazon Web Services, and this website is my blog.

I flat out don&#x27;t trust AWS SIG; It falls into the classic encryption antipattern of signing the meaning and not the bytes - Anytime a transformation of the data is required before or after the signature is applied, you open up a hole for attackers to exploit. See V1 and V3, which were flat out insecure and have been abandoned.<p>Sign the bytes, not the meaning.