Security & Privacy - CSCI-40500-77100-Spring-2021/project-10__backend GitHub Wiki
Authorization Header
Authenticating Requests with S3
The HTTP Authorization header is used for providing authentication information.
All Amazon S3 operations use the Authorization request header to provide authentication information except for POST requests or requests that are signed using query parameters.
The following is an example of an Authorization header value, taken from the AWS documentation:

```http
Authorization: AWS4-HMAC-SHA256
Credential=AKIAIOSFODNN7EXAMPLE/20130524/us-east-1/s3/aws4_request,
SignedHeaders=host;range;x-amz-date,
Signature=fe5f80f77d5fa3beca038a248ff027d0445342fe2855ddc963176630326f1024
```
The first line, the algorithm, names the algorithm used to calculate the signature: AWS4 is the signature version and HMAC-SHA256 is the signing algorithm.
The second line, the credential, contains the access key ID and the credential scope, which is the date, region, and service used to calculate the signature.
The third line, the signed headers, lists the names of the request headers that were included in the signature, in lowercase and separated by semicolons.
The fourth line is the 256-bit signature, expressed as 64 hexadecimal characters. How the signature is calculated depends on how the payload is transferred.
To learn about this and more, see the official documentation: AWS Signature 4
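The following is an added example, written for this wiki page; it is not AWS's SDK code and not the project's own code. It implements the Signature Version 4 steps the four lines above are built from (canonical request, string to sign, derived signing key, HMAC-SHA256 signature) and, for the backend side, a parser that checks a received header has exactly that shape and that its credential scope agrees with the request's own x-amz-date, region and service. The access key, date, region and signed-header list come from the page's example; the secret key is a constructed placeholder, so the signature printed here is not the page's signature. The example goes beyond the page's single header in that the signer handles any header set and query string, not only host/range/x-amz-date.

```python
"""AWS Signature Version 4 (SigV4): build an Authorization header and validate a received one.
Illustrative code for this wiki page, not AWS's SDK and not the project's code."""
import hashlib
import hmac
import re
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"
TERMINATOR = "aws4_request"


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _canonical_headers(headers: dict) -> dict:
    # SigV4 canonical form: lowercase names, trimmed values with inner whitespace
    # collapsed to one space, sorted by name.
    canon = {k.strip().lower(): " ".join(v.strip().split()) for k, v in headers.items()}
    return dict(sorted(canon.items()))


def canonical_request(method: str, path: str, query: dict, headers: dict, payload_hash: str):
    canon = _canonical_headers(headers)
    canonical_headers = "".join(f"{n}:{v}\n" for n, v in canon.items())
    signed_headers = ";".join(canon)                      # e.g. host;range;x-amz-date
    canonical_query = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}"
                               for k, v in sorted(query.items()))
    request = "\n".join([method.upper(), quote(path, safe="/"), canonical_query,
                         canonical_headers, signed_headers, payload_hash])
    return request, signed_headers


def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    # kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), service), "aws4_request")
    k_date = _hmac_sha256(("AWS4" + secret).encode("utf-8"), date)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, TERMINATOR)


def build_authorization_header(access_key: str, secret: str, region: str, service: str,
                               method: str, path: str, headers: dict,
                               query: dict = None, payload_hash: str = None) -> str:
    query = query or {}
    payload_hash = payload_hash or _sha256_hex(b"")      # hash of an empty body (GET)
    canon = _canonical_headers(headers)
    if "x-amz-date" not in canon or "host" not in canon:
        raise ValueError("x-amz-date and host headers must be present and signed")
    amz_date = canon["x-amz-date"]                        # e.g. 20130524T000000Z
    scope = f"{amz_date[:8]}/{region}/{service}/{TERMINATOR}"
    request, signed_headers = canonical_request(method, path, query, headers, payload_hash)
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope, _sha256_hex(request.encode("utf-8"))])
    signature = hmac.new(signing_key(secret, amz_date[:8], region, service),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return (f"{ALGORITHM} Credential={access_key}/{scope}, "
            f"SignedHeaders={signed_headers}, Signature={signature}")


# Exactly the documented shape: algorithm, credential scope, signed headers, 64 hex chars.
_AUTH_RE = re.compile(
    r"^AWS4-HMAC-SHA256\s+"
    r"Credential=(?P<access_key>[^/,\s]+)/(?P<date>\d{8})/(?P<region>[^/]+)/(?P<service>[^/]+)/aws4_request,\s*"
    r"SignedHeaders=(?P<signed_headers>[a-z0-9_\-;]+),\s*"
    r"Signature=(?P<signature>[0-9a-f]{64})$")


def parse_authorization_header(value: str) -> dict:
    """Backend side: split a received header into its four parts or reject it."""
    m = _AUTH_RE.match(" ".join(value.split()))            # tolerate the line-wrapped form
    if not m:
        raise ValueError("malformed SigV4 Authorization header")
    parts = m.groupdict()
    parts["signed_headers"] = parts["signed_headers"].split(";")
    return parts


def scope_matches_request(parts: dict, amz_date: str, region: str, service: str) -> bool:
    # The credential scope must agree with the request's own date, region and service,
    # and host and x-amz-date must be among the signed headers, before any HMAC work.
    return (amz_date.startswith(parts["date"]) and parts["region"] == region
            and parts["service"] == service
            and "host" in parts["signed_headers"] and "x-amz-date" in parts["signed_headers"])


if __name__ == "__main__":
    # Access key, date, region and headers from the page's example; the secret is a placeholder.
    header = build_authorization_header(
        "AKIAIOSFODNN7EXAMPLE", "EXAMPLE-SECRET-KEY-not-a-real-credential", "us-east-1", "s3",
        "GET", "/test.txt", {"Host": "examplebucket.s3.amazonaws.com", "Range": "bytes=0-9",
                              "x-amz-date": "20130524T000000Z"})
    print(header)
    print(parse_authorization_header(header))
```

The parser is deliberately strict: a header that does not match the four-part layout is rejected before any key lookup or HMAC computation, and the scope check catches a signature that was computed for a different day, region or service.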
Data In Transit Encrypted
All of our data in transit is encrypted: we use HTTPS for all communications.
Hypertext Transfer Protocol Secure (HTTPS) is HTTP carried over a connection encrypted with TLS.
HTTPS authenticates the server being accessed and protects the privacy and integrity of the exchanged data while it is in transit, because traffic is encrypted in both directions between client and server. This protects users against man-in-the-middle attacks, eavesdropping, and tampering. The encryption is done at the transport layer by Transport Layer Security (TLS), which uses asymmetric encryption to authenticate the server and set up the encrypted session.
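As an added example (not code from the project), the following shows the client-side settings that make the "all traffic over HTTPS" statement above enforceable rather than a convention: a TLS context that verifies the certificate chain and hostname and refuses anything below TLS 1.2, a check that rejects plain-HTTP URLs before the Authorization header could be sent in the clear, and a redirect check, because a 3xx response whose Location points at http:// would otherwise silently downgrade the connection. The URLs are constructed sample values.

```python
"""HTTPS-only client settings. Illustrative code for this wiki page, not the project's own."""
import ssl
from urllib.parse import urljoin, urlsplit


def https_context() -> ssl.SSLContext:
    # create_default_context() loads the system CA store and enables certificate
    # and hostname verification; we additionally refuse TLS versions below 1.2.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def require_https(url: str) -> str:
    # Reject any URL that would send the Authorization header unencrypted.
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"refusing non-HTTPS URL: {url}")
    return url


def safe_redirect_target(original: str, location: str) -> str:
    # A Location header may be relative; resolve it against the original URL and
    # re-check the scheme so an https -> http redirect cannot downgrade the connection.
    return require_https(urljoin(original, location))


if __name__ == "__main__":
    print(https_context().minimum_version)
    print(require_https("https://api.example.com/items"))          # constructed sample URL
    print(safe_redirect_target("https://api.example.com/v1/items", "/v2/items"))
```

Pass the context from https_context() to whatever HTTP client the code uses (for example as the ssl_context of an http.client.HTTPSConnection), and run every outgoing URL and every redirect target through require_https / safe_redirect_target.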
Cognito JWT Token
Cognito JWT tokens are used to authenticate every request. The token is passed in the Authorization header.
An example of its use:
```java
import java.io.IOException;
import okhttp3.Request;
import okhttp3.ResponseBody;

// ResultCallback, Auth and GetRequestURL are the project's own types and helpers.
public static void get(String url, ResultCallback<ResponseBody, IOException> responseEvent) {
    Auth.retrieveJWTToken(new ResultCallback<String, Exception>() {  // fetch the Cognito JWT first
        @Override
        public void onSuccess(String token) {
            Request request = new Request.Builder()
                    .url(GetRequestURL(url))
                    .header("Authorization", token)   // the JWT is sent as the Authorization header
                    .build();
            // the request is then executed and its ResponseBody handed to responseEvent
        }
    });
}
```
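The snippet above is the client side. The following is an added example, written for this page and not the project's own code, of what the backend should check before trusting the token it receives in the Authorization header: segment structure, a pinned algorithm, key selection by kid, the signature, and only then the exp, iss, token_use and audience claims. Cognito signs its tokens with RS256 and publishes the public keys at the user pool's JWKS URL; to run offline without a crypto library, this sample signs with HMAC-SHA256 (HS256) and uses an in-memory key table in place of the JWKS. The issuer, client id, key id and secret are constructed values.

```python
"""Verify a Cognito-style JWT taken from the Authorization header.
Illustrative code for this wiki page; not the project's code and not an AWS library.
HS256 and the in-memory KEYS table stand in for Cognito's RS256 keys and JWKS so it runs offline."""
import base64
import hashlib
import hmac
import json
import time

# Constructed sample values (not a real pool, client or key)
ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLEPOOL"
CLIENT_ID = "example-app-client-id"
KEYS = {"key-1": b"constructed-demo-hmac-secret"}   # kid -> key, the JWKS lookup stand-in


class TokenError(Exception):
    pass


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def make_hs256_token(claims: dict, key: bytes, kid: str) -> str:
    # Demo issuer: builds a signed JWT so the verifier below has something to check.
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_token(auth_header: str, keys=KEYS, issuer=ISSUER, client_id=CLIENT_ID,
                 token_use="id", expected_alg="HS256", now=None) -> dict:
    """Return the verified claims or raise TokenError. Order matters: structure, then the
    pinned algorithm and key id, then the signature, and only then the claims, so nothing
    is acted on from an unverified token."""
    token = auth_header.strip()
    if token.lower().startswith("bearer "):          # the project sends the raw JWT; accept both forms
        token = token[7:].strip()
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        sig = _b64url_decode(s)
    except ValueError as exc:                        # bad base64, bad JSON or wrong segment count
        raise TokenError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise TokenError("malformed token")
    if header.get("alg") != expected_alg:            # the token never chooses its own algorithm
        raise TokenError("unexpected alg")
    key = keys.get(header.get("kid"))
    if key is None:
        raise TokenError("unknown kid")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise TokenError("bad signature")
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise TokenError("expired")
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    if claims.get("token_use") != token_use:
        raise TokenError("wrong token_use")
    # Cognito ID tokens carry the app client id in "aud"; access tokens carry it in "client_id".
    audience = claims.get("aud") if token_use == "id" else claims.get("client_id")
    if audience != client_id:
        raise TokenError("wrong audience")
    return claims


if __name__ == "__main__":
    sample = make_hs256_token(
        {"sub": "user-123", "iss": ISSUER, "aud": CLIENT_ID, "token_use": "id",
         "exp": int(time.time()) + 3600}, KEYS["key-1"], "key-1")
    print(verify_token(sample)["sub"])
```

In a real deployment, replace the KEYS table with the keys fetched from the pool's JWKS endpoint (selected by the token's kid), set expected_alg to "RS256" with an RSA verification, and set issuer to https://cognito-idp.{region}.amazonaws.com/{userPoolId} for the pool in use; the claim checks stay the same.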