AWS prescriptive-guidance high security documentation change
Summary
Updated cryptographic algorithm recommendations - changed key agreement algorithm from ECDSA to ECDH(E), consolidated ECDSA signature entries, and expanded details about AWS-LC validation
Security assessment
Changes update recommended quantum-resistant algorithms and emphasize formal verification of implementations. These updates reflect security best practices for post-quantum cryptography and implementation assurance.
Diff
diff --git a/prescriptive-guidance/latest/encryption-best-practices/aws-cryptography-services.md b/prescriptive-guidance/latest/encryption-best-practices/aws-cryptography-services.md index 904fade94..d7238d059 100644 --- a//prescriptive-guidance/latest/encryption-best-practices/aws-cryptography-services.md +++ b//prescriptive-guidance/latest/encryption-best-practices/aws-cryptography-services.md @@ -17 +17 @@ AWS follows the [shared responsibility model](https://aws.amazon.com/compliance/ -AWS defaults to high-assurance cryptographic implementations and prefers hardware-optimized solutions that are efficient. Our cryptographic core library, [AWS-LC](https://github.com/aws/aws-lc), is available as open source for transparency and industry-wide reuse. The recommended cryptographic algorithms in AWS-LC are formally verified for correctness, and the library is validated under NIST's FIPS-140 program. +AWS defaults to high-assurance cryptographic implementations and prefers hardware-optimized solutions that are efficient. Our cryptographic core library, [AWS-LC](https://github.com/aws/aws-lc), is available as open source for transparency and industry-wide reuse. Many cryptographic algorithm implementations in AWS-LC are formally verified to increase assurance of the correctness and security of the implementation in several different platforms. The library is also validated under NIST's FIPS-140 program. @@ -56 +56 @@ Key agreement | ML-KEM-768 or ML-KEM-1024 | Preferred (quantum-resistant) -Key agreement | ECDSA with P-256, P-384, P-521, or Ed25519 | Acceptable +Key agreement | ECDH(E) with P-256, P-384, P-521, or X25519 | Acceptable @@ -60,2 +60 @@ Signatures | SLH-DSA | Acceptable (quantum-resistant) -Signatures | ECDSA with P-384 | Acceptable -Signatures | ECDSA with P-256, P-521, or Ed25519 | Acceptable +Signatures | ECDSA with P-256, P-384, P-521, or Ed25519 | Acceptable