Open Source Cryptography

We’re excited to announce that AWS-LC FIPS 3.0 has been added to the National Institute of Standards and Technology (NIST) Cryptographic Module Validation Program (CMVP) modules in process list.

Automated reasoning and optimizations specific to CPU microarchitectures improve both performance and assurance of correct implementation.

Optimizations for Amazon's Graviton2 chip boost efficiency, and formal verification shortens development time.By June Lee, Hanno Becker, John Harrison.

AWS-LC, our open source cryptographic library, has achieved FIPS 140-3 validation from NIST, enabling customers to benefit from its improved performance across many environments.

Explore some exciting features of QUIC and learn about s2n-quic, an open-source QUIC implementation that delivers the performance and security AWS customers expect.

Gain insights into how AWS-LC was submitted for Federal Information Processing Standard (FIPS) 140-3 certification.

Discover whatAWS teams aredoing to improve thesecurity of theupstream OSS supplychain throughcontributions to theOpen SourceSecurity Foundation(OpenSSF) and more.

Learn about AWS's experience implementing and deploying cryptographic algorithms that utilize carefully targeted micro-architectural optimizations and are formally verified with Automated Reasoning.

AWS Libcrypto (AWS-LC) is the flagship cryptographic library maintained by the AWS Cryptography team. Based on code from the Google BoringSSL and OpenSSL projects, AWS-LC serves as a foundation for our other language-specific cryptographic and transport libraries.

AWS Libcrypto for Rust (aws-lc-rs) is a cryptographic library using AWS-LC for its cryptographic operations and aims to provide developers with a secure, efficient, and easy-to-use cryptographic library. It offers a range of cryptographic operations, including AEAD, digital signatures, and digests/hashing.

AWS Libcrypto Formal Verification (aws-lc-verification) provides specifications, proof scripts, and other artifacts required to formally verify portions of AWS Libcrypto. Formal verification is used to locate bugs and increase assurance of the correctness and security of the library.

Amazon Corretto Crypto Provider (ACCP) is a collection of efficient cryptographic implementations, backed by AWS-LC, and exposed through the standard Java Cryptography Architecture (JCA) interface. It can be used as a drop-in replacement in many different Java applications.

s2n-tls is a C99 implementation of the TLS/SSL protocol that is designed to be simple, fast, and secure. s2n-tls has been widely adopted by AWS services since its introduction in 2015. For example, s2n-tls has handled 100% of SSL traffic for Amazon S3 since 2017.

s2n-quic is a Rust implementation of the IETF QUIC protocol, featuring a simple, easy-to-use API. QUIC is an encrypted transport protocol designed for performance and serves as the foundation of HTTP/3.

s2n-bignum is a collection of bignum arithmetic routines designed for cryptography and utilized by AWS-LC and our other libraries. Each function is written in a constant-time style, and is accompanied by a machine-checked formal proof that its mathematical result is correct based on a formal model of the underlying machine. It thus provides a combination of speed, correctness and security against timing side channels.

AWS Encryption SDK is a client-side encryption library for all types of data. It makes best-practice client-side encryption easier, so you can focus on the core functionality of your application. These libraries may be used with any cryptographic service provider, including AWS Key Management Service (KMS) or AWS CloudHSM.

Cryptographic Computing for Clean Rooms (C3R) allows you to collaborate with your data in AWS Clean Rooms using a technique that allows multiple parties to jointly compute a function over their inputs while keeping those inputs private. If you have data handling policies that require encryption of sensitive data, you can pre-encrypt your data using a common collaboration-specific encryption key so that data is encrypted even when queries are run.