s2n

Original author(s): Colm MacCárthaigh
Developer(s): Amazon Web Services
Stable release: 1.4.8[1] (19 March 2024)
Repository
Written in: C99
Operating system: Cross-platform
Type: Security library
License: Apache License 2.0
Website: github.com/aws/s2n-tls

s2n is an open-source C99 implementation of the Transport Layer Security (TLS) protocol developed by Amazon Web Services (AWS) and released in 2015. It was written so that the code, about 6,000 lines, would be easier to review than that of OpenSSL, which has roughly 500,000 lines, about 70,000 of which are involved in processing TLS.[2][3]

History

s2n was released on June 30, 2015 on GitHub. AWS said that the name "s2n" stands for "signal to noise", as a nod "to the almost magical act of encryption—disguising meaningful signals, like your critical data, as seemingly random noise".[2] It has been the subject of several external reviews as well as penetration testing.[4]

s2n was reported to be vulnerable to the Lucky Thirteen timing attack, which exploits timing differences in how a TLS implementation handles CBC-mode record padding and MAC verification. In response, Amazon's s2n team said it would remove CBC-mode cipher suites and replace its own CBC-mode decryption with code taken from BoringSSL.[5] An AWS Security Blog post said that the issue did not impact Amazon, AWS, or its customers because s2n had never been used in a production environment.[6]
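To make the class of defect behind Lucky Thirteen concrete, the following is an added illustration in C; it is hypothetical code written for this article, not code from s2n, BoringSSL or any other library. It contrasts a TLS 1.2 CBC padding check that exits at the first bad byte, so that the amount of work done depends on secret plaintext, with a masked check in the style BoringSSL uses, whose work depends only on the public record length. The 48-byte records, the corrupted offsets and the `run_scenario` helper are constructed for the example. The full attack also depends on the time taken to compute the MAC over a data-dependent number of blocks, which this example does not model.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* TLS 1.2 CBC padding: the record ends with a length byte p, preceded by p
 * further bytes that must all equal p, so the padding occupies p + 1 bytes
 * (at most 256). The checks below report how many bytes they inspected; in a
 * real record layer that work shows up as a timing difference. */

/* 0xff if a >= b, else 0x00, without a data-dependent branch. Valid while both
 * operands are below 2^(bits-1), which holds for record lengths. */
static uint8_t ct_ge8(size_t a, size_t b)
{
    size_t top = (a - b) >> (sizeof(size_t) * 8 - 1); /* 1 only when a < b */
    return (uint8_t)(top - 1);                         /* 0 -> 0xff, 1 -> 0x00 */
}

/* Variable-time check: returns at the first bad byte, so the number of bytes
 * read depends on the (secret) plaintext. Returns 1 if padding is valid. */
static int padding_check_variable_time(const uint8_t *rec, size_t len,
                                       size_t *bytes_inspected)
{
    size_t n = 0;
    if (len == 0) { *bytes_inspected = 0; return 0; }
    uint8_t pad = rec[len - 1];
    n++;
    if ((size_t)pad + 1 > len) { *bytes_inspected = n; return 0; }
    for (size_t i = 0; i < pad; i++) {
        n++;
        if (rec[len - 2 - i] != pad) { *bytes_inspected = n; return 0; }
    }
    *bytes_inspected = n;
    return 1;
}

/* Constant-time check in the masked style used by BoringSSL: always touches
 * min(len, 256) bytes and selects with masks instead of branches, so the work
 * depends only on the public record length. Returns 1 if padding is valid. */
static int padding_check_constant_time(const uint8_t *rec, size_t len,
                                       size_t *bytes_inspected)
{
    if (len == 0) { *bytes_inspected = 0; return 0; }
    size_t pad = rec[len - 1];
    size_t to_check = len < 256 ? len : 256;   /* public value */
    uint8_t good = ct_ge8(len, pad + 1);       /* padding must fit in the record */
    for (size_t i = 0; i < to_check; i++) {
        uint8_t mask = ct_ge8(pad, i);         /* 0xff for offsets 0..pad */
        uint8_t b = rec[len - 1 - i];
        good &= (uint8_t)~(mask & ((uint8_t)pad ^ b));
    }
    *bytes_inspected = to_check;
    /* A real record layer would not return here: it would go on to verify the
     * MAC with the padding length forced to zero on failure, and only then
     * reveal a verdict. */
    return good == 0xff;
}

/* Constructed fixture: a 48-byte record of 0xAA followed by pad + 1 bytes of
 * pad, with one byte optionally overwritten. Returns bytes inspected by the
 * chosen check and stores its verdict in *valid. */
static size_t run_scenario(int constant_time, uint8_t pad, int corrupt_index,
                           uint8_t corrupt_value, int *valid)
{
    uint8_t rec[48];
    size_t n = 0;
    if ((size_t)pad + 1 > sizeof rec) { *valid = 0; return 0; }
    memset(rec, 0xAA, sizeof rec);
    memset(rec + sizeof rec - ((size_t)pad + 1), pad, (size_t)pad + 1);
    if (corrupt_index >= 0 && corrupt_index < (int)sizeof rec)
        rec[corrupt_index] = corrupt_value;
    *valid = constant_time ? padding_check_constant_time(rec, sizeof rec, &n)
                           : padding_check_variable_time(rec, sizeof rec, &n);
    return n;
}

/* Wrappers so each result can be checked on its own. */
static int scenario_valid(int ct, uint8_t pad, int idx, uint8_t val)
{ int v; run_scenario(ct, pad, idx, val, &v); return v; }
static size_t scenario_bytes(int ct, uint8_t pad, int idx, uint8_t val)
{ int v; return run_scenario(ct, pad, idx, val, &v); }

int main(void)
{
    /* Corrupt the padding byte next to the length byte, then the farthest one:
     * the variable-time check's work differs, the constant-time check's does not. */
    int idx[] = { 46, 42 };
    for (int k = 0; k < 2; k++)
        printf("corrupt rec[%d]: variable-time read %zu bytes, constant-time read %zu bytes\n",
               idx[k], scenario_bytes(0, 5, idx[k], 0), scenario_bytes(1, 5, idx[k], 0));
    return 0;
}
```

An attacker who can submit modified records and measure response time learns, from the variable-time version, how many trailing bytes happened to match the length byte; the masked version gives the same timing for every record of the same length, which is the property the BoringSSL code adopted by s2n is designed to provide.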

In February 2017, Amazon announced that s2n was now handling 100% of SSL traffic for Amazon S3.[7]

Features

TLS extensions

s2n supports the common TLS extensions Server Name Indication (SNI), Application-Layer Protocol Negotiation (ALPN) and OCSP stapling (the certificate status request extension).

Cryptography

s2n implements the symmetric ciphers commonly negotiated by TLS, including AES in CBC and GCM modes, as well as the legacy 3DES and RC4. Forward secrecy is provided through ephemeral Diffie–Hellman (DHE) or ephemeral elliptic-curve Diffie–Hellman (ECDHE) key exchange.

Weaker ciphers and key exchange modes are disabled by default.[4]

Language bindings

Bindings for other programming languages exist but were not developed by AWS; the project lists them in its documentation.[8]

References

  1. "Release 1.4.8". 19 March 2024. Retrieved 25 March 2024.
  2. Schmidt, Steve (30 June 2015). "Introducing s2n, a New Open Source TLS Implementation". AWS Security Blog. Retrieved 23 March 2021.
  3. Killalea, Tom (March 2021). "A Second Conversation with Werner Vogels". Communications of the ACM. 64 (3): 50–57. doi:10.1145/3434232. Retrieved 23 March 2021.
  4. aws/s2n-tls: an implementation of the TLS/SSL protocols, on GitHub.
  5. Chirgwin, Richard (21 August 2018). "TLS developers should ditch 'pseudo constant time' crypto processing". The Register. Retrieved 23 March 2021.
  6. MacCarthaigh, Colm (24 November 2015). "s2n and Lucky 13". AWS Security Blog. Retrieved 23 March 2021.
  7. Schmidt, Steve (23 February 2017). "s2n Is Now Handling 100 Percent of SSL Traffic for Amazon S3". AWS Security Blog. Retrieved 23 March 2021.
  8. "Language Bindings for s2n-tls". GitHub. Amazon Web Services. Retrieved 23 March 2021.