BSIDES MELBOURNE

Long way to the auth if you want a SIGv4 roll

Presenter: Dushan
Format: 45 mins

Abstract
The vast majority of authentication systems rely on pre-shared secrets that are exchanged over an encrypted channel between parties to verify each other's identity.

But there are several fundamental issues with this approach.
  1. The initial establishment of these credentials between two unknown parties is challenging, especially via an un-trusted channel such as the internet.
  2. A common alternative is to leverage public key cryptography, but this requires the maintenance of a PKI and has several complexities of its own.
  3. The client needs to keep the secret a secret; if it is leaked (unintentionally) or shared (deliberately), additional unauthorized parties can interact with the service as though they were the original client, effectively breaking the authentication layer entirely.
  4. Rotating a compromised credential can be challenging and can result in broken sessions and downtime (especially if the server does not have logic to do a smooth rotation).

What if two services could authenticate each other without needing to share secrets, without requiring any prior trust, by leveraging the fact that they both trust the Amazon Identity and Access Management Service (IAM)...?

In this presentation I am going to demonstrate how I have taken the authentication primitives provided by Amazon and decoupled signature creation from transmission in order to build an overlay protocol which enables parties to perform mutual authentication in a simple way, without needing to share secrets, while preserving all the security guarantees offered by AWS IAM.
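The following is an added illustration of the "sign here, verify there" idea described above; it is not the presenter's code and the talk may structure the protocol differently. It assumes (my assumptions, not stated in the abstract) that the client SigV4-signs an `sts:GetCallerIdentity` request, binds it to the session with a hypothetical `X-Bsides-Nonce` header, and hands the signed headers to the peer instead of sending them to AWS; the peer checks the presented request locally and then replays it to STS, which verifies the signature with the account's secret and returns the caller's ARN. The credentials and timestamps are constructed placeholders (the AWS documentation example keys), so nothing here authenticates against a real account.

```python
# Added example (not the talk's code): client-side SigV4 signing of an
# sts:GetCallerIdentity request handed to a peer, plus the peer's checks
# before it forwards the request to STS. Assumed, not from the abstract:
# the X-Bsides-Nonce session-binding header, the choice of GetCallerIdentity,
# and the constructed credentials below (AWS documentation placeholders).
import datetime
import hashlib
import hmac
import urllib.request
import xml.etree.ElementTree as ET

REGION, SERVICE = "us-east-1", "sts"
HOST = f"sts.{REGION}.amazonaws.com"
BODY = "Action=GetCallerIdentity&Version=2011-06-15"
ACCESS_KEY = "AKIDEXAMPLE"                                  # constructed
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"    # constructed
NONCE_HEADER = "X-Bsides-Nonce"                             # hypothetical
AMZ_FMT = "%Y%m%dT%H%M%SZ"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret: str, date: str) -> bytes:
    # AWS4 derivation chain: date -> region -> service -> "aws4_request"
    k = _hmac(("AWS4" + secret).encode(), date)
    for part in (REGION, SERVICE, "aws4_request"):
        k = _hmac(k, part)
    return k


def _string_to_sign(headers: dict, body: str) -> tuple:
    """SigV4 canonical request + string to sign; `headers` excludes Authorization."""
    items = sorted((k.lower(), " ".join(v.split())) for k, v in headers.items())
    signed = ";".join(k for k, _ in items)
    canonical = "\n".join(["POST", "/", "",             # method, path, no query
                           "".join(f"{k}:{v}\n" for k, v in items), signed,
                           hashlib.sha256(body.encode()).hexdigest()])
    amz_date = next(v for k, v in headers.items() if k.lower() == "x-amz-date")
    scope = f"{amz_date[:8]}/{REGION}/{SERVICE}/aws4_request"
    sts = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                     hashlib.sha256(canonical.encode()).hexdigest()])
    return sts, signed


def sign_request(nonce: str, amz_date: str) -> dict:
    """Client: build the signed request and hand it to the peer, never to AWS."""
    headers = {"Host": HOST, "X-Amz-Date": amz_date, NONCE_HEADER: nonce,
               "Content-Type": "application/x-www-form-urlencoded; charset=utf-8"}
    sts, signed = _string_to_sign(headers, BODY)
    sig = hmac.new(_signing_key(SECRET_KEY, amz_date[:8]), sts.encode(),
                   hashlib.sha256).hexdigest()
    headers["Authorization"] = (f"AWS4-HMAC-SHA256 Credential={ACCESS_KEY}/"
                                f"{amz_date[:8]}/{REGION}/{SERVICE}/aws4_request, "
                                f"SignedHeaders={signed}, Signature={sig}")
    return {"headers": headers, "body": BODY}


def peer_checks(presented: dict, expected_nonce: str, now_amz=None, max_skew_s=300) -> list:
    """Peer: reasons to reject before spending a round trip to STS."""
    h = {k.lower(): v for k, v in presented["headers"].items()}
    auth = h.get("authorization", "")
    signed = auth.split("SignedHeaders=")[-1].split(",")[0].split(";") if "SignedHeaders=" in auth else []
    problems = []
    if h.get("host") != HOST:                 # never forward to a host the client chose
        problems.append("host is not the pinned STS endpoint")
    if presented["body"] != BODY:             # only this read-only action is accepted
        problems.append("body is not a GetCallerIdentity call")
    if NONCE_HEADER.lower() not in signed:    # nonce must be inside the signed set
        problems.append("nonce header is not covered by the signature")
    if h.get(NONCE_HEADER.lower()) != expected_nonce:
        problems.append("nonce does not match this session")
    now = (datetime.datetime.strptime(now_amz, AMZ_FMT) if now_amz
           else datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None))
    try:
        ts = datetime.datetime.strptime(h.get("x-amz-date", ""), AMZ_FMT)
        if abs((now - ts).total_seconds()) > max_skew_s:
            problems.append("X-Amz-Date outside allowed clock skew")
    except ValueError:
        problems.append("missing or malformed X-Amz-Date")
    return problems


def signature_matches(presented: dict) -> bool:
    """What STS does with the account's secret: recompute and compare.
    Done here with the constructed key only to show that every signed header,
    the nonce included, is bound; in the real protocol the peer holds no key."""
    headers = {k: v for k, v in presented["headers"].items() if k.lower() != "authorization"}
    auth = presented["headers"].get("Authorization", "")
    amz_date = headers["X-Amz-Date"]
    sts, _ = _string_to_sign(headers, presented["body"])
    expected = hmac.new(_signing_key(SECRET_KEY, amz_date[:8]), sts.encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, auth.rsplit("Signature=", 1)[-1])


def forward_to_sts(presented: dict, timeout: int = 10) -> str:
    """Peer: replay the presented request to STS and return the caller ARN.
    Needs network access and real credentials; not exercised offline."""
    req = urllib.request.Request(f"https://{HOST}/", data=presented["body"].encode(),
                                 headers=presented["headers"], method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        root = ET.fromstring(resp.read())
    return next(el.text for el in root.iter() if el.tag.endswith("Arn"))
```

The design point is that the peer accepts nothing on the client's say-so: it pins the STS host so it cannot be turned into a relay, restricts the body to a harmless identity call, requires the session nonce to be inside `SignedHeaders` so a captured request cannot be replayed into another session, enforces a clock-skew window, and only then lets STS decide whether the signature is genuine. Run both directions and each side learns the other's IAM ARN, which is the identity the authorization decision is then made on.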

This talk will demonstrate to the audience how to build such a system, empowering them to build mutual authentication into their applications, without needing to do a significant amount of engineering, while additionally freeing them of the burden of credential management.
© Copyright BSides Melbourne 2023. All rights reserved.