Serdar Yegulalp
Senior Writer

Amazon’s s2n encryption library aims to be small, light, and auditable

news analysis
Jun 30, 2015

New open source encryption library is meant to be easy to implement as well as easy to audit for security issues

In hopes of avoiding the kinds of bugs that have found their way into the OpenSSL or GnuTLS encryption libraries, Amazon is rolling its own library for implementing SSL/TLS and giving it away for free — although it’s still only in its early stages.

The library, named s2n, is meant to provide a small, fast, and simple implementation of TLS. The scaled-down nature of s2n doesn’t just make the library easier to create and implement, it makes it easier to audit as well.

The jungle of available encryption algorithms and protocols can be difficult to navigate, with many of them deprecated or only used for corner-case backwards-compatibility functionality. (The FREAK flaw exploited one of those legacy protocols.) Consequently, s2n allows the user to set the latest, most-preferred default settings by way of a simple API call. Specific versions of protocols can also be invoked for backwards compatibility if needed.

In a post to Amazon’s security blog, the company detailed how s2n — which consists of only about 6,000 lines of C code — doesn’t even implement many of the less-used extensions or options found in TLS. The company claims it has “already completed three external security evaluations and penetration tests on s2n, a practice we will be continuing.” Other safety features in s2n, as described in the project’s README file, include memory-protection technologies and separate random-number generators for public and private data.

What s2n doesn’t do is also worth noting. For one, Amazon is not positioning it as a direct replacement for the OpenSSL library; Amazon’s plan is to support that project by way of the Linux Foundation’s Core Infrastructure Initiative.

Also, s2n isn’t meant — at least not yet — to be a general-purpose cryptography library. Instead it is focusing exclusively on providing TLS functionality for servers. It also does not yet appear to perform certificate validation on its own, according to one issue still open on the project. 

Aside from continuing to advance the project on its own, Amazon’s next move is to integrate the Apache-licensed library into AWS’ services over the next few months.

“TLS is a standardized protocol and s2n already implements the functionality that we use, so this won’t require any changes in your own applications and everything will remain interoperable,” Amazon said.
