AWS CloudTrail User Guide: Custom Implementations of CloudTrail Log File Integrity Validation

8. Validate the signature by passing the SHA-256 hash of the string, the public key, and the signature as parameters to the RSA signature verification algorithm. If the result is true, the digest file is valid.

Validate the Log Files

If the digest file is valid, validate each of the log files that the digest file references.

1. To validate the integrity of a log file, compute the SHA-256 hash of its uncompressed content and compare the result with the hash for that log file recorded, in hexadecimal, in the digest file. If the hashes match, the log file is valid.

2. Using the information about the previous digest file that is included in the current digest file, validate the previous digest files and their corresponding log files in succession.

The following sections describe these steps in detail.

A. Get the Digest File

The first steps are to get the most recent digest file, verify that you retrieved it from its original location, verify its digital signature, and get the fingerprint of the public key.

1. Using the S3 GetObject operation or the AmazonS3Client class (for example), get the most recent digest file from your Amazon S3 bucket for the time range that you want to validate.

2. Check that the S3 bucket and S3 object from which you retrieved the file match the S3 bucket and S3 object locations recorded in the digest file itself (the digestS3Bucket and digestS3Object fields). If they differ, the digest file was not retrieved from its original location and must not be used.

3. Get the digital signature of the digest file from the x-amz-meta-signature metadata property of the digest file object in Amazon S3.

4. From the digestPublicKeyFingerprint field of the digest file, get the fingerprint of the public key whose private key was used to sign the digest file.

B. Retrieve the Public Key for Validating the Digest File

To get the public key for validating the digest file, you can use either the AWS CLI or the CloudTrail API. In both cases, you specify a time range (that is, a start time and an end time) for the digest files that you want to validate. One or more public keys may be returned for the time range that you specify, and the validity time ranges of the returned keys may overlap; use the key whose fingerprint matches the digestPublicKeyFingerprint value of the digest file you are validating.

Note: Because CloudTrail uses a different private/public key pair per region, each digest file is signed with a private key unique to its region. Therefore, when you validate a digest file from a particular region, you must retrieve its public key from the same region.

Use the AWS CLI to Retrieve Public Keys

To retrieve public keys for digest files by using the AWS CLI, use the cloudtrail list-public-keys command. The command has the following format:

    aws cloudtrail list-public-keys [--start-time <start-time>] [--end-time <end-time>]

The start-time and end-time parameters are UTC timestamps and are optional. If neither is specified, the current time is used, and the currently active public key or keys are returned.
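The whole procedure above (the RSA/SHA-256 signature check in step 8, the location check in A.2, key selection by fingerprint in A.4, the uncompressed-content hash check on each log file, and walking back through previous digest files), as an added worked example that is not code from the AWS guide. It assumes: the layout of the string that CloudTrail signs (digest end time, bucket/object, SHA-256 of the digest file, previous digest signature, with the literal "null" for the first digest in a chain), as used by the AWS CLI's own validator, because the steps that build that string are not on this page; the digest field names digestS3Bucket, digestS3Object, previousDigestS3Bucket, previousDigestS3Object, previousDigestHashValue, previousDigestSignature and logFiles; a hypothetical fingerprint string "demo-fingerprint" in place of the value that list-public-keys returns; constructed sample digest and log contents; and a seeded demo RSA key with textbook PKCS#1 v1.5 verification written inline only so that the example runs without third-party packages. For real validation take the key from list-public-keys and verify with the cryptography package instead of the inline RSA.

```python
# Added example, not code from the AWS guide: digest signature, log file hash
# and previous-digest chain validation on constructed data (see lead-in).
import gzip, hashlib, hmac, json, random

SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017

def _probable_prime(n, rng, rounds=16):
    """Miller-Rabin for large odd n; enough for a demo key, not a vetted generator."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_demo_keypair(bits=1024, seed=2019):
    """Seeded, reproducible demo key pair: never use this for real keys."""
    rng, e = random.Random(seed), 65537
    def prime():
        while True:
            c = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if _probable_prime(c, rng):
                return c
    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def _emsa(digest, k):  # EMSA-PKCS1-v1_5 encoding of a SHA-256 digest, k = len(n) in bytes
    t = SHA256_DIGESTINFO + digest
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sign(priv, digest):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa(digest, k), "big"), d, n).to_bytes(k, "big")

def rsa_verify(pub, digest, sig):
    """Step 8: RSA verification of sig against the SHA-256 hash of the string."""
    n, e = pub
    k, s = (n.bit_length() + 7) // 8, int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False
    return hmac.compare_digest(pow(s, e, n).to_bytes(k, "big"), _emsa(digest, k))

def string_to_sign(raw, digest):
    """Assumption: the layout AWS's own validator signs (the guide's steps 1-7, not
    on this page): end time, bucket/object, SHA-256 of the file, previous signature."""
    return "\n".join([digest["digestEndTime"],
                      digest["digestS3Bucket"] + "/" + digest["digestS3Object"],
                      hashlib.sha256(raw).hexdigest(),
                      digest["previousDigestSignature"] or "null"])

def validate_chain(public_keys, bucket, key, digests, logs):
    """Validate the digest at (bucket, key), then each earlier one it points to.
    public_keys: {fingerprint: (n, e)}; digests: {(bucket, key): (uncompressed
    bytes, hex signature from x-amz-meta-signature)}; logs: {(bucket, key): gzip}."""
    expected_hash = None
    while key is not None:
        if (bucket, key) not in digests:
            return False, f"{key}: digest not available"
        raw, sig_hex = digests[(bucket, key)]
        digest = json.loads(raw)
        if (bucket, key) != (digest["digestS3Bucket"], digest["digestS3Object"]):  # A.2
            return False, f"{key}: fetched from a location other than the recorded one"
        if expected_hash and hashlib.sha256(raw).hexdigest() != expected_hash:  # chain link
            return False, f"{key}: previousDigestHashValue of the later digest differs"
        pub = public_keys.get(digest["digestPublicKeyFingerprint"])  # A.4: key by fingerprint
        h = hashlib.sha256(string_to_sign(raw, digest).encode()).digest()
        if pub is None or not rsa_verify(pub, h, bytes.fromhex(sig_hex)):
            return False, f"{key}: digest signature invalid"
        for lf in digest["logFiles"]:  # hash the UNCOMPRESSED content, compare hex
            gz = logs.get((lf["s3Bucket"], lf["s3Object"]))
            if gz is None or hashlib.sha256(gzip.decompress(gz)).hexdigest() != lf["hashValue"]:
                return False, f"{lf['s3Object']}: log file hash mismatch"
        bucket, key = digest["previousDigestS3Bucket"], digest["previousDigestS3Object"]
        expected_hash = digest["previousDigestHashValue"]
    return True, "ok"

def build_sample(tamper_log=False):
    """Constructed two-digest chain over one log file, signed with the demo key;
    tamper_log=True replaces the log content after signing."""
    pub, priv = make_demo_keypair()
    fp, bucket = "demo-fingerprint", "example-trail-bucket"  # fp stands in for the real one
    log_key = "AWSLogs/111122223333/CloudTrail/us-east-1/2019/10/01/log.json.gz"
    log_gz = gzip.compress(b'{"Records":[{"eventName":"ConsoleLogin"}]}')
    logs, digests, prev = {(bucket, log_key): log_gz}, {}, None
    for i in (1, 2):
        key = f"AWSLogs/111122223333/CloudTrail-Digest/us-east-1/2019/10/01/d{i}.json"
        d = {"digestEndTime": f"2019-10-01T0{i}:00:00Z", "digestS3Bucket": bucket,
             "digestS3Object": key, "digestPublicKeyFingerprint": fp,
             "logFiles": [{"s3Bucket": bucket, "s3Object": log_key,
                           "hashValue": hashlib.sha256(gzip.decompress(log_gz)).hexdigest()}],
             "previousDigestS3Bucket": prev and bucket, "previousDigestS3Object": prev and prev[0],
             "previousDigestHashValue": prev and hashlib.sha256(prev[1]).hexdigest(),
             "previousDigestSignature": prev and prev[2]}
        raw = json.dumps(d).encode()
        sig = rsa_sign(priv, hashlib.sha256(string_to_sign(raw, d).encode()).digest()).hex()
        digests[(bucket, key)], prev = (raw, sig), (key, raw, sig)
    if tamper_log:
        logs[(bucket, log_key)] = gzip.compress(b'{"Records":[]}')
    return {fp: pub}, bucket, prev[0], digests, logs
```

validate_chain(*build_sample()) returns (True, "ok"); with tamper_log=True the signature over the digest still verifies, but the log file's recomputed SHA-256 no longer matches the hex value recorded in the digest, so the chain is rejected at that log file. Flipping any bit of the stored signature, or fetching the digest under a different S3 key than the one recorded inside it, is rejected earlier, at the signature or location check respectively.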