To understand how Cryptbreaker manages to achieve its two primary goals, we need to talk more about the capabilities afforded to us by Amazon Web Services (AWS).
AWS provides a large number of services to its subscribers: everything from DNS management (Route 53), to virtual machines (EC2), object storage (S3), content delivery networks (CloudFront), and even managed databases (Amazon Aurora, Amazon RDS, and Amazon Redshift, to name a few).
In addition to providing all of those services, AWS also lets users configure roles, permissions, and a host of other options that control how each service is set up and who is allowed to use it.
The three primary services that Cryptbreaker relies on to provide affordable cracking, with the option to prevent plaintext credentials from ever being viewed, are Amazon's Simple Storage Service (S3), Amazon's virtual machine offering, Elastic Compute Cloud (EC2), and the Identity and Access Management (IAM) service.
We’ll discuss each of these services in a little more detail before jumping into how Cryptbreaker configures and utilizes them.
Amazon's S3 allows for the storage of files in the cloud. Think of it as a Dropbox-like service where we can create and control folders and files. Files can be uploaded either through the web console, after signing in to your AWS account, or through the service's Application Programming Interfaces (APIs). S3's top-level containers are called buckets and the files inside them are known as objects; "folders" inside a bucket are really just a naming convention, since an object's key can contain slashes (for example `hashes/ntlm.txt`).
Amazon allows users to configure whether their buckets and objects are public or private. Public objects can be read by anyone on the Internet without credentials, while private resources can only be accessed by an authenticated AWS identity that a policy explicitly permits. A bucket that holds hash lists or cracked passwords should never be public.
The simplest way to think of Amazon's EC2 service is as a way to configure and run virtual machines in the cloud. But it's more than that. You can configure network topology and firewalls, configure snapshots and backups, manage SSH keys, and even request resources at below standard pricing by using spot instances. EC2 is priced at an hourly rate; for Linux instances (Ubuntu included) that rate is prorated per second of runtime, with a one-minute minimum, while some other platforms are still billed in whole hours.
Cryptbreaker uses spot instances built from an Ubuntu base image, so you are charged the spot hourly rate prorated to the number of seconds your instance actually spends working.
In order to keep its hardware fully utilized, Amazon sells spare EC2 capacity as spot instances at severely discounted rates. The use of these instances isn't guaranteed: Amazon reserves the right to terminate and destroy your instance, with roughly two minutes' warning, whenever it wants to sell the underlying computing power to another customer. While this behavior isn't ideal for many applications (you wouldn't want your database or web server randomly shutting down), it is perfect for the kind of work that we want to perform with Cryptbreaker, provided the job saves its progress somewhere durable, so that an interruption costs only the work done since the last save.
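The two-minute warning mentioned above is delivered through the instance metadata service: the path `/latest/meta-data/spot/instance-action` returns 404 while no interruption is scheduled and a small JSON body such as `{"action": "terminate", "time": "2017-09-18T08:22:00Z"}` once AWS has decided to reclaim the instance. The following is an added example, not Cryptbreaker's own code, of how a cracking node could watch for that notice and checkpoint before the deadline. The 30-second checkpoint margin, the `work_step` and `checkpoint` callbacks, and the sample notice body are all assumptions made for the illustration.

```python
"""Watch for an EC2 spot interruption notice and checkpoint before it lands.

Added illustration, not Cryptbreaker's own code. Assumes the documented
instance-metadata behaviour: GET /latest/meta-data/spot/instance-action
returns 404 while no interruption is scheduled and a JSON body such as
{"action": "terminate", "time": "2017-09-18T08:22:00Z"} once one is.
"""
import json
import time
import urllib.error
import urllib.request
from datetime import datetime, timezone

IMDS = "http://169.254.169.254"   # link-local endpoint, only reachable from inside an instance
CHECKPOINT_MARGIN_S = 30          # assumed: how long a checkpoint needs to finish

# Constructed sample notice, in the shape the metadata service returns.
SAMPLE_NOTICE = '{"action": "terminate", "time": "2017-09-18T08:22:00Z"}'


def parse_interruption(body, now):
    """Return (action, seconds_until_action) for a notice body, or None if there is no notice."""
    if body is None:
        return None
    notice = json.loads(body)
    when = datetime.strptime(notice["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return notice["action"], (when - now).total_seconds()


def work_budget(body, now, margin=CHECKPOINT_MARGIN_S):
    """Seconds of cracking left before the checkpoint must start; None means no notice yet."""
    parsed = parse_interruption(body, now)
    if parsed is None:
        return None
    _action, remaining = parsed      # terminate, stop and hibernate all lose the running job
    return max(0.0, remaining - margin)


def imds_token(ttl=21600):
    """Fetch an IMDSv2 session token (required when the instance enforces IMDSv2)."""
    req = urllib.request.Request(
        f"{IMDS}/latest/api/token", method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": str(ttl)})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def fetch_instance_action(token):
    """Return the raw instance-action body, or None when the service answers 404."""
    req = urllib.request.Request(
        f"{IMDS}/latest/meta-data/spot/instance-action",
        headers={"X-aws-ec2-metadata-token": token})
    try:
        with urllib.request.urlopen(req, timeout=2) as resp:
            return resp.read().decode()
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None              # no interruption scheduled
        raise


def run_until_interrupted(work_step, checkpoint, poll_s=5):
    """Keep calling work_step() until a notice arrives, then checkpoint() with time to spare.

    work_step and checkpoint are hypothetical callbacks supplied by the caller:
    work_step runs one bounded slice of cracking, checkpoint flushes progress
    (e.g. a restore file and cracked results) to durable storage.
    """
    token = imds_token()
    last_poll = 0.0
    while True:
        if time.monotonic() - last_poll >= poll_s:
            last_poll = time.monotonic()
            budget = work_budget(fetch_instance_action(token), datetime.now(timezone.utc))
            if budget is not None and budget <= 0:
                checkpoint()
                return
        work_step()


if __name__ == "__main__":
    # Offline demonstration using the constructed notice: two minutes before the
    # deadline there are 90 seconds of useful work left under a 30-second margin.
    t = datetime(2017, 9, 18, 8, 20, 0, tzinfo=timezone.utc)
    print(parse_interruption(SAMPLE_NOTICE, t), work_budget(SAMPLE_NOTICE, t))
```

Polling every few seconds is cheap (the metadata service is local to the instance) and the 404-means-no-notice convention keeps the loop free of special cases; the margin is what turns the two-minute warning into a usable deadline.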
Policies and roles play a key role (pardon the pun) in allowing us to use AWS securely for our computing and data storage needs. Practically everything in AWS can have its access and permissions managed by roles and policies. You want to allow a specific user to start but not stop EC2 instances? Make a policy. You want to allow a user to upload files to S3 but not delete them? Make a policy. You want all the files in your billing department's S3 bucket to be readable only by identities holding the "Billing Department" role? Make a policy.
Policies can get very, very granular, and roles can be assigned to users and attached to other AWS resources such as EC2 instances, so a running instance can be given exactly the permissions its job needs and nothing more. This allows for great power and control over who can access what in our environment.
Now that we have a brief background on the services in use, let's dive into the architecture.
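To make the "upload but never read back" idea from the policy and S3 discussions concrete, here is an added example, not Cryptbreaker's own policy, of a role policy for a cracking instance together with a small evaluator that shows how IAM decides a request. The bucket name `cryptbreaker-example` and the `hashes/` and `results/` key layout are hypothetical, and the evaluator implements only the core rule (an explicit Deny beats an Allow, which beats the implicit default Deny, with `*` and `?` wildcards in Action and Resource); it ignores conditions, NotAction and resource policies and is not the real IAM engine.

```python
"""Least-privilege IAM policy for a cracking node, plus a toy evaluator.

Added illustration, not Cryptbreaker's own policy. Bucket name and key
prefixes are hypothetical. evaluate() models only the core IAM rule:
explicit Deny > Allow > implicit Deny, with '*' and '?' wildcards.
"""
from fnmatch import fnmatchcase

BUCKET = "cryptbreaker-example"   # hypothetical

# The EC2 cracking node may read the hash list and write cracked results, but it
# is explicitly denied reading the results back or deleting anything under them.
# The Deny is deliberate: it still holds if a broader Allow is ever attached to the role.
CRACKER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadHashes", "Effect": "Allow", "Action": "s3:GetObject",
         "Resource": f"arn:aws:s3:::{BUCKET}/hashes/*"},
        {"Sid": "WriteResults", "Effect": "Allow", "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{BUCKET}/results/*"},
        {"Sid": "NeverReadOrDeleteResults", "Effect": "Deny",
         "Action": ["s3:GetObject", "s3:DeleteObject"],
         "Resource": f"arn:aws:s3:::{BUCKET}/results/*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action names are case-insensitive; '*' and '?' are the only wildcards.
    return fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, resource):
    # Resource ARNs (and the S3 keys inside them) are case-sensitive.
    return fnmatchcase(resource, pattern)


def evaluate(policy, action, resource):
    """Return 'Allow' or 'Deny' for one (action, resource) under a single identity policy."""
    allowed = False
    for stmt in policy["Statement"]:
        hit = (any(_action_matches(a, action) for a in _as_list(stmt["Action"]))
               and any(_resource_matches(r, resource) for r in _as_list(stmt["Resource"])))
        if not hit:
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"            # an explicit Deny wins regardless of other statements
        allowed = True
    return "Allow" if allowed else "Deny"   # nothing matched: implicit Deny


def wide_open_statements(policy):
    """Return the Sid (or index) of every Allow statement that grants '*' action or resource."""
    flagged = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        if "*" in _as_list(stmt["Action"]) or "*" in _as_list(stmt["Resource"]):
            flagged.append(stmt.get("Sid", i))
    return flagged


if __name__ == "__main__":
    results = f"arn:aws:s3:::{BUCKET}/results/cracked.txt"
    print(evaluate(CRACKER_POLICY, "s3:PutObject", results))   # Allow: it can drop results off
    print(evaluate(CRACKER_POLICY, "s3:GetObject", results))   # Deny: it can never read them
    print(wide_open_statements(CRACKER_POLICY))                # []
```

The two things worth checking before attaching a policy like this to an instance role are that the instance's own credentials cannot read `results/` back (the explicit Deny) and that no statement quietly grants `*`, which is what `wide_open_statements` flags; a policy the evaluator says is tight is still worth confirming with the IAM policy simulator, since the real engine also weighs conditions, resource policies and permission boundaries.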