Amazon Encryption SDK

Latest revision as of 05:44, 3 October 2021

=External=

* [https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/introduction.html AWS Encryption SDK Developer Guide]

=Internal=

* [[Amazon AWS#SDKs|Amazon]]
* [[Amazon KMS]]
* [[AWS_SDK_for_Java_Version_2#Component_APIs|AWS SDK for Java Version 2]]
* [[AWS_SDK_for_Java_Version_1#Component_APIs_that_Use_SDK_for_Java_Version_1|AWS SDK for Java Version 1]]

=Overview=

The Amazon (AWS) Encryption SDK is a client-side encryption library that optionally integrates with [[Amazon KMS]] and uses it as a master key provider. The SDK generates, encrypts and decrypts [[Amazon_KMS_Concepts#Data_Key|data keys]], uses those data keys to encrypt and decrypt the raw data, and stores the encrypted data key(s) together with the corresponding ciphertext in a single object (envelope encryption), so a message carries everything needed to decrypt it except access to the master key. The AWS Encryption SDK and the Amazon S3 encryption client are not compatible, because they produce ciphertexts in different formats. The library encrypts with [[Symmetric_Cryptography#AES-GCM|AES-GCM]] using 256-bit, 192-bit or 128-bit keys; the [[Symmetric_Cryptography#Initialization_Vector_.28IV.29|initialization vector]] is 12 bytes long and the authentication tag is 16 bytes long. By default the data key is not used directly as the AES-GCM key: it is fed into the HMAC-based extract-and-expand key derivation function (HKDF) to derive the encryption key, and the message is additionally signed with an Elliptic Curve Digital Signature Algorithm (ECDSA) signature, so that a party that only holds permission to decrypt the data key cannot forge messages that verify as produced by the encryptor. The SDK can encrypt byte arrays, I/O streams (byte streams) and strings.
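The envelope-encryption mechanism described above, as an added JDK-only illustration that is not code from the AWS Encryption SDK and does not produce its message format: a random data key is wrapped under a master key (a local AES key standing in for a KMS CMK), an AES-GCM content key is derived from the data key with HKDF-SHA256 using a per-message id as salt, and the encrypted data key, the 12-byte IV and the 16-byte tag travel in one object with the ciphertext. The message layout, the <code>envelope-demo-v1</code> HKDF label and the sample inputs are assumptions of this example; the SDK's ECDSA signature and framing are omitted.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Illustrative envelope message, NOT the AWS Encryption SDK message format (layout is an assumption):
//   [2-byte EDK length][EDK = 12-byte IV || wrapped data key || 16-byte tag]
//   [16-byte message id][12-byte IV][ciphertext || 16-byte tag]
public final class EnvelopeDemo {
    static final int IV_LEN = 12;      // 96-bit GCM nonce, the same length the SDK uses
    static final int TAG_BITS = 128;   // 16-byte authentication tag, as in the SDK
    static final int MSG_ID_LEN = 16;
    static final byte[] INFO = "envelope-demo-v1".getBytes(StandardCharsets.UTF_8); // hypothetical HKDF info label
    static final SecureRandom RNG = new SecureRandom();

    // Stand-in for the master key held by KMS: a local AES-256 key that never leaves this process.
    static SecretKey newMasterKey() throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        return kg.generateKey();
    }

    static byte[] gcm(int mode, SecretKey key, byte[] iv, byte[] input, byte[] aad) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, key, new GCMParameterSpec(TAG_BITS, iv));
        if (aad != null) c.updateAAD(aad);
        return c.doFinal(input); // in DECRYPT_MODE throws AEADBadTagException when the tag does not verify
    }

    // Single-block HKDF-SHA256 (RFC 5869 extract, then one expand round). The data key is never used
    // directly as the content key, mirroring the SDK's default of deriving the AES-GCM key via HKDF.
    static SecretKey hkdfSha256(byte[] ikm, byte[] salt, byte[] info) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(salt, "HmacSHA256"));
        byte[] prk = mac.doFinal(ikm);                   // extract
        mac.init(new SecretKeySpec(prk, "HmacSHA256"));
        mac.update(info);
        mac.update((byte) 1);                            // T(1) = HMAC(PRK, info || 0x01)
        return new SecretKeySpec(mac.doFinal(), "AES");  // 32 bytes -> AES-256 content key
    }

    static byte[] random(int n) { byte[] b = new byte[n]; RNG.nextBytes(b); return b; }

    static byte[] encrypt(SecretKey masterKey, byte[] plaintext, byte[] aad) throws GeneralSecurityException {
        byte[] dataKey = random(32);                       // the plaintext data key KMS GenerateDataKey would return
        byte[] wrapIv = random(IV_LEN);
        byte[] edk = gcm(Cipher.ENCRYPT_MODE, masterKey, wrapIv, dataKey, null); // the encrypted data key
        byte[] messageId = random(MSG_ID_LEN);             // per-message HKDF salt
        SecretKey contentKey = hkdfSha256(dataKey, messageId, INFO);
        Arrays.fill(dataKey, (byte) 0);                    // the plaintext data key is no longer needed
        byte[] iv = random(IV_LEN);
        byte[] body = gcm(Cipher.ENCRYPT_MODE, contentKey, iv, plaintext, aad);
        ByteBuffer out = ByteBuffer.allocate(2 + IV_LEN + edk.length + MSG_ID_LEN + IV_LEN + body.length);
        out.putShort((short) (IV_LEN + edk.length)).put(wrapIv).put(edk).put(messageId).put(iv).put(body);
        return out.array();
    }

    static byte[] decrypt(SecretKey masterKey, byte[] message, byte[] aad) throws GeneralSecurityException {
        ByteBuffer in = ByteBuffer.wrap(message);
        int edkLen = Short.toUnsignedInt(in.getShort());
        byte[] wrapIv = new byte[IV_LEN];        in.get(wrapIv);
        byte[] edk = new byte[edkLen - IV_LEN];  in.get(edk);
        byte[] messageId = new byte[MSG_ID_LEN]; in.get(messageId);
        byte[] iv = new byte[IV_LEN];            in.get(iv);
        byte[] body = new byte[in.remaining()];  in.get(body);
        byte[] dataKey = gcm(Cipher.DECRYPT_MODE, masterKey, wrapIv, edk, null); // the KMS Decrypt step
        SecretKey contentKey = hkdfSha256(dataKey, messageId, INFO);
        Arrays.fill(dataKey, (byte) 0);
        return gcm(Cipher.DECRYPT_MODE, contentKey, iv, body, aad);
    }

    public static void main(String[] args) throws Exception {
        SecretKey master = newMasterKey();
        byte[] aad = "tenant=acme".getBytes(StandardCharsets.UTF_8);                // constructed AAD
        byte[] plaintext = "customer record 42".getBytes(StandardCharsets.UTF_8);   // constructed input
        byte[] message = encrypt(master, plaintext, aad);
        // fixed overhead of this toy format: 2 + 12 + (32 + 16) + 16 + 12 + 16 = 106 bytes
        System.out.println("overhead bytes: " + (message.length - plaintext.length));
        if (!Arrays.equals(plaintext, decrypt(master, message, aad))) throw new AssertionError("round trip failed");
        // Flip one ciphertext byte: the GCM tag check must reject it instead of returning garbage.
        byte[] tampered = message.clone();
        tampered[tampered.length - 1] ^= 0x01;
        try { decrypt(master, tampered, aad); throw new AssertionError("tampering not detected"); }
        catch (AEADBadTagException expected) { System.out.println("tampered message rejected"); }
        // Wrong AAD is rejected the same way: the AAD is bound into the tag, not stored in the message.
        try { decrypt(master, message, "tenant=other".getBytes(StandardCharsets.UTF_8)); throw new AssertionError("AAD not bound"); }
        catch (AEADBadTagException expected) { System.out.println("AAD mismatch rejected"); }
    }
}
```

Two points carry over to the real SDK: the authentication tag covers the AAD, so the decrypting side must supply (and check) the same AAD it expects rather than trust whatever arrives with the ciphertext, and the master key is only ever used to wrap and unwrap data keys, never the bulk data, which is what makes the KMS round trip per message cheap and the data-key cache in the Concepts page possible.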

=Dependencies=

<font color=darkgray>TODO: Gradle dependencies for AWS SDK for Java 2 look different: https://kb.novaordis.com/index.php/AWS_SDK_for_Java_Version_2#Gradle_Project

TODO: Gradle dependencies for AWS SDK for Java 1 look different: https://kb.novaordis.com/index.php/AWS_SDK_for_Java_Version_1#Gradle_Project</font>

<syntaxhighlight lang='groovy'>
dependencies {
    implementation('org.bouncycastle:bcprov-ext-jdk15on:1.58')
    implementation('com.amazonaws:aws-encryption-sdk-java:1.3.1')
}
</syntaxhighlight>

The versions above are the ones used by the playground project; both are old releases, so pick a current version of each from Maven Central when starting new work.

<font color=darkgray>TODO: Clarify whether I need the KMS API or not: AWS KMS API Dependencies.</font>

=Concepts=

{{Internal|Amazon Encryption SDK Concepts|Amazon Encryption SDK Concepts}}

Data key caching and the space overhead introduced by the Amazon Encryption SDK message format are described there. The overhead comes mainly from storing the [[Amazon_KMS_Concepts#Data_Key|data key]], encrypted under the [[Amazon_KMS_Concepts#Customer_Master_Key|customer master key]], together with the ciphertext; its size depends on the plaintext size, the algorithm suite, whether additional authenticated data (AAD) is supplied and how long it is, the number and type of master key providers, and the frame size. With the default configuration, one CMK in AWS KMS as the master key, no AAD and non-framed data, the overhead is approximately 600 bytes; in general it can be assumed to be 1 KB or less, not counting the AAD.

=Playground Example=

{{External|[https://github.com/ovidiuf/playground/blob/master/amazon/encryption-sdk/01-simplest-encryptionsdk/src/main/java/playground/amazon/encryptionsdk/AWSEncryptionSDKExamples.java Playground AWS Encryption SDK Examples]}}
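An added, self-contained example against the 1.x API pulled in by the Gradle dependencies above (this is not the playground's own code): it uses a local <code>JceMasterKey</code> in place of a KMS master key so it runs offline, encrypts with an encryption context, compares the real message size with the SDK's own <code>estimateCiphertextSize</code> to show the overhead discussed under Concepts, and, on decrypt, verifies the encryption context and the master key id before trusting the plaintext. The key id <code>local-test-key</code>, the provider name <code>playground</code>, the context values and the sample record are assumptions of this example.

```java
import com.amazonaws.encryptionsdk.AwsCrypto;
import com.amazonaws.encryptionsdk.CryptoResult;
import com.amazonaws.encryptionsdk.jce.JceMasterKey;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

public class LocalMasterKeyExample {

    private static final String KEY_ID = "local-test-key"; // hypothetical key identifier

    public static void main(String[] args) {
        // A local AES-256 wrapping key in place of a KMS CMK, so the example needs no AWS credentials.
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);
        SecretKey wrappingKey = new SecretKeySpec(raw, "AES");
        JceMasterKey masterKey = JceMasterKey.getInstance(wrappingKey, "playground", KEY_ID, "AES/GCM/NoPadding");

        AwsCrypto crypto = new AwsCrypto(); // 1.x default suite: AES-256-GCM, HKDF-derived key, ECDSA signature

        // Encryption context: non-secret key/value pairs that are authenticated (AAD) and stored in the header.
        Map<String, String> context = new HashMap<>();
        context.put("purpose", "playground");
        context.put("tenant", "acme");

        byte[] plaintext = "customer record 42".getBytes(StandardCharsets.UTF_8); // constructed input

        long estimate = crypto.estimateCiphertextSize(masterKey, plaintext.length, context);
        CryptoResult<byte[], JceMasterKey> enc = crypto.encryptData(masterKey, plaintext, context);
        byte[] ciphertext = enc.getResult();
        System.out.printf("plaintext %d bytes, ciphertext %d bytes (estimate %d), overhead %d bytes%n",
                plaintext.length, ciphertext.length, estimate, ciphertext.length - plaintext.length);

        CryptoResult<byte[], JceMasterKey> dec = crypto.decryptData(masterKey, ciphertext);

        // The SDK proves the message is authentic and untampered; only the caller knows whether it is the
        // message it expected, so check the context it was encrypted under before using the plaintext.
        // Check individual keys: with a signing suite the SDK adds its own "aws-crypto-public-key" entry,
        // so an equality check against the map passed to encryptData would fail.
        Map<String, String> got = dec.getEncryptionContext();
        if (!"acme".equals(got.get("tenant")) || !"playground".equals(got.get("purpose"))) {
            throw new IllegalStateException("unexpected encryption context: " + got);
        }
        // Also confirm the data key was wrapped by the master key this code expects.
        if (!dec.getMasterKeyIds().contains(KEY_ID)) {
            throw new IllegalStateException("unexpected master key(s): " + dec.getMasterKeyIds());
        }
        if (!Arrays.equals(plaintext, dec.getResult())) {
            throw new IllegalStateException("round trip failed");
        }
        System.out.println("decrypted: " + new String(dec.getResult(), StandardCharsets.UTF_8));
    }
}
```

To run the same code against KMS, replace the <code>JceMasterKey</code> with the 1.x <code>KmsMasterKeyProvider</code> constructed from a key ARN and keep the rest unchanged; the encryption context is then also recorded by KMS in CloudTrail for every data-key operation, which is one more reason to put a stable, non-secret identifier such as the tenant in it.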