Amazon Encryption SDK Concepts: Difference between revisions

From NovaOrdis Knowledge Base
Line 26: Line 26:


{{External|[https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#message Amazon Encryption SDK Developer Guide - Message]}}
{{External|[https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#message Amazon Encryption SDK Developer Guide - Message]}}
The encrypted message consists of at least two parts: header and body. In some cases, it also contains a footer. The message header contains the encrypted data key and information about the how the message body is formed. The message body contains ciphertext. The message footer contains a signature that authenticates the message header and the message body.
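Review bot: the added paragraph reads "information about the how the message body is formed"; drop the stray "the" so it says "information about how the message body is formed". "In some cases" also leaves the reader guessing when a footer is present. Since the footer carries the signature, consider tying it to the ECDSA signature that the Supported Algorithms section says the SDK adds by default.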

Revision as of 23:17, 12 December 2018

Internal

Supported Algorithms

Amazon Encryption SDK Developer Guide - Supported Algorithms
Amazon Encryption SDK Developer Guide - Algorithms Reference

The library uses an AES-GCM encryption algorithm with 256-bit, 192-bit and 128-bit encryption keys. The length of the Initialization Vector is 12 bytes. The length of the authentication tag is 16 bytes. By default, the SDK uses the data key as an input to the HMAC-based extract-and-expand key derivation function (HKDF) to derive the AES-GCM encryption key, and also adds an Elliptic Curve Digital Signature Algorithm (ECDSA) signature.

Data Key Management

By default, the SDK uses AWS KMS as the master key provider. It calls the GenerateDataKey API operation to generate data keys and the Decrypt API operation to decrypt a data key that was stored alongside the ciphertext. AWS KMS encrypts and decrypts the data key using the Customer Master Key that was specified when the master key provider was configured, before the SDK is used.

When data is encrypted, the SDK encrypts the data key and stores it along with the encrypted data in an encrypted message. When data is decrypted, the AWS Encryption SDK extracts the encrypted data key from the encrypted message, decrypts it, and uses it to decrypt the data.

Data Key Caching

TODO:

Encrypted Message

Amazon Encryption SDK Developer Guide - Message

The encrypted message consists of at least two parts: header and body. In some cases, it also contains a footer. The message header contains the encrypted data key and information about how the message body is formed. The message body contains ciphertext. The message footer contains a signature that authenticates the message header and the message body.
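The following Node.js sketch is an added example, not code from the SDK or from this knowledge base. It walks through the header/body/footer structure and the data key handling described above: wrapped data key in the header, HKDF-derived AES-GCM key for the body, ECDSA signature in the footer. It assumes a local wrapping key in place of AWS KMS; the field names (`messageId`, `encryptedDataKey`) and the byte layout are hypothetical and do not match the SDK's actual message format.

```javascript
// Added illustration only: field names and layout are hypothetical, not the SDK's wire format.
const crypto = require("node:crypto");
// Assumption: a local wrapping key stands in for the AWS KMS master key.
const masterKey = crypto.randomBytes(32);

function gcmEncrypt(key, plaintext, aad) {
  const iv = crypto.randomBytes(12); // 12-byte IV
  const c = crypto.createCipheriv("aes-256-gcm", key, iv, { authTagLength: 16 });
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() }; // 16-byte authentication tag
}

function gcmDecrypt(key, { iv, ct, tag }, aad) {
  const d = crypto.createDecipheriv("aes-256-gcm", key, iv, { authTagLength: 16 });
  d.setAAD(aad);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]); // final() throws on a bad tag
}

// HKDF derives the AES-GCM content key from the data key.
const deriveKey = (dataKey, messageId) =>
  Buffer.from(crypto.hkdfSync("sha256", dataKey, Buffer.alloc(0), messageId, 32));

const flat = (p) => Buffer.concat([p.iv, p.ct, p.tag]);
const signedBytes = (header, body) =>
  Buffer.concat([header.messageId, flat(header.encryptedDataKey), flat(body)]);

function encryptMessage(plaintext, signingKey) {
  const dataKey = crypto.randomBytes(32);
  const messageId = crypto.randomBytes(16);
  // Header: the wrapped data key travels with the ciphertext.
  const header = { messageId, encryptedDataKey: gcmEncrypt(masterKey, dataKey, messageId) };
  const body = gcmEncrypt(deriveKey(dataKey, messageId), plaintext, messageId);
  // Footer: ECDSA signature over header and body.
  const footer = crypto.sign("sha384", signedBytes(header, body), signingKey);
  return { header, body, footer };
}

function decryptMessage({ header, body, footer }, verificationKey) {
  if (!crypto.verify("sha384", signedBytes(header, body), verificationKey, footer))
    throw new Error("footer signature does not match header and body");
  const dataKey = gcmDecrypt(masterKey, header.encryptedDataKey, header.messageId);
  return gcmDecrypt(deriveKey(dataKey, header.messageId), body, header.messageId);
}

const demoKeys = crypto.generateKeyPairSync("ec", { namedCurve: "secp384r1" });
const demo = encryptMessage(Buffer.from("constructed sample plaintext"), demoKeys.privateKey);
console.log(decryptMessage(demo, demoKeys.publicKey).toString());
```

Changing any byte of the header or body makes `decryptMessage` fail at the footer check before the data key is unwrapped.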