Amazon Encryption SDK Concepts

From NovaOrdis Knowledge Base
Jump to navigation Jump to search

Internal

Supported Algorithms

Amazon Encryption SDK Developer Guide - Supported Algorithms
Amazon Encryption SDK Developer Guide - Algorithms Reference

The library uses an AES-GCM encryption algorithm with 256-bit, 192-bit and 128-bit encryption keys. The length of the Initialization Vector is 12 bytes. The length of the authentication tag is 16 bytes. By default, the SDK uses the data key as an input to the HMAC-based extract-and-expand key derivation function (HKDF) to derive the AES-GCM encryption key, and also adds an Elliptic Curve Digital Signature Algorithm (ECDSA) signature.

Data Key Management

By default, the SDK uses AWS KMS as the master key provider and its GenerateDataKey API operation to generate data keys and the Decrypt API operation to decrypt a data key that was stored alongside cipher text. AWS KMS encrypts and decrypts the data key by using the Customer Master Key that was specified when configuring the master key provider before the SDK use.

When data is encrypted, the SDK encrypts the data key and stores it along with the encrypted data in an encrypted message. When data is decrypted, the AWS Encryption SDK extracts the encrypted data key from the encrypted message, decrypts it, and uses it to decrypt the data.

Data keys can be encrypted with more than one master key, for redundancy in case one of the master keys is not accessible.

Data Key Caching

TODO:

Encrypted Message

Amazon Encryption SDK Developer Guide - Message

The encrypted message consists of at least two parts: header and body. In some cases, it also contains a footer. The message header contains the encrypted data key and information about the how the message body is formed. The message body contains ciphertext. The message footer contains a signature that authenticates the message header and the message body.

Overhead Introduced by Amazon Encryption SDK Message Format

Encrypting data with Amazon Encryption SDK introduces a certain amount of space overhead, mainly due to the fact that the data key, after being encrypted with the customer master key, is stored together with the cipher text. The amount of overhead depends on the size of the clear text data, encryption algorithm, whether additional authenticated data (AAD) is provided, and the length of that AAD, the number and type of master key providers, and the frame size. When AWS Encryption SDK is used with its default configuration, with one CMK in AWS KMS as the master key, with no AAD, and encrypt non-framed data, the overhead is approximately 600 bytes. In general, it can be reasonably assumed that Amazon Encryption SDK adds overhead of 1KB or less, not including AAD.