How AWS KMS determine which key to use when decrypt?

安稳与你 提交于 2020-02-23 12:47:16

问题


I'm confused on how the aws-kms select which key to use to decrypt a ciphertextblob?

When calling the decrypt method, no key information is provided.


回答1:


When you encrypt, KMS stores the CMK information in the ciphertextblob (CiphertextBlob: Ciphertext including metadata) as metadata. So while calling decrypt, KMS knows which CMK to use.

More details in: https://d1.awsstatic.com/whitepapers/aws-kms-best-practices.pdf https://docs.aws.amazon.com/cli/latest/reference/kms/encrypt.html




回答2:


If you look at the CiphertextBlob output of two different --plaintexts (as I show below) you can observe a pattern that must be some kind of metedata. Not sure whether this metadata is documented.

aws kms encrypt --key-id <my-key> --plaintext first-text --query "CiphertextBlob"  --output text  >> encryption_outputs.out
aws kms encrypt --key-id <my-key> --plaintext second-text --query "CiphertextBlob"  --output text  >> encryption_outputs.out
cat encryption_outputs.out 
AQICAHiHuhOJgMFOzLCxr9JLvFbwcvLJ1ujdFhqufo6u+0DOZAFcwvj+uW9S0ogPZqWnn2o0AAAAaDBmBgkqhkiG9w0BBwagWTBXAgEAMFIGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMKCO7GDmhCkqkISldAgEQgCXJaFxGsprON7JHfoLWFXM/VVg9tv76Ndp9ABZ5zd8VOlK2rtPK
AQICAHiHuhOJgMFOzLCxr9JLvFbwcvLJ1ujdFhqufo6u+0DOZAGMZIUoMTRnPxLZLGx/cD7fAAAAaTBnBgkqhkiG9w0BBwagWjBYAgEAMFMGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMmXxBMotXpz0dByd5AgEQgCayx6uiIjJopXsHOeGWAvC5i83CLnp1M7gAVYPQck8lEPtykghR7Q==


来源:https://stackoverflow.com/questions/52012625/how-aws-kms-determine-which-key-to-use-when-decrypt

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!