Practice of envelope encryption and key management

Principle of envelope encryption

Envelope encryption is implemented using symmetric AES+ asymmetric RSA. The Key of the RSA AES algorithm is used and stored or transmitted together with the Key. The CIphertext + AES Key is used as an envelope.

Envelope encryption is used to encrypt a large amount of data. The length of RSA encryption cannot exceed the length of the RSA Key (generally, the length of the RSA Key is 1024/2048/4096 bits). Therefore, symmetric encryption algorithms are required for large-file encryption scenarios, such as images, videos, and texts. The keys of the symmetric encryption algorithm are exposed when they are transmitted between networks or organizations. Therefore, using the RSA asymmetric algorithm to encrypt symmetric keys ensures secure transmission of keys.

Envelope encryption is actually used in THE SSL protocol. After exchanging the public Key, SSL finally negotiates an AES encryption Key, which is encrypted using the RSA algorithm during transmission between the two parties.

The encryption process of envelope encryption

1. Generate AES plaintext key
2. Use AES plaintext key to encrypt data
3. Use the RSA public key to encrypt the AES plaintext key to obtain the ciphertext key
4. The ciphertext key is stored along with the encrypted data, which is figuratively put in an envelope

The decryption process of envelope encryption

1. The data receiver receives an envelope containing ciphertext data and
2. Use the RSA private key to decrypt the AES ciphertext key to obtain the plaintext key
3. Use AES plaintext key to decrypt ciphertext data

Public cloud KMS service

The Key to encrypting the symmetric Key is the RSA Key. The RSA Key requires master Key management, data encryption Key management, access control, access audit logs, and Key rotation. Currently, major public cloud vendors provide key management services and are integrated with cloud servers. For example, the object storage service uses KMS to encrypt data, and the RDS uses KMS to encrypt disk data.

• Master key management: create a new master key, import the existing key to KMS, update the master key rotation (the encrypted data key records which master key is used for encryption, and the original key still exists after updating the master key rotation), control key access, and access audit log.
• Data encryption key management: create, encrypt, decrypt.
• Cloud service interconnection: object storage, cloud hard disks, and databases.

Use custom key material as the root key

Enterprises generally have AES encryption keys in use. For example, in online and offline data exchange, data encrypted by one party is decrypted by the other party, requiring the same encryption keys. Therefore, you need to import the existing key material when creating the master encryption key. To create a master key by importing the existing key material to KMS, download the RSA public key (used to encrypt the master key material) from the KMS service, specify the RSA filling algorithm, encrypt the key material with the RSA public key and RSA algorithm, and import the key material to KMS.

For details about how to import the master key, see the help document of Huawei Cloud KMS. The following is an example.

1. Download the RSA public key from the KMS service and select the RSA padding algorithm

The following three files are required for huawei cloud to download the AES key material:

Drwxr-xr-x 1 user01 1049089 04 月 28 19:47./ drwxr-xr-x 1 user01 1049089 04 月 28 19:47.. / -rw-r--r-- 1 user01 1049089 2236 4月 28 19:46 importToken_d4a19541-800D-4a6C-9678-c9C7d7249887_20190428114633 -rw-r--r-- 1 user01 1049089 302 4月 28 19:46 readme_d4a19541-800d-4a6C-9678-c9c7d7249887_20190428114633.txt -rw-r--r-- 1 User01 1049089 294 4月 28 19:46 wrappingKEY_d4a19541-800D-4a6C-9678-c9C7d7249887_20190428114633Copy the code

• WrappingKey_ Key ID_ Download time: Packaging key, used to encrypt key material packaging key
• ImportToken_ Key ID_ Download time: import token. KMS imports key materials
• Readme_key ID_ Download time: a description file that records the serial number of the packaging key, key packaging algorithm, name of the packaging key file, name of the token file, and expiration time of the packaging key and token

The README content

$ cat README_d4a19541-800d-4a6c-9678-c9c7d7249887_20190428114633.txt
Wrapping Key Spec: RSA_2048
Wrapping Algorithm: RSAES_OAEP_SHA_1
Wrapping Key File: wrappingKey_d4a19541-800d-4a6c-9678-c9c7d7249887_20190428114633
Import Token File: importToken_d4a19541-800d-4a6c-9678-c9c7d7249887_20190428114633
Wrapping Key and Import Token Expiration: 2019-04-29 11:46:33 UTC

Copy the code

2. Generate 256-bit AES key material

The AES key length is 256 bits. Openssl is used to generate the key material

openssl rand -out plain-text-key-material.bin 32
Copy the code

3. Use the RSA public key and select the fill algorithm to encrypt the AES key material

 openssl pkeyutl -in plain-text-key-material.bin -inkey wrappingKey_d4a19541-800d-4a6c-9678-c9c7d7249887_20190428114633 -out encrypted-key-material.bin -keyform der -pubin -encrypt -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha1 
Copy the code

4. Import AES key material into KMS

Perform import operations on the public cloud interface.

Use the imported master key to create a data encryption key and encrypt and decrypt data

Refer to the sample code.

Note that the data key created on the Huawei cloud can contain only 512 bits. The 512-bit key can be used only for the AES-XTS algorithm, which is mainly used for disk encryption.

If KMS is integrated in the application, AES encryption algorithm is commonly used as AES-CBC, and the longest key is 256 bits. Therefore, based on the current situation, only 512 bits of key can be truncated, but truncation will bring a series of problems. How to ensure the consistency of truncation rules between teams? In envelope encryption scenarios, is the truncated key stored with the ciphertext data or before the truncated key? Will the inconsistency between the truncated key and the key stored in KMS cause unknown problems?

At present, Ali Cloud can support the creation of data encryption key, the specified key length is 128 or 256 bits.

About RSA Padding

The RSA padding algorithm ensures semantic security. The ciphertext of the same plain text is different each time. The padding algorithm fills some random numbers in the plain text to achieve this effect. RSA encryption requires that the ciphertext length be no longer than the Key length. Therefore, after the P algorithm is used, the limit on the length of the original ciphertext is changed.

Currently, there are three filling algorithms: RSA_PKCS1_PADDING/RSA_PKCS1_OAEP_PADDING/RSA_NO_PADDING

RSA_PKCS1_PADDING The most commonly used mode

The input: must be at least 11 bytes shorter than the MODULUS of the RSA key RSA_size(RSA) -11. If the input plaintext is too long, it must be cut and filled with the output: as long as the modulus

According to this requirement, for a 512bit key, block length = 512/8-11 = 53 bytes

RSA_PKCS1_OAEP_PADDING

Input: RSA_size(RSA) — 41 Output: as long as modulus

RSA_NO_PADDING don’t fill

Input: can be as long as the RSA key module. If the input plaintext is too long, it must be cut and filled with the output: as long as the MODULUS

Reference

PKCS#1 V2

Principle 1 of RAS algorithm

RAS algorithm principle two

RSA encryption algorithm

Padding&Text-book-rsa

Java AES and using my own Key

Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 8 Download

Java commonly used encryption algorithms used with collation more cloud best practices best practices