How to Protect the Integrity of Your Encrypted Data by Using AWS Key Management Service and EncryptionContext
This is the code repository for the Python port of the code sample used in the AWS Security Blog post How to Protect the Integrity of Your Encrypted Data by Using AWS Key Management Service and EncryptionContext.
- Amazon Web Services account
- Python installed
- Python boto3 installed
Create a customer master key.
Create a table EcDemoAddresses with a string-type key EmailAddress.
Or you can run the following command:
$ cd encryption-context-python
$ python create_dynamodb_table.py
I created a CloudFormation template that provisions:
- KMS
- DynamoDB
There are two parameters for this stack:
- KeyAdministrator : AWS KMS Key Administrator
- KeyUser : AWS KMS Key User
After editing cloudformation/parameters.json, run the next command:
$ aws cloudformation create-stack \
--stack-name EcDemo \
--template-body file://cloudformation/dynamodb-kms.template.json \
--parameters file://cloudformation/parameters.json \
--capabilities=CAPABILITY_IAM
There are three code samples in the blog post. All of them are located in the encryption-context-python directory.
KMS throws an InvalidCiphertextException upon receiving ciphertext that has been tampered with.
This is an insecure KMS encryption implementation.
If a malicious user (Mallory) can modify the DynamoDB table, she can replace data. Mallory can do this even without access to the encryption keys by simply swapping the encrypted data between records, which does not require her to encrypt or decrypt anything.
When you provide EncryptionContext at encryption time, KMS throws an InvalidCiphertextException when it attempts to decrypt a record that has been tampered with, because the stored ciphertext no longer matches the context supplied for that record. This code improves the security of KMS encryption.
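The two behaviours described above (the ciphertext-swap on records encrypted without a context, and the InvalidCiphertextException once the context is bound) can be reproduced offline with the following added example. It is not code from the repository or the blog post: the ToyKms class is a constructed, stdlib-only stand-in that binds the EncryptionContext to the ciphertext with a MAC, the way KMS binds it as additional authenticated data, and it uses a toy HMAC-counter keystream purely so the script runs without AWS credentials (the real calls are boto3's kms.encrypt(KeyId=..., Plaintext=..., EncryptionContext=...) and kms.decrypt(CiphertextBlob=..., EncryptionContext=...)). The table, email addresses and secrets are constructed sample data.

```python
import hashlib
import hmac
import json
import secrets


class InvalidCiphertextException(Exception):
    """Mirrors the error KMS raises when ciphertext or context has been tampered with."""


class ToyKms:
    """Constructed stand-in for AWS KMS (illustrative, NOT the KMS algorithm).

    One master key lives in memory. The MAC covers the canonical
    EncryptionContext, the nonce and the encrypted bytes, so a ciphertext
    decrypts only when presented together with the context it was made under.
    """

    def __init__(self):
        self._master_key = secrets.token_bytes(32)

    @staticmethod
    def _canonical(context):
        # Sort keys so {"a": 1, "b": 2} and {"b": 2, "a": 1} are the same context.
        return json.dumps(context or {}, sort_keys=True, separators=(",", ":")).encode()

    def _keystream(self, nonce, length):
        # Toy stream cipher: HMAC in counter mode. Stands in for the real cipher only.
        out, counter = b"", 0
        while len(out) < length:
            block = nonce + counter.to_bytes(4, "big")
            out += hmac.new(self._master_key, block, hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def encrypt(self, plaintext, encryption_context=None):
        nonce = secrets.token_bytes(16)
        body = bytes(p ^ k for p, k in zip(plaintext, self._keystream(nonce, len(plaintext))))
        mac_input = self._canonical(encryption_context) + nonce + body
        tag = hmac.new(self._master_key, mac_input, hashlib.sha256).digest()
        return nonce + body + tag  # the "CiphertextBlob"

    def decrypt(self, ciphertext_blob, encryption_context=None):
        nonce, body, tag = ciphertext_blob[:16], ciphertext_blob[16:-32], ciphertext_blob[-32:]
        mac_input = self._canonical(encryption_context) + nonce + body
        expected = hmac.new(self._master_key, mac_input, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise InvalidCiphertextException("ciphertext does not match the supplied EncryptionContext")
        return bytes(c ^ k for c, k in zip(body, self._keystream(nonce, len(body))))


# Constructed rows for an EcDemoAddresses-style table keyed by EmailAddress.
SAMPLE_ROWS = (("alice@example.com", b"alice-secret"), ("mallory@example.com", b"mallory-secret"))


def store_records(kms, bind_context):
    """Encrypt each row; with bind_context the row key becomes the EncryptionContext."""
    table = {}
    for email, secret in SAMPLE_ROWS:
        ctx = {"EmailAddress": email} if bind_context else None
        table[email] = kms.encrypt(secret, ctx)
    return table


def swap_attack(table):
    """Mallory, holding only table write access, swaps the two ciphertext blobs."""
    alice, mallory = SAMPLE_ROWS[0][0], SAMPLE_ROWS[1][0]
    table[alice], table[mallory] = table[mallory], table[alice]


def read_record(kms, table, email, bind_context):
    """The application decrypts a row, supplying the same context it encrypted with."""
    ctx = {"EmailAddress": email} if bind_context else None
    return kms.decrypt(table[email], ctx)


def demo(bind_context):
    """Return what Alice's row decrypts to after the swap, or the exception name."""
    kms = ToyKms()
    table = store_records(kms, bind_context)
    swap_attack(table)
    try:
        return read_record(kms, table, "alice@example.com", bind_context)
    except InvalidCiphertextException as exc:
        return type(exc).__name__


if __name__ == "__main__":
    print("without EncryptionContext:", demo(bind_context=False))  # Mallory's secret is served as Alice's
    print("with EncryptionContext:   ", demo(bind_context=True))   # InvalidCiphertextException
```

Without a context the swapped blob decrypts cleanly and the application silently serves Mallory's data under Alice's key; with the row key bound as EncryptionContext the same swap is rejected at decrypt time, which is the integrity check the blog post relies on. The context is not secret (KMS logs it in CloudTrail), so it should carry the record's identity, not sensitive data.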