How AWS KMS determine which key to use when decrypt?

Question

I'm confused on how the aws-kms select which key to use to decrypt a ciphertextblob?

When calling the decrypt method, no key information is provided.

Similar question: https://stackoverflow.com/questions/38645551/getting-the-kms-key-from-kms-ciphertextblob — Alexey Vazhnov, Oct 25 '21 at 15:56

score 5 · Accepted Answer · answered Aug 25 '18 at 11:39

5

When you encrypt, KMS stores the CMK information in the ciphertextblob (CiphertextBlob: Ciphertext including metadata) as metadata. So while calling decrypt, KMS knows which CMK to use.

More details in: https://d1.awsstatic.com/whitepapers/aws-kms-best-practices.pdf https://docs.aws.amazon.com/cli/latest/reference/kms/encrypt.html

answered Aug 25 '18 at 11:39

sudo

2,237
1
9
14

in the encrypt document about the output: "CiphertextBlob -> (blob) The encrypted plaintext. When you use the HTTP API or the AWS CLI, the value is Base64-encoded. Otherwise, it is not encoded." I don't see the CiphertextBlob includes some metadata. I tried base64 decode CiphertextBlob but it's not readable, anyway I can look into the CiphertextBlob? thanks! – xiaobing Aug 25 '18 at 20:44
2

The format of the ciphertext metadata is not publicly defined. If the decrypt operation succeeds, the results include the Arn of the CMK that was used to decrypt the ciphertext. https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html#API_Decrypt_ResponseSyntax – mattsb42-aws Aug 27 '18 at 17:26

score 1 · Answer 2 · answered Jan 22 '20 at 08:09

If you look at the CiphertextBlob output of two different --plaintexts (as I show below) you can observe a pattern that must be some kind of metedata. Not sure whether this metadata is documented.

aws kms encrypt --key-id <my-key> --plaintext first-text --query "CiphertextBlob"  --output text  >> encryption_outputs.out
aws kms encrypt --key-id <my-key> --plaintext second-text --query "CiphertextBlob"  --output text  >> encryption_outputs.out
cat encryption_outputs.out 
AQICAHiHuhOJgMFOzLCxr9JLvFbwcvLJ1ujdFhqufo6u+0DOZAFcwvj+uW9S0ogPZqWnn2o0AAAAaDBmBgkqhkiG9w0BBwagWTBXAgEAMFIGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMKCO7GDmhCkqkISldAgEQgCXJaFxGsprON7JHfoLWFXM/VVg9tv76Ndp9ABZ5zd8VOlK2rtPK
AQICAHiHuhOJgMFOzLCxr9JLvFbwcvLJ1ujdFhqufo6u+0DOZAGMZIUoMTRnPxLZLGx/cD7fAAAAaTBnBgkqhkiG9w0BBwagWjBYAgEAMFMGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMmXxBMotXpz0dByd5AgEQgCayx6uiIjJopXsHOeGWAvC5i83CLnp1M7gAVYPQck8lEPtykghR7Q==

How AWS KMS determine which key to use when decrypt?

2 Answers2

Linked