2

I have been working to encrypt messages of size greater than 4Kb using AWS KMS. As I went through the AWS KMS documentation, the maximum size of a message that can be encrypted using AWS KMS is only 4Kb. I tried using both symmetric and asymmetric keys types to encrypt the message, but couldn't get the expected results. This is the error screenshot: enter image description here

And I'm pretty sure that this error is due to my message being greater than 4Kb. I have the following constraints.

  1. The encryption has to be on the frontend. This is creating a problem to use a symmetric approach because the key that I use may be easily seen to end users even the frontend code is minified.
  2. I am searching for a lightweight approach so that I don't have many libraries and plugins added to the frontend code.
  3. As I went through several articles what I found is if I use the asymmetric approach, there is always a limitation of message size that can be encrypted.

I was focusing on AWS KMS because I am using aws-sdk already in my front-end code and any solution with the same SDK won't increase my code size.

So, the possible alternatives I have found as per my study(not 100% sure) are:

  1. Hybrid encryption(outside AWS): Use a symmetric key to encrypt the message and use an asymmetric key to encrypt the symmetric key.
  2. Envelope encryption(with AWS)(Not sure how we can implement this)

Therefore, I am searching for references around AWS illustrating Envelope Encryption (with example if possible) or any other solutions satisfying the above-mentioned constraints. If around AWS is not possible, any lightweight approaches(with practical implementation) that can be implemented on the frontend would also be highly appreciated.

Programming Language: Javascript

John
  • 972
  • 1
  • 7
  • 24
  • 1
    The usual technique is to use asymmetric encryption for the key, and then use that key to symmetrically encrypt the much larger file. – rossum Mar 01 '21 at 12:10
  • "The key that I use may be easily seen to end users." Yes, and so is the plaintext, so observing the encryption key doesn't change anything. // Asking for libraries or resources is off-topic on SO. – Peter Mar 02 '21 at 10:53
  • @Peter "The key that I use may be easily seen to end-users." This is only the case if I used a symmetric key. In the case of the asymmetric key, seeing the public key by users doesn't make much sense. So, my problem with using the asymmetric key is, basically, it can only encrypt data up to 4Kb. The only purpose for encryption on the frontend is, no users in middle(during the transit) would be able to modify the message until it reaches to destination. – John Mar 03 '21 at 05:02
  • Protecting data in transit is exactly what TLS is for. – Peter Mar 03 '21 at 08:15

1 Answers1

1

Yes, it is a good option to use envelope encryption. You can generate a random as a content encryption key(CEK). And use AWS KMS to generate a key encryption key(KEK).

Let's say you get a plain text M.

Then the encryption process should be like this:

EM = encrypt M with CEK 
ECEK = encrypt CEK with KEK
Final text = ECEK.EM

the decryption process should be like this:

CEK = decrypt ECEK with KEK
M = decrypt EM with CEK

Just make sure the length of CEK is less than 4KB.

Eason Xu
  • 11
  • 1