Reputation: 1
I am trying to call the Decrypt API of AWS KMS from an enclave.
And in the Nitro Enclave documentation, it was expressed that, instead of returning the plaintext (decrypted result), KMS responds with "CiphertextForRecipient", which is encrypted with the public key in the attestation, and that "CiphertextForRecipient" can be decrypted with the private key in the enclave.
Referred from https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html.
In the attestation document, there is a public key (optional) value.
Referred from https://docs.aws.amazon.com/enclaves/latest/user/verify-root.html.
So, my question is, which private key am I going to use to decrypt?
Is it the private key corresponding to the public key which is used to sign the attestation document?
Or the private key corresponding to the public key which is the optional value of the attestation document?
Upvotes: 0
Views: 236
Reputation: 31
In short: it is the public key which is optionally included in the attestation document.
You should decrypt the CiphertextForRecipient using the public key that corresponds to the public_key field in the attestation document. So, you will do the following:
1. Put your RSA public key in the public_key field of the attestation document.
2. Send the kms:Decrypt request, including the attestation document.
3. Decrypt the CiphertextForRecipient using the RSA private key.
The CiphertextForRecipient is in RFC 5652 RecipientInfo format. Here is an openssl snippet for decrypting it:
openssl cms -decrypt \
-inform=DER \
-in "$PATH_TO_CIPHERTEXT_FOR_RECIPIENT" \
-inkey "$PATH_TO_RSA_PRIVATE_KEY" \
-out "$PATH_FOR_PLAINTEXT_OUTPUT"
Then, the plaintext output will be available as a file at $PATH_FOR_PLAINTEXT_OUTPUT.
The snippet above is adapted from the Anjuna documentation. For some reason, the main AWS documentation site is not clear about this, but the related GitHub repos have more info on how AWS KMS interacts with AWS Nitro Enclaves:
Upvotes: 1
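As an added, stdlib-only example (not part of the answer above, and not AWS or Anjuna code), the block below walks the RFC 5652 ContentInfo / EnvelopedData / KeyTransRecipientInfo layout the answer names and returns the pieces the enclave hands to its RSA private key (the wrapped content key) and then to the content cipher (algorithm, IV, ciphertext); checking that the key-encryption OID is RSAES-OAEP, the algorithm requested in kms:Decrypt, is a cheap sanity check before the private key is used. The sample blob, its OIDs, key identifier and byte values are constructed here for the test and are not real KMS output.

```python
OID_ENVELOPED_DATA = "1.2.840.113549.1.7.3"
OID_RSAES_OAEP = "1.2.840.113549.1.1.7"      # id-RSAES-OAEP key transport

def der_items(buf):
    """Split a DER buffer into its top-level (tag, value) elements."""
    items, i = [], 0
    while i < len(buf):
        tag, ln, i = buf[i], buf[i + 1], i + 2
        if ln & 0x80:                        # long form: 0x8n followed by n length bytes
            n = ln & 0x7F
            ln, i = int.from_bytes(buf[i:i + n], "big"), i + n
        items.append((tag, buf[i:i + ln]))
        i += ln
    return items

def oid_to_str(value):
    """Decode the content octets of an OBJECT IDENTIFIER to dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for byte in value[1:]:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_ciphertext_for_recipient(blob):
    """Walk ContentInfo -> EnvelopedData and return what the enclave must decrypt."""
    content_type, content = der_items(der_items(blob)[0][1])        # ContentInfo
    if oid_to_str(content_type[1]) != OID_ENVELOPED_DATA:
        raise ValueError("not a CMS EnvelopedData")
    env = der_items(der_items(content[1])[0][1])                    # [0] EXPLICIT EnvelopedData
    ri_set = next(v for t, v in env if t == 0x31)                   # recipientInfos SET
    eci = der_items(next(v for t, v in env if t == 0x30))           # encryptedContentInfo
    ktri = der_items(next(v for t, v in der_items(ri_set) if t == 0x30))  # KeyTransRecipientInfo
    key_alg = der_items(ktri[2][1])                                 # keyEncryptionAlgorithm
    cea = der_items(eci[1][1])                                      # contentEncryptionAlgorithm
    iv = cea[1][1] if len(cea) > 1 and cea[1][0] == 0x04 else b""   # parameters carry the IV
    return {"key_encryption_oid": oid_to_str(key_alg[0][1]), "encrypted_key": ktri[3][1],
            "content_encryption_oid": oid_to_str(cea[0][1]), "iv": iv,
            "encrypted_content": eci[2][1]}

def der(tag, payload):
    """Tiny DER TLV encoder, only used to build the constructed sample below."""
    assert len(payload) < 256
    length = bytes([len(payload)]) if len(payload) < 128 else bytes([0x81, len(payload)])
    return bytes([tag]) + length + payload

OID = {"envelopedData": bytes.fromhex("06092a864886f70d010703"), "data": bytes.fromhex("06092a864886f70d010701"),
       "rsaesOaep": bytes.fromhex("06092a864886f70d010107"), "aes256Cbc": bytes.fromhex("060960864801650304012a")}
FAKE_WRAPPED_KEY, FAKE_IV, FAKE_CONTENT = b"\x11" * 32, b"\x22" * 16, b"\x33" * 32   # constructed, not KMS output
SAMPLE_CIPHERTEXT_FOR_RECIPIENT = der(0x30, OID["envelopedData"] + der(0xA0, der(0x30,
    der(0x02, b"\x02")                                                   # EnvelopedData version
    + der(0x31, der(0x30, der(0x02, b"\x02") + der(0x80, b"\xAA" * 20)  # ktri: version, [0] SubjectKeyIdentifier
                + der(0x30, OID["rsaesOaep"]) + der(0x04, FAKE_WRAPPED_KEY)))
    + der(0x30, OID["data"] + der(0x30, OID["aes256Cbc"] + der(0x04, FAKE_IV))
                + der(0x80, FAKE_CONTENT)))))                            # [0] IMPLICIT encryptedContent
```

The returned encrypted_key is what the RSA private key unwraps (the step openssl cms performs internally); the content fields are then decrypted with the unwrapped symmetric key.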