Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(Example): limit max encrypted data keys #245

Open
wants to merge 4 commits into
base: master
Choose a base branch
from
Open

feat(Example): limit max encrypted data keys #245

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
855b8cb
feat(Example): limit max encrypted data keys
texastony May 10, 2022
f82ff13
fix(example): remove comment syntax
texastony Jun 15, 2022
74b2e62
Merge branch 'master' into feat-example-limit-EDKs
texastony Jun 15, 2022
e3c9961
Merge branch 'master' into feat-example-limit-EDKs
texastony Jul 30, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
72 changes: 72 additions & 0 deletions examples/templates/configuration/limit-encrypted-data-keys.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,72 @@
[//]: # "Copyright Amazon.com Inc. or its affiliates. All Rights Reserved."
[//]: # "SPDX-License-Identifier: CC-BY-SA-4.0"

# Limit Encrypted Data Kays example

Implementations of this example MUST follow the rules defined in
[Example Templates](../../../examples.md#example-templates).

## Implementations

- [NET](https://github.com/aws/aws-encryption-sdk-dafny/blob/mainline/aws-encryption-sdk-net/Examples/LimitEncryptedDataKeysExample.cs)

## Definitions

### Conventions used in this document

The key words
"MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL"
in this document are to be interpreted as described in
[RFC 2119](https://tools.ietf.org/html/rfc2119).

## Header

```
Limiting encrypted data keys is most valuable when you are decrypting
messages from an untrusted source.
By default, the ESDK will allow up to 65,535 encrypted data keys.
A malicious actor might construct an encrypted message with thousands of
encrypted data keys, none of which can be decrypted.
As a result, the AWS Encryption SDK would attempt to decrypt each
encrypted data key until it exhausted the encrypted data keys in the message.
```

## Summary

```
Demonstrate limiting the number of Encrypted Data Keys [EDKs] allowed
when encrypting or decrypting a message.
```

## Inputs

- **plaintext**:
Plaintext to encrypt

- **maxEncryptedDataKeys**:
Maximum number of encrypted data keys an encrypted message may have.

## Steps

1. Instantiate the EncryptionSDK with MaxEncryptedDataKeys.

2. Create a multi-keyring with maxEncryptedDataKeys keys

```
We will use a helper method to create a Multi Keyring with `maxEncryptedDataKeys` AES Keyrings
```

3. Encrypt the plaintext data with the multi-keyring

4. Decrypt the encrypted data using the multi-keyring you used on encrypt.

5. Demonstrate that the decrypted plaintext is identical to the original plaintext.

6. Demonstrate that an EncryptionSDK with a lower MaxEncryptedDataKeys will fail to decrypt the encrypted message.

```
Instantiate the EncryptionSDK with a lower MaxEncryptedDataKeys
...
Repeat the earlier decryption steps, proving that they fail
```
Loading