1
votes

I am trying to encrypt my sensitive data, like user email addresses, in the database using an AWS KMS CMK. I am using the AWS SDK in Java.

I have encrypted the field and stored it in the database.

I can also decrypt the data.

But the main problem comes when I have to query the data, as I am getting back AWS SdkBytes and I am converting them to base 68 and storing that.

Why does AWS always return different SDK bytes for the same data after encryption? I can't simply search through the data. I have to fetch the whole list, decrypt the data and then match it. It is taking a lot of time.

Please suggest a good way to encrypt the data using AWS CMK keys.

Thanks Ankit

2
You probably mean base 64. - Marek Puchalski

2 Answers

1
votes

Encryption, when done properly, is never deterministic. Being deterministic and always encrypting [email protected] to fa3GeFi2nb52JH0 would be a weakness, as it would leak information (if you find two equal ciphertexts, then you know that they hold the same plaintext; you don't know the exact value, but you know it is the same). Technically you do it with a random value named the IV (initialization vector) being passed to the encryption process, but let's not dig deeper.

So, how to deal with your case. You can either:

  • accept it the way it is now,
  • say you want your encryption to be deterministic even at the cost of being weaker and leaking data.

How to make encryption deterministic? Use a constant IV value. I don't know if this can be done in AWS and how, but that would be the easiest way to go.

0
votes

By using KMS in this way you're performing client-side encryption, which puts the responsibility on you to decrypt after you have retrieved the data.

At the current time there are no implementations explicitly for using KMS keys within SQL operations, the only support is for encryption at rest of the file storage.

Your options are:

  • Switch to native MySQL encryption
  • Switch from encrypted to hash to match (not ideal) for this field.
  • Perform post processing after narrowing down to decrypt.
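The following is an added example, not code from either answer or from the original question, showing the pattern both answers circle around: keep the email column under randomized encryption (so equal plaintexts still produce different ciphertexts, as the first answer explains) and add a second, keyed "blind index" column that the database can match on (the "hash to match" option in the second answer, done with an HMAC rather than a bare hash). It uses javax.crypto only; the AES data key and the separate HMAC index key are generated locally as stand-ins for keys you would obtain from KMS (for example via GenerateDataKey) in production, and the in-memory Map is a constructed stand-in for the database table. Class and method names are assumptions for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class SearchableEmail {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int NONCE_BYTES = 12; // 96-bit GCM nonce, fresh per call
    private static final int TAG_BITS = 128;

    // Randomized encryption: a new nonce every time, so the same email never
    // produces the same ciphertext. Output layout: nonce || ciphertext || tag.
    static byte[] encrypt(SecretKey dataKey, String plaintext) throws Exception {
        byte[] nonce = new byte[NONCE_BYTES];
        RNG.nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, dataKey, new GCMParameterSpec(TAG_BITS, nonce));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    static String decrypt(SecretKey dataKey, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, dataKey, new GCMParameterSpec(TAG_BITS, blob, 0, NONCE_BYTES));
        byte[] pt = c.doFinal(blob, NONCE_BYTES, blob.length - NONCE_BYTES);
        return new String(pt, StandardCharsets.UTF_8);
    }

    // Blind index: HMAC-SHA256 over the normalised email under a key that is
    // separate from the data key. Deterministic, so it can sit in an indexed
    // column and be matched with a plain equality query; without the index key
    // an attacker cannot build a lookup table of guessed addresses.
    static String blindIndex(SecretKey indexKey, String email) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(indexKey);
        String normalised = email.trim().toLowerCase(Locale.ROOT);
        return Base64.getEncoder().encodeToString(mac.doFinal(normalised.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        // Stand-ins for keys that would come from KMS in production (assumption).
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey dataKey = kg.generateKey();
        byte[] ik = new byte[32];
        RNG.nextBytes(ik);
        SecretKey indexKey = new SecretKeySpec(ik, "HmacSHA256");

        // Constructed stand-in for the table: blind index -> base64 ciphertext.
        Map<String, String> table = new HashMap<>();
        String email = "Ankit@Example.com";
        String c1 = Base64.getEncoder().encodeToString(encrypt(dataKey, email));
        String c2 = Base64.getEncoder().encodeToString(encrypt(dataKey, email));
        System.out.println("same plaintext gives same ciphertext? " + c1.equals(c2));
        table.put(blindIndex(indexKey, email), c1);

        // Lookup: compute the index of the search term, fetch only that row,
        // and decrypt just that one value instead of the whole list.
        String row = table.get(blindIndex(indexKey, "ankit@example.com"));
        boolean found = row != null
                && decrypt(dataKey, Base64.getDecoder().decode(row)).equals(email);
        System.out.println("found by blind index and decrypted: " + found);
    }
}
```

In a real schema the blind index goes in its own indexed column next to the ciphertext column, and `WHERE email_idx = ?` replaces the fetch-everything-and-decrypt loop; the HMAC key must be managed with the same care as the data key, since whoever holds it can test whether a given address is present.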