0
votes

I am trying to encrypt confidential and sensitive data using the Google Cloud Key Management Service (KMS) Python API. I noticed that in every iteration after the encryption, the same key for the exact same input text generates different encrypted ciphertext. I mean, for the same input text, I am getting different encrypted ciphertext.

My questions are:

  1. Why did the encrypted ciphertext change? How do I get the same encrypted ciphertext/value for the same input?
  2. How do I control the length of the encrypted ciphertext?

Here is the Python code I used:

from google.cloud import kms

client = kms.KeyManagementServiceClient()
# Resource name of the CryptoKey (or, as here, a specific CryptoKeyVersion) to encrypt with
name = 'projects/sandbox/locations/global/keyRings/encryptdecrypt-keyring/cryptoKeys/encryptdecrypt-key_v01/cryptoKeyVersions/1'
plaintext = b'hello123'  # The data to encrypt

enc1 = client.encrypt(request={'name': name, 'plaintext': plaintext})
ciphertext = enc1.ciphertext  # bytes; differs on every call even for identical plaintext

Ref:

1
IV, or Initialization Vector, prevents the same plaintext from generating the same ciphertext. en.wikipedia.org/wiki/Initialization_vector - John Hanley
It is a security feature that even with the same key and plaintext the ciphertext differs (it's called non-deterministic encryption). - Michael Fehr

1 Answer

2
votes

Yes, the system generates different ciphertext when encrypting the same input. This is an important security control for most encryption systems; it prevents the attack in which an attacker gets you to encrypt a particular message M so they can determine whether a ciphertext they have in hand, C, is also an encrypted copy of the same message M.

There are systems which offer consistent encryption outputs; the property is known as Deterministic Encryption. However, I would suggest consulting with a cryptography expert before selecting a mechanism; these tools are tricky.

We make no commitment as to the exact length of the encrypted ciphertext; if you have a need for that to be predictable, I'd like to know more about why and how we can help.

Thanks for using GCP and Cloud KMS!
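The following is an added, self-contained illustration of the two points in the question and the answer above: why a randomized nonce (IV) makes the same plaintext encrypt to different bytes, what "deterministic encryption" changes, and where the ciphertext length comes from. It is constructed for this page using only the Python standard library and is not Cloud KMS code, not the asker's code, and not the scheme KMS uses internally; the construction (an HMAC-SHA256 counter-mode keystream with an HMAC tag, and an SIV-style synthetic nonce for the deterministic variant) is an assumption chosen so the example runs offline.

```python
"""Constructed example: randomized vs. deterministic encryption, stdlib only.

Encrypt-then-MAC: keystream block_i = HMAC(k_enc, nonce || i); tag = HMAC(k_mac, nonce || body).
Layout of a ciphertext is nonce || body || tag, which also fixes its length.
"""
import hashlib
import hmac
import secrets
from typing import Optional

NONCE_LEN = 16   # per-message value ("IV") prepended to the ciphertext
TAG_LEN = 32     # HMAC-SHA256 authentication tag appended to the ciphertext


def _subkey(key: bytes, label: bytes) -> bytes:
    # Domain-separate one master key into independent keys for each purpose.
    return hmac.new(key, b"subkey:" + label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter mode: the keystream depends on the nonce, so a new nonce gives new bytes.
    k_enc = _subkey(key, b"enc")
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(k_enc, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Return nonce || body || tag. A fresh random nonce is drawn unless one is supplied."""
    if nonce is None:
        nonce = secrets.token_bytes(NONCE_LEN)   # randomized encryption: the normal case
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be %d bytes" % NONCE_LEN)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """Verify the tag before using the body; reject anything malformed or tampered."""
    if len(ciphertext) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    nonce = ciphertext[:NONCE_LEN]
    body = ciphertext[NONCE_LEN:len(ciphertext) - TAG_LEN]
    tag = ciphertext[len(ciphertext) - TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


def deterministic_nonce(key: bytes, plaintext: bytes) -> bytes:
    """SIV-style synthetic nonce: a keyed hash of the plaintext.

    Equal plaintexts get equal nonces and therefore equal ciphertexts. That is the
    property deterministic encryption gives up: anyone holding two ciphertexts can
    tell whether they hold the same value, which is exactly what the answer warns about.
    """
    return hmac.new(_subkey(key, b"siv"), plaintext, hashlib.sha256).digest()[:NONCE_LEN]


def ciphertext_length(plaintext_len: int) -> int:
    """Length is fixed by the layout: nonce + plaintext + tag (KMS makes no such promise)."""
    return NONCE_LEN + plaintext_len + TAG_LEN


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    pt = b"hello123"                       # same sample input as the question
    c1, c2 = encrypt(key, pt), encrypt(key, pt)
    print("randomized: identical ciphertext?", c1 == c2)
    n = deterministic_nonce(key, pt)
    print("deterministic: identical ciphertext?", encrypt(key, pt, n) == encrypt(key, pt, n))
    print("ciphertext length:", len(c1), "=", ciphertext_length(len(pt)))
```

Running it prints `False` for the randomized case and `True` for the deterministic one, and shows the 48 bytes of fixed overhead (16-byte nonce plus 32-byte tag) on top of the plaintext. The length is predictable here only because this toy layout is known; a managed service such as Cloud KMS can change its envelope format, which is why the answer declines to commit to a length.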