
Data Encryption Keys and Key Encryption Keys

I hope someone can help me to understand how DEK and KEK work in layman's terms.

This is my understanding so far:

Part 1: Uploaded data is stored in chunks. Each chunk is encrypted with a DEK. The DEK is stored near the chunked data.
Part 2: The DEK of the data chunk is wrapped with a KEK.
Part 3: The KEK is stored in a KMS.

This sentence from Google's course material really tripped me up:

The wrapped data encryption keys are then stored with this data

My brain goes crazy with these questions:

  1. What are these wrapped data encryption keys? Isn't that the KEK in part 2?
  2. If that's the KEK in part 2, shouldn't that be in the KMS?
  3. If yes, does the KMS store data?
  4. If no, how many DEKs does a chunk of data have? 2 DEKs?
  5. What keys do we (users/customers) keep?
  6. We store the data with which keys?

What are these wrapped data encryption keys? Isn't that the KEK in part 2?

The wrapped DEK is the result of encrypting the DEK with the KEK. The key encryption key is called that because it encrypts (data encryption) keys.

If that's the KEK in part 2, shouldn't that be in the KMS?

Does the KMS store data?

No. As the name suggests, a key management system only stores keys, and specifically KEKs.

How many DEKs does a chunk of data have? 2 DEKs?

One. Data is encrypted only once, so there is only one key.

What keys do we (users/customers) keep?

Only the KEK. When using a KMS, not even that key is known to you, the user of the KMS.

We store the data with which keys?

With the wrapped DEK.

Here is a concrete example:

Data (i.e. plaintext): yellow submarine
KEK (aka master key): my-secret-master
DEK (randomly generated for each piece of data): ttlly-random-dek

Ciphertext: Base64(AES(Data, DEK)) = TJ4SLFTy0sMdvGe55QCuYQ==
Wrapped DEK: Base64(AES(DEK, KEK)) = lOEmql1JuSONZ8uLorc/vQ==

The second operation is done by the KMS, if there is one (it has to be, because it is the only one in possession of the KEK, and it will never disclose it).

What you store together: TJ4SLFTy0sMdvGe55QCuYQ== and lOEmql1JuSONZ8uLorc/vQ==.

And to reconstruct the plaintext given TJ4SLFTy0sMdvGe55QCuYQ== + lOEmql1JuSONZ8uLorc/vQ==:

DEK: AES'(Base64'(lOEmql1JuSONZ8uLorc/vQ==), KEK) // = ttlly-random-dek
Plaintext: AES'(Base64'(TJ4SLFTy0sMdvGe55QCuYQ==), DEK)

The first operation is done by the KMS if there is one (again, it has to be, because the KEK is involved).

In the example above I conveniently chose 16 bytes of data and 16-byte keys, so I could gloss over block cipher modes and IVs/nonces. In practical applications the IVs for each encryption have to be retained as well, of course.

Note that the KMS never sees your data, and it only has to encrypt and decrypt tiny amounts. That is why we do all of this; only you, the owner of the data, ever see it in plaintext (assuming the KMS is an honest party, obviously).
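The envelope scheme described in the answer, carried through with the IV handling the answer glosses over, as an added example that is not part of the original question or answer and not Google's or any KMS vendor's code. The `KMS` struct is a constructed stand-in for a key management service: it holds the KEK and exposes only wrap and unwrap, and never touches chunk data. It uses AES-256-GCM for both the data encryption and the DEK wrapping (a design choice for this example, in place of the raw AES in the answer) so that each operation carries its own random nonce with the ciphertext and any tampering or wrong key is detected on decryption. The `"yellow submarine"` input is the answer's sample data; keys are freshly random on every run.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// KMS is a constructed stand-in for a key management service. It holds the
// KEK and exposes only WrapDEK/UnwrapDEK; it never sees chunk data.
type KMS struct {
	kek []byte // 32-byte AES-256 key; never leaves this struct
}

// NewKMS generates a fresh random KEK.
func NewKMS() (*KMS, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KMS{kek: kek}, nil
}

// seal encrypts with AES-256-GCM under a fresh random nonce and returns
// nonce || ciphertext || tag, so the IV is retained next to the ciphertext.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails if the key is wrong or any byte was modified.
func open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// WrapDEK and UnwrapDEK are the only two operations the KMS performs. The AAD
// label binds the blob to its purpose so a wrapped DEK cannot be passed off
// as some other ciphertext encrypted under the KEK.
func (k *KMS) WrapDEK(dek []byte) ([]byte, error)    { return seal(k.kek, dek, []byte("wrapped-dek")) }
func (k *KMS) UnwrapDEK(blob []byte) ([]byte, error) { return open(k.kek, blob, []byte("wrapped-dek")) }

// Chunk is what the storage layer keeps: ciphertext and wrapped DEK side by side.
type Chunk struct {
	Ciphertext []byte // AES-GCM(data, DEK), nonce prepended
	WrappedDEK []byte // AES-GCM(DEK, KEK), nonce prepended; produced by the KMS
}

// EncryptChunk draws a random DEK, encrypts the data locally, asks the KMS to
// wrap the DEK, then wipes the plaintext DEK. The KMS never sees the data.
func EncryptChunk(k *KMS, data []byte) (*Chunk, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := seal(dek, data, nil)
	if err != nil {
		return nil, err
	}
	wrapped, err := k.WrapDEK(dek)
	if err != nil {
		return nil, err
	}
	for i := range dek { // plaintext DEK is no longer needed
		dek[i] = 0
	}
	return &Chunk{Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// DecryptChunk asks the KMS to unwrap the DEK, then decrypts locally.
func DecryptChunk(k *KMS, c *Chunk) ([]byte, error) {
	dek, err := k.UnwrapDEK(c.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("KMS refused to unwrap DEK: %w", err)
	}
	return open(dek, c.Ciphertext, nil)
}

func main() {
	kms, _ := NewKMS()
	c, _ := EncryptChunk(kms, []byte("yellow submarine")) // the answer's sample data
	fmt.Println("ciphertext: ", base64.StdEncoding.EncodeToString(c.Ciphertext))
	fmt.Println("wrapped DEK:", base64.StdEncoding.EncodeToString(c.WrappedDEK))
	pt, err := DecryptChunk(kms, c)
	fmt.Println(string(pt), err)
}
```

The two blobs printed by `main` are exactly what the answer says you store together; a second `KMS` instance (a different KEK) cannot unwrap the DEK, and flipping one byte of either blob makes decryption fail instead of returning garbage.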
