Envelope Encryption
Script error: No such module "Draft topics".
Script error: No such module "AfC topic".
Envelope encryption is a term used by cloud service providers to describe their usage of key encapsulation. Envelope encryption is a cryptographic technique for encrypting data used by all major cloud service providers. In envelope encryption, one key (and encryption algorithm) are used to encrypt another key, which is used to encrypt data (with a potentially different encryption algorithm).[1] This technique potentially allows for better performance and security, since a potentially more secure but slower asymmetric algorithm can be used to encrypt a short key used to encrypt the data, while the actual data can be encrypted with a faster, symmetric algorithm. Envelope encryption is used as part of centralized key management systems in cloud computing.[2]
Implementation[edit]
In envelope encryption, there are two types of keys: Data Encryption Keys (abbreviated DEK, and used to encrypt data) and Key Encryption Keys (abbreviated KEK, and used to encrypt the DEKs). In a cloud environment, encryption with envelope encryption involves generating a DEK locally, encrypting one's data using the DEK, and then issuing a request to wrap (encrypt) the DEK with a KEK stored in a potentially more secure service. Then, this wrapped DEK and encrypted message constitute a ciphertext for the scheme. To decrypt a ciphertext, the wrapped DEK is unwrapped (decrypted) via a call to a service, and then the wrapped DEK is used to decrypt the encrypted message.[3] Such a scheme can combine the advantages of different cryptographic algorithms. Symmetric encryption (often used for the DEK) is faster and can produce smaller ciphertexts. Asymmetric encryption (often used for the KEK) provides easier key management and separation of roles, but can be slower.[2]
Use in key management systems[edit]
In cloud systems, such as Google Cloud Platform and Amazon Web Services, a key management system (KMS) can be available as a service.[2][3][4] In some cases, the key management system will store keys in hardware security modules, which are hardware systems that protect keys with hardware features like intrusion resistance.[5] This means that KEKs can also be more secure because they are stored on secure specialized hardware.[2] Envelope encryption makes centralized key management easier because a centralized key management system only needs to store KEKs, which occupy less space, and requests to the KMS only involve sending wrapped and unwrapped DEKs, which use less bandwidth than transmitting entire messages. Since one KEK can be used to encrypt many DEKs, this also allows for less storage space to be used in the KMS. This also allows for centralized auditing and access control at one point of access.[3]
References[edit]
- ↑ Albertini, Ange; Duong, Thai; Gueron, Shay; Kölbl, Stefan; Luykx, Atul; Schmieg, Sophie (November 17, 2020). "How to Abuse and Fix Authenticated Encryption Without Key Commitment". USENIX Security 2022 – via Cryptology ePrint Archive.
- ↑ 2.0 2.1 2.2 2.3 "AWS KMS concepts - AWS Key Management Service". docs.aws.amazon.com. Retrieved 2021-12-30.
- ↑ 3.0 3.1 3.2 "Envelope encryption | Cloud KMS Documentation". Google Cloud. Retrieved 2021-12-30.
- ↑ "What is envelope encryption? - FAQ| Alibaba Cloud Documentation Center". www.alibabacloud.com. Retrieved 2021-12-30.
- ↑ Editor, CSRC Content. "Hardware Security Module (HSM) - Glossary | CSRC". csrc.nist.gov. Retrieved 2022-01-23.
This article "Envelope Encryption" is from Wikipedia. The list of its authors can be seen in its historical and/or the page Edithistory:Envelope Encryption. Articles copied from Draft Namespace on Wikipedia could be seen on the Draft Namespace of Wikipedia and not main one.