0

I am trying to achieve AWS KMS envelope encryption on both iOS and Android. From the KMS API I get a 256 bit data key in both plaintext and encrypted forms (encrypted by a master key held only on KMS HSMs).

Right now, I am using iOS CommonCrypto and Android's built-in Cryptography library to encrypt sensitive data fields with AES-256-CBC.

This data is then sent over TLS to the server. Eventually, the events containing the encrypted fields are read out into into a secure ETL process where the fields are decrypted for analysis.

The reason I am encrypting on-device is so that the events may flow through existing data analytics infrastructure that isn't built to handle sensitive data. I want to do this without including additional dependencies to my client-side code.

Is CBC an appropriate choice for this? It is unclear to me if I need GCM for this. I can't find a good way to implement AES-GCM on any version of iOS except the latest one, v13.

Am I missing a more obvious design here to meet my needs?

Dan
  • 101
  • 1
  • realted : Use a AWS KMS AES-GCM key with AES-CBC algorithm from iOS CommonCrypto – kelalaka Sep 24 '19 at 22:09
  • 3
    You should always use an authenticated cipher like AES-GCM or crypto_secretbox_xsalsa20poly1305 and never an unauthenticated cipher like AES-CBC unless you have a particular reason to use an unauthenticated cipher in an unusual application. More details on the difference between the security contracts of these two beasts. What cryptography might available to you in your circumstances is a programming question beyond the scope of this site, though. – Squeamish Ossifrage Sep 24 '19 at 22:40
  • Thanks @SqueamishOssifrage that post is great. I don't think my use-case necessarily needs authentication/anti-forgery but I'm not sure. Giving that, and the existence of things like padding oracle attacks, it looks like I should use GCM even though it substantially complicates implementation. – Dan Sep 25 '19 at 14:58
  • If you're not sure, you should assume you need an authenticated cipher. Neglecting authentication can lead you to inadvertently leak secrets—this has happened in real-world protocols, like OpenPGP and S/MIME with EFAIL. – Squeamish Ossifrage Sep 25 '19 at 15:03
  • AES-GCM is not the only authenticated cipher, of course. If you have a NaCl binding, there's crypto_secretbox_xsalsa20poly1305. In a pinch, as long as you're careful about it, AES256-CTR/HMAC-SHA256 in encrypt-then-MAC composition serves too. Just make sure to record some known-answer test vectors that you verify on startup. That said, if whatever library you're relying on has only AES-CBC and no authenticated ciphers, that's evidence that it's a bad library you should maybe reconsider using. – Squeamish Ossifrage Sep 25 '19 at 15:13

0 Answers0