The system encrypting the password (i.e. the client) must do this in such a way that the decrypting code in Airlock IAM can decrypt it and that the supplied data can be processed in AWS KMS.
The client will receive these additional attributes as part of REST responses if the next step supports end-to-end encryption (e.g. password check). The client must use this information when preparing the E2EE request.
The REST Documentation details which next step codes may contain this information.
"e2eEncryptionInformation": {
"type": "KMS", // describes which E2E implementation is used - for AWS KMS, the type is always KMS
"publicKey": "XsrV3n0bqLUah+HS6S..." // example base64 encoded public key - this key corresponds to the in IAM configured "RSA Asymmetric Key ARN" - see AWS for more information on the public key format
"algorithm": "RSAES_OAEP_SHA_1" | "RSAES_OAEP_SHA_256", // the algorithm used depends on IAM and AWS configuration
"nonce": "p2oE-RbbU1cpy710AeVcdImgwfIXDIg8kMtxXqq2sDw=" // random value to be used in the additional authentication data of the AES-GCM encryption
}
Expected Request Format
The expected JSON Request Body is described in the REST API documentation provided by AWS KMS. Instead of sending the plaintext password in the corresponding JSON fields, an encrypted BLOB is expected. See the following example:
POST /rest/public/authentication/password/check/
{
"username": "bob"
"password": "{"password":"EKuZUtS9nm/jVDxVQQ2SVeh/6Yc=","key":"uhZV5rStmYPEDGiUa6dZsYjHfPTZD9ueYNEo4zh59JhUL5biTskg7TYXz/6NU1fBgE2tVtAhRTb0OfasJfuKT97ebgt3T3AOUcV7V8G3xtZsF12pueuEsUmhqzwN9kXzDMYKX7Qbdsdx0A7klgfMuvsRwCxAV8h6S5XvHP13Sn9dcgt24a5mmXmaYATgNX1Apfj9nP/FIMUHEGrnmOvx+8R3KLjO143T+RI1jFrokANVp9iAaW2XHpX/r66cUOSHal2cfHyK80SNCWJAMkPyd9xtYMY+mvWN2vIzDXkkIbOllubpzvMqof3vXWgtsvrNaDzJFA23PkyAcX/Oe3vLAw==","iv":"7FS4pExf0SPNABE9"}"
}
IAM expects the client to encrypt the password in a defined way and provide the used encryption data in a defined format. Clients can implement the following algorithm:
- Generate a symmetric one-time AES-GCM 256 key and a random 12 byte IV (initialization vector) for one-time encryption
- Encrypt the plaintext password with the generated AES-GCM 256 key, the IV and a random nonce. Base64 encode the result and add it as
password
attribute to the request. - Encrypt the one-time AES-GCM key with the provided RSA public key and algorithm (see e2eEncryptionInformation in REST response). Base64 encode it and add it as
key
attribute to the request. - Base64 encode the initialization vector and add it as
iv
attribute to the request.
Example of the expected JSON BLOB contained in the "password" field of the password-check request:
{
"password" // plaintext password encrypted with an AES-GCM 256 symmetric key and IV (key and IV generated on the client)
"key" // AES-GCM 256 symmetric key encrypted with the RSA public key received from IAM in e2eEncryptionInformation
"iv" // 12 byte initialization vector (generated on client)
}
If the REST request has multiple E2EE fields, e.g. on password change, each password needs to be encrypted individually.