arrow

Use Alibaba Cloud KMS To Simulate Data Encryption

1. Experiment

1.1 Knowledge points

This experiment involves Alibaba Cloud Key Management Service (KMS), which is a secure and easy-to-use management service provided by Alibaba Cloud. KMS allows you to use keys securely and conveniently and focus on developing encryption and decryption functions, without having to spend a great deal in protecting the confidentiality, integrity, and availability of keys. This experiment describes two methods to use KMS: Alibaba Cloud command-line interface (CLI) and SDK. In SDK mode, Flask, a microframework written in Python, is used to simulate a simple process of data encryption between server and client.

1.2 Experiment process

  • Install and configure Alibaba Cloud CLI
  • Use Alibaba Cloud CLI to demonstrate the encryption and decryption functions of KMS
  • Use the Python SDK for KMS to simulate data encryption between client and server

1.3 Cloud resources required

  • ECS
  • KMS

1.4 Prerequisites

  • You have understood the basic concept of ECS.

2. Start the experiment environment

Click Start Lab in the upper right corner of the page to start the experiment.

image desc.

After the experiment environment is successfully started, the system has deployed resources required by this experiment in the background, including the ECS instance, RDS instance, Server Load Balancer instance, and OSS bucket. An account consisting of the username and password for logging on to the Web console of Alibaba Cloud is also provided.

image desc

After the experiment environment is started and related resources are properly deployed, the experiment starts a countdown. You have an hour to perform experimental operations. After the countdown ends, the experiment stops, and related resources are released. During the experiment, pay attention to the remaining time and arrange your time wisely. Next, use the username and password provided by the system to log on to the Web console of Alibaba Cloud and view related resources:

openCole

Go to the logon page of Alibaba Cloud console.

image desc

Fill in the sub-user account and click Next.

image desc

Fill in the sub-user password and click Log on.

image desc

After you successfully log on to the console, the following page is displayed.

image desc

3. Install and configure AliyunCli

3.1 Log in to ECS

Click Elastic Compute Service, as shown in the following figure.

image desc

We can see one running ECS instance in Silicon Valley region.

image desc

Copy this ECS instance’s Internet IP address and remotely log on to this ECS (Ubuntu system) instance. For details of remote login, refer to login

image desc

The default account name and password of the ECS instance:

Account name: root

Password: nkYHG890..

3.2 Install AliyunCli

AliyunCli tool is available in two language versions: go and python, and can be installed on Linux or Windows. For this demonstration we will install AliyunCli in python on Ubuntu16.04.

In this experiment, an ECS using Ubuntu16.04 is automatically created. It comes with a python environment and pip (python package management tool), so we can use pip to install AliyunCli right away.

After you log on to the system, enter the following commands to check your pip version

pip3 --version

image desc

We can see that our version is 20.0.2, which is usable.

Execute the following commands to download the Alibaba Cloud command line tool.

wget https://labex-ali-data.oss-us-west-1.aliyuncs.com/kms/aliyun-cli-linux-3.0.90-amd64.tgz

image desc

Enter the following command to decompress the installation package.

tar -zxvf aliyun-cli-linux-3.0.90-amd64.tgz

image desc

Enter the following command to move the decompressed “aliyun” executable file to the “/usr/local/bin” directory.

mv aliyun /usr/local/bin

image desc

Enter the following command to check whether the installation is complete.

aliyun --help

image desc

3.3 Configure AliyunCli

After the command line tool is installed, you first need to configure your access key ID and access key secret. Such information is required to call Open API.

As shown below, click AccessKey Management.

image desc

Click Create AccessKey. After AccessKey has been created successfully, AccessKeyID and AccessKeySecret are displayed. AccessKeySecret is only displayed once. Click Download CSV FIle to save the AccessKeySecret

image desc

Go back to the terminal to enter the following commands, 

aliyun configure --profile akProfile

and then enter the access key ID, access key secret, us-west-1 (default area ID),json (default output format).

image desc

4. Use Alibaba Cloud CLI to demonstrate the encryption and decryption functions of KMS

Select Key Management Service

image desc

Select US West 1 (Silicon Valley). A key is available and will be used for subsequent data encryption.

image desc

If the user sees one or more KeyIDs whose status is “Pending Deletion”, which is normal, please select the KeyID of the “Enabled” state.

image desc

Return to the ECS terminal and enter the following command to check all the keys under the current account:

aliyun kms ListKeys

image desc

Currently, only one key is available. If the user sees multiple keys here, please carefully compare the key of the console and select the key with the status “Enabled”.

Copy the key ID and enter the following command (replace YOUR-KEY-ID with your key ID) to show the key details:

aliyun kms DescribeKey --KeyId YOUR-KEY-ID

image desc

Enter the following command to encrypt “this is a course of labex” (replace YOUR-KEY-ID with your key ID):

aliyun kms Encrypt --KeyId YOUR-KEY-ID --Plaintext "this is a course of labex"

image desc

In the preceding figure, the text underlined in red is encrypted.

Copy the ciphertext and enter the following command to decrypt the ciphertext (replace YOUR-CIPHERTEXT-BLOB with your ciphertext, respectively):

aliyun kms Decrypt --CiphertextBlob YOUR-CIPHERTEXT-BLOB

image desc

Enter the following command (replace YOUR-KEY-ID with your key ID) to generate a data key using the key ID:

aliyun kms GenerateDataKey --KeyId YOUR-KEY-ID

image desc

<font color='red'>The user can cut off the above result picture when doing the experiment and send it to the teacher, indicating that the part of the current chapter has been completed.</font>

The command returns a plaintext Plaintext and a ciphertext CiphertextBlob of the data key.

The usage of the data key is described in Step 5.

Enter the following command to query the operation commands supported by KMS on Alibaba Cloud CLI:

aliyun kms help

image desc

Enter the following command to query the parameters supported by a word command (CreateKey is used as an example):

aliyun kms CreateKey help

image desc

5. Use the Python SDK for KMS to simulate data encryption between client and server

5.1 Use a data key to encrypt and decrypt data locally

You can directly call the KMS API, use the specified CMK to generate and decrypt the data key, and use the data key for local data encryption and decryption. This scenario applies to mass data encryption and decryption. You do not need to transmit mass data through the network, realizing mass data encryption and decryption at low cost.

image desc

Encryption procedure:

  1. Create a CMK.
  2. Call the KMS GenerateDataKey interface to generate data keys. You can obtain a plaintext data key and a ciphertext data key.
  3. Use the plaintext data key to encrypt the file and generate a ciphertext file.
  4. Save the ciphertext data key and the ciphertext file to a persistent storage device or service.

image desc

Decryption procedure:

  1. Read the ciphertext data key and the ciphertext file from the persistent storage device or service.
  2. Call the KMS Decrypt interface to decrypt the ciphertext data key to obtain the plaintext data key.
  3. Use the plaintext data key to decrypt the file.

Example

image desc

5.2 Use the Flask microframework to simulate data encryption between client and server

The Flask microframework is required during the experiment. Flask is a micro web framework written in Python. During the experiment, the server running on Flask is started to exchange data with a client.

Enter the following command to install Flask: 

pip3 install Flask

image desc

Type the following command to install python dependencies.

pip3 install pycrypto

image desc

Enter the following command to install the python dependency package of Alibaba Cloud KMS.

pip3 install aliyun-python-sdk-kms

image desc

Enter the command vim /usr/local/lib/python3.8/dist-packages/Crypto/Random/_UserFriendlyRNG.py to open the file, refer to the figure below, and replace the “clock” method with “perf_counter”. Save and exit. Because the “clock” method is no longer supported in python3.8.

image desc

Enter the command vim .vimrc, copy the following content to the file, save and exit. It is used to turn off the automatic indentation function of the vim editor, which is convenient for copying code into the file in the background.

set paste

image desc

Enter the “vim server.py” command to create a file named server.py.

from flask import Flask,request
from aliyunsdkcore import client
from aliyunsdkkms.request.v20160120 import GenerateDataKeyRequest
from aliyunsdkkms.request.v20160120 import DecryptRequest
import json,base64
from Crypto.Cipher import AES

app = Flask(__name__)

accesskeyid = "YOUR-KEY-ACCESS-ID"
accesssecret = "YOUR-KEY-ACCESS-SECRET"
keyid = "YOUR-KEY-ID"
regionid = "us-west-1"

def createdatakey():
    clt = client.AcsClient(accesskeyid, accesssecret, regionid)
    genrequest = GenerateDataKeyRequest.GenerateDataKeyRequest()

    genrequest.set_KeyId(keyid);
    genrequest.set_KeySpec("AES_256") # or AES_128
    genrequest.set_accept_format("json")
    genrequest.set_protocol_type("https")
    genresp = clt.do_action_with_exception(genrequest)

    datakeydict = json.loads(genresp)
    datakey = base64.b64decode(datakeydict["Plaintext"]) #here we got the datakey with plaintext
    cipherdatakey = datakeydict["CiphertextBlob"] # here we got encrypted datakey

    return cipherdatakey

def decryptdata(ciphertext, cipherdatakey):
    clt = client.AcsClient(accesskeyid, accesssecret, regionid)
    decrequest = DecryptRequest.DecryptRequest()
    decrequest.set_CiphertextBlob(cipherdatakey)
    decrequest.set_accept_format("json")
    decrequest.set_protocol_type("https")

    decresp = clt.do_action_with_exception(decrequest)
    plaintext = json.loads(decresp)
    datakey = base64.b64decode(plaintext["Plaintext"])  # get plaintext datakey back

    cipherfile = base64.b64decode(ciphertext)
    iv = cipherfile[:AES.block_size]
    aes = AES.new(datakey,AES.MODE_CBC, iv)
    return aes.decrypt(cipherfile[AES.block_size:]).decode('utf-8') #use datakey to decrypt the content of file: cipherfile.txt and print it out 

@app.route('/')
def index():
    return 'Hello Flask!\n'

@app.route('/applyDataKey')
def applyDataKey():
    return createdatakey() + "\n"

@app.route("/sendEncryptedData",methods = ['GET',"POST"])
def sendEncryptedData():
    if request.method == "POST":
        ciphertext = request.form["ciphertext"]
        cipherdatakey = request.form["cipherdatakey"]
        print ("After decryption:" + decryptdata(ciphertext, cipherdatakey))
        return "decryptdata success"
    return "decryptdata fail, Methods is error"

if __name__ == '__main__':
    app.run(host='0.0.0.0',port=80)

Copy the preceding code to the server.py file (replace YOUR-KEY-ACCESS-ID, YOUR-KEY-ACCESS-SECRET, and YOUR-KEY-ID with yours).

image desc

Exit and save the changes.

Enter the “vim client.py” command to create a file named client.py.

#!/usr/bin/python
#coding:utf-8
import sys,requests,json
from aliyunsdkcore import client
from aliyunsdkkms.request.v20160120 import DecryptRequest
from Crypto.Cipher import AES
from Crypto import Random
import base64

accesskeyid = "YOUR-KEY-ACCESS-ID"
accesssecret = "YOUR-KEY-ACCESS-SECRET"
regionid = "us-west-1"

def aes256pad(s):
    return s + (32 - len(s) % 32) * chr(32 - len(s) % 32)

def send(ciphertext, cipherdatakey):
    url = "http://YOUR-ECS-IP/sendEncryptedData"
    payload={'ciphertext': ciphertext,
             'cipherdatakey': cipherdatakey}
    files=[
    ]
    headers = {}
    response = requests.request("POST", url, headers=headers, data=payload, files=files)
    print(response.text)

if __name__ == "__main__":
    content = sys.argv[1]
    cipherdatakey = sys.argv[2]

    clt = client.AcsClient(accesskeyid, accesssecret, regionid)
    decrequest = DecryptRequest.DecryptRequest()
    decrequest.set_CiphertextBlob(cipherdatakey)
    decrequest.set_accept_format("json")
    decrequest.set_protocol_type("https")

    decresp = clt.do_action_with_exception(decrequest)
    plaintext = json.loads(decresp)
    datakey = base64.b64decode(plaintext["Plaintext"])  # get plaintext datakey back

    iv = Random.new().read(AES.block_size)
    cipher = AES.new(datakey, AES.MODE_CBC, iv) #use daatakey to initiate an object
    filedata =aes256pad(content)
    cipherfile = base64.b64encode(iv + cipher.encrypt(filedata)) #encrypt the content
    print(cipherfile)
    send(str(cipherfile, encoding="utf-8"), cipherdatakey)

Copy the preceding code to the client.py file (replace YOUR-KEY-ACCESS-ID, YOUR-KEY-ACCESS-SECRET, and YOUR-ECS-IP with yours).

image desc

Exit and save the changes.

Enter the “ls” command to show the two files you have just created.

image desc

Enter the following command to start the server:

python3 server.py

image desc

Enter the IP address of your ECS instance in a web browser. If the following message appears, the server has started properly:

image desc

Initiate another remote connection to the ECS terminal.

Enter the following command (replace YOUR-ECS-IP with yours) to obtain data key ciphertext from the server:

curl http://YOUR-ECS-IP/applyDataKey

image desc

The command returns the data key ciphertext created on the server.

Enter the following command to encrypt “password:aliyun-test” and send it to the server. (Replace YOUR-DATAKEY-CIPHERTEXT with the data key ciphertext.)

python3 client.py password:aliyun-test YOUR-DATAKEY-CIPHERTEXT

image desc

In the preceding figure, the first arrow indicates the ciphertext sent to the server.

The second arrow indicates that the server has received and parsed the ciphertext.

Return to the first remote connection terminal. The ciphertext has been received and parsed into plaintext by the server.

image desc

<font color='red'>Users can cut off the above result picture when they are doing the experiment and send it to the teacher, indicating that the current experiment has been completed.</font>

The preceding experiment verifies that data is exchanged as ciphertext between client and server to protect against hacking.

Reminder:
Before you leave this lab, remember to log out your Alibaba RAM account before you click the ‘stop’ button of your lab. Otherwise you’ll encounter some issue when opening a new lab session in the same browser:

image desc image desc

6. Experiment summary

This experiment shows two use cases of Alibaba Cloud KMS. The first uses a customer master key (CMK) to encrypt and decrypt data directly. The second uses the data key generated by a CMK to encrypt and decrypt data locally. The second use case is suitable for encrypting and decrypting large volumes of data. This experiment also simulates the data exchange between client and server. The process of Encryption and decryption is more complex in a production environment. For more information, read the KMS documentation and other encryption and decryption models.