Signing >4096 byte Messages With KMS Asymmetric Key Pair


I'm looking to generate a digital signature HTTP response header for some of our REST APIs that return JSON. The original idea was to use KMS to store an asymmetric key pair (ECC_NIST_P256) and generate a signature given the response data and the ARN of the key pair that's stored. However, KMS will only sign 4096 bytes of data. For larger messages the guidance is to generate a message digest and sign that, but we need to sign the entire response.

So then I wanted to just use KMS to manage the keys and sign it "manually" via java.security classes in my application outside of KMS. However, if I'm going to do the signing I need the private key from the key pair, and so far it doesn't seem like there's a way for me to get at it (the API mentions the private key of an asymmetric key never leaves KMS unencrypted, and I don't see a method to get at it using the Java SDK). We probably could import an existing asymmetric key into KMS, but then I'd have to have some other way of getting the private key bytes when signing rather than going through KMS, so that wouldn't really help.

So is it not possible for me to digitally sign my >4096 byte responses with an asymmetric key pair in KMS without having to store the private key separately?

mford
asked 2 years ago, 822 views
1 Answer

You can use the GenerateDataKeyPair API to create a private/public key pair that you can use outside of AWS KMS. The private key is encrypted under a symmetric KMS key. To use the private key, you would need to call the Decrypt API on the private key to get the plaintext private key back. This solution works if your use case does not involve encrypting/decrypting within a FIPS boundary.

> For larger messages the guidance is to generate a message digest and sign that, but we need to sign the entire response.

Could you elaborate on this a little more? Curious to know why you need to sign the entire response. Also, how big is your response on average?

AWS
answered 2 years ago
  • Signing the entire response was the original API customer requirement, but after some inquiries we were able to get sign-off on generating a message digest and just signing that. FYI our responses are around 600-700K.
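
Added example, not part of the original thread: for ECDSA, signing the SHA-256 digest of a response yields a signature that a client verifies as an ordinary SHA256withECDSA signature over the entire body, so the digest route still covers every byte of the response. The class name is hypothetical and a locally generated P-256 key pair stands in for the KMS key so the code runs offline; with KMS, the NONEwithECDSA step would be a Sign call with MessageType=DIGEST and SigningAlgorithm=ECDSA_SHA_256.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.Signature;
import java.security.spec.ECGenParameterSpec;

// Hypothetical class name; the local key pair below is a stand-in for the KMS key.
public class DigestSignDemo {
    public static void main(String[] args) throws Exception {
        // Constructed sample: a ~640 KB JSON body, far above the 4096-byte Sign limit.
        String body = "{\"items\":[" + "\"x\",".repeat(160_000) + "\"x\"]}";
        byte[] response = body.getBytes(StandardCharsets.UTF_8);

        // Assumption: local P-256 key pair so the example needs no AWS access.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1"));
        KeyPair kp = kpg.generateKeyPair();

        // Server side: hash the full body locally. Only these 32 bytes reach the signer.
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(response);

        // Sign the precomputed digest without hashing it again. This is the step
        // that a KMS Sign call with MessageType=DIGEST would perform.
        Signature digestSigner = Signature.getInstance("NONEwithECDSA");
        digestSigner.initSign(kp.getPrivate());
        digestSigner.update(digest);
        byte[] signature = digestSigner.sign(); // DER-encoded ECDSA signature

        // Client side: standard verification over the whole body with the public key.
        Signature verifier = Signature.getInstance("SHA256withECDSA");
        verifier.initVerify(kp.getPublic());
        verifier.update(response);
        System.out.println("full body verifies: " + verifier.verify(signature));

        // Flip one bit in the middle of the body and verify again.
        response[response.length / 2] ^= 0x01;
        verifier.initVerify(kp.getPublic());
        verifier.update(response);
        System.out.println("tampered body verifies: " + verifier.verify(signature));
    }
}
```

The client never needs to know the digest was computed outside the signer: it receives the body and the signature header and runs a normal SHA256withECDSA verification.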
