【问题标题】:How to use client side encryption with Python如何在 Python 中使用客户端加密
【发布时间】:2018-06-15 23:16:51
【问题描述】:

我正在尝试使用客户端加密来加密敏感数据,然后再将其移至 S3 上的云存储并将其移至红移。我尝试使用 AWS 提供的示例代码,在尝试了它之后,我让它运行而没有返回错误,但是,它没有做任何我可以判断的事情,因为它没有按应有的方式打印。

def cycle_string(key_arn, source_plaintext, botocore_session=None):
    """Encrypts and then decrypts a string using a KMS customer master key (CMK)

    :param str key_arn: [encryption key]
    (http://docs.aws.amazon.com/kms/latest/developerguide/viewing-keys.html)
    :param bytes source_plaintext: 
    :param botocore_session: Existing botocore session
    :type botocore_session: botocore.session.Session
    """

    # Create a KMS master key provider
    kms_kwargs = dict(key_ids=[key_arn])
    if botocore_session is not None:
        kms_kwargs['botocore_session'] = botocore_session
    master_key_provider = 
    aws_encryption_sdk.KMSMasterKeyProvider(**kms_kwargs)

    # Encrypt the plaintext source data
    ciphertext, encryptor_header = aws_encryption_sdk.encrypt(
        source=source_plaintext,
        key_provider=master_key_provider
    )
    print('Ciphertext: ', ciphertext)

    # Decrypt the ciphertext
    cycled_plaintext, decrypted_header = aws_encryption_sdk.decrypt(
        source=ciphertext,
        key_provider=master_key_provider
    )

    # Verify that the "cycled" (encrypted, then decrypted) plaintext is identical to the source
    # plaintext
    assert cycled_plaintext == source_plaintext

    # Verify that the encryption context used in the decrypt operation includes all key pairs from
    # the encrypt operation. (The SDK can add pairs, so don't require an exact match.)
    #
    # In production, always use a meaningful encryption context. In this sample, we omit the
    # encryption context (no key pairs).
    assert all(
        pair in decrypted_header.encryption_context.items()
        for pair in encryptor_header.encryption_context.items()
    )

    print('Decrypted: ', cycled_plaintext)

我是 Python 和加密的新手,所以我可能会遗漏一些语法,或者只是不了解它的工作原理。这是在 python 中使用 AWS 客户端加密的最佳方式吗?如果是这样,为什么这段代码没有返回任何东西?

更新: 我用稍微不同的方法让它工作

session = botocore.session.get_session()
client = session.create_client('kms', 
                               region_name = 'us-east-1', 
                               aws_access_key_id = '[YOUR ACCESS KEY]', 
                               aws_secret_access_key = '[YOUR SECRET ACCESSKEY]')

key_id = '[KEY ID]'
plaintext='[FILEPATH\FILENAME.CSV]'


ciphertext = kms.encrypt(KeyId=key_id, Plaintext=plaintext)
#decrypt_ciphertext = kms.decrypt(CiphertextBlob = ciphertext['CiphertextBlob'])
print('Ciphertext: ', ciphertext)
#print('Decrypted Ciphertext: ', decrypt_ciphertext)

现在可以打印了,但我不确定如何判断数据是否真正加密

【问题讨论】:

  • 你知道 Python 对代码缩进有严格的规定吗?
  • 是的,我在复制代码时忘记添加一些空格。现在应该修复了
  • 再添加一些打印语句,看看发生了什么——尤其是对 KMSMasterKeyProvider 等 AWS 服务的调用。了解加密并不重要,更重要的是让最简单的 AWS 程序正常工作。很可能这很简单,比如没有将正确的凭证传递给 AWS。您也可以从 python 提示符中一一运行命令。

标签: python amazon-web-services encryption boto3 aws-kms


【解决方案1】:

该函数不返回任何内容,因为它不包含返回调用。

该函数的目的是演示如何使用库加密明文,然后解密生成的密文消息,证明循环产生相同的明文。

如果您在实践中使用它,则在任何给定时间您都需要该周期的一半(即:加密或解密,但不能同时使用)。

【讨论】:

    【解决方案2】:

    您可以使用pycrypto:

    #!/usr/bin/env python
    # -*- coding: UTF-8 -*-
    
    import hashlib
    import base64
    from Crypto import Random
    from Crypto.Cipher import AES
    
    
    BS = 16
    pad = lambda s: s + (BS - len(s) % BS) * chr(BS - len(s) % BS)
    unpad = lambda s : s[0:-ord(s[-1])]
    
    
    class AESCipher:
    
        def __init__( self, key ):
            self.key = hashlib.sha256(key.encode('utf-8')).digest()
    
        def encrypt( self, raw ):
            raw = pad(raw)
            iv = Random.new().read( AES.block_size )
            cipher = AES.new( self.key, AES.MODE_CBC, iv )
            return base64.b64encode( iv + cipher.encrypt( raw ) )
    
        def decrypt( self, enc ):
            enc = base64.b64decode(enc)
            iv = enc[:16]
            cipher = AES.new(self.key, AES.MODE_CBC, iv )
            return unpad(cipher.decrypt( enc[16:] ))
    
    
    #password
    password="mypassword"
    
    #content
    global_report="Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum."
    
    #generate cipher
    cipher = AESCipher(bytes(password))
    
    #encrypt
    encrypted = cipher.encrypt(bytes(global_report))
    
    #show encrypted
    print encrypted
    
    #decrypt
    decrypted = cipher.decrypt(encrypted)
    
    #show decrypted
    print decrypted
    

    返回:

    E6bbNzM3AaWv0AAntzUYYEufaBa7X+6D5grl1yRYMdUQ/YPoSE525YXUsvxpGoXA8PcYPYDmTd8oPPH2tSU1/XeSTAti+n1JvzG7SwfTxAWzbl/4KcRWNNaFBzr0WJQt0zG8UJyWHXVhTJfteovTB+xa8Ugqmg+2y3XAe7EhsVOKzXlxXzWNfNnDLS74k8BsXrsw7Pt3NK9YQpubDFdNFrF58gE+ukoOAWpllV1Ia4W4I4B3m6dWuBlSgIEDaSZSZliUIQvMW/xuf9R5VuD09dVUnHPhv1977bYOyRuxCT2qDKTnxXiwC0pkj7cFRoKFs5qsrsbvJhjEu0m24Onb3FDrQ+PT4rIqh4YOkt+dSDt5n7yn5t5MsqqAppS2dLwH/m961wS1gs8KAX2U6+7JxwfU0fzqy6EQWMAbdUQZRFtNPurk8Kb0kaUmB9tYpZaNfZ4GlVSYpnZ3IgAaXshBp2ZBfW0SSZMO5dmR0fFC0n662Ynv60hUxmjsRJqHNfHav7kkxtoXi+JEVfUsYmT+y9Z7PJaBRa0E/MCzswP+F4vx0kR5DCo3M4oT/gVBTBwYpts7xy7B/1Hg/DwOJq7GbSu1SS0EK3OdRwXz+rtXgykHutA1E8Dk+nIGIs/E0LiQ47sZKx+QXdN8DVgtXukso8MfeesBhnrGMuW19LZyczs2NyJX3jkryupqrdcFcs38bQa9xifLl3hPHS88hS6n648ZUyEaU+Im5xnWaUDHSuHSwCoUuvYj34p/9vhyhvtsq38SXFsjqppreLYEk7cY/w==
    Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum.
    

    【讨论】:

      猜你喜欢
      • 1970-01-01
      • 1970-01-01
      • 1970-01-01
      • 1970-01-01
      • 2017-06-04
      • 2018-03-27
      • 2016-07-24
      • 1970-01-01
      • 1970-01-01
      相关资源
      最近更新 更多