DEV Community: Tony Brown The latest articles on DEV Community by Tony Brown (@bonybrown). https://dev.to/bonybrown https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F358009%2F69ce3306-3d77-4b28-9485-2104713b9bda.jpeg DEV Community: Tony Brown https://dev.to/bonybrown en Decrypting Amazon Connect Encrypted Customer Data Tony Brown Tue, 31 Mar 2020 04:02:39 +0000 https://dev.to/bonybrown/decrypting-aws-connect-encrytped-data-40n8 https://dev.to/bonybrown/decrypting-aws-connect-encrytped-data-40n8 <p>Amazon Connect is Amazon's telephony platform, allowing customers to create call flows that collect data from the caller, via speech recognition or DTMF input. Sometimes, sensitive information such as credit card numbers are collected. Connect provides a mechanism for encrypting sensitive data while it is held in the Connect service, but in order to process that data in a related Lambda function integration, it must be decrypted.</p> <h2> Amazon's Guide and Reference Implementation </h2> <p>Amazon provide a reference implementation in their documentation of the feature here: <a href="https://docs.aws.amazon.com/connect/latest/adminguide/encrypt-data.html">https://docs.aws.amazon.com/connect/latest/adminguide/encrypt-data.html</a></p> <p>This post is an addendum to that documentation.</p> <h2> Overview </h2> <p>Amazon Connect uses public/private key encryption, using the AWS Encryption SDK to provide support across the range of languages supported by that SDK (Java, Javascript, Python and C). While you will need to create and upload the certificate and public key for Connect to use, the encryption algorithms are not configurable - it will always use:</p> <ul> <li>OAEP: Optimal Asymmetric Encryption Padding, describes the scheme of adding randomised padding to the message before encryption</li> <li>RSA encryption in ECB mode: This is a public/private key cipher, in a block cipher mode. Connect will encrypt the data with the public key.</li> <li>SHA-512: Uses the SHA-512 algorithm to create a hash of the message, so tampering of the message can be detected.</li> <li>MGF1: Mask Generation Function 1, part of the RSA/OAEP standard defined in in RFC 3447.</li> </ul> <p>This means, obviously, that you have to support these algorithms to decrypt the data.</p> <h2> Support in the AWS Encryption SDK </h2> <p>You might expect that the algorithms chosen by Amazon Connect would be supported by all the AWS Encryption SDKs. This is not the case - here's the summary:</p> <ul> <li>C - No, <a href="https://github.com/aws/aws-encryption-sdk-c/blob/master/include/aws/cryptosdk/cipher.h#L42">does not support the SHA-512 hash length</a> for RSA/OAEP</li> <li>Java - Yes, AWS provides <a href="https://docs.aws.amazon.com/connect/latest/adminguide/encrypt-data.html#sample-decryption">sample code</a> </li> <li>Javascript - Yes, the <a href="https://aws.amazon.com/blogs/contact-center/creating-a-secure-ivr-solution-with-amazon-connect/">AWS blog post</a> for this feature has a javascript implementation in the linked CloudFormation stack.</li> <li>Python - Seems like it should with the <a href="https://github.com/aws/aws-encryption-sdk-python/blob/master/src/aws_encryption_sdk/identifiers.py#L281">RSA_OAEP_SHA512_MGF1</a> wrapping algorithm.</li> </ul> <h2> Sample Java decryption code </h2> <p>Here I've taken the AWS Java decryption sample, and reworked it slightly.<br> </p> <div class="highlight"><pre class="highlight java"><code><span class="c1">// DecryptSample.java</span> <span class="kn">import</span> <span class="nn">com.amazonaws.encryptionsdk.AwsCrypto</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">com.amazonaws.encryptionsdk.CryptoResult</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">com.amazonaws.encryptionsdk.jce.JceMasterKey</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.bouncycastle.jce.provider.BouncyCastleProvider</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.util.*</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.io.IOException</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.nio.charset.Charset</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.nio.file.*</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.security.*</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.security.interfaces.*</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.security.spec.*</span><span class="o">;</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">DecryptionSample</span> <span class="o">{</span> <span class="kd">private</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">String</span> <span class="no">PROVIDER</span> <span class="o">=</span> <span class="s">"AmazonConnect"</span><span class="o">;</span> <span class="kd">private</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">String</span> <span class="no">WRAPPING_ALGORITHM</span> <span class="o">=</span> <span class="s">"RSA/ECB/OAEPWithSHA-512AndMGF1Padding"</span><span class="o">;</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kt">void</span> <span class="nf">main</span><span class="o">(</span><span class="nc">String</span><span class="o">[]</span> <span class="n">args</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">IOException</span><span class="o">,</span> <span class="nc">GeneralSecurityException</span> <span class="o">{</span> <span class="nc">String</span> <span class="n">keyFile</span> <span class="o">=</span> <span class="n">args</span><span class="o">[</span><span class="mi">0</span><span class="o">];</span> <span class="c1">// path to PEM encoded private key to use for decryption</span> <span class="nc">String</span> <span class="n">keyId</span> <span class="o">=</span> <span class="n">args</span><span class="o">[</span><span class="mi">1</span><span class="o">];</span> <span class="c1">// this is the id used for key in your contact flow</span> <span class="nc">String</span> <span class="n">cypherText</span> <span class="o">=</span> <span class="n">args</span><span class="o">[</span><span class="mi">2</span><span class="o">];</span> <span class="c1">// the Base64 encoded cypher text</span> <span class="n">decrypt</span><span class="o">(</span><span class="n">keyFile</span><span class="o">,</span> <span class="n">keyId</span><span class="o">,</span> <span class="n">cypherText</span><span class="o">);</span> <span class="o">}</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kt">void</span> <span class="nf">decrypt</span><span class="o">(</span><span class="nc">String</span> <span class="n">privateKeyFile</span><span class="o">,</span> <span class="nc">String</span> <span class="n">keyId</span><span class="o">,</span> <span class="nc">String</span> <span class="n">cypherText</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">IOException</span><span class="o">,</span> <span class="nc">GeneralSecurityException</span> <span class="o">{</span> <span class="nc">Security</span><span class="o">.</span><span class="na">addProvider</span><span class="o">(</span><span class="k">new</span> <span class="nc">BouncyCastleProvider</span><span class="o">());</span> <span class="kt">byte</span><span class="o">[]</span> <span class="n">cypherBytes</span> <span class="o">=</span> <span class="nc">Base64</span><span class="o">.</span><span class="na">getDecoder</span><span class="o">().</span><span class="na">decode</span><span class="o">(</span><span class="n">cypherText</span><span class="o">);</span> <span class="nc">String</span> <span class="n">privateKeyPem</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">String</span><span class="o">(</span><span class="nc">Files</span><span class="o">.</span><span class="na">readAllBytes</span><span class="o">(</span><span class="nc">Paths</span><span class="o">.</span><span class="na">get</span><span class="o">(</span><span class="n">privateKeyFile</span><span class="o">)),</span> <span class="nc">Charset</span><span class="o">.</span><span class="na">forName</span><span class="o">(</span><span class="s">"UTF-8"</span><span class="o">));</span> <span class="nc">RSAPrivateKey</span> <span class="n">privateKey</span> <span class="o">=</span> <span class="n">getPrivateKey</span><span class="o">(</span><span class="n">privateKeyPem</span><span class="o">);</span> <span class="nc">AwsCrypto</span> <span class="n">awsCrypto</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">AwsCrypto</span><span class="o">();</span> <span class="nc">JceMasterKey</span> <span class="n">decMasterKey</span> <span class="o">=</span> <span class="nc">JceMasterKey</span><span class="o">.</span><span class="na">getInstance</span><span class="o">(</span><span class="kc">null</span><span class="o">,</span><span class="n">privateKey</span><span class="o">,</span> <span class="no">PROVIDER</span><span class="o">,</span> <span class="n">keyId</span><span class="o">,</span> <span class="no">WRAPPING_ALGORITHM</span><span class="o">);</span> <span class="nc">CryptoResult</span><span class="o">&lt;</span><span class="kt">byte</span><span class="o">[],</span> <span class="nc">JceMasterKey</span><span class="o">&gt;</span> <span class="n">result</span> <span class="o">=</span> <span class="n">awsCrypto</span><span class="o">.</span><span class="na">decryptData</span><span class="o">(</span><span class="n">decMasterKey</span><span class="o">,</span> <span class="n">cypherBytes</span><span class="o">);</span> <span class="nc">String</span> <span class="n">plainText</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">String</span><span class="o">(</span><span class="n">result</span><span class="o">.</span><span class="na">getResult</span><span class="o">());</span> <span class="nc">System</span><span class="o">.</span><span class="na">out</span><span class="o">.</span><span class="na">format</span><span class="o">(</span><span class="s">"Decrypted: %s\n"</span><span class="o">,</span> <span class="n">plainText</span><span class="o">);</span> <span class="o">}</span> <span class="kd">public</span> <span class="kd">static</span> <span class="nc">RSAPrivateKey</span> <span class="nf">getPrivateKey</span><span class="o">(</span><span class="nc">String</span> <span class="n">privateKeyPem</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">IOException</span><span class="o">,</span> <span class="nc">GeneralSecurityException</span> <span class="o">{</span> <span class="nc">String</span> <span class="n">privateKeyBase64</span> <span class="o">=</span> <span class="n">privateKeyPem</span><span class="o">.</span><span class="na">replaceAll</span><span class="o">(</span><span class="s">"-----.*-----\n"</span><span class="o">,</span><span class="s">""</span><span class="o">).</span><span class="na">replaceAll</span><span class="o">(</span><span class="s">"\n"</span><span class="o">,</span> <span class="s">""</span><span class="o">);</span> <span class="kt">byte</span><span class="o">[]</span> <span class="n">decoded</span> <span class="o">=</span> <span class="nc">Base64</span><span class="o">.</span><span class="na">getDecoder</span><span class="o">().</span><span class="na">decode</span><span class="o">(</span><span class="n">privateKeyBase64</span><span class="o">);</span> <span class="nc">KeyFactory</span> <span class="n">kf</span> <span class="o">=</span> <span class="nc">KeyFactory</span><span class="o">.</span><span class="na">getInstance</span><span class="o">(</span><span class="s">"RSA"</span><span class="o">);</span> <span class="nc">PKCS8EncodedKeySpec</span> <span class="n">keySpec</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">PKCS8EncodedKeySpec</span><span class="o">(</span><span class="n">decoded</span><span class="o">);</span> <span class="nc">RSAPrivateKey</span> <span class="n">privKey</span> <span class="o">=</span> <span class="o">(</span><span class="nc">RSAPrivateKey</span><span class="o">)</span> <span class="n">kf</span><span class="o">.</span><span class="na">generatePrivate</span><span class="o">(</span><span class="n">keySpec</span><span class="o">);</span> <span class="k">return</span> <span class="n">privKey</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre></div> <h2> Important points </h2> <div class="highlight"><pre class="highlight java"><code><span class="kd">private</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">String</span> <span class="no">PROVIDER</span> <span class="o">=</span> <span class="s">"AmazonConnect"</span><span class="o">;</span> <span class="nc">String</span> <span class="n">keyId</span> <span class="o">=</span> <span class="n">args</span><span class="o">[</span><span class="mi">1</span><span class="o">];</span> <span class="c1">// this is the id used for key in your contact flow</span> <span class="nc">JceMasterKey</span> <span class="n">decMasterKey</span> <span class="o">=</span> <span class="nc">JceMasterKey</span><span class="o">.</span><span class="na">getInstance</span><span class="o">(</span><span class="kc">null</span><span class="o">,</span><span class="n">privateKey</span><span class="o">,</span> <span class="no">PROVIDER</span><span class="o">,</span> <span class="n">keyId</span><span class="o">,</span> <span class="no">WRAPPING_ALGORITHM</span><span class="o">);</span> </code></pre></div> <p>When decrypting the cyphertext, the AWS Encryption SDK requires you to use the same provider and key identifiers as used in the encryption when obtaining a key context. Amazon Connect will always use <code>AmazonConnect</code> as the provider value. The <code>keyId</code> is set by you when you create the Store Customer Input action in the call flow. In this sample code, we're passing the <code>keyId</code> in as a command line parameter.</p> <h2> Getting this sample working </h2> <ul> <li>Save the code as <code>DecryptSample.java</code> </li> <li>Get dependency jars </li> </ul> <div class="highlight"><pre class="highlight plaintext"><code>wget https://repo1.maven.org/maven2/org/apache/commons/commons-lang3/3.9/commons-lang3-3.9.jar wget https://repo1.maven.org/maven2/org/bouncycastle/bcprov-jdk15to18/1.64/bcprov-jdk15to18-1.64.jar wget https://repo1.maven.org/maven2/com/amazonaws/aws-encryption-sdk-java/1.6.1/aws-encryption-sdk-java-1.6.1.jar </code></pre></div> <ul> <li>compile the code <code>javac -cp bcprov-jdk15to18-164.jar:aws-encryption-sdk-java-1.6.1.jar DecryptionSample.java</code> </li> <li>run it with <code>java -cp bcprov-jdk15to18-164.jar:aws-encryption-sdk-java-1.6.1.jar:commons-lang3-3.9.jar:. DecryptionSample [params]</code> </li> </ul> <p>You'll need a certificate and public/private key pair. First create the certificate and private key:<br> </p> <div class="highlight"><pre class="highlight shell"><code>openssl req <span class="nt">-batch</span> <span class="nt">-x509</span> <span class="nt">-sha256</span> <span class="nt">-nodes</span> <span class="nt">-newkey</span> rsa:4096 <span class="nt">-keyout</span> blog.connect.private.key <span class="nt">-days</span> 730 <span class="nt">-out</span> blog.connect.certificate.pem </code></pre></div> <p>Then create extract the public key:<br> </p> <div class="highlight"><pre class="highlight shell"><code>openssl x509 <span class="nt">-pubkey</span> <span class="nt">-noout</span> <span class="nt">-in</span> blog.connect.certificate.pem <span class="o">&gt;</span> blog.connect.public.key </code></pre></div> <h2> Encryption </h2> <p>Here's the sample Java code to perform the encryption like Amazon Connect would.<br> </p> <div class="highlight"><pre class="highlight java"><code><span class="c1">// EncryptionSample.java</span> <span class="kn">import</span> <span class="nn">com.amazonaws.encryptionsdk.AwsCrypto</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">com.amazonaws.encryptionsdk.CryptoResult</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">com.amazonaws.encryptionsdk.jce.JceMasterKey</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.bouncycastle.jce.provider.BouncyCastleProvider</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.util.*</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.io.IOException</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.nio.charset.Charset</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.nio.file.*</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.security.*</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.security.interfaces.*</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.security.spec.*</span><span class="o">;</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">EncryptionSample</span> <span class="o">{</span> <span class="kd">private</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">String</span> <span class="no">PROVIDER</span> <span class="o">=</span> <span class="s">"AmazonConnect"</span><span class="o">;</span> <span class="kd">private</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">String</span> <span class="no">WRAPPING_ALGORITHM</span> <span class="o">=</span> <span class="s">"RSA/ECB/OAEPWithSHA-512AndMGF1Padding"</span><span class="o">;</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kt">void</span> <span class="nf">main</span><span class="o">(</span><span class="nc">String</span><span class="o">[]</span> <span class="n">args</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">IOException</span><span class="o">,</span> <span class="nc">GeneralSecurityException</span> <span class="o">{</span> <span class="nc">String</span> <span class="n">keyFile</span> <span class="o">=</span> <span class="n">args</span><span class="o">[</span><span class="mi">0</span><span class="o">];</span> <span class="c1">// path to PEM encoded public key to use for encryption</span> <span class="nc">String</span> <span class="n">keyId</span> <span class="o">=</span> <span class="n">args</span><span class="o">[</span><span class="mi">1</span><span class="o">];</span> <span class="c1">// this is the key id to identify the key used</span> <span class="nc">String</span> <span class="n">plainText</span> <span class="o">=</span> <span class="n">args</span><span class="o">[</span><span class="mi">2</span><span class="o">];</span> <span class="c1">// this is the plain text to encypher</span> <span class="n">encrypt</span><span class="o">(</span><span class="n">keyFile</span><span class="o">,</span> <span class="n">keyId</span><span class="o">,</span> <span class="n">plainText</span><span class="o">);</span> <span class="o">}</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kt">void</span> <span class="nf">encrypt</span><span class="o">(</span><span class="nc">String</span> <span class="n">publicKeyFile</span><span class="o">,</span> <span class="nc">String</span> <span class="n">keyId</span><span class="o">,</span> <span class="nc">String</span> <span class="n">plainText</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">IOException</span><span class="o">,</span> <span class="nc">GeneralSecurityException</span> <span class="o">{</span> <span class="nc">Security</span><span class="o">.</span><span class="na">addProvider</span><span class="o">(</span><span class="k">new</span> <span class="nc">BouncyCastleProvider</span><span class="o">());</span> <span class="nc">String</span> <span class="n">publicKeyPem</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">String</span><span class="o">(</span><span class="nc">Files</span><span class="o">.</span><span class="na">readAllBytes</span><span class="o">(</span><span class="nc">Paths</span><span class="o">.</span><span class="na">get</span><span class="o">(</span><span class="n">publicKeyFile</span><span class="o">)),</span> <span class="nc">Charset</span><span class="o">.</span><span class="na">forName</span><span class="o">(</span><span class="s">"UTF-8"</span><span class="o">));</span> <span class="nc">RSAPublicKey</span> <span class="n">publicKey</span> <span class="o">=</span> <span class="n">getPublicKey</span><span class="o">(</span><span class="n">publicKeyPem</span><span class="o">);</span> <span class="nc">AwsCrypto</span> <span class="n">awsCrypto</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">AwsCrypto</span><span class="o">();</span> <span class="nc">JceMasterKey</span> <span class="n">encMasterKey</span> <span class="o">=</span> <span class="nc">JceMasterKey</span><span class="o">.</span><span class="na">getInstance</span><span class="o">(</span><span class="n">publicKey</span><span class="o">,</span> <span class="kc">null</span><span class="o">,</span> <span class="no">PROVIDER</span><span class="o">,</span> <span class="n">keyId</span><span class="o">,</span> <span class="no">WRAPPING_ALGORITHM</span><span class="o">);</span> <span class="kt">byte</span><span class="o">[]</span> <span class="n">plainBytes</span> <span class="o">=</span> <span class="n">plainText</span><span class="o">.</span><span class="na">getBytes</span><span class="o">();</span> <span class="nc">CryptoResult</span><span class="o">&lt;</span><span class="kt">byte</span><span class="o">[],</span> <span class="nc">JceMasterKey</span><span class="o">&gt;</span> <span class="n">result</span> <span class="o">=</span> <span class="n">awsCrypto</span><span class="o">.</span><span class="na">encryptData</span><span class="o">(</span><span class="n">encMasterKey</span><span class="o">,</span> <span class="n">plainBytes</span><span class="o">);</span> <span class="nc">String</span> <span class="n">b64Result</span> <span class="o">=</span> <span class="nc">Base64</span><span class="o">.</span><span class="na">getEncoder</span><span class="o">().</span><span class="na">encodeToString</span><span class="o">(</span><span class="n">result</span><span class="o">.</span><span class="na">getResult</span><span class="o">());</span> <span class="nc">System</span><span class="o">.</span><span class="na">out</span><span class="o">.</span><span class="na">println</span><span class="o">(</span><span class="n">b64Result</span><span class="o">);</span> <span class="o">}</span> <span class="kd">public</span> <span class="kd">static</span> <span class="nc">RSAPublicKey</span> <span class="nf">getPublicKey</span><span class="o">(</span><span class="nc">String</span> <span class="n">publicKeyPem</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">IOException</span><span class="o">,</span> <span class="nc">GeneralSecurityException</span> <span class="o">{</span> <span class="nc">String</span> <span class="n">publicKeyBase64</span> <span class="o">=</span> <span class="n">publicKeyPem</span><span class="o">.</span><span class="na">replaceAll</span><span class="o">(</span><span class="s">"-----.*-----\n"</span><span class="o">,</span><span class="s">""</span><span class="o">).</span><span class="na">replaceAll</span><span class="o">(</span><span class="s">"\n"</span><span class="o">,</span> <span class="s">""</span><span class="o">);</span> <span class="kt">byte</span><span class="o">[]</span> <span class="n">decoded</span> <span class="o">=</span> <span class="nc">Base64</span><span class="o">.</span><span class="na">getDecoder</span><span class="o">().</span><span class="na">decode</span><span class="o">(</span><span class="n">publicKeyBase64</span><span class="o">);</span> <span class="nc">KeyFactory</span> <span class="n">kf</span> <span class="o">=</span> <span class="nc">KeyFactory</span><span class="o">.</span><span class="na">getInstance</span><span class="o">(</span><span class="s">"RSA"</span><span class="o">);</span> <span class="nc">X509EncodedKeySpec</span> <span class="n">keySpec</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">X509EncodedKeySpec</span><span class="o">(</span><span class="n">decoded</span><span class="o">);</span> <span class="nc">RSAPublicKey</span> <span class="n">pubKey</span> <span class="o">=</span> <span class="o">(</span><span class="nc">RSAPublicKey</span><span class="o">)</span> <span class="n">kf</span><span class="o">.</span><span class="na">generatePublic</span><span class="o">(</span><span class="n">keySpec</span><span class="o">);</span> <span class="k">return</span> <span class="n">pubKey</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre></div> <p>Compilation step is the same as for the code above: <code>javac -cp bcprov-jdk15to18-164.jar:aws-encryption-sdk-java-1.6.1.jar EncryptionSample.java</code></p> <h2> Putting it all together </h2> <p>Once you have the code compiled and have a public/private key pair, we can try it out:<br> </p> <div class="highlight"><pre class="highlight shell"><code><span class="c"># assign ciphertext output to a variable</span> <span class="nv">CIPHERTEXT</span><span class="o">=</span><span class="si">$(</span>java <span class="nt">-cp</span> bcprov-jdk15to18-164.jar:aws-encryption-sdk-java-1.6.1.jar:commons-lang3-3.9.jar:. EncryptionSample blog.connect.public.key my-key-id 4444333322221111<span class="si">)</span> <span class="c"># inspect $CIPHERTEXT with:</span> <span class="nb">echo</span> <span class="nv">$CIPHERTEXT</span> <span class="c"># try decryption</span> java <span class="nt">-cp</span> bcprov-jdk15to18-164.jar:aws-encryption-sdk-java-1.6.1.jar:commons-lang3-3.9.jar:. DecryptionSample blog.connect.private.key my-key-id <span class="s2">"</span><span class="nv">$CIPHERTEXT</span><span class="s2">"</span> <span class="c"># should result in:</span> <span class="c"># Decrypted: 4444333322221111</span> </code></pre></div> <h2> Conclusion </h2> <p>This post examined the relationship between Amazon Connect's customer input encryption feature and the Encryption SDK used to implement it.</p> <p>Rudimentary Java code to mimic the encryption functionality of Amazon Connect, and the companion code to decrypt it was presented.</p> java aws connect crypto