Say you wanted to preserve the linkage to people and their birthdates.

Birthday is a primary key in a database and you have multiple records for one person.

Well, they'd likely start the same way anyone breaking a simple amateur cipher would — with frequency analysis.
How would they know that their efforts are resulting in the correct original value?
Could someone even recognize that the values are encrypted? You're correct that the values would all appear to be valid dates (this is known as format-preserving encryption, by the way), so without something else to let them guess whether the dates are plausible or not, they might not notice anything amiss.
This topic shows how to use the Encrypt, Decrypt, and ReEncrypt operations in the AWS KMS API.
These operations are designed to encrypt and decrypt data keys.
The GenerateDataKey and GenerateDataKeyWithoutPlaintext operations return encrypted data keys.
You might use this method when you are moving encrypted data to a new region and want to encrypt its data key with a CMK in the new region.
OK, so somebody suspects that your data has been encrypted.
(Or maybe they just know that it is; it's generally safest to assume that they do.) How would they go about breaking the encryption?
For details about the Java implementation of the Encrypt operation, see the encrypt method in the

```java
import java.nio.ByteBuffer;
import com.amazonaws.services.kms.AWSKMS;
import com.amazonaws.services.kms.AWSKMSClientBuilder;
import com.amazonaws.services.kms.model.EncryptRequest;

// Encrypt a data key
//
// Replace the fictitious key ID value with a valid key ID, key ARN, or alias of an AWS CMK.
String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";

// KMS client built from the default credential and region providers
AWSKMS kms = AWSKMSClientBuilder.standard().build();

// Sample plaintext data key bytes (illustrative values only)
ByteBuffer plaintext = ByteBuffer.wrap(new byte[]{1, 2, 3, 4, 5, 6, 7, 8, 9, 0});

EncryptRequest req = new EncryptRequest().withKeyId(keyId).withPlaintext(plaintext);
ByteBuffer ciphertext = kms.encrypt(req).getCiphertextBlob();
```

To decrypt an encrypted data key, and then immediately re-encrypt the data key under a different customer master key (CMK), use the ReEncrypt operation.
Basically, an FPE scheme for, say, dates within a year, is a keyed invertible pseudorandom permutation of the set (plus 366 for leap years; of course, in practice, you'd also want to use the year as a "tweak" for the scheme, so it won't be the same permutation each year).
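As an added illustration of the keyed, tweaked permutation described above (example code written for this page, not part of the original answer or of any library), here is a toy format-preserving scheme over day-of-year values: a Feistel network with HMAC-SHA256 as the round function, cycle-walking to keep every output inside 0..365, and the year bound in as the tweak so each year gets a different permutation under the same key. It goes one step beyond the text by also showing why the frequency-analysis remark at the top of the discussion applies: the scheme is deterministic, so the occurrence-count profile of a column with repeated records survives encryption unchanged. The key, round count, half-domain size and sample birthdays are constructed for the demo; a real deployment would use a standardised FPE mode such as FF1 from a vetted library rather than this construction.

```python
import hmac
import hashlib
from collections import Counter

# Constructed demo key; a real deployment would use a randomly generated key
# held in a KMS/HSM, not a literal in source.
KEY = b"constructed-demo-key-not-for-real-use"

DAYS = 366     # day-of-year values 0..365; 366 slots cover leap years
SIDE = 20      # Feistel half-domain size; SIDE * SIDE = 400 >= DAYS
ROUNDS = 8     # Feistel round count (a choice made for this demo)


def _round_function(key: bytes, tweak: int, rnd: int, half: int) -> int:
    """PRF for one Feistel round: HMAC-SHA256 over (tweak, round index, half).
    Binding the tweak (the year) into the input is what makes each year a
    different permutation even though the key is the same."""
    msg = tweak.to_bytes(4, "big") + bytes([rnd]) + half.to_bytes(2, "big")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") % SIDE


def _feistel_encrypt(key: bytes, tweak: int, x: int) -> int:
    """Keyed permutation of the square domain 0..SIDE*SIDE-1."""
    left, right = divmod(x, SIDE)
    for rnd in range(ROUNDS):
        left, right = right, (left + _round_function(key, tweak, rnd, right)) % SIDE
    return left * SIDE + right


def _feistel_decrypt(key: bytes, tweak: int, y: int) -> int:
    """Inverse of _feistel_encrypt: undo the rounds in reverse order."""
    left, right = divmod(y, SIDE)
    for rnd in reversed(range(ROUNDS)):
        left, right = (right - _round_function(key, tweak, rnd, left)) % SIDE, left
    return left * SIDE + right


def encrypt_day(key: bytes, year: int, day: int) -> int:
    """Format-preserving encryption of a day-of-year: the output is again 0..365.
    Cycle-walking re-applies the permutation until the value lands in range."""
    if not 0 <= day < DAYS:
        raise ValueError("day must be in 0..365")
    y = _feistel_encrypt(key, year, day)
    while y >= DAYS:
        y = _feistel_encrypt(key, year, y)
    return y


def decrypt_day(key: bytes, year: int, day: int) -> int:
    """Inverse of encrypt_day, walking the same cycle backwards."""
    if not 0 <= day < DAYS:
        raise ValueError("day must be in 0..365")
    x = _feistel_decrypt(key, year, day)
    while x >= DAYS:
        x = _feistel_decrypt(key, year, x)
    return x


def count_profile(values) -> list:
    """Sorted multiset of occurrence counts. Because the scheme is deterministic
    (same key, same tweak, same input -> same output), the profile of the
    ciphertexts equals the profile of the plaintexts; that repeated-value
    structure is what frequency analysis of a keyed column relies on, and the
    year tweak does nothing to hide repeats within a single year."""
    return sorted(Counter(values).values(), reverse=True)


# Constructed sample: a birthday column where one person (day 41) appears in
# five records, as in the question's "multiple records for one person".
SAMPLE_DAYS = [41] * 5 + [100, 100, 200, 300, 365]
SAMPLE_YEAR = 1990

if __name__ == "__main__":
    enc = [encrypt_day(KEY, SAMPLE_YEAR, d) for d in SAMPLE_DAYS]
    print("plaintext days :", SAMPLE_DAYS)
    print("encrypted days :", enc)
    print("count profiles :", count_profile(SAMPLE_DAYS), count_profile(enc))
```

Every encrypted value is itself a valid day-of-year, which is the format-preserving property the answer describes, and the two printed count profiles are identical, which is the leakage the first answer has in mind. Hiding that equality pattern needs a per-record tweak or a different design, not just a per-year one.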