Supported algorithm suites in the AWS Database Encryption SDK
Our clientside encryption library was renamed to the AWS Database Encryption SDK. This developer guide still provides information on the DynamoDB Encryption Client. 
An algorithm suite is a collection of cryptographic algorithms and related values. Cryptographic systems use the algorithm implementation to generate the ciphertext.
The AWS Database Encryption SDK uses an algorithm suite to encrypt and sign the fields in your database. All supported algorithm suites use the Advanced Encryption Standard (AES) algorithm with Galois/Counter Mode (GCM), known as AESGCM, to encrypt raw data. The AWS Database Encryption SDK supports 256bit encryption keys. The length of the authentication tag is always 16 bytes.
AWS Database Encryption SDK Algorithm Suites  

Algorithm  Encryption algorithm  Data key length (in bits)  Key derivation algorithm  Symmetric signature algorithm  Asymmetric signature algorithm  Key commitment  
Default  AESGCM  256  HKDF with SHA512  HMACSHA384  ECDSA with P384 and SHA384  HKDF with SHA512  
AESGCM without ECDSA digital signatures  AESGCM  256  HKDF with SHA512  HMACSHA384  None  HKDF with SHA512 
 Encryption algorithm

The name and mode of the encryption algorithm used. Algorithm suites in the AWS Database Encryption SDK use the Advanced Encryption Standard (AES) algorithm with Galois/Counter Mode (GCM).
 Data key length

The length of the data key in bits. The AWS Database Encryption SDK supports 256bit data keys. The data key is used as input to an HMACbased extractandexpand key derivation function (HKDF). The output of the HKDF is used as the data encryption key in the encryption algorithm.
 Key derivation algorithm

The HMACbased extractandexpand key derivation function (HKDF) used to derive the data encryption key. The AWS Database Encryption SDK uses the HKDF defined in RFC 5869
. 
The hash function used is SHA512

For the extract step:

No salt is used. Per the RFC, the salt is set to a string of zeros.

The input keying material is the data key from the keyring.


For the expand step:

The input pseudorandom key is the output from the extract step.

The key label is the UTF8encoded bytes of the
DERIVEKEY
string in big endian byte order. 
The input info is a concatenation of the algorithm ID and the key label (in that order).

The length of the output keying material is the Data key length. This output is used as the data encryption key in the encryption algorithm.


 Symmetric signature algorithm

The HashBased Message Authentication Code (HMAC) algorithm used to generate a symmetric signature. All supported algorithm suites include HMAC verification.
The AWS Database Encryption SDK serializes the material description and all fields marked
ENCRYPT_AND_SIGN
,SIGN_ONLY
, orSIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT
. Then, it uses HMAC with a cryptographic hash function algorithm (SHA384) to sign the canonicalization.The symmetric HMAC signature is stored in a new field (
aws_dbe_foot
) that the AWS Database Encryption SDK adds to the record.  Asymmetric signature algorithm

The signature algorithm used to generate an asymmetric digital signature.
The AWS Database Encryption SDK serializes the material description and all fields marked
ENCRYPT_AND_SIGN
,SIGN_ONLY
, orSIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT
. Then, it uses the Elliptic Curve Digital Signature Algorithm (ECDSA) with the following specifics to sign the canonicalization:
The elliptic curve used is the P384, as defined in Digital Signature Standard (DSS) (FIPS PUB 1864)
. 
The hash function used is SHA384.
The asymmetric ECDSA signature is stored with the symmetric HMAC signature in the
aws_dbe_foot
field.ECDSA digital signatures are included by default, but not required.

 Key commitment

The HMACbased extractandexpand key derivation function (HKDF) used to derive the commit key.

The hash function used is SHA512

For the extract step:

No salt is used. Per the RFC, the salt is set to a string of zeros.

The input keying material is the data key from the keyring.


For the expand step:

The input pseudorandom key is the output from the extract step.

The input info is the UTF8encoded bytes of the
COMMITKEY
string in big endian byte order. 
The length of the output keying material is 256 bits. This output is used as the commit key.

The commit key calculates the record commitment, a distinct 256bit HashBased Message Authentication Code (HMAC) hash, over the material description. For a technical explanation of adding key commitment to an algorithm suite, see Key Committing AEADs
in Cryptology ePrint Archive. 
Default algorithm suite
By default, the AWS Database Encryption SDK uses an algorithm suite with AESGCM, an HMACbased extractandexpand key derivation function (HKDF), HMAC verification, ECDSA digital signatures, key commitment, and a 256bit encryption key.
The default algorithm suite includes HMAC verification (symmetric signatures) and
ECDSA digital signatures (asymmetric
signatures). These signatures are stored in a new field (aws_dbe_foot
) that
the AWS Database Encryption SDK adds to the record. ECDSA digital
signatures are particularly useful when the authorization policy allows one
set of users to encrypt data and a different set of users to decrypt data.
The default algorithm suite also derives a key commitment – an HMAC hash that ties the data key to the record. The key commitment value is an HMAC calculated from the material description and commit key. The key commitment value is then stored in the material description. Key commitment ensures that each ciphertext decrypts to only one plaintext. They do this by validating the data key used as input to the encryption algorithm. When encrypting, the algorithm suite derives a key commitment HMAC. Before decrypting, they validate that the data key produces the same key commitment HMAC. If it does not, the decrypt call fails.
AESGCM without ECDSA digital signatures
Although the default algorithm suite is likely suitable for most applications, you can choose an alternate algorithm suite. For example, some trust models would be satisfied by an algorithm suite without ECDSA digital signatures. Use this suite only when the users who encrypt data and the users who decrypt data are equally trusted.
All AWS Database Encryption SDK algorithm suites include HMAC verification (symmetric signatures). The only difference, is that the AESGCM algorithm suite without ECDSA digital signature lacks the asymmetric signature that provides an additional layer of authenticity and nonrepudiation.
For example, if you have multiple wrapping keys in your keyring,
wrappingKeyA
, wrappingKeyB
, and wrappingKeyC
,
and you decrypt a record using wrappingKeyA
, the HMAC symmetric signature
verifies that the record was encrypted by a user with access to
wrappingKeyA
. If you used the default algorithm suite, the HMACs
provide the same verification of wrappingKeyA
, and additionally use the
ECDSA digital signature to ensure the record was encrypted by a user with encrypt
permissions for wrappingKeyA
.
To select the AESGCM algorithm suite without digital signatures, include the following snippet in your encryption configuration.