View a markdown version of this page

在 Connect 客户中对敏感的客户输入进行加密 - Amazon Connect Customer
如何解密由 Connect 客户加密的数据

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

在 Connect 客户中对敏感的客户输入进行加密

您可以对通过流收集的敏感数据进行加密。要执行此操作,您需要使用公共密钥密码。

配置 Connect Customer 时,首先要提供公钥。这是加密数据时使用的密钥。稍后,您将提供 X.509 证书,其中包括证明您拥有私钥的签名。

在收集数据的流程中,您需要提供 X.509 证书来加密使用 “存储的客户输入系统” 属性捕获的数据。要使用该功能,必须采用 .pem 格式上传密钥。加密密钥用于验证流中所用证书的签名。

注意

您一次最多可以激活两个加密密钥以帮助轮换。

要解密存储的客户输入属性中的数据,请使 AWS 加密开发工具包。有关更多信息,请参见AWS Encryption SDK 开发人员指南

如何解密由 Connect 客户加密的数据

以下代码示例展示了如何使用 AWS 加密 SDK 解密数据。


package com.amazonaws;
 
import com.amazonaws.encryptionsdk.AwsCrypto;
import com.amazonaws.encryptionsdk.CryptoResult;
import com.amazonaws.encryptionsdk.jce.JceMasterKey;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
 
import java.io.IOException;
import java.nio.charset.Charset;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.Security;
import java.security.interfaces.RSAPrivateKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
 
public class AmazonConnectDecryptionSample {
 
    // The Provider 'AmazonConnect' is used during encryption, this must be used during decryption for key
    // to be found
    private static final String PROVIDER = "AmazonConnect";
 
    // The wrapping algorithm used during encryption
    private static final String WRAPPING_ALGORITHM = "RSA/ECB/OAEPWithSHA-512AndMGF1Padding";
 
    /**
     * This sample show how to decrypt data encrypted by Amazon Connect.
     * To use, provide the following command line arguments: [path-to-private-key] [key-id] [cyphertext]
     * Where:
     *  path-to-private-key is a file containing the PEM encoded private key to use for decryption
     *  key-id is the key-id specified during encryption in your flow
     *  cyphertext is the result of the encryption operation from Amazon Connect
     */
    public static void main(String[] args) throws IOException, GeneralSecurityException {
        String privateKeyFile = args[0]; // path to PEM encoded private key to use for decryption
        String keyId = args[1]; // this is the id used for key in your flow
        String cypherText = args[2]; // the result from flow
 
        Security.addProvider(new BouncyCastleProvider());
 
        // read the private key from file
        String privateKeyPem = new String(Files.readAllBytes(Paths.get(privateKeyFile)), Charset.forName("UTF-8"));
        RSAPrivateKey privateKey =  getPrivateKey(privateKeyPem);
 
        AwsCrypto awsCrypto = new AwsCrypto();
        JceMasterKey decMasterKey =
                JceMasterKey.getInstance(null,privateKey, PROVIDER, keyId, WRAPPING_ALGORITHM);
        CryptoResult<String, JceMasterKey> result = awsCrypto.decryptString(decMasterKey, cypherText);
 
        System.out.println("Decrypted: " + result.getResult());
    }
 
    public static RSAPrivateKey getPrivateKey(String privateKeyPem) throws IOException, GeneralSecurityException {
        String privateKeyBase64 = privateKeyPem
                .replace("-----BEGIN RSA PRIVATE KEY-----\n", "")
                .replace("-----END RSA PRIVATE KEY-----", "")
                .replaceAll("\n", "");
        byte[] decoded = Base64.getDecoder().decode(privateKeyBase64);
        KeyFactory kf = KeyFactory.getInstance("RSA");
        PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(decoded);
        RSAPrivateKey privKey = (RSAPrivateKey) kf.generatePrivate(keySpec);
        return privKey;
    }
}