Answer: A.
Option A is CORRECT because asymmetric CMKs cannot use the default algorithm; the default applies to symmetric CMKs only.
You must record the algorithm used during encryption and supply the exact same one during decryption.
For symmetric CMKs, by contrast, the default value works.
Option B is incorrect.
EncryptionContext is not a required parameter, so leaving it empty will not cause this error.
Option C is incorrect because GrantTokens is not a required parameter and takes its values as an array, so an empty array will not cause the error.
Option D is incorrect because the question states that the CMK ID is verified and accurate.
Reference:
https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html
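The point made for option A, as an added example that is not code from the original page or from AWS: store the algorithm returned by Encrypt next to the ciphertext and pass it back to Decrypt. The helper names, the JSON envelope layout and the key ID are assumptions, and `StubKms` is a constructed offline stand-in for a boto3 KMS client that performs no real cryptography.

```python
import base64
import json

SYMMETRIC_DEFAULT = "SYMMETRIC_DEFAULT"  # value KMS assumes when EncryptionAlgorithm is omitted

def encrypt_to_envelope(kms, key_id, plaintext, algorithm=SYMMETRIC_DEFAULT):
    """Encrypt and return a JSON envelope that records the algorithm used."""
    resp = kms.encrypt(KeyId=key_id, Plaintext=plaintext, EncryptionAlgorithm=algorithm)
    return json.dumps({
        "key_id": resp["KeyId"],
        "algorithm": resp["EncryptionAlgorithm"],  # stored so Decrypt can repeat it
        "ciphertext": base64.b64encode(resp["CiphertextBlob"]).decode("ascii"),
    })

def decrypt_from_envelope(kms, envelope):
    """Decrypt, always passing the recorded algorithm instead of the default."""
    rec = json.loads(envelope)
    resp = kms.decrypt(
        KeyId=rec["key_id"],
        CiphertextBlob=base64.b64decode(rec["ciphertext"]),
        EncryptionAlgorithm=rec["algorithm"],
    )
    return resp["Plaintext"]

class StubKms:
    """Constructed stand-in for a boto3 KMS client (assumption, no real crypto).
    It only models the rule that Decrypt must name the algorithm Encrypt used."""

    def encrypt(self, KeyId, Plaintext, EncryptionAlgorithm=SYMMETRIC_DEFAULT):
        blob = EncryptionAlgorithm.encode() + b"|" + Plaintext[::-1]
        return {"KeyId": KeyId, "EncryptionAlgorithm": EncryptionAlgorithm,
                "CiphertextBlob": blob}

    def decrypt(self, CiphertextBlob, KeyId=None, EncryptionAlgorithm=SYMMETRIC_DEFAULT):
        used, _, body = CiphertextBlob.partition(b"|")
        if used.decode() != EncryptionAlgorithm:
            # Stand-in for the service-side failure discussed in the question
            raise ValueError("InvalidCiphertextException (stand-in)")
        return {"KeyId": KeyId, "EncryptionAlgorithm": EncryptionAlgorithm,
                "Plaintext": body[::-1]}

if __name__ == "__main__":
    kms = StubKms()
    env = encrypt_to_envelope(kms, "example-key-id", b"secret", "RSAES_OAEP_SHA_256")
    print(decrypt_from_envelope(kms, env))
```

With a real client, replace `StubKms()` with `boto3.client("kms")`; the `encrypt` and `decrypt` keyword arguments used here are the same ones the KMS API takes.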
The InvalidCiphertextException error occurs when the ciphertext that is being decrypted is not in a valid format or cannot be decrypted. This error can be caused by several factors, including:
A. EncryptionAlgorithm set to default value: This option is unlikely to cause the InvalidCiphertextException error, as the default value for EncryptionAlgorithm is AES_CBC_PKCS5Padding, which is a valid encryption algorithm that AWS KMS supports.
B. EncryptionContext is empty: EncryptionContext is a set of key-value pairs that you can pass to AWS KMS when encrypting data, and it must be the same when decrypting data. If EncryptionContext is not provided during encryption or is different during decryption, AWS KMS will return an InvalidCiphertextException error. Therefore, if EncryptionContext is empty during decryption, it is likely to cause the error.
C. GrantTokens is an empty array: GrantTokens are additional authentication data that you can pass to AWS KMS when decrypting data. If the GrantTokens parameter is provided during encryption, it must be the same when decrypting data. If GrantTokens is not provided during encryption or is different during decryption, AWS KMS will return an InvalidCiphertextException error. Therefore, if GrantTokens is an empty array during decryption, it is likely to cause the error.
D. KeyId is empty: If KeyId is empty, AWS KMS cannot determine which key to use for decryption and will return an error. However, since the question states that the developer has made sure that the CMK ID used is accurate, it is unlikely that this option is the cause of the error.
In summary, the most likely cause of the InvalidCiphertextException error is that EncryptionContext or GrantTokens is not provided or is different during decryption than during encryption.