Skip to content
Khairy Mohamed
Linkedin

Implementing Hybrid Encryption in the Ecommerce

3 min read

Introduction

Managing sensitive data like vouchers requires a robust encryption mechanism to ensure security and compliance. In an Ecommerce, we adopted a hybrid encryption approach combining asymmetric and symmetric encryption to balance security, scalability, and performance. This article explores our design choices, implementation details, and how this architecture prevents vendor lock-in.

Why Hybrid Encryption?

Hybrid encryption combines the strengths of asymmetric encryption (RSA) and symmetric encryption (AES):

  1. Asymmetric Encryption: Secure key exchange using public-private key pairs.
  2. Symmetric Encryption: Efficient encryption/decryption of data using a shared secret key.

Our approach leverages AWS KMS (Key Management Service) for managing asymmetric keys while keeping symmetric keys dynamically generated for encrypting voucher data.

Architecture Overview

  1. Asymmetric Keys in AWS KMS:

    • Each voucher supplier is assigned an asymmetric key pair (RSA).
    • The private key remains securely stored in AWS KMS.

  2. Symmetric Key for Voucher Encryption:

    • Dynamically generated per voucher batch.
    • Encrypted using the supplier's public key and stored alongside the encrypted vouchers.

  3. Key Rotation:

    • Symmetric keys are rotated as per retention policy.
    • Asymmetric keys are manually rotated to prevent vendor lock-in.

Implementation Details

1. Generating and Storing Keys

import * as crypto from 'crypto';
import { KMSClient, EncryptCommand, DecryptCommand } from '@aws-sdk/client-kms';


const kmsClient = new KMSClient({ region: 'us-east-1' });


async function encryptSymmetricKey(symmetricKey: Buffer, keyId: string) {
    const params = {
        KeyId: keyId,
        Plaintext: symmetricKey,
    };
    const command = new EncryptCommand(params);
    const response = await kmsClient.send(command);
    return response.CiphertextBlob;
}


function generateSymmetricKey() {
    return crypto.randomBytes(32); // 256-bit AES key
}

2. Encrypting Vouchers

async function encryptVoucher(voucherCode: string, encryptedSymmetricKey: Buffer) {
    const symmetricKey = await kmsClient.send(new DecryptCommand({ CiphertextBlob: encryptedSymmetricKey }));


    const cipher = crypto.createCipheriv('aes-256-gcm', symmetricKey.Plaintext, crypto.randomBytes(12)); // 12-byte IV
    let encrypted = cipher.update(voucherCode, 'utf8', 'base64');
    encrypted += cipher.final('base64');


    return {
        encryptedVoucher: encrypted,
        iv: cipher.getAuthTag().toString('base64'),
    };
}

3. Decrypting Vouchers

async function decryptVoucher(encryptedVoucher: string, iv: string, encryptedSymmetricKey: Buffer) {
    const symmetricKey = await kmsClient.send(new DecryptCommand({ CiphertextBlob: encryptedSymmetricKey }));


    const decipher = crypto.createDecipheriv('aes-256-gcm', symmetricKey.Plaintext, Buffer.from(iv, 'base64'));
    let decrypted = decipher.update(encryptedVoucher, 'base64', 'utf8');
    decrypted += decipher.final('utf8');


    return decrypted;
}

4. Key Rotation Policy

  • Symmetric Key Rotation: Rotate symmetric keys after 7 days of activation or allocation to a specific user.

  • Asymmetric Key Rotation:

    • Generate a new key pair in AWS KMS.
    • Re-encrypt existing symmetric keys using the new public key.
async function rotateKeys(oldKeyId: string, newKeyId: string, encryptedSymmetricKey: Buffer) {
    const symmetricKey = await kmsClient.send(new DecryptCommand({ CiphertextBlob: encryptedSymmetricKey }));
    return encryptSymmetricKey(Buffer.from(symmetricKey.Plaintext), newKeyId);
}

Benefits of the Approach

  1. Security:

    • Strong encryption using industry-standard algorithms.
    • Asymmetric keys stored securely in AWS KMS.

  2. Scalability:

    • Efficient encryption/decryption using symmetric keys for large datasets.

  3. Vendor Independence:

    • Manual key rotation ensures data remains accessible even if AWS services are unavailable.

  4. Compliance:

    • Meets stringent data protection standards for sensitive information.

Conclusion

Our hybrid encryption approach ensures secure, scalable, and flexible management of voucher data. By combining AWS KMS for key management with dynamic symmetric encryption, we achieve a balance between performance and security while maintaining control over critical encryption assets.

Feel free to adapt this implementation to your use case. For any questions or feedback, drop a comment below!