This page is a machine translation of the English version; where the two differ, the English version is authoritative.
Encrypt customer input
You can encrypt sensitive data that is collected by flows. This uses public key cryptography.
When you configure Amazon Connect, you first provide a public key. This is the key used to encrypt the data. Later, you provide an X.509 certificate that carries a signature proving you hold the matching private key.
In the flow that collects the data, you supply that X.509 certificate to encrypt the data captured with the Stored customer input system attribute. The key you upload must be in .pem format. Amazon Connect uses the uploaded encryption key to verify the signature of the certificate used within the flow, so the certificate must have been signed with the private half of that key pair.
Note
You can have two active encryption keys at a time, so that a new key can be in use before the old one is retired during key rotation.
To decrypt data captured in the Stored customer input attribute, use the AWS Encryption SDK. For more information, see the AWS Encryption SDK Developer Guide.
For a detailed walkthrough, see Creating a secure IVR solution with Amazon Connect. It shows how to:
- Set up Amazon Connect to collect credit card numbers.
- Encrypt the credit card numbers.
- Send them to a backend AWS Lambda function, which decrypts them with the customer-provided decryption key. The private key is needed only on that decrypting side; it is never uploaded to Amazon Connect.
The walkthrough provides two OpenSSL commands:
- one to generate an RSA key pair and a self-signed X.509 certificate
- one to extract the public key from that RSA key pair
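The two OpenSSL steps above, written out as an added example that is not taken from the documentation or the walkthrough. It also performs the check the page describes (the uploaded public key must validate the certificate used in the flow) and reports whether the private key file is PKCS#8 or PKCS#1 PEM, which decides whether the Java decryption sample further down can parse it. File names, the 2048-bit key size and the subject name are assumptions chosen for this demo; only the openssl subcommands are real.

```shell
#!/bin/sh
# Added example (not Amazon Connect or walkthrough code). Assumed names:
# connect_key.pem, connect_cert.pem, connect_pub.pem, CN=connect-ivr-demo.
set -eu

# Generate an RSA key pair and a self-signed X.509 certificate. openssl req
# writes the private key in PKCS#8 PEM form ("BEGIN PRIVATE KEY").
gen_keypair_and_cert() {   # $1 = private key out, $2 = certificate out
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=connect-ivr-demo" \
        -keyout "$1" -out "$2" >/dev/null 2>&1
}

# Extract the public key (SubjectPublicKeyInfo PEM) from the key pair. This is
# the .pem uploaded in the Amazon Connect console as the encryption key.
extract_public_key() {     # $1 = private key in, $2 = public key out
    openssl rsa -in "$1" -pubout -out "$2" 2>/dev/null
}

# The check the page describes, modelled here as two conditions: the
# certificate must carry exactly the uploaded public key, and its signature
# must verify. For a self-signed certificate the signature check is "verify it
# against itself as the trust anchor". Returns 0 when both hold, 1 otherwise.
verify_cert_against_pubkey() {   # $1 = public key PEM, $2 = certificate PEM
    cert_spki=$(openssl x509 -in "$2" -noout -pubkey)
    [ "$cert_spki" = "$(cat "$1")" ] || return 1
    openssl verify -CAfile "$2" "$2" >/dev/null 2>&1 || return 1
}

# Report which PEM encoding a private key file uses. The Java sample on this
# page parses the key body as PKCS#8, so feed it a "BEGIN PRIVATE KEY" file.
pem_key_type() {           # $1 = private key PEM; prints PKCS#8, PKCS#1 or UNKNOWN
    if grep -q -- '-----BEGIN PRIVATE KEY-----' "$1"; then
        echo "PKCS#8"
    elif grep -q -- '-----BEGIN RSA PRIVATE KEY-----' "$1"; then
        echo "PKCS#1"
    else
        echo "UNKNOWN"
    fi
}

# Convert a PKCS#1 ("traditional") RSA key, as older openssl genrsa writes it,
# to unencrypted PKCS#8. Accepts PKCS#8 input too (re-emits it unchanged).
to_pkcs8() {               # $1 = private key in, $2 = PKCS#8 private key out
    openssl pkcs8 -topk8 -nocrypt -in "$1" -out "$2"
}

demo() {
    work=$(mktemp -d)
    gen_keypair_and_cert "$work/connect_key.pem" "$work/connect_cert.pem"
    extract_public_key "$work/connect_key.pem" "$work/connect_pub.pem"
    if verify_cert_against_pubkey "$work/connect_pub.pem" "$work/connect_cert.pem"; then
        echo "connect_cert.pem verifies under connect_pub.pem"
    fi
    # A certificate from some other key pair must be rejected.
    gen_keypair_and_cert "$work/other_key.pem" "$work/other_cert.pem"
    if verify_cert_against_pubkey "$work/connect_pub.pem" "$work/other_cert.pem"; then
        echo "unexpected: other_cert.pem verified under connect_pub.pem"
    else
        echo "other_cert.pem rejected: not signed by the uploaded key"
    fi
    # Normalise the key for the decryptor regardless of how it was generated.
    to_pkcs8 "$work/connect_key.pem" "$work/connect_key_pkcs8.pem"
    echo "connect_key_pkcs8.pem is $(pem_key_type "$work/connect_key_pkcs8.pem")"
    rm -rf "$work"
}
demo
```

Keep the private key file out of the flow entirely: only connect_pub.pem (console) and connect_cert.pem (Store customer input block) go to Amazon Connect; connect_key_pkcs8.pem stays with the decrypting Lambda function.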
How to decrypt data encrypted by Amazon Connect
The following code sample shows how to decrypt the data using the AWS Encryption SDK for Java. The provider ID (AmazonConnect), the key ID configured in the flow, and the wrapping algorithm (RSA/ECB/OAEPWithSHA-512AndMGF1Padding) must all match what was used at encryption time, otherwise the SDK cannot locate the master key and unwrap the data key. The sample reads an unencrypted PEM private key; it accepts both PKCS#8 ("BEGIN PRIVATE KEY") and PKCS#1 ("BEGIN RSA PRIVATE KEY") encodings, since OpenSSL emits either depending on version and subcommand.
```java
package com.amazonaws;

import com.amazonaws.encryptionsdk.AwsCrypto;
import com.amazonaws.encryptionsdk.CryptoResult;
import com.amazonaws.encryptionsdk.jce.JceMasterKey;
import org.bouncycastle.asn1.DERNull;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.Security;
import java.security.interfaces.RSAPrivateKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;

public class AmazonConnectDecryptionSample {

    // The provider ID 'AmazonConnect' is used during encryption; the same ID must be
    // used during decryption or the SDK will not find the key.
    private static final String PROVIDER = "AmazonConnect";

    // The wrapping algorithm used during encryption.
    private static final String WRAPPING_ALGORITHM = "RSA/ECB/OAEPWithSHA-512AndMGF1Padding";

    /**
     * This sample shows how to decrypt data encrypted by Amazon Connect.
     *
     * To use, provide the following command line arguments: [path-to-private-key] [key-id] [ciphertext]
     * Where:
     *   path-to-private-key is a file containing the PEM encoded private key to use for decryption
     *   key-id is the key ID specified during encryption in your flow
     *   ciphertext is the result of the encryption operation from Amazon Connect
     */
    public static void main(String[] args) throws IOException, GeneralSecurityException {
        if (args.length != 3) {
            System.err.println("Usage: AmazonConnectDecryptionSample <path-to-private-key> <key-id> <ciphertext>");
            System.exit(1);
        }
        String privateKeyFile = args[0]; // path to PEM encoded private key to use for decryption
        String keyId = args[1];          // the ID used for the key in your flow
        String cypherText = args[2];     // the result from the flow (base64-encoded ciphertext)

        Security.addProvider(new BouncyCastleProvider());

        // Read the private key from file.
        String privateKeyPem = new String(Files.readAllBytes(Paths.get(privateKeyFile)), StandardCharsets.UTF_8);
        RSAPrivateKey privateKey = getPrivateKey(privateKeyPem);

        AwsCrypto awsCrypto = new AwsCrypto();
        // Only the private (unwrapping) key is needed for decryption, so the public key is null.
        JceMasterKey decMasterKey = JceMasterKey.getInstance(null, privateKey, PROVIDER, keyId, WRAPPING_ALGORITHM);

        CryptoResult<String, JceMasterKey> result = awsCrypto.decryptString(decMasterKey, cypherText);
        System.out.println("Decrypted: " + result.getResult());
    }

    /**
     * Parses an unencrypted RSA private key from PEM. OpenSSL writes either PKCS#8
     * ("BEGIN PRIVATE KEY") or the older PKCS#1 ("BEGIN RSA PRIVATE KEY") encoding;
     * the JDK KeyFactory only understands PKCS#8, so PKCS#1 input is wrapped in a
     * PKCS#8 PrivateKeyInfo first. Encrypted ("BEGIN ENCRYPTED PRIVATE KEY") files
     * are not supported here.
     */
    public static RSAPrivateKey getPrivateKey(String privateKeyPem) throws IOException, GeneralSecurityException {
        boolean pkcs1 = privateKeyPem.contains("-----BEGIN RSA PRIVATE KEY-----");
        String privateKeyBase64 = privateKeyPem
                .replace("-----BEGIN RSA PRIVATE KEY-----", "")
                .replace("-----END RSA PRIVATE KEY-----", "")
                .replace("-----BEGIN PRIVATE KEY-----", "")
                .replace("-----END PRIVATE KEY-----", "")
                .replaceAll("\\s", ""); // drop all line breaks, including CRLF
        byte[] decoded = Base64.getDecoder().decode(privateKeyBase64);
        if (pkcs1) {
            PrivateKeyInfo info = new PrivateKeyInfo(
                    new AlgorithmIdentifier(PKCSObjectIdentifiers.rsaEncryption, DERNull.INSTANCE),
                    org.bouncycastle.asn1.pkcs.RSAPrivateKey.getInstance(decoded));
            decoded = info.getEncoded();
        }
        KeyFactory kf = KeyFactory.getInstance("RSA");
        PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(decoded);
        return (RSAPrivateKey) kf.generatePrivate(keySpec);
    }
}
```