Secure transport protocols such as Secure Sockets Layer/Transport Layer Security (“SSL/TLS”) and Secure Shell (“SSH”) are used to establish communication channels that protect the confidentiality of transmitted messages using encryption. However, even messages encrypted with these protocols sometimes leak information about the data being transferred. For example, when a client uses HTTP over SSL/TLS (“HTTPS”) to browse a website, the sizes of the SSL/TLS encrypted records and the timing between record transfers can, in some cases, be used to identify the particular Web pages visited, because the ciphertext length closely tracks the plaintext length.
The structural formats of encrypted messages in the various schemes are commonly public knowledge (e.g., documented in RFC standards). For example, in an envelope-based encryption scheme, data records are encrypted using randomly generated Data Encryption Keys (“DEKs”). Each DEK is then encrypted using a Key Encrypting Key (“KEK”) that is pre-shared among the parties authorized to access the encrypted data records. The structure of an encrypted data record includes plaintext metadata (e.g., the KEK's identifier) and an encrypted body that is the concatenation of the encrypted DEK and the encrypted original data. Therefore, a cryptanalyst who knows the format can determine which bytes within the encrypted body contain the encrypted key used to encrypt the rest of the message, and how long the encrypted payload is.
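The following is an added illustration, not code from the original text: it builds an envelope record in the layout described above (KEK identifier, encrypted DEK, encrypted data), shows which byte ranges and lengths an observer can read off from the public format alone, and contrasts an unpadded record with one padded to a fixed bucket so that the body length no longer reveals the plaintext length. The stream cipher, field lengths and bucket size are constructed stand-ins chosen for this example.

```python
import os
import struct
from hashlib import sha256

KEK_ID_LEN = 16      # plaintext metadata: identifier of the pre-shared KEK (assumed length)
DEK_LEN = 32         # random per-record Data Encryption Key (assumed length)
PAD_BUCKET = 1024    # padding bucket used to hide the plaintext length (assumed)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy length-preserving stream cipher (SHA-256 in counter mode), a stand-in
    for a real cipher. Ciphertext length == plaintext length, which is exactly
    the property that lets record sizes leak. Not for production use."""
    out = bytearray()
    for pos in range(0, len(data), 32):
        ks = sha256(key + struct.pack(">I", pos // 32)).digest()
        out.extend(b ^ k for b, k in zip(data[pos:pos + 32], ks))
    return bytes(out)


def envelope_encrypt(kek_id: bytes, kek: bytes, data: bytes, pad_to: int = 0) -> bytes:
    """Record = kek_id || E_kek(DEK) || E_dek(body); body is data, or a
    2-byte length prefix plus data zero-padded up to a multiple of pad_to."""
    body = data
    if pad_to:
        body = struct.pack(">H", len(data)) + data
        body += b"\x00" * (-len(body) % pad_to)
    dek = os.urandom(DEK_LEN)
    return kek_id + keystream_xor(kek, dek) + keystream_xor(dek, body)


def field_offsets(record: bytes) -> dict:
    """What the public layout reveals without any key: the byte ranges of the
    KEK id, the encrypted DEK, and the encrypted data (hence its length)."""
    return {
        "kek_id": (0, KEK_ID_LEN),
        "enc_dek": (KEK_ID_LEN, KEK_ID_LEN + DEK_LEN),
        "enc_data": (KEK_ID_LEN + DEK_LEN, len(record)),
    }


def envelope_decrypt(kek: bytes, record: bytes, padded: bool = False) -> bytes:
    """Recover the DEK with the KEK, then the body with the DEK; strip padding."""
    off = field_offsets(record)
    dek = keystream_xor(kek, record[off["enc_dek"][0]:off["enc_dek"][1]])
    body = keystream_xor(dek, record[off["enc_data"][0]:])
    if padded:
        return body[2:2 + struct.unpack(">H", body[:2])[0]]
    return body
```

With padding, two records for differently sized inputs come out the same length, so an observer learns only the bucket, not the exact plaintext size.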