Asymmetric vs. Symmetric Encryption KMS Keys


Last updated on July 11, 2024

Even before the Internet, the security, privacy, and integrity of information have always been the top concern of institutions like banks, hospitals, and universities. Nobody wants their personal information (name, address, credit card number, etc.) to be exposed in public for anyone to use. Imagine signing up on your favorite social media website, and after a few days, someone somewhere on the globe has been using your profile and pretending to be you without you knowing! Or maybe you've been using your credit card for shopping online and suddenly, your bank is sending you email reports of fraudulent activities on your account. That would be a creepy and scary world to live in.

The unfortunate truth is that no matter how secure you might think your system is, it will never be one hundred percent secure. There will always be loopholes, and as computers get even more powerful, common attacks like brute force will still be a valid threat. For this reason, tremendous efforts have been made to improve and mitigate scenarios where sensitive data are compromised. Encryption proves to be the most effective solution in battling data breaches. 

What is Encryption?

Encryption is the process of converting the information (plaintext) into secret code (ciphertext) to hide its original meaning. It is used to protect the data so that only authorized users can read it.

It uses the concept of “keys” which are used to encrypt and decrypt the sensitive information from one end to another. The idea is, without these keys, one cannot simply decrypt and read the hidden information.

There are two types of encryption:

Symmetric encryption – uses a single key for both encryption and decryption. The other parties need the same shared key, in addition to the encrypted data, in order to read it.

Because of the simplicity of the process, it is usually faster than asymmetric encryption and is efficient in encrypting large amounts of data.

Symmetric Encryption Disadvantage:

The main disadvantage of using a symmetric key is the difficulty of transporting the shared key. It is difficult in the sense that an attack, such as a man-in-the-middle attack, could obtain both the key and the encrypted data. Since a single key is used for both encryption and decryption, the attacker would be able to decrypt the information sent over the network.

Asymmetric encryption – uses a mathematically related public and private key pair for encryption and decryption. The public key is used for encrypting data and can never be used for decryption. The private key is only used for decrypting data. The private key stays with the user, while both the public key and the encrypted data are sent to other parties. This method makes sharing public keys a lot easier because even if someone manages to steal the data along with the public key, they won't be able to decrypt the information.

Since this type of encryption uses a more complex algorithm than symmetric encryption, asymmetric encryption is used for systems that handle small amounts of data. It is usually used for establishing secure connections like TLS and SSH. It is also slower than symmetric encryption and is inefficient for encrypting large amounts of data.

Symmetric and Asymmetric Keys In AWS Key Management System:

AWS KMS keys

AWS KMS keys are the main resource in AWS KMS. They can be used to encrypt, decrypt, and re-encrypt data, as well as generate data keys for use outside of AWS KMS.

Three types of AWS KMS Keys:

  • Customer Managed keys
    • You can view the KMS key’s metadata
    • You can manage the KMS keys
    • It is used only for your account
    • Automatic rotation is optional
  • AWS managed keys
    • You can view the KMS key’s metadata but you cannot manage it. 
    • It is used only for your account
    • Automatic rotation is required
  • AWS owned keys
    • These are KMS keys that an AWS Service owns and manages for use in multiple AWS accounts.
    • You do not need to create or manage the AWS owned keys. 
    • The key rotation strategy for an AWS owned key is determined by the AWS service that creates and manages the KMS key.

AWS KMS keys support both symmetric and asymmetric encryption. Although integrated into the AWS Cloud, the concepts behind the encryption are still the same as the ones explained above.

Symmetric encryption KMS keys

  • Represents a 256-bit encryption key that never leaves AWS KMS unencrypted.
  • A symmetric encryption KMS key is created by default when you call the create-key API without specifying a value for the --key-spec parameter. The --key-spec parameter allows you to define the KMS key specification, where you can choose between symmetric and asymmetric key types.
  • AWS services that are integrated with AWS KMS (Amazon DynamoDB, Amazon S3, Amazon Relational Database Service, etc.) use symmetric encryption KMS keys to encrypt and decrypt data and do not support asymmetric KMS keys.
  • You can import your own key material into a symmetric encryption KMS key and create symmetric KMS keys in custom key stores.
    • Note that imported key material is supported only for symmetric encryption KMS keys.

Asymmetric KMS keys

  • Private Key
    • The private key is created in AWS KMS and never leaves AWS KMS unencrypted.
    • The private key can only be used by calling AWS KMS.
  • Public Key
    • The public key can be used within or outside of AWS KMS.

Three types of asymmetric KMS keys

  • RSA KMS keys
    • Can be used for encryption and decryption or signing and verification. You can never use RSA KMS keys for both purposes at the same time.
  • Elliptic Curve (ECC) KMS keys
    • Elliptic curve key pair used for signing and verification or deriving shared secrets. You can never use Elliptic Curve (ECC) KMS keys for both purposes at the same time.
  • SM2 KMS keys  
    • Applicable only in China regions.
    • Can be used for encryption and decryption, signing and verification, or deriving shared secrets. You only need to choose one key usage type.

Use Case

  • Symmetric
    • Use symmetric if you are encrypting data within an AWS service. Since AWS services integrated with AWS KMS only support symmetric encryption KMS keys, there is no point in using asymmetric KMS keys there.
    • Symmetric encryption is commonly used when encrypting data at rest. AWS uses symmetric encryption when you’re encrypting objects stored in an S3 bucket or enabling encryption for your EBS volumes. 
  • Asymmetric
    • Since you can use the public key of an asymmetric KMS key outside of AWS KMS, it is a good choice if you are building applications for users who cannot call AWS KMS. The ease of creating key pairs is one of its main benefits.
    • Applicable for data signing and verification. You can use asymmetric KMS keys to authenticate documents by using a digital signature. Digital signing is used to ensure the integrity of data that passes between networks. Suppose that a contract form is sent to you from your client, and you must ensure that the information within the contract is all true and has not been altered by third parties. If you have the right key, you can cryptographically verify that the contract was indeed sent by your client.
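
The contract scenario above as a batch script. This is an added example, not part of the original article; it assumes a configured AWS CLI on a Windows command prompt, and the file names (contract.txt, tampered.txt, contract.sig, public_key.der) and the RSA_2048 key spec are choices made for the illustration.

```bat
@echo off
setlocal
rem Added example: contract.txt and tampered.txt are constructed sample files.
set "ALG=RSASSA_PKCS1_V1_5_SHA_256"

rem An asymmetric KMS key has exactly one usage; this one can only sign and verify.
for /f "delims=" %%K in ('aws kms create-key --key-spec RSA_2048 --key-usage SIGN_VERIFY --query KeyMetadata.KeyId --output text') do set "KEY_ID=%%K"
if not defined KEY_ID (echo create-key failed & exit /b 1)

echo Payment due within 30 days> contract.txt

rem Sign inside AWS KMS: the private key never leaves the service.
aws kms sign --key-id %KEY_ID% --message fileb://contract.txt --message-type RAW ^
    --signing-algorithm %ALG% --query Signature --output text > contract.sig.base64 || exit /b 1
certutil -f -decode contract.sig.base64 contract.sig > nul || exit /b 1

rem Verify the untouched contract: SignatureValid comes back as True.
aws kms verify --key-id %KEY_ID% --message fileb://contract.txt --message-type RAW ^
    --signing-algorithm %ALG% --signature fileb://contract.sig ^
    --query SignatureValid --output text || exit /b 1

rem Alter the contract: the same signature must now be rejected
rem (the call fails with KMSInvalidSignatureException).
copy /y contract.txt tampered.txt > nul
echo Payment due within 300 days>> tampered.txt
aws kms verify --key-id %KEY_ID% --message fileb://tampered.txt --message-type RAW ^
    --signing-algorithm %ALG% --signature fileb://contract.sig > nul 2>&1
if errorlevel 1 (echo Tampered contract rejected) else (echo UNEXPECTED: tampered contract accepted & exit /b 1)

rem Export the public key (DER) for parties who cannot call AWS KMS.
aws kms get-public-key --key-id %KEY_ID% --query PublicKey --output text > public_key.base64 || exit /b 1
certutil -f -decode public_key.base64 public_key.der > nul || exit /b 1
```

RAW messages passed to sign and verify are limited to 4096 bytes; for larger documents, hash the file first and send the digest with --message-type DIGEST.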

Encryption and Decryption with AWS KMS API Demo

Requirements for this demo

  • Make sure that you have programmatic access to call AWS KMS API. 
  • We will be using Windows 10, so you need to download, install, and configure the latest version of AWS CLI for Windows.
  • We will also need to use a package called certutil to decode base64-encoded data. You can easily download it from Google. Just search for certutil.

STEP 1. Create a symmetric key. For simplicity, let’s leave everything to default.

Type “aws kms create-key” on the command prompt. Store the key Id somewhere. We will use this to create an alias. An alias is just a nickname to reference the key Id so that we won’t have to memorize it or type this long string every time we need it.

STEP 2. Create an alias. After the “--alias-name” parameter, type your preferred alias. Note that the custom name should be after the word “alias/” for it to work. Paste the key id after the “--target-key-id” parameter.

STEP 3. Let’s create a file that we will be encrypting and decrypting. To make it simple, let us create a txt file named “unsecure” and insert some text in it.

STEP 4. Encrypt the “unsecure.txt” file. The value for the “--plaintext” parameter should follow this format “fileb://<path-to-your-file>”. The output of this API call is base64 encoded. We will use the “--query” parameter to pick the ciphertext out of the response and redirect the output into a file called “encrypted.base64”. You are free to name the file whatever you want. The output parameter ensures that the text generated will not be enclosed within quotes ( “” ).

STEP 5. Let us convert the base64 encoded file to txt file using certutil. 

Open the text file. The “Welcome to TutorialsDojo” text that we created earlier has now turned into unrecognizable text. This implies that we have successfully encrypted the file.

STEP 6. Now that we have successfully encrypted the data, let us turn it back and decrypt the message. Call the decrypt API on the command prompt. Note that instead of the “--plaintext” parameter, we are using the “--ciphertext-blob” parameter.

STEP 7. Again, let us convert the base64 file to a text file using the “certutil -decode” command.

STEP 8.  Open the “decrypted.txt” file. We have successfully decrypted the message using a single key. You can now see the message that we have written earlier. Good job following along!
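
STEP 1 to STEP 8 collected into one batch script. This is an added example, not the article's original screenshots; the alias alias/tutorialsdojo-demo and the intermediate file names encrypted.txt and decrypted.base64 are assumptions, and certutil here is the certutil.exe that ships with Windows.

```bat
@echo off
setlocal
rem Added example: constructed walk-through of STEP 1-8 for cmd.exe.
rem Assumed names (not from the article): alias/tutorialsdojo-demo,
rem encrypted.txt, decrypted.base64.

rem STEP 1: create a symmetric key with default settings and capture its key Id.
for /f "delims=" %%K in ('aws kms create-key --query KeyMetadata.KeyId --output text') do set "KEY_ID=%%K"
if not defined KEY_ID (echo create-key failed & exit /b 1)

rem STEP 2: the alias name must start with "alias/".
aws kms create-alias --alias-name alias/tutorialsdojo-demo --target-key-id %KEY_ID% || exit /b 1

rem STEP 3: the file to protect.
echo Welcome to TutorialsDojo> unsecure.txt

rem STEP 4: encrypt; --query selects the ciphertext, --output text drops the quotes.
aws kms encrypt --key-id alias/tutorialsdojo-demo --plaintext fileb://unsecure.txt ^
    --query CiphertextBlob --output text > encrypted.base64 || exit /b 1

rem STEP 5: base64 to raw ciphertext (-f overwrites an existing output file).
certutil -f -decode encrypted.base64 encrypted.txt > nul || exit /b 1

rem STEP 6: decrypt. --key-id is optional for symmetric keys, but naming it
rem makes the call fail if the blob was encrypted under a different key.
aws kms decrypt --key-id alias/tutorialsdojo-demo --ciphertext-blob fileb://encrypted.txt ^
    --query Plaintext --output text > decrypted.base64 || exit /b 1

rem STEP 7: base64 to plaintext.
certutil -f -decode decrypted.base64 decrypted.txt > nul || exit /b 1

rem STEP 8: byte-for-byte comparison with the original file.
fc /b unsecure.txt decrypted.txt > nul && (echo Round trip OK) || (echo MISMATCH & exit /b 1)
```

The plaintext file passed to encrypt is limited to 4096 bytes; larger data is encrypted with a data key generated by AWS KMS rather than with the KMS key directly.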

In this tutorial, we have learned how to perform encryption and decryption by calling the AWS KMS API using the AWS CLI on a command prompt. What we have done is a simple operation using one symmetric encryption KMS key. You can play around with the different parameters for your use case.

This article was taken from our AWS Certified Security Specialty study guide eBook.


Written by: Carlo Acebedo

Carlo is a cloud engineer and a content creator at Tutorials Dojo. He's also a member of the AWS Community builder and holds 5 AWS Certifications. Carlo specializes in building and automating solutions in the Amazon Web Services Cloud.
