Encryption Primer

Encrypting Data-at-Rest and Data-in-Transit


Symmetric algorithms

AWS cryptographic tools and services support two widely used symmetric algorithms:
AES – Advanced Encryption Standard (AES) with 128-, 192-, or 256-bit keys. AES is often combined with Galois/Counter Mode (GCM) and is then known as AES-GCM.
Triple DES – Triple DES (3DES) uses three 56-bit keys. The scheme works on a block of data by splitting it in two and iteratively applying round functions derived from an initial function. Triple DES uses 48 rounds to encrypt a block of data.
For instance, AWS Key Management Service uses the Advanced Encryption Standard (AES) algorithm in Galois/Counter Mode (GCM) with 256-bit secret keys.
An encryption scheme is called symmetric if it uses the same key to both encrypt and decrypt a message. Technically, the encryption key e and decryption key d don't have to be exactly the same. All that's required is that it's computationally trivial to determine d when you know e and e when you know d. However, in most practical symmetric encryption schemes, e and d are the same.
Note: Symmetric encryption is also called shared key, shared secret, and secret key encryption. It is not called private key encryption. Convention reserves the term private key for asymmetric cryptography, which centers around the idea of a private key and a corresponding (but different) public key.
Symmetric key encryption requires that all intended message recipients have access to the shared key. Therefore, a secure communication channel must be established among the participants so that the key can be transmitted to each along with the ciphertext. This presents practical problems and limits the use of direct symmetric key exchange.

Asymmetric algorithms

AWS tools typically support the RSA and Elliptic Curve Cryptography (ECC) asymmetric algorithms. These algorithms are useful for authentication and for establishing secure communication channels when it is inconvenient to share a symmetric key in advance. For example, Amazon CloudFront supports a set of asymmetric ciphers used by the SSL/TLS protocols to enable encrypted connections over the web.
An encryption scheme is called asymmetric if it uses one key — the public key — to encrypt and a different, but mathematically related, key — the private key — to decrypt. It must be computationally infeasible to determine the private key if the only thing one knows is the public key. Therefore, the public key can be distributed publicly while the private key is kept secret and secure. Together the keys are referred to as a key pair.
Another, more common name for asymmetric encryption is public-key cryptography. Public-key cryptography is typically based on mathematical operations that are relatively easy to perform but cannot be easily reversed. These include factoring a large integer back into its component prime numbers and solving the elliptic curve discrete logarithm problem. The RSA algorithm is based on the practical difficulty of factoring the product of two large prime numbers. Elliptic-curve cryptography is based on the difficulty of finding the discrete logarithm of a random point on an elliptic curve given a publicly known point.
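The two sections above fit together in practice: a symmetric AEAD (AES-256-GCM, as the text says AWS KMS uses) protects the data, and the recipient's asymmetric key transports the symmetric key, which removes the need for the pre-established secret channel noted in the symmetric section. The following Go program is an added example written for this primer, not AWS or KMS code; it uses only the standard library, and the function names and the 2048-bit demo key pair are this example's own choices.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"io"
)

// NewAESGCM builds the AEAD; key must be 16, 24 or 32 bytes (AES-128/192/256).
func NewAESGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealAESGCM encrypts plaintext and authenticates it together with aad. Output: nonce || ciphertext || tag.
func SealAESGCM(gcm cipher.AEAD, plaintext, aad []byte) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize()) // random 96-bit nonce; must never repeat under one key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// OpenAESGCM fails unless key, nonce, ciphertext, tag and aad all match what was sealed.
func OpenAESGCM(gcm cipher.AEAD, sealed, aad []byte) ([]byte, error) {
	if len(sealed) < gcm.NonceSize() {
		return nil, io.ErrUnexpectedEOF // truncated input, reject before slicing
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// NewRecipientKey makes a demo 2048-bit RSA key pair (in practice only the recipient holds the private half).
func NewRecipientKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// WrapKey/UnwrapKey: RSA-OAEP under the recipient's public key carries the AES key,
// so no pre-shared secret is needed; only the holder of the private key recovers it.
func WrapKey(pub *rsa.PublicKey, key []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
}

func UnwrapKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}
```

Because GCM authenticates, decryption with the wrong key, a modified ciphertext or tag, or mismatched aad returns an error rather than garbage.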