Help Center> Data Encryption Workshop> FAQs> General> What Cryptography Algorithms Does DEW Use?
View PDF

What Cryptography Algorithms Does DEW Use?

Key Algorithms Supported by KMS

Symmetric keys created on the KMS console use the AES algorithm. Asymmetric keys created by KMS support the RSA and ECC algorithms.

Table 1 Key algorithms supported by KMS

Key Type

Algorithm Type

Key Specifications

Description

Application Scenario

Symmetric key

AES

AES_256

AES symmetric key
  • Data encryption and decryption
  • DEKs encryption and decryption
    NOTE:

    You can encrypt and decrypt a small amount of data using the online tools on the console.

    You need to call APIs to encrypt and decrypt a large amount of data.

Symmetric key

SM4

SM4

SM4 symmetric key
  • Data encryption and decryption
  • DEKs encryption and decryption

Symmetric key

AES
  • HMAC_256
  • HMAC_384
  • HMAC_512

HMAC symmetric key

Generates and verifies a message authentication code

Symmetric keys

SM3

HMAC_SM3

SM3 symmetric key

Generates and verifies a message authentication code

Asymmetric key

RSA
  • RSA_2048
  • RSA_3072
  • RSA_4096

RSA asymmetric password
  • Digital signature and signature verification
  • Data encryption and decryption
    NOTE:

    Asymmetric keys are applicable to signature and signature verification scenarios. Asymmetric keys are not efficient enough for data encryption. Symmetric keys are suitable for encrypting and decrypting data.

ECC
  • EC_P256
  • EC_P384

Elliptic curve recommended by NIST

Digital signature and signature verification

Asymmetric keys

SM2

SM2

SM2 asymmetric key
  • Digital signature and signature verification
  • Encryption and decryption of a small amount of data

Table 2 describes the encryption and decryption algorithms supported for user-imported keys.

Table 2 Key wrapping algorithms

Algorithm

Description

Configuration

RSAES_OAEP_SHA_256

RSA algorithm that uses OAEP and has the SHA-256 hash function

Select an algorithm based on your HSM functions.

If the HSMs support the RSAES_OAEP_SHA_256 algorithm, use RSAES_OAEP_SHA_256 to encrypt key materials.

NOTICE:

The RSAES_OAEP_SHA_1 algorithm is no longer secure. Exercise caution when performing this operation.

RSAES_OAEP_SHA_1

RSA algorithm that uses Optimal Asymmetric Encryption Padding (OAEP) and has the SHA-1 hash function

SM2_ENCRYPT

SM2 elliptic curve cryptography (ECC) recommended by the State Cryptography Administration

Use the SM2 algorithm at sites that support algorithms approved by the State Password Administration.

Cryptographic Algorithms Supported by KPS

  • The SSH key pairs created on the management console support the following cryptographic algorithms:
    • SSH-ED25519
    • ECDSA-SHA2-NISTP256
    • ECDSA-SHA2-NISTP384
    • ECDSA-SHA2-NISTP521
    • SSH_RSA: The length can be 2048, 3072, and 4096 bits.
  • The SSH keys imported to the KPS console support the following cryptographic algorithms:
    • SSH-DSS
    • SSH-ED25519
    • ECDSA-SHA2-NISTP256
    • ECDSA-SHA2-NISTP384
    • ECDSA-SHA2-NISTP521
    • SSH_RSA: The length can be 2048, 3072, 4096 bits.

Supported Cryptography Algorithms

You can use Chinese cryptographic algorithms and certain international common cryptographic algorithms to meet various user requirements.

Table 3 Supported cryptography algorithms

Category

Common Cryptographic Algorithm

Chinese Cryptographic Algorithm

Symmetric cryptographic algorithm

AES

SM1, SM4, and SM7

Asymmetric cryptographic algorithm

RSA (1024–4096)

SM2

Digest algorithm

SHA1, SHA256, and SHA384

SM3
Parent topic: General