Help Center/ Data Encryption Workshop/ Best Practices/ Key Management Service/ Using KMS to Encrypt Offline Data/ Asymmetric Encryption and Decryption/ Overview
Updated on 2025-09-24 GMT+08:00
View PDF

Overview

For asymmetric encryption and decryption, a public key and a private key are required. In cryptography, these two keys are a pair of bidirectional keys. That is, either the public key or the private key can be used for encryption, and only the other one can be used for decryption. The public key can be set to public, while the private key must be kept securely.

Asymmetric encryption does not require reliable key distribution channels. It is usually used between systems with different trust levels to implement encrypted transmission of sensitive data or digital signature verification.

Asymmetric Key Type

Table 1 lists the asymmetric key algorithms supported by KMS.

Table 1 Asymmetric key algorithms supported by KMS

Key Type

Algorithm Type

Key Specifications

Description

Application

Asymmetric key

RSA
  • RSA_2048
  • RSA_3072
  • RSA_4096

RSA asymmetric key
  • Digital signature and signature verification
  • Data encryption and decryption
    NOTE:

    Asymmetric keys are applicable to signature and signature verification scenarios. Asymmetric keys are not efficient enough for data encryption. Symmetric keys are suitable for encrypting and decrypting data.

Asymmetric key

ECC
  • EC_P256
  • EC_P384

Elliptic curve recommended by NIST

Digital signature and signature verification

Typical Scenarios of Asymmetric Encryption

Asymmetric encryption and decryption can be used for encrypted communication and digital signature.

Encrypted Communication

Encrypted communication is a typical application of asymmetric encryption algorithms. Encrypted communication is similar to symmetric encryption. The difference is that the public key is used for encryption and the private key is used for decryption.

The principles of encrypted communication are as follows:

1. The information receiver creates a public-private key pair and sends the public key to one or more information senders.

2. The information sender uses the public key to encrypt sensitive information and sends the encrypted ciphertext to the information receiver through the transmission medium.

3. After obtaining the data, the information receiver decrypts the information using the private key to restore the original information.

The ciphertext can be decrypted only using the private key, which is not public. Therefore, even if information is leaked due to the low security of the transmission medium, the ciphertext cannot be decrypted, ensuring the security of sensitive information.

Digital Signature

Digital signature is another typical application of asymmetric encryption algorithms. Digital signature includes signature signing and verification. A private key is used for signature, and a public key is used for verification. The process is opposite to that of encrypted communication.

The principles of digital signature are as follows:

1. The information sender creates a public-private key pair and sends the public key to one or more information receivers.

2. The information sender uses a hash function to generate a message digest from the message, and then uses the private key to encrypt the digest. The encrypted digest is the digital signature corresponding to the message.

3. The information sender sends the message and the digital signature to the information receiver.

4. After receiving the message and the digital signature, the information receiver uses the same hash function to generate digest A from the message, and uses the public key provided by the information sender to decrypt the digital signature to obtain digest B. The information receiver then compares digest A with digest B to check whether the message has been tampered with.

The signature is generated using a non-public private key, ensuring signature uniqueness. Digital signatures ensure that data is not tampered with during transmission, verify the identity of the information sender, and prevent repudiation in transactions.