Cloud Key Management 101: Cryptographic Keys and Algorithms
The top cloud security threat in 2022 is insufficient identity, credential, access, and key management. Key Management Systems (KMS), including hardware security modules and other cryptographic tools, are commonly used to address this threat.
While different KMS offerings provide varying capabilities and features, they typically leverage common, foundational components to achieve optimal key management. This blog, derived from CSA’s recently released cloud key management micro-training course, discusses cryptographic keys and algorithms and the differences between the types of encryption they offer. You can dive deeper into cloud key management by signing up for the course here.
Definition of Cryptographic Algorithms and Cryptographic Keys
A cryptographic algorithm is a computational procedure or formula used to encrypt and decrypt information to ensure security and privacy. A cryptographic key, sometimes referred to as an encryption/decryption key, is a string of data used by a cryptographic algorithm to convert plaintext into ciphertext (output that is unreadable without the key).
Together, cryptographic algorithms and keys enable strong security and privacy in a wide range of use cases, from securing user authentication processes and website traffic to creating digital signatures and encrypting data-at-rest.
Cryptographic algorithms and keys fall into three categories, each addressing specific purposes and use cases: hash functions, symmetric algorithms and keys, and asymmetric algorithms and keys.
Hash functions create a small, fixed-length digest value (known as the hash value) from a typically larger input that may be of arbitrary size. By condensing the input into a short value, hash functions provide an efficient and secure mechanism for checking data integrity, for example as the value that is signed in asymmetric digital signatures. However, since hashing is a one-way process with no concept of a key or decryption routine, the original input cannot be recovered from its hash.
Symmetric encryption uses a single shared secret held by one or more authorized parties for encrypting and decrypting data and communications. In this model, the same key is used for encrypting and decrypting data between trusted parties.
Also known as public-key cryptography, asymmetric encryption is a newer encryption method that uses mathematically linked public and private key pairs to encrypt and decrypt data between trusted parties. Unlike symmetric encryption’s single-key model, asymmetric encryption uses paired keys (a public key and a private key) for more robust security. Messages encrypted using a public key can only be decrypted using the corresponding private key, and messages encrypted using a private key can be decrypted using the corresponding public key.
Because symmetric encryption only uses a single key, anyone who steals or copies that key can easily decrypt data and communications. In contrast, the asymmetric encryption model allows the public key to be shared freely, with the private key strictly controlled and protected by the key pair owner.
Both keys take part in protecting data and communications, one to encrypt and the other to decrypt, and the private key cannot be mathematically derived from the public key, despite their linkage. For this reason, asymmetric encryption is considered a more robust and flexible approach to encryption, despite being more computationally intensive.
Learn More About Cloud Key Management
CSA’s Cloud Key Management Foundations course is based on our cloud key management research initiatives and related artifacts. It takes approximately one hour to complete. After completion, you receive a certificate for 1 course hour that may be submitted for possible CPE credits. The course includes:
- An overview of the history, definitions, and components of cloud KMS
- An overview of the key features, technologies, and service patterns that comprise today’s cloud KMS solutions
- Considerations regarding cloud KMS selection and planning