How to digitally sign a message and verify using AWS KMS

Before going into KMS, let's understand the purpose of digitally signing data. A digital signature lets the receiver check two things: that the message was produced by the holder of a particular private key (authenticity) and that it has not been modified in transit (integrity). Say we have a producer 'A' that sends messages to a consumer 'B'. Using a digital signature, 'B' can verify that the message it is consuming really came from 'A' and not from someone else, and that nobody changed it on the way. Note that a signature does not hide the message; if confidentiality is needed, encryption is a separate step.

Now that we know the purpose of digital signatures, let's see how to achieve this with the AWS KMS service. There are two ways: generate a data key pair from KMS and sign locally, or let KMS itself sign and verify with an asymmetric KMS key. We start with the first.

As a first step, create a symmetric encryption KMS key (key spec SYMMETRIC_DEFAULT), either in the AWS console or with the CreateKey API. Signing itself needs an asymmetric key pair, so call GenerateDataKeyPair, which generates a data key pair (public key and private key) that can be used outside KMS. The request takes the keyId of the symmetric key created above, which KMS uses to encrypt a copy of the private key, and a KeyPairSpec that must be a signing-capable spec such as RSA_2048 or ECC_NIST_P256. The response contains the public key (DER-encoded X.509 SubjectPublicKeyInfo), the plaintext private key (DER-encoded PKCS#8) and the same private key encrypted under the symmetric key. Only the encrypted copy should be persisted; the plaintext private key should stay in memory just long enough to sign and then be discarded (it can be recovered later with Decrypt). If the component that creates the key pair is not the one that signs, GenerateDataKeyPairWithoutPlaintext returns only the encrypted private key.

Once we have the key pair, the producer signs the message with the private key using the standard java.security API: load the PKCS#8 bytes through a KeyFactory, then use Signature (for example SHA256withECDSA for an ECC key or SHA256withRSA for an RSA key) to produce the signature, which is returned as a byte array. The signature is sent alongside the message, typically base64-encoded in a header or a field of the envelope.

On the consumer side, the consumer receives the message and the signature. It loads the producer's public key, which it must have obtained through a trusted channel (a signature only proves that the message matches the public key the consumer trusts; if an attacker can substitute the public key, they can substitute the signature too), and checks the signature against the message. If verification returns true, the message was signed by the holder of the matching private key and was not changed in transit: both authenticity and integrity are intact.

If verification returns false, either the message did not come from the expected producer or it was modified in transit. In practice a false result can also come from a mismatch between the bytes that were signed and the bytes that are verified (different character encoding, trailing whitespace, re-serialised JSON), so producer and consumer must agree on exactly which bytes are signed.
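The producer and consumer flow described above, written out as an added example with the AWS SDK for Java v2 and java.security (this is not code from the original post). It assumes an existing symmetric encryption KMS key reachable under the hypothetical alias alias/my-wrapping-key, default AWS credentials and region, and an ECC P-256 key pair; the sample message and the tampered copy are constructed for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.Arrays;
import java.util.Base64;

import software.amazon.awssdk.services.kms.KmsClient;
import software.amazon.awssdk.services.kms.model.DataKeyPairSpec;
import software.amazon.awssdk.services.kms.model.GenerateDataKeyPairRequest;
import software.amazon.awssdk.services.kms.model.GenerateDataKeyPairResponse;

public class DataKeyPairSigningExample {

    // Hypothetical alias of a symmetric encryption KMS key (SYMMETRIC_DEFAULT); it only wraps the private key.
    private static final String WRAPPING_KEY_ID = "alias/my-wrapping-key";

    public static void main(String[] args) throws Exception {
        try (KmsClient kms = KmsClient.create()) {
            // 1. Ask KMS for a fresh P-256 key pair. The response carries the public key (X.509 SPKI DER),
            //    the plaintext private key (PKCS#8 DER) and the private key encrypted under WRAPPING_KEY_ID.
            GenerateDataKeyPairResponse pair = kms.generateDataKeyPair(GenerateDataKeyPairRequest.builder()
                    .keyId(WRAPPING_KEY_ID)
                    .keyPairSpec(DataKeyPairSpec.ECC_NIST_P256)
                    .build());

            byte[] privateKeyDer = pair.privateKeyPlaintext().asByteArray();
            byte[] publicKeyDer = pair.publicKey().asByteArray();
            byte[] wrappedPrivateKey = pair.privateKeyCiphertextBlob().asByteArray(); // persist this, never the plaintext

            KeyFactory kf = KeyFactory.getInstance("EC");
            PrivateKey privateKey = kf.generatePrivate(new PKCS8EncodedKeySpec(privateKeyDer));
            Arrays.fill(privateKeyDer, (byte) 0); // the key object holds its own copy; wipe the raw bytes
            PublicKey publicKey = kf.generatePublic(new X509EncodedKeySpec(publicKeyDer));

            // 2. Producer: sign a constructed sample message locally; no KMS call per message.
            byte[] message = "order-42;amount=100".getBytes(StandardCharsets.UTF_8);
            byte[] signature = sign(privateKey, message);
            System.out.println("signature (base64): " + Base64.getEncoder().encodeToString(signature));

            // 3. Consumer: verify with the producer's public key, obtained over a trusted channel.
            System.out.println("original verifies: " + verify(publicKey, message, signature));   // true

            byte[] tampered = "order-42;amount=1000".getBytes(StandardCharsets.UTF_8);
            System.out.println("tampered verifies: " + verify(publicKey, tampered, signature));  // false
        }
    }

    // Producer side: SHA-256 over the message, ECDSA with the P-256 private key.
    // The result is a DER-encoded (r, s) pair, the same encoding KMS itself uses for ECDSA.
    static byte[] sign(PrivateKey privateKey, byte[] message) throws Exception {
        Signature signer = Signature.getInstance("SHA256withECDSA");
        signer.initSign(privateKey);
        signer.update(message);
        return signer.sign();
    }

    // Consumer side: true only if the signature was made over exactly these bytes by the matching private key.
    static boolean verify(PublicKey publicKey, byte[] message, byte[] signature) throws Exception {
        Signature verifier = Signature.getInstance("SHA256withECDSA");
        verifier.initVerify(publicKey);
        verifier.update(message);
        try {
            return verifier.verify(signature);
        } catch (SignatureException e) {
            return false; // a malformed or truncated signature is treated as invalid, not as an error
        }
    }
}
```

Two design points worth noticing: the symmetric key is never used to sign anything, it only protects the stored copy of the private key, and the consumer needs nothing from KMS at all, only the public key bytes, so verification is purely local and works even if the consumer has no AWS credentials.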

Apart from the java.security library, the KMS client itself has sign() and verify() methods. For this approach the KMS key is created as an asymmetric key with KeyUsage SIGN_VERIFY (for example key spec ECC_NIST_P256 or RSA_2048); there is no data key pair to generate, and the private key never leaves KMS. Sign takes the message (up to 4096 bytes when sent raw; larger messages are hashed by the caller and sent with MessageType DIGEST) and a signing algorithm and returns the signature; Verify takes the message, signature and algorithm and reports whether the signature is valid. Because every signature and every verification is an API call, this approach is slower and costs more per message than GenerateDataKeyPair with local signing, but in exchange the private key is never exposed to the application. A middle ground is to keep signing in KMS and export the public key once with GetPublicKey so that consumers verify locally.
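The same flow using the KMS Sign and Verify operations, as an added example that is not from the original post. It assumes an asymmetric KMS key with key spec ECC_NIST_P256 and key usage SIGN_VERIFY under the hypothetical alias alias/my-signing-key, default credentials and region, and a constructed sample message. One caveat the text does not mention: when the signature does not match, KMS Verify does not answer with SignatureValid=false, it raises KMSInvalidSignatureException, which the consumer has to catch.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.X509EncodedKeySpec;

import software.amazon.awssdk.core.SdkBytes;
import software.amazon.awssdk.services.kms.KmsClient;
import software.amazon.awssdk.services.kms.model.GetPublicKeyRequest;
import software.amazon.awssdk.services.kms.model.KmsInvalidSignatureException;
import software.amazon.awssdk.services.kms.model.MessageType;
import software.amazon.awssdk.services.kms.model.SignRequest;
import software.amazon.awssdk.services.kms.model.SigningAlgorithmSpec;
import software.amazon.awssdk.services.kms.model.VerifyRequest;

public class KmsSignVerifyExample {

    // Hypothetical alias of an asymmetric KMS key: KeySpec ECC_NIST_P256, KeyUsage SIGN_VERIFY.
    private static final String SIGNING_KEY_ID = "alias/my-signing-key";
    private static final SigningAlgorithmSpec ALG = SigningAlgorithmSpec.ECDSA_SHA_256;

    public static void main(String[] args) throws Exception {
        try (KmsClient kms = KmsClient.create()) {
            byte[] message = "order-42;amount=100".getBytes(StandardCharsets.UTF_8);   // constructed sample
            byte[] tampered = "order-42;amount=1000".getBytes(StandardCharsets.UTF_8);

            // Producer: one Sign call per message; the private key never leaves KMS.
            byte[] signature = signWithKms(kms, message);

            // Consumer option A: ask KMS to verify (one Verify call per message, needs kms:Verify on the key).
            System.out.println("kms verify, original: " + verifyWithKms(kms, message, signature));  // true
            System.out.println("kms verify, tampered: " + verifyWithKms(kms, tampered, signature)); // false

            // Consumer option B: export the public key once with GetPublicKey, then verify locally with
            // java.security and no further KMS calls. KMS ECDSA signatures are DER-encoded, which is
            // exactly what SHA256withECDSA expects.
            PublicKey publicKey = fetchPublicKey(kms);
            Signature local = Signature.getInstance("SHA256withECDSA");
            local.initVerify(publicKey);
            local.update(message);
            System.out.println("local verify, original: " + local.verify(signature));            // true
        }
    }

    static byte[] signWithKms(KmsClient kms, byte[] message) {
        // MessageType.RAW: KMS hashes the message itself, but only up to 4096 bytes. For larger
        // messages, hash locally with SHA-256 and send the digest with MessageType.DIGEST.
        return kms.sign(SignRequest.builder()
                .keyId(SIGNING_KEY_ID)
                .message(SdkBytes.fromByteArray(message))
                .messageType(MessageType.RAW)
                .signingAlgorithm(ALG)
                .build())
            .signature().asByteArray();
    }

    static boolean verifyWithKms(KmsClient kms, byte[] message, byte[] signature) {
        try {
            return kms.verify(VerifyRequest.builder()
                    .keyId(SIGNING_KEY_ID)
                    .message(SdkBytes.fromByteArray(message))
                    .messageType(MessageType.RAW)
                    .signature(SdkBytes.fromByteArray(signature))
                    .signingAlgorithm(ALG)
                    .build())
                .signatureValid();
        } catch (KmsInvalidSignatureException e) {
            // KMS signals a mismatch with an exception rather than SignatureValid=false.
            return false;
        }
    }

    static PublicKey fetchPublicKey(KmsClient kms) throws Exception {
        byte[] spkiDer = kms.getPublicKey(GetPublicKeyRequest.builder().keyId(SIGNING_KEY_ID).build())
                .publicKey().asByteArray();   // DER-encoded X.509 SubjectPublicKeyInfo
        return KeyFactory.getInstance("EC").generatePublic(new X509EncodedKeySpec(spkiDer));
    }
}
```

Option B is what makes this approach practical at volume: the producer still pays one API call per message, but consumers pay nothing per message and need only kms:GetPublicKey once (or no KMS access at all if the public key is distributed to them out of band).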

Reference links

aws.amazon.com/kms/faqs
docs.aws.amazon.com/kms/latest/APIReference..
sdk.amazonaws.com/java/api/latest/software/..

Thank you for reading the blog till here, please let me know if you found this blog helpful.