AWS kms medium security documentation change
Summary
Added guidance for handling large message signing (>4KB) with external hashing and MessageType requirements
Security assessment
The change addresses secure cryptographic practices by enforcing proper message handling for large payloads, preventing potential signature validation errors or insecure hashing practices.
Diff
diff --git a/kms/latest/developerguide/symmetric-asymmetric.md b/kms/latest/developerguide/symmetric-asymmetric.md index 724ac25d1..ed3782b46 100644 --- a//kms/latest/developerguide/symmetric-asymmetric.md +++ b//kms/latest/developerguide/symmetric-asymmetric.md @@ -13 +13,3 @@ If your use case requires encryption outside of AWS by users who cannot call AWS -AWS KMS supports three types of asymmetric KMS keys. +When signing messages larger than 4 KB with AWS KMS, you must hash the message outside of AWS KMS before signing. AWS KMS provides three `MessageType` options for handling message input: `RAW` for plaintext messages (where AWS KMS performs the hashing), `DIGEST` for pre-hashed messages (where AWS KMS skips the hashing step), and `EXTERNAL_MU` specifically for ML-DSA KMS key specs where the input is a 64-byte representative μ value. For large messages exceeding the 4 KB limit, hash the message externally and use [`MessageType:DIGEST`](https://docs.aws.amazon.com/kms/latest/APIReference/API_Sign.html#KMS-Sign-request-MessageType) (or [`MessageType:EXTERNAL_MU`](https://docs.aws.amazon.com/kms/latest/APIReference/API_Sign.html#KMS-Sign-request-MessageType) for ML-DSA KMS keys) when calling AWS KMS [Sign](https://docs.aws.amazon.com/kms/latest/APIReference/API_Sign.html) and AWS KMS [Verify](https://docs.aws.amazon.com/kms/latest/APIReference/API_Verify.html) operations. + +AWS KMS supports several types of asymmetric KMS keys.