AWS Security ChangesHomeSearch

AWS payment-cryptography documentation change

Service: payment-cryptography · 2025-03-30 · Documentation low

File: payment-cryptography/latest/userguide/keys-importexport.md

Summary

Added references to ECC/ECDH in multiple sections and updated terminology links

Security assessment

Expands documentation of security features (elliptic curve cryptography support) but does not indicate remediation of a specific vulnerability

Diff

diff --git a/payment-cryptography/latest/userguide/keys-importexport.md b/payment-cryptography/latest/userguide/keys-importexport.md
index 058a23ba9..db6e9ba0c 100644
--- a/payment-cryptography/latest/userguide/keys-importexport.md
+++ b/payment-cryptography/latest/userguide/keys-importexport.md
@@ -18,6 +18,6 @@ The following table shows the supported combinations of wrapping keys, keys to p
-**Key To Protect** | TDES_2KEY | TDES_3KEY | AES_128 | AES_192 | AES_256 | RSA_2048 | RSA_3072 | RSA_4096 | Notes  
-**TDES_2KEY** | TR-31 | TR-31 | TR-31 | TR-31 | TR-31 | TR-34, RSA | TR-34, RSA | RSA |   
-**TDES_3KEY** |  Not supported | TR-31 | TR-31 | TR-31 | TR-31 | TR-34, RSA | TR-34, RSA | RSA |   
-**AES_128** |  Not supported |  Not supported | TR-31 | TR-31 | TR-31 |  Not supported | TR-34, RSA | RSA |   
-**AES_192** |  Not supported |  Not supported |  Not supported | TR-31 | TR-31 |  Not supported | TR-34, RSA | RSA |   
-**AES_256** |  Not supported |  Not supported |  Not supported |  Not supported |  Not supported |  Not supported |  Not supported |  Not supported | Import/Export of AES 256 bits keys is not currently supported as RSA-based approaches are not considered equivalent.  
+**Key To Protect** | TDES_2KEY | TDES_3KEY | AES_128 | AES_192 | AES_256 | RSA_2048 | RSA_3072 | RSA_4096 | ECC_p256 | ECC_p384 | ECC_p521 | Notes  
+**TDES_2KEY** | TR-31 | TR-31 | TR-31 | TR-31 | TR-31 | TR-34, RSA,ECDH | TR-34, RSA,ECDH | RSA,ECDH | ECDH | ECDH | ECDH |   
+**TDES_3KEY** |  Not supported | TR-31 | TR-31 | TR-31 | TR-31 | TR-34, RSA,ECDH | TR-34, RSA,ECDH | RSA,ECDH | ECDH | ECDH | ECDH |   
+**AES_128** |  Not supported |  Not supported | TR-31 | TR-31 | TR-31 |  Not supported | TR-34, RSA,ECDH | RSA,ECDH | ECDH | ECDH | ECDH |   
+**AES_192** |  Not supported |  Not supported |  Not supported | TR-31 | TR-31 |  Not supported | TR-34, RSA,ECDH | RSA,ECDH |  Not supported |  Not supported | ECDH |   
+**AES_256** |  Not supported |  Not supported |  Not supported |  Not supported |  Not supported |  Not supported |  Not supported |  Not supported | ECDH | ECDH | ECDH | Import/Export of AES 256 bits keys is only permitted under ECDH using 521 length curves.  
@@ -30 +30 @@ For more information, see [Appendix D - Minimum and Equivalent Key Sizes and Str
-We recommend using public key cryptography (RSA) for the initial key exchange with the [ANSI X9.24 TR-34](./terminology.html#terms.tr34) standard. This initial key type can be called a Key Encryption Key (KEK), Zone Master Key (ZMK), or Zone Control Master Key (ZCMK). If your systems or partners don't support TR-34 yet, you can use [RSA Wrap/Unwrap](./terminology.html#terms.rsawrap). 
+We recommend using public key cryptography (RSA,ECC) for the initial key exchange with the [ANSI X9.24 TR-34](./terminology.html#terms.tr34) standard. This initial key type can be called a Key Encryption Key (KEK), Zone Master Key (ZMK), or Zone Control Master Key (ZCMK). If your systems or partners don't support TR-34 yet you can use [RSA Wrap/Unwrap](./terminology.html#terms.rsawrap). If your needs include exchanging AES-256 keys, you can use [ECDH](./terminology.html#terms.ecdh)
@@ -32 +32 @@ We recommend using public key cryptography (RSA) for the initial key exchange wi
-If you need to continue processing paper key components until all partners support electronic key exchange, consider using an offline HSM.
+If you need to continue processing paper key components until all partners support electronic key exchange, consider using an offline HSM or utilizing a 3rd party [key custodian as a service](./terminology.html#terms.kcaas).
@@ -36 +36 @@ If you need to continue processing paper key components until all partners suppo
-To import your own test keys, see the AWS Payment Cryptography sample project on [GitHub](https://github.com/aws-samples/samples-for-payment-cryptography-service/tree/main/key-import-export). For instructions about importing/exporting keys from other platforms, see their user guides. 
+To import your own test keys or to synchronize keys with your existing HSMs, please see the AWS Payment Cryptography sample code on [GitHub](https://github.com/aws-samples/samples-for-payment-cryptography-service/tree/main/key-import-export). 
@@ -41 +41 @@ To import your own test keys, see the AWS Payment Cryptography sample project on
-We use industry standards ([ANSI X9.24 TR 31-2018](./terminology.html#terms.tr31) and X9.143) for exchanging working keys. This requires that you've already exchanged a KEK using TR-34, RSA Wrap, or similar schemes. This approach meets the PCI PIN requirement to cryptographically bind key material to its type and usage at all times. Working keys include acquirer working keys, issuer working keys, BDK, and IPEK. 
+We use industry standards ([ANSI X9.24 TR 31-2018](./terminology.html#terms.tr31) and X9.143) for exchanging working keys. This requires that you've already exchanged a KEK using TR-34, RSA Wrap, ECDH or similar schemes. This approach meets the PCI PIN requirement to cryptographically bind key material to its type and usage at all times. Working keys include acquirer working keys, issuer working keys, BDK, and IPEK.