AWS payment-cryptography documentation change
Summary
Added definitions for ECC, ECDH, and KCAAS; updated references to include ECC alongside RSA in public/private key explanations
Security assessment
Adds documentation about cryptographic standards (ECC/ECDH) and key management services (KCAAS) which are security features, but no evidence of addressing a specific vulnerability
Diff
diff --git a/payment-cryptography/latest/userguide/terminology.md b/payment-cryptography/latest/userguide/terminology.md index 3e22cdbe9..d86634ae6 100644 --- a/payment-cryptography/latest/userguide/terminology.md +++ b/payment-cryptography/latest/userguide/terminology.md @@ -123,0 +124,10 @@ Derived Unique Key Per Transaction (DUKPT) is a key management standard typicall +**ECC** + + +ECC (Elliptic Curve Cryptography) is a public key cryptography system that uses the mathematics of elliptic curves to create encryption keys. ECC provides the same security level as traditional methods like RSA but with much shorter key lengths, providing equivalent security in a more efficient manner. This is especially relevant for use cases where RSA is not a practical solution (RSA key length > 4096 bits). AWS Payment Cryptography supports curves defined by [NIST](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf) for use in ECDH operations. + +**ECDH** + + +ECDH (Elliptic Curve Diffie-Hellman) is a key agreement protocol that allows two parties to establish a shared secret (such as a KEK or a PEK). In ECDH, Party A and B each have their own public-private key pairs and exchange public keys with each other (in the form of certificates for AWS Payment Cryptography) as well as key derivation metadata (derivation method, hash type and shared info). Both parties multiply their private key by the other's public key and due to elliptic curve properties, both parties are able to derive(generate) the resulting key. + @@ -133,0 +144,5 @@ A Hardware Security Module (HSM) is a physical device that protects cryptographi +**KCAAS** + + +A Key Custodian As A Service (KCAAS) provides a variety of services relating to key management. For payment keys, they can typically convert paper-based key components to electronic forms supported by AWS Payment Cryptography or convert electronically protected keys to paper-based components that might be required by certain vendors. They may also provide key escrow services for keys whose loss would be detrimental to your ongoing opeations. KCAAS vendors are able to help customers offload the operational burden of managing key material outside a secure service such as AWS Payment Cryptography in a way compliant with PCI DSS, PCI PIN, and PCI P2PE standards. + @@ -187 +202 @@ PAN Sequence Number (PSN) is a numeric value used to differentiate multiple card -When using asymmetric ciphers (RSA), the public key is the public component of a public-private key pair. The public key can be shared and distributed to entities that need to encrypt data for the owner of the public-private key pair. For digital signature operations, the public key is used to verify the signature. +When using asymmetric ciphers (RSA, ECC), the public key is the public component of a public-private key pair. The public key can be shared and distributed to entities that need to encrypt data for the owner of the public-private key pair. For digital signature operations, the public key is used to verify the signature. @@ -192 +207 @@ When using asymmetric ciphers (RSA), the public key is the public component of a -When using asymmetric ciphers (RSA), the private key is the private component of a public-private key pair. The private key is used to decrypt data or create digital signatures. Similar to symmetric AWS Payment Cryptography keys, private keys are securely created by HSMs. They are decrypted only into the volatile memory of the HSM and only for the time needed to process your cryptographic request. +When using asymmetric ciphers (RSA,ECC), the private key is the private component of a public-private key pair. The private key is used to decrypt data or create digital signatures. Similar to symmetric AWS Payment Cryptography keys, private keys are securely created by HSMs. They are decrypted only into the volatile memory of the HSM and only for the time needed to process your cryptographic request.