AWS Security ChangesHomeSearch

AWS payment-cryptography documentation change

Service: payment-cryptography · 2025-04-01 · Documentation low

File: payment-cryptography/latest/userguide/keys-import.md

Summary

Updated ECDH key derivation documentation, changed KeyMaterialType value from TR34_KEY_BLOCK to DiffieHellmanTr31KeyBlock, and corrected parameter references from import-token to private key ARN

Security assessment

Changes appear to clarify API usage and correct parameter names without indicating security vulnerabilities. The DiffieHellmanTr31KeyBlock reference suggests protocol alignment rather than vulnerability mitigation.

Diff

diff --git a/payment-cryptography/latest/userguide/keys-import.md b/payment-cryptography/latest/userguide/keys-import.md
index 97d1794af..665a92ec4 100644
--- a/payment-cryptography/latest/userguide/keys-import.md
+++ b/payment-cryptography/latest/userguide/keys-import.md
@@ -135 +135 @@ If the imported KeyUsage was TR31_K0_KEY_ENCRYPTION_KEY, you can use this key fo
-ECDH uses ECC asymmetric cryptography to establish a joint key between two parties and does not rely on pre-exchanged keys. ECDH keys are intended to be ephemeral, so AWS Payment Cryptography does not store them. In this process a one-time KBPK/KEK is established(derived) using ECDH. That derived key is immediately used to wrap the actual key that you wish to transfer, which could be another KBPK, an IPEK key, etc. 
+ECDH uses ECC asymmetric cryptography to establish a joint key between two parties and does not rely on pre-exchanged keys. ECDH keys are intended to be ephemeral, so AWS Payment Cryptography does not store them. In this process a one-time [KBPK/KEK](./terminology.html#terms.kbpk)is established(derived) using ECDH. That derived key is immediately used to wrap the actual key that you wish to transfer, which could be another KBPK, an IPEK key, etc. 
@@ -228 +228 @@ Finally, you'll want to export the key you wish to transport to AWS Payment Cryp
-Call the importKey API with a KeyMaterialType of `TR34_KEY_BLOCK`. Use the keyARN of the last CA imported in step 3 for `certificate-authority-public-key-identifier`, the wrapped key material from step 4 for `key-material`, and the leaf certificate from step 3 for `signing-key-certificate`. Include the import-token from step 1. 
+Call the importKey API with a KeyMaterialType of `DiffieHellmanTr31KeyBlock`. Use the keyARN of the last CA imported in step 3 for `certificate-authority-public-key-identifier`, the wrapped key material from step 4 for `key-material`, and the leaf certificate from step 3 for `signing-key-certificate`. Include the private key arn from step 1. 
@@ -231 +231 @@ Call the importKey API with a KeyMaterialType of `TR34_KEY_BLOCK`. Use the keyAR
-        --key-material  --key-material='{
+        --key-material='{
@@ -240 +240 @@ Call the importKey API with a KeyMaterialType of `TR34_KEY_BLOCK`. Use the keyAR
-            "PrivateKeyIdentifier": "",
+            "PrivateKeyIdentifier": "arn:aws:payment-cryptography:us-east-2:111122223333:key/wc3rjsssguhxtilv",