AWS kms documentation change
Summary
Updated terminology from 'NIST-recommended' to 'NIST-standard' elliptic curves in key derivation guidance
Security assessment
The change clarifies compliance with NIST standards but does not introduce new security features or address vulnerabilities. It is a documentation refinement.
Diff
diff --git a/kms/latest/developerguide/create-keys.md b/kms/latest/developerguide/create-keys.md index 3f8ce6fab..483cc91b5 100644 --- a//kms/latest/developerguide/create-keys.md +++ b//kms/latest/developerguide/create-keys.md @@ -150 +150 @@ To avoid these errors, anyone using a public key outside of AWS KMS must store t -To derive shared secrets, use a KMS key with [NIST-recommended elliptic curve](./symm-asymm-choose-key-spec.html#key-spec-ecc) or [SM2](./symm-asymm-choose-key-spec.html#key-spec-sm) (China Regions only) key material. AWS KMS uses the [Elliptic Curve Cryptography Cofactor Diffie-Hellman Primitive](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf#page=60) (ECDH) to establish a key agreement between two peers by deriving a shared secret from their elliptic curve public-private key pairs. You can use the raw shared secret that the [ DeriveSharedSecret](https://docs.aws.amazon.com/kms/latest/APIReference/API_DeriveSharedSecret.html) operation returns to derive a symmetric key that can encrypt and decrypt data that is sent between two parties, or generate and verify HMACs. AWS KMS recommends that you follow [NIST recommendations for key derivation](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf) when using the raw shared secret to derive a symmetric key. +To derive shared secrets, use a KMS key with [NIST-standard elliptic curve](./symm-asymm-choose-key-spec.html#key-spec-ecc) or [SM2](./symm-asymm-choose-key-spec.html#key-spec-sm) (China Regions only) key material. AWS KMS uses the [Elliptic Curve Cryptography Cofactor Diffie-Hellman Primitive](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf#page=60) (ECDH) to establish a key agreement between two peers by deriving a shared secret from their elliptic curve public-private key pairs. You can use the raw shared secret that the [ DeriveSharedSecret](https://docs.aws.amazon.com/kms/latest/APIReference/API_DeriveSharedSecret.html) operation returns to derive a symmetric key that can encrypt and decrypt data that is sent between two parties, or generate and verify HMACs. AWS KMS recommends that you follow [NIST recommendations for key derivation](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf) when using the raw shared secret to derive a symmetric key.