AWS payment-cryptography medium security documentation change
Summary
Modified key usage requirements (removed 'Verify' from KeyModesOfUse) and increased maximum length for a field.
Security assessment
Removing 'Verify' from KeyModesOfUse for MAC generation keys could prevent unintended verification misuse, addressing a potential security misconfiguration. This is a direct security-related change.
Diff
diff --git a/payment-cryptography/latest/DataAPIReference/API_GenerateMac.md b/payment-cryptography/latest/DataAPIReference/API_GenerateMac.md index 74e1c6abb..b15c61328 100644 --- a//payment-cryptography/latest/DataAPIReference/API_GenerateMac.md +++ b//payment-cryptography/latest/DataAPIReference/API_GenerateMac.md @@ -13 +13 @@ You can use this operation to authenticate card-related data by using known data -You can use this operation to generate a DUPKT, CMAC, HMAC or EMV MAC by setting generation attributes and algorithm to the associated values. The MAC generation encryption key must have valid values for `KeyUsage` such as `TR31_M7_HMAC_KEY` for HMAC generation, and they key must have `KeyModesOfUse` set to `Generate` and `Verify`. +You can use this operation to generate a DUPKT, CMAC, HMAC or EMV MAC by setting generation attributes and algorithm to the associated values. The MAC generation encryption key must have valid values for `KeyUsage` such as `TR31_M7_HMAC_KEY` for HMAC generation, and the key must have `KeyModesOfUse` set to `Generate`. @@ -89 +89 @@ Type: String -Length Constraints: Minimum length of 2. Maximum length of 4096. +Length Constraints: Minimum length of 2. Maximum length of 8192.