AWS payment-cryptography documentation change
Summary
Updated allowed key algorithms with asterisks and added new asymmetric key usage types (TR31_K3 and TR31_K2_TR34)
Security assessment
The changes clarify cryptographic algorithm restrictions and introduce documentation for new key types supporting ECDH and TR-34 key exchange mechanisms. While these updates enhance cryptographic feature documentation, there is no evidence of addressing a specific security vulnerability.
Diff
diff --git a/payment-cryptography/latest/userguide/keys-validattributes.md b/payment-cryptography/latest/userguide/keys-validattributes.md index 667a17cfb..74cf7345f 100644 --- a//payment-cryptography/latest/userguide/keys-validattributes.md +++ b//payment-cryptography/latest/userguide/keys-validattributes.md @@ -23 +23 @@ Although AWS Payment Cryptography will prevent you from creating invalid keys, v - * **Allowed Key Algorithms** : TDES_2KEY ,TDES_3KEY ,AES_128 ,AES_192 ,AES_256 + * **Allowed Key Algorithms** : TDES_2KEY ,TDES_3KEY ,AES_128* ,AES_192* ,AES_256* @@ -35 +35 @@ Although AWS Payment Cryptography will prevent you from creating invalid keys, v - * **Allowed Key Algorithms** : TDES_2KEY ,TDES_3KEY ,AES_128 ,AES_192 ,AES_256 + * **Allowed Key Algorithms** : TDES_2KEY ,TDES_3KEY*, AES_128* ,AES_192* ,AES_256* @@ -41 +41 @@ Although AWS Payment Cryptography will prevent you from creating invalid keys, v - * **Allowed Key Algorithms** : TDES_2KEY ,TDES_3KEY ,AES_128 ,AES_192 ,AES_256 + * **Allowed Key Algorithms** : TDES_2KEY ,TDES_3KEY, AES_128*,AES_192*,AES_256* @@ -47 +47 @@ Although AWS Payment Cryptography will prevent you from creating invalid keys, v - * **Allowed Key Algorithms** : TDES_2KEY ,TDES_3KEY ,AES_128 ,AES_192 ,AES_256 + * **Allowed Key Algorithms** : TDES_2KEY ,TDES_3KEY ,AES_128* ,AES_192* ,AES_256* @@ -53 +53 @@ Although AWS Payment Cryptography will prevent you from creating invalid keys, v - * **Allowed Key Algorithms** : TDES_2KEY ,TDES_3KEY ,AES_128 ,AES_192 ,AES_256 + * **Allowed Key Algorithms** : TDES_2KEY ,TDES_3KEY ,AES_128* ,AES_192* ,AES_256* @@ -59 +59 @@ Although AWS Payment Cryptography will prevent you from creating invalid keys, v - * **Allowed Key Algorithms** : TDES_2KEY ,TDES_3KEY ,AES_128 ,AES_192 ,AES_256 + * **Allowed Key Algorithms** : TDES_2KEY ,TDES_3KEY ,AES_128* ,AES_192* ,AES_256* @@ -65 +65 @@ Although AWS Payment Cryptography will prevent you from creating invalid keys, v - * **Allowed Key Algorithms** : TDES_2KEY ,TDES_3KEY ,AES_128 ,AES_192 ,AES_256 + * **Allowed Key Algorithms** : TDES_2KEY ,TDES_3KEY ,AES_128* ,AES_192* ,AES_256* @@ -71 +71 @@ Although AWS Payment Cryptography will prevent you from creating invalid keys, v - * **Allowed Key Algorithms** : TDES_2KEY ,TDES_3KEY ,AES_128 ,AES_192 ,AES_256 + * Recommended to use TR31_K1_KEY_BLOCK_PROTECTION_KEY. **Allowed Key Algorithms** : TDES_2KEY ,TDES_3KEY ,AES_128 ,AES_192 ,AES_256 @@ -143,0 +144,23 @@ Although AWS Payment Cryptography will prevent you from creating invalid keys, v + * TR31_K3_ASYMMETRIC_KEY_FOR_KEY_AGREEMENT + + * Used for key agreement algorithms such as ECDH + + * **Allowed Key Algorithms** : ECC_NIST_P256,ECC_NIST_P384,ECC_NIST_P521 + + * **Allowed combination of key modes of use** : { DeriveKey = true }. + + * **NOTE:** DeriveKeyUsage is used to specify what kind of key will be derived from this base key. This is fixed at key creation/import. + + * TR31_K2_TR34_ASYMMETRIC_KEY + + * Asymmetric key used for X9.24 compatible key exchange mechanisms like TR-34 + + * **Allowed Key Algorithms** : RSA_2048,RSA_3072,RSA_4096 + + * **Allowed combination of key modes of use** : { DeriveKey = true }. + + * **Allowed combination of key modes of use** : { Encrypt = true, Decrypt = true, Wrap = true, Unwrap = true } ,{ Encrypt = true, Wrap = true } ,{ Decrypt = true, Unwrap = true } + + * **NOTE:** : { Encrypt = true, Wrap = true } is the only valid option when importing a public key that is intended for encrypting data or wrapping a key + + @@ -145,0 +169 @@ Although AWS Payment Cryptography will prevent you from creating invalid keys, v +* This algorithm/key type combination is not currently supported by any cryptographic operations