AWS Security ChangesHomeSearch

AWS payment-cryptography documentation change

Service: payment-cryptography · 2025-11-22 · Documentation medium

File: payment-cryptography/latest/userguide/keys-validattributes.md

Summary

Updated allowed key algorithms with asterisks and added new asymmetric key usage types (TR31_K3 and TR31_K2_TR34)

Security assessment

The changes clarify cryptographic algorithm restrictions and introduce documentation for new key types supporting ECDH and TR-34 key exchange mechanisms. While these updates enhance cryptographic feature documentation, there is no evidence of addressing a specific security vulnerability.

Diff

diff --git a/payment-cryptography/latest/userguide/keys-validattributes.md b/payment-cryptography/latest/userguide/keys-validattributes.md
index 667a17cfb..74cf7345f 100644
--- a//payment-cryptography/latest/userguide/keys-validattributes.md
+++ b//payment-cryptography/latest/userguide/keys-validattributes.md
@@ -23 +23 @@ Although AWS Payment Cryptography will prevent you from creating invalid keys, v
-    * **Allowed Key Algorithms** : TDES_2KEY ,TDES_3KEY ,AES_128 ,AES_192 ,AES_256
+    * **Allowed Key Algorithms** : TDES_2KEY ,TDES_3KEY ,AES_128* ,AES_192* ,AES_256*
@@ -35 +35 @@ Although AWS Payment Cryptography will prevent you from creating invalid keys, v
-    * **Allowed Key Algorithms** : TDES_2KEY ,TDES_3KEY ,AES_128 ,AES_192 ,AES_256
+    * **Allowed Key Algorithms** : TDES_2KEY ,TDES_3KEY*, AES_128* ,AES_192* ,AES_256*
@@ -41 +41 @@ Although AWS Payment Cryptography will prevent you from creating invalid keys, v
-    * **Allowed Key Algorithms** : TDES_2KEY ,TDES_3KEY ,AES_128 ,AES_192 ,AES_256
+    * **Allowed Key Algorithms** : TDES_2KEY ,TDES_3KEY, AES_128*,AES_192*,AES_256*
@@ -47 +47 @@ Although AWS Payment Cryptography will prevent you from creating invalid keys, v
-    * **Allowed Key Algorithms** : TDES_2KEY ,TDES_3KEY ,AES_128 ,AES_192 ,AES_256
+    * **Allowed Key Algorithms** : TDES_2KEY ,TDES_3KEY ,AES_128* ,AES_192* ,AES_256*
@@ -53 +53 @@ Although AWS Payment Cryptography will prevent you from creating invalid keys, v
-    * **Allowed Key Algorithms** : TDES_2KEY ,TDES_3KEY ,AES_128 ,AES_192 ,AES_256
+    * **Allowed Key Algorithms** : TDES_2KEY ,TDES_3KEY ,AES_128* ,AES_192* ,AES_256*
@@ -59 +59 @@ Although AWS Payment Cryptography will prevent you from creating invalid keys, v
-    * **Allowed Key Algorithms** : TDES_2KEY ,TDES_3KEY ,AES_128 ,AES_192 ,AES_256
+    * **Allowed Key Algorithms** : TDES_2KEY ,TDES_3KEY ,AES_128* ,AES_192* ,AES_256*
@@ -65 +65 @@ Although AWS Payment Cryptography will prevent you from creating invalid keys, v
-    * **Allowed Key Algorithms** : TDES_2KEY ,TDES_3KEY ,AES_128 ,AES_192 ,AES_256
+    * **Allowed Key Algorithms** : TDES_2KEY ,TDES_3KEY ,AES_128* ,AES_192* ,AES_256*
@@ -71 +71 @@ Although AWS Payment Cryptography will prevent you from creating invalid keys, v
-    * **Allowed Key Algorithms** : TDES_2KEY ,TDES_3KEY ,AES_128 ,AES_192 ,AES_256
+    * Recommended to use TR31_K1_KEY_BLOCK_PROTECTION_KEY. **Allowed Key Algorithms** : TDES_2KEY ,TDES_3KEY ,AES_128 ,AES_192 ,AES_256
@@ -143,0 +144,23 @@ Although AWS Payment Cryptography will prevent you from creating invalid keys, v
+  * TR31_K3_ASYMMETRIC_KEY_FOR_KEY_AGREEMENT
+
+    * Used for key agreement algorithms such as ECDH
+
+    * **Allowed Key Algorithms** : ECC_NIST_P256,ECC_NIST_P384,ECC_NIST_P521
+
+    * **Allowed combination of key modes of use** : { DeriveKey = true }.
+
+    * **NOTE:** DeriveKeyUsage is used to specify what kind of key will be derived from this base key. This is fixed at key creation/import.
+
+  * TR31_K2_TR34_ASYMMETRIC_KEY
+
+    * Asymmetric key used for X9.24 compatible key exchange mechanisms like TR-34
+
+    * **Allowed Key Algorithms** : RSA_2048,RSA_3072,RSA_4096
+
+    * **Allowed combination of key modes of use** : { DeriveKey = true }.
+
+    * **Allowed combination of key modes of use** : { Encrypt = true, Decrypt = true, Wrap = true, Unwrap = true } ,{ Encrypt = true, Wrap = true } ,{ Decrypt = true, Unwrap = true }
+
+    * **NOTE:** : { Encrypt = true, Wrap = true } is the only valid option when importing a public key that is intended for encrypting data or wrapping a key
+
+
@@ -145,0 +169 @@ Although AWS Payment Cryptography will prevent you from creating invalid keys, v
+* This algorithm/key type combination is not currently supported by any cryptographic operations