AWS payment-cryptography documentation change
Summary
Updated key exchange guidance to reference Physical Key Exchange and added links to related documentation.
Security assessment
Enhanced documentation of key exchange methods (TR-34 and Physical Key Exchange) which are security features, but no vulnerability is addressed. Improves clarity of secure key rotation processes.
Diff
diff --git a/payment-cryptography/latest/userguide/keys-export.md b/payment-cryptography/latest/userguide/keys-export.md index d8cae01d3..601ff686a 100644 --- a//payment-cryptography/latest/userguide/keys-export.md +++ b//payment-cryptography/latest/userguide/keys-export.md @@ -364 +364 @@ We output the wrapped key in hexBinary format. You might need to convert the for -When exchanging multiple keys or supporting key rotation, you typically first exchange an initial key encryption key (KEK) using paper key components or, with AWS Payment Cryptography, using TR-34. After establishing a KEK, you can use it to transport subsequent keys, including other KEKs. We support this key exchange using ANSI TR-31, which is widely supported by HSM vendors. +When exchanging multiple keys or supporting key rotation, partners typically first exchange an initial key encryption key (KEK). You can exchange KEK with AWS Payment Cryptography, using techniques such as [TR-34](./keys-import.html#keys-import-tr34) or [Physical Key Exchange](./keys-physicalkeyexchange.html). After establishing a KEK, you can use it to transport subsequent keys, including other KEKs. We support this key exchange using ANSI TR-31, which is widely supported by HSM vendors.