Translate Key Material
| paymentcryptographydataplane_translate_key_material | R Documentation |
Translates a cryptographic key between different wrapping keys without importing the key into Amazon Web Services Payment Cryptography
Description
Translates a cryptographic key between different wrapping keys without importing the key into Amazon Web Services Payment Cryptography.
This operation can be used when key material is frequently rotated, such as during every card transaction, and there is a need to avoid importing short-lived keys into Amazon Web Services Payment Cryptography. It translates short-lived transaction keys, such as a PEK generated for each transaction and wrapped with an ECDH-derived wrapping key, to another KEK wrapping key.
Before using this operation, you must first request the public key certificate of the ECC key pair generated within Amazon Web Services Payment Cryptography to establish an ECDH key agreement. In TranslateKeyData, the service uses its own ECC key pair, the public certificate of the receiving ECC key pair, and the key derivation parameters to generate a derived key. The service uses this derived key to unwrap the incoming transaction key received as a TR31WrappedKeyBlock and re-wraps it using a user-provided KEK to generate an outgoing Tr31WrappedKeyBlock.
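The party that wrapped the transaction key and the service must derive the same key from the ECDH shared secret, so the key derivation function, hash algorithm and shared information have to match on both sides. The following Python block is an added example, not part of this documentation or of AWS code; the helper names, the sample values and the reading of NIST_SP800 as the SP 800-56A single-step KDF are assumptions.

```python
import hashlib
import struct

# Hash names from KeyDerivationHashAlgorithm mapped to hashlib constructors.
HASHES = {"SHA_256": hashlib.sha256, "SHA_384": hashlib.sha384,
          "SHA_512": hashlib.sha512}
# Key sizes in bytes for the AES values of DeriveKeyAlgorithm.
KEY_BYTES = {"AES_128": 16, "AES_192": 24, "AES_256": 32}


def derive_wrapping_key(shared_secret, shared_info, key_len,
                        kdf="ANSI_X963", hash_alg="SHA_256"):
    """Derive key_len bytes from an ECDH shared secret Z.

    ANSI_X963:  Hash(Z || counter || SharedInfo)   (ANSI X9.63 KDF)
    NIST_SP800: Hash(counter || Z || SharedInfo)   (assumed to be the
                SP 800-56A single-step KDF; the page does not say)
    counter is a 32-bit big-endian integer starting at 1.
    """
    if kdf not in ("ANSI_X963", "NIST_SP800"):
        raise ValueError("unsupported KeyDerivationFunction: %r" % kdf)
    if hash_alg not in HASHES:
        raise ValueError("unsupported KeyDerivationHashAlgorithm: %r" % hash_alg)
    if key_len <= 0:
        raise ValueError("key_len must be positive")
    out, counter = b"", 1
    while len(out) < key_len:
        ctr = struct.pack(">I", counter)
        if kdf == "ANSI_X963":
            block = shared_secret + ctr + shared_info
        else:
            block = ctr + shared_secret + shared_info
        out += HASHES[hash_alg](block).digest()
        counter += 1
    return out[:key_len]


def same_key(params_a, params_b, shared_secret):
    """True when two parameter sets derive the same wrapping key."""
    return (derive_wrapping_key(shared_secret, **params_a)
            == derive_wrapping_key(shared_secret, **params_b))


# Constructed sample values, not real key material.
Z = bytes(range(32))                      # stand-in for the ECDH shared secret
INFO = bytes.fromhex("0102030405060708")  # stand-in for SharedInformation

if __name__ == "__main__":
    sender = dict(shared_info=INFO, key_len=KEY_BYTES["AES_256"])
    print(same_key(sender, dict(sender), Z))                    # matching parameters
    print(same_key(sender, dict(sender, kdf="NIST_SP800"), Z))  # KDF mismatch
```

A mismatch in any derivation parameter yields a different derived key, so the incoming key block cannot be unwrapped.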
For information about valid keys for this operation, see Understanding key attributes and Key types for specific data operations in the Amazon Web Services Payment Cryptography User Guide.
Cross-account use: This operation supports cross-account use when the key has a resource-based policy that grants access. For more information, see Resource-based policies.
Related operations:
Usage
paymentcryptographydataplane_translate_key_material(IncomingKeyMaterial,
  OutgoingKeyMaterial, KeyCheckValueAlgorithm)
Arguments
| IncomingKeyMaterial | [required] Parameter information of the TR31WrappedKeyBlock containing the transaction key. |
| OutgoingKeyMaterial | [required] Parameter information of the wrapping key used to wrap the transaction key in the outgoing TR31WrappedKeyBlock. |
| KeyCheckValueAlgorithm | The key check value (KCV) algorithm used for calculating the KCV of the derived key. |
Value
A list with the following syntax:
list(
  WrappedKey = list(
    WrappedKeyMaterial = "string",
    KeyCheckValue = "string",
    WrappedKeyMaterialFormat = "KEY_CRYPTOGRAM"|"TR31_KEY_BLOCK"|"TR34_KEY_BLOCK"
  )
)
Request syntax
svc$translate_key_material(
  IncomingKeyMaterial = list(
    DiffieHellmanTr31KeyBlock = list(
      PrivateKeyIdentifier = "string",
      CertificateAuthorityPublicKeyIdentifier = "string",
      PublicKeyCertificate = "string",
      DeriveKeyAlgorithm = "TDES_2KEY"|"TDES_3KEY"|"AES_128"|"AES_192"|"AES_256"|"HMAC_SHA256"|"HMAC_SHA384"|"HMAC_SHA512"|"HMAC_SHA224",
      KeyDerivationFunction = "NIST_SP800"|"ANSI_X963",
      KeyDerivationHashAlgorithm = "SHA_256"|"SHA_384"|"SHA_512",
      DerivationData = list(
        SharedInformation = "string"
      ),
      WrappedKeyBlock = "string"
    )
  ),
  OutgoingKeyMaterial = list(
    Tr31KeyBlock = list(
      WrappingKeyIdentifier = "string"
    )
  ),
  KeyCheckValueAlgorithm = "CMAC"|"ANSI_X9_24"|"HMAC"|"SHA_1"
)